historical git-svn mirror of MIT krb5 anonsvn repository
Fetching latest commit…
Cannot retrieve the latest commit at this time
Kerberos Version 5, Release 1.9 Release Notes The MIT Kerberos Team Copyright and Other Notices --------------------------- Copyright (C) 1985-2010 by the Massachusetts Institute of Technology and its contributors. All rights reserved. Please see the file named NOTICE for additional notices. Building and Installing Kerberos 5 ---------------------------------- The first file you should look at is doc/install-guide.ps; it contains the notes for building and installing Kerberos 5. The info file krb5-install.info has the same information in info file format. You can view this using the GNU emacs info-mode, or by using the standalone info file viewer from the Free Software Foundation. This is also available as an HTML file, install.html. Other good files to look at are admin-guide.ps and user-guide.ps, which contain the system administrator's guide, and the user's guide, respectively. They are also available as info files kerberos-admin.info and krb5-user.info, respectively. These files are also available as HTML files. If you are attempting to build under Windows, please see the src/windows/README file. Reporting Bugs -------------- Please report any problems/bugs/comments using the krb5-send-pr program. The krb5-send-pr program will be installed in the sbin directory once you have successfully compiled and installed Kerberos V5 (or if you have installed one of our binary distributions). If you are not able to use krb5-send-pr because you haven't been able compile and install Kerberos V5 on any platform, you may send mail to email@example.com. You may view bug reports by visiting http://krbdev.mit.edu/rt/ and logging in as "guest" with password "guest". DES transition -------------- The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8. Major changes in 1.9 -------------------- Code quality: * Python-based testing framework * DAL cleanup Developer experience: * NSS crypto back end * PRNG modularity * Fortuna-like PRNG Performance: * Account lockout performance improvements Administrator experience: * Trace logging * Plugin interface for password sync * Plugin interface for password quality checks * Configuration file validator * KDC support for SecurID preauthentication Protocol evolution: * IAKERB * Camellia encryption (experimental; disabled by default) krb5-1.9 changes by ticket ID ----------------------------- 1219 mechanism to delete old keys should exist 2032 No advanced warning of password expiry 5014 kadmin (and other utilities) should report enctypes as it takes them 6647 Memory leak in kdc 6672 Python test framework 6679 Lazy history key creation 6684 Simple kinit verbosity patch 6686 IPv6 support for kprop and kpropd 6688 mit-krb5-1.7 fails to compile against openssl-1.0.0 6699 Validate and renew should work on non-TGT creds 6700 Introduce new krb5_tkt_creds API 6712 Add IAKERB mechanism and gss_acquire_cred_with_password 6714 [patch] fix format errors in krb5-1.8.1 6715 cksum_body exports 6719 Add lockout-related performance tuning variables 6720 Negative enctypes improperly read from keytabs 6723 Negative enctypes improperly read from ccaches 6733 Make signedpath authdata visible via GSS naming exts 6736 Add krb5_enctype_to_name() API 6737 Trace logging 6746 Make kadmin work over IPv6 6749 DAL improvements 6753 Fix XDR decoding of large values in xdr_u_int 6755 Add GIC option for password/account expiration callback 6758 Allow krb5_gss_register_acceptor_identity to unset keytab name 6760 Fail properly when profile can't be accessed 6761 add profile include support 6762 key expiration computed incorrectly in libkdb_ldap 6763 New plugin infrastructure 6765 Password quality pluggable interface 6769 clean up memory leak and potential unused variable in crypto tests 6771 Fix memory leaks in kdb5_verify 6772 Ensure valid key in krb5int_yarrow_cipher_encrypt_block 6774 pkinit client cert matching can be disrupted by one of the candidate certs 6775 pkinit <KU> evaluation during certificate matching may fail 6776 Typos in src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 6777 Segmentation fault in krb library (sn2princ.c) if realm not resolved 6778 kdb: store mkey list in context and permit NULL mkey for kdb_dbe_decrypt_key_data 6779 kinit: