Skip to content


Subversion checkout URL

You can clone with
Download ZIP
mirror of MIT krb5 repository
C C++ HTML Python Groff Perl Other
Tag: krb5-1.11.1-fi…

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.


                   Kerberos Version 5, Release 1.11

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices

Copyright (C) 1985-2013 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.


Unified documentation for Kerberos V5 is available in both HTML and
PDF formats.  The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

for the most recent supported release, or at

for the release under development.

More information about Kerberos may be found at

and at the MIT Kerberos Consortium web site

Building and Installing Kerberos 5

Build documentation is in doc/html/build/index.html or

The installation guide is in doc/html/admin/install.html or

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs

Please report any problems/bugs/comments using the krb5-send-pr
program.  The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
compile and install Kerberos V5 on any platform, you may send mail to

You may view bug reports by visiting

and logging in as "guest" with password "guest".

DES transition

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.11.1 (2013-02-21)

This is a bugfix release.

* Restore capability for multi-hop SAM-2 preauth exchanges, which
  krb5-1.11 had inadvertently removed.

* Fix a null pointer dereference in the KDC PKINIT code

krb5-1.11.1 changes by ticket ID

7458    add more strftime format strings for klist
7523    Fix gss_str_to_oid for OIDs with zero-valued arcs
7525    Fix DPRINT in ipropd_svc.c
7534    Minor pointer management patches
7539    Fix no_host_referral concatention in KDC
7548    Fix iprop safety net in kdb5_util load
7553    sendto_kdc can invoke poll with negative timeout
7557    Fix h1 end tag in Sphinx header titles
7558    Fix typos in layout.html
7559    Fix "search" accesskey in layout.html
7560    Fix kdb5_util dump.c uninitialized warnings
7561    kprop doesn't work with RC4 session key
7567    Fix RFC 5587 const pointer typedefs
7569    Convert success in krb5_chpw_result_code_string
7570    PKINIT null pointer deref [CVE-2013-1415]
7571    Allow multi-hop SAM-2 exchanges
7573    File descriptor leak in DIR ccaches
7574    Fix memory leak closing DIR ccaches

Major changes in 1.11 (2012-12-17)

Additional background information on these changes may be found at


Code quality:

* Improve ASN.1 support code, making it table-driven for decoding as
  well as encoding

* Refactor parts of KDC

Developer experience:

* Documentation consolidation

* Add a new API krb5_kt_have_content() to determine whether a keytab
  exists and contains any entries.

* Add a new API krb5_cccol_have_content() to determine whether the
  ccache collection contains any credentials.

* Add a new API krb5_kt_client_default() to resolve the default client

* Add new APIs gss_export_cred and gss_import_cred to serialize and
  unserialize GSSAPI credentials.

* Add a krb5_get_init_creds_opt_set_in_ccache() option.

* Add get_cc_config() and set_cc_config() clpreauth callbacks for
  getting string attribute values from an in_ccache and storing them
  in an out_ccache, respectively.

* Add a plugin interface for GSSAPI interposer mechanisms.

* Add an optional responder callback to the krb5_get_init_creds
  functions. The responder callback can consider and answer all
  preauth-related questions at once, and can process more complicated
  questions than the prompter.

* Add a method to the clpreauth interface to allow modules to supply
  response items for consideration by the responder callback.

* Projects/Password_response_item

* Add GSSAPI extensions to allow callers to specify credential store
  locations when acquiring or storing credentials

* Add a new API krb5_kt_client_default() to resolve the default client

Administrator experience:

* Documentation consolidation

* Add parameter expansion for default_keytab_name and
  default_client_keytab_name profile variables.

* Add new default_ccache_name profile variable to override the
  built-in default credential cache name.

* Add configure-time support for changing the built-in ccache and
  keytab names.

* Add krb5-config options for displaying the built-in ccache and
  keytab names.