add KDB keytab support 6783 KDC worker processes feature 6784 relicense Sun RPC to 3-clause BSD-style 6785 Add gss_krb5_import_cred 6786 kpasswd: if a credential cache is present, use FAST 6787 S4U memory leak 6791 kadm5_hook: new plugin interface 6792 Implement k5login_directory and k5login_authoritative options 6793 acquire_init_cred leaks interned name 6795 Propagate modprinc -unlock from master to slave KDCs 6796 segfault due to uninitialized variable in S4U 6799 Performance issue in LDAP policy fetch 6801 Fix leaks in get_init_creds interface 6802 copyright notice updates 6804 Remove KDC replay cache 6805 securID code fixes 6806 securID error handling fix 6807 SecurID build support 6809 gss_krb5int_make_seal_token_v3_iov fails to set conf_state 6810 Better libk5crypto NSS fork safety 6811 Mark Camellia-CCM code as experimental 6812 krb5_get_credentials should not fail due to inability to store a credential in a cache 6815 Failed kdb5_util load removes real database 6819 Handle referral realm in kprop client principal 6820 Read KDC profile settings in kpropd 6822 Implement Camellia-CTS-CMAC instead of Camellia-CCM 6823 getdate.y: declare yyparse 6824 Export krb5_tkt_creds_get 6825 Add missing KRB5_CALLCONV in callback declaration 6826 Fix Windows build 6827 SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others) 6828 Install kadm5_hook_plugin.h 6829 Implement restrict_anonymous_to_tgt realm flag Acknowledgements ---------------- Past and present Sponsors of the MIT Kerberos Consortium: Apple Carnegie Mellon University Centrify Corporation Columbia University Cornell University The Department of Defense of the United States of America (DoD) Google Iowa State University MIT Michigan State University Microsoft The National Aeronautics and Space Administration of the United States of America (NASA) Network Appliance (NetApp) Nippon Telephone and Telegraph (NTT) Oracle Pennsylvania State University Red Hat Stanford University TeamF1, Inc. The University of Alaska The University of Michigan The University of Pennsylvania Past and present members of the Kerberos Team at MIT: Danilo Almeida Jeffrey Altman Justin Anderson Richard Basch Mitch Berger Jay Berkenbilt Andrew Boardman Bill Bryant Steve Buckley Joe Calzaretta John Carr Mark Colan Don Davis Alexandra Ellwood Dan Geer Nancy Gilman Matt Hancher Thomas Hardjono Sam Hartman Paul Hill Marc Horowitz Eva Jacobus Miroslav Jurisic Barry Jaspan Geoffrey King Kevin Koch John Kohl HaoQi Li Peter Litwack Scott McGuire Steve Miller Kevin Mitchell Cliff Neuman Paul Park Ezra Peisach Chris Provenzano Ken Raeburn Jon Rochlis Jeff Schiller Jen Selby Robert Silk Bill Sommerfeld Jennifer Steiner Ralph Swick Brad Thompson Harry Tsai Zhanna Tsitkova Ted Ts'o Marshall Vale Tom Yu The following external contributors have provided code, patches, bug reports, suggestions, and valuable resources: Brandon Allbery Russell Allbery Brian Almeida Michael B Allen Derek Atkins David Bantz Alex Baule Arlene Berry Jeff Blaine Radoslav Bodo Emmanuel Bouillon Michael Calmer Ravi Channavajhala Srinivas Cheruku Leonardo Chiquitto Howard Chu Andrea Cirulli Christopher D. Clausen Kevin Coffman Simon Cooper Sylvain Cortes Nalin Dahyabhai Roland Dowdeswell Jason Edgecombe Mark Eichin Shawn M. Emery Douglas E. Engert Peter Eriksson Ronni Feldt Bill Fellows JC Ferguson William Fiveash Ákos Frohner Marcus Granado Scott Grizzard Steve Grubb Philip Guenther Dominic Hargreaves Jakob Haufe Jeff Hodges Love Hörnquist Åstrand Ken Hornstein Henry B. Hotz Luke Howard Jakub Hrozek Shumon Huque Jeffrey Hutzelman Wyllys Ingersoll Holger Isenberg Pavel Jindra Joel Johnson Mikkel Kruse Volker Lendecke Jan iankko Lieskovsky Ryan Lynch Franklyn Mendez Markus Moeller Paul Moore Zbysek Mraz Edward Murrell Nikos Nikoleris Dmitri Pal Javier Palacios Ezra Peisach W. Michael Petullo Mark Phalan Robert Relyea Martin Rex Jason Rogers Mike Roszkowski Guillaume Rousse Tom Shaw Peter Shoults Simo Sorce Michael Ströder Bjørn Tore Sund Rathor Vipin Jorgen Wahlsten Max (Weijun) Wang John Washington Marcus Watts Simon Wilkinson Nicolas Williams Ross Wilper Xu Qiang Hanz van Zijst The above is not an exhaustive list; many others have contributed in various ways to the MIT Kerberos development effort over the years. Other acknowledgments (for bug reports and patches) are in the doc/CHANGES file.