* In the default build, use the system's built-in ccache and keytab
  names if they can be discovered using krb5-config.

* Add support for a "default client keytab". Its location is
  determined by the KRB5_CLIENT_KTNAME environment variable, the
  default_client_keytab profile relation, or a hardcoded path (TBD).

* GSSAPI initiator applications can now acquire credentials
  automatically from the default client keytab, if one is available.

* Add client support for FAST OTP (RFC 6560)

End-user experience:

* Documentation consolidation

* Store metadata in the ccache about how a credential was acquired, to
  improve the user's experience when reacquiring

* Projects/Extensible_Policy


* Improve KDC lookaside cache performance

Protocol evolution:

* Add client support for FAST OTP (RFC 6560)

* Build Camellia encryption support by default

krb5-1.11 changes by ticket ID

2131    krb5_get_init_creds_keytab() doesn't restrict requested
        enctypes to those in keytab entry
2545    AFS string_to_key broken for passwords > 8 chars
5126    krb5_verify_init_creds behaves badly with a ticket cache
6973    error reporting made worse in gss_acquire_creds
7025    FAST: error handling and const keyblock
7026    FAST TGS
7046    Allow S4U2Proxy delegated credentials to be saved
7047    Allow S4U2Proxy service tickets to be cached
7048    Allow null server key to krb5_pac_verify
7054    Test suite requires python 2.6 or better...
7061    Fix PKINIT serverDHNonce encoding
7063    Prompter delay can cause spurious clock skew
7064    install sphinx-generated manpages
7072    PKINIT pk_as_rep_draft9 encoding issues
7073    kadmin.local.8 belongs in ADMIN_mandir
7080    failures to compile src/lib/krb5/krb/x-deltat.y with GCC 4.7
7085    Better short/long descs in gss_display_mech_attr
7086    potential memory leak in krb5int_get_fq_hostname
7091    Report profile errors when initializing krb5 context
7094    Fail during configure if unable to find ar
7097    improve kadm5 acl testing coverage
7100    trunk a86e885 does not deal with default salt
7105    side effects in assertions
7106    documentation nit in tkt_mgmt.rst
7107    Suppress some gcc uninitialized variable warnings
7109    Key rollover for MIT/AD cross TGT principals fails due to
        kvno 0
7110    Fix password reuse check with cpw -keepold
7111    Incorrect ASN.1 tag for EncASRepPart in svn trunk
7112    KRB5_TRACE is broken in trunk
7113    add tests for trace logging
7114    Support using kdc time during encrypted timestamp preauth
7121    password argument to krb5_get_init_creds_password not const
7125    krb5_verify_init_creds should try all host principals in
        keytab by default
7126    Documentation__Building Kerberos V5
7128    Add API to interpret changepw result strings
7129    Add krb5_parse_name flag to ignore realm
7130    kinit to AD server should be more tolerant of clock skew
7131    [PATCH 1/1] sn2princ.c: add terminal newline to "failed to
        canonicalize" debug message.
7133    [PATCH 1/1] trace.c: rename k5trace to krb5int_trace in
7134    Fix "(null" typo in "{key}" handler in trace.c
7137    Fix "(empty" typo in "{etypes}" handler in trace.c
7138    [PATCH] Add missing $(LIBS) to in several
7139    Remove mention of util/autoconf
7147    Make doc/coding-style point to wiki page
7151    Convert DEBUG_REFERRALS to TRACE_* framework
7158    Add krb5_kt_have_content API
7159    Fail from gss_acquire_cred if we have no keytab
7160    gss_acquire_cred for krb5 initiator creds should fail if no
        tickets exist
7161    Minor memory leak in default_an_to_ln on error
7162    krb5_verify_init_creds frees its input argument
7166    Remove big-endian gss-krb5 support
7173    Add krb5_cccol_have_content API
7179    krb5_cc_get_full_name() does not document how to free
7183    PKINIT should handle CMS SignedData without certificates
7187    ReST html docs render '--' as &#8211 (en dash)
7188    Add krb5_kt_client_default API
7189    Add client keytab initiation support
7190    Try harder to make keytab-based AS requests work
7192    klist does not use localized time formatting
7196    Automatically create DIR ccache directories
7205    Rename 'free' -> 'free_func' in asn1_encode.c/.h
7211    define USE_HEAPALLOC in gssapi_alloc.h
7216    Add kinit/klist -i options to use client keytab
7217    Introduce credential store extensions
7218    Do something reasonable if "kinit -t" without "-k"
7219    Add token expansion for keytab names
7220    Add default_ccache_name profile variable
7221    Support changing the built-in ccache/keytab names
7223    Policy extensions + new policy: allowed ks types
7224    Fix edge-case bugs in kdb5_util load
7229    Turn off replay cache in krb5_verify_init_creds()
7242    Add otp client preauth plugin
7346    Support kdc_timesync offsets in memory ccache
7347    Add support for GSS_C_NT_COMPOSITE_EXPORT
7351    Avoid libdl dependencies in bundled libverto
7354    Introduce gss_export_cred and gss_import_cred
7355    Add responder feature for initial cred exchanges
7356    GSSAPI constrained delegation fails with default initiator
7358    Map CANTLOCK_DB to SVC_UNAVAILABLE in krb5kdc
7359    Use blocking locks in krb5kdc and libkadm5srv
7360    Fix lock inconsistency in ctx_unlock()
7364    Update FILES and WINFILES for
7366    Keep verifier cred locked in accept_sec_context
7367    Remove
7368    MAX_ULOGENTRIES is too low
7369    iprop can block for extended periods due to UPDATE_BUSY
7370    kdb5_util load needs an iprop safety net
7371    kadmind per-slave ipropd dumps are wasteful
7372    kadmind hardcodes paths to kdb5_util, kprop, and dump file
7373    kpropd handling of full resyncs is racy
7374    iprop full resyncs need testing
7375    feature request: kproplog -R to reset ulog, force full resync
7376    kpropd -S option is superfluous
7377    kdb5_util dump is racy
7378 needs a start_kpropd() method
7379    kpropd docs are out of date regarding iprop
7384    kdb5_util dump race can leave policy refcounts incorrect
7399    Race in kdb5_util load completion
7400    GENC should always export composite names
7403    krb5_db_delete_principal() can fail to unlock ulog
7407    Import remaining content from texinfo to reST
7408    Remove obsolete texinfo documentation
7409    rework documentation tree layout
7413    Add an input ccache get_init_creds option
7414    Add "pa_type" configuration to ccaches
7415    Fix sam2 client preauth after salt changes
7416    Use config storage for client OTP token selection
7417    Don't expose binary format in preauth otp
7418    Add dependencies for some test programs
7419    Alter responder function signature for consistency
7421    Documentation__krb5_rd_req - Parse and decrypt a KRB_AP_REQ
7422    Only record real selected preauth type
7423    Document prompter and responder callbacks
7424    Add missing macro and type index.rst entries
7425    Fix verto_ctx declaration in preauth_plugin.h
7426    Add loop() kdcpreauth method
7427    Don't save empty cc_config_out in ccache
7428    Don't leak new fields of krb5_init_creds_context
7429    Document GSSAPI loadable module interface
7431    Improve documentation for krb5_unparse_name_ext()
7433    Documentation build system improvements
7435    Always rebuild rst_composite in src/doc
7436    Document PKINIT and anonymos PKINIT configuration
7437    Update Camellia feature description
7439    Add Camellia to enctype table in documentation
7444    De-conditionalize Camellia code
7445    Make kdb5_util dump work with LDAP again
7446    Add Camellia enctypes to default enctype lists
7447    Fix warnings in doc build
7448    Avoid using grep -q in
7451    Add "Kerberos" to PDF titles
7452    Reword krb5_unparse_name_ext doxygen markup
7453    Update mkrel for new doc build process
7455    Documentation: table formating and ref correction in MIT
7456    Documentation: Update 1.11 feature list
7457    camellia needs key_cleanup() routine
7459    Remove broken clean_hostname trace messages
7460    Add first-introduced version for
        krb5_get_init_creds_opt_set_in_ccache() in doxygen markup
7461    Remove .doctrees when cleaning src/doc
7462    Move Release tag to the footer in Sphinx html documentation
7464    Remove "Test coverage" topic from Sphinx documentation
7466    Do not generate unused parts of toctree
7467    Do not include hidden files in the sidebar
7468    Make sphinx warnings fatal for doc build
7469    Reformat RST to avoid sphinx warnings
7470    Note notice.txt's dependency on
7471    Fix typo
7472    Document parameter expansion for keytab and ccache
        configuration options
7474    Update comments about conflicting KRB5_KEYUSAGE_PA types
7477    Document account lockout configuration
7479    Build fixes for windows
7480    Cross-reference account lockout documentation
7482    Make resources.rst more useful to non-devs
7483    KDC can return host referral to its own realm
7488    Various nits in krb5-1.10.3
7489    Do not document unused symbols
7490    Update comments for RFC 3244 kpasswd extensions
7491    Make building docs easier in an unconfigured tree
7492    Doc build in unconfigured tree broken on some platforms
7494    Regenerate checked-in man pages
7495    Make the doc build quieter
7496    Document API for getting anonymous tickets
7497    Update mkrel for SPHINX_ARGS
7498    Document principal name interactions with DNS
7499    Use an empty challenge for the password question
7500    Add examples to init_creds.rst
7501    Update retiring-des with real-world experience
7503    Fix documentation browser resizing behavior
7504    Conditionally include MITKC logo in HTML doc
7505    Better names for doxygen-Sphinx bridge functions
7506    PKINIT (draft9) null ptr deref [CVE-2012-1016]
7507    Document enctypes
7509    Update README for Sphinx documentation
7510    Add copyright footer to HTML docs
7512    Add web pages to resources.rst
7513    Clarify enctype settings in krb5_conf.rst
7515    Add release string to index.rst page heading


Past and present Sponsors of the MIT Kerberos Consortium:

    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Iowa State University
    Michigan State University
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Tom Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Radoslav Bodo
    Sumit Bose
    Emmanuel Bouillon
    Michael Calmer
    Julien Chaffraix
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Simon Cooper
    Sylvain Cortes
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Mark Deneen
    Roland Dowdeswell
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    William Fiveash
    Ákos Frohner
    Sebastian Galiano
    Marcus Granado
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Dominic Hargreaves
    Jakob Haufe
    Matthieu Hautreux
    Paul B. Henson
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Wyllys Ingersoll
    Holger Isenberg
    Pavel Jindra
    Joel Johnson
    W. Trevor King
    Mikkel Kruse
    Volker Lendecke
    Jan iankko Lieskovsky
    Oliver Loch
    Kevin Longfellow
    Ryan Lynch
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Alexey Melnikov
    Franklyn Mendez
    Markus Moeller
    Kyle Moffett
    Paul Moore
    Keiichi Mori
    Michael Morony
    Zbysek Mraz
    Edward Murrell
    Nikos Nikoleris
    Felipe Ortega
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Tom Parker
    Ezra Peisach
    W. Michael Petullo
    Mark Phalan
    Jonathan Reams
    Robert Relyea
    Martin Rex
    Jason Rogers
    Mike Roszkowski
    Guillaume Rousse
    Tom Shaw
    Peter Shoults
    Simo Sorce
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Joe Travaglini
    Rathor Vipin
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Stef Walter
    Xi Wang
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Xu Qiang
    Nickolai Zeldovich
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.
Something went wrong with that request. Please try again.