Skip to content
This repository

mirror of MIT krb5 repository

tag: krb5-1.4-beta2

Fetching latest commit…

Cannot retrieve the latest commit at this time

README
		   Kerberos Version 5, Release 1.4

			    Release Notes
			The MIT Kerberos Team

Unpacking the Source Distribution
---------------------------------

The source distribution of Kerberos 5 comes in a tarfile,
krb5-1.4-signed.tar.  The tarfile contains a gzipped tarfile,
krb5-1.4.tar.gz, and its corresponding PGP signature,
krb5-1.4.tar.gz.asc.

You will need the GNU gzip program, and preferably, the GNU tar
program, to extract the source distribution.

The distribution will extract into a subdirectory "krb5-1.4" of the
current directory.

Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5.  The info file
krb5-install.info has the same information in info file format.  You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation.  This
is also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively.  They are also available as info files
kerberos-admin.info and krb5-user.info, respectively.  These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments using the krb5-send-pr
program.  The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
compile and install Kerberos V5 on any platform, you may send mail to
krb5-bugs@mit.edu.

You may view bug reports by visiting

http://krbdev.mit.edu/rt/

and logging in as "guest" with password "guest".

Major changes in 1.4
--------------------

* [841] Merged Athena telnetd changes for creating a new option for
  requiring encryption.

* [1349, 2578, 2601, 2606, 2613, 2743, 2775, 2778] Add implementation
  of the RPCSEC_GSS authentication flavor to the RPC library.  Thanks
  to Kevin Coffman and the CITI group at the University of Michigan.

* [2061] The kadmind4 backwards-compatibility admin server and the
  v5passwdd backwards-compatibility password-changing server have been
  removed.

* [1303(inprogress), 2740, 2755, 2781, 2782] Thread safety for krb5
  libraries.

* [2410] Yarrow code now uses AES.

* [2678] New client commands kcpytkt and kdeltkt for Windows.

* [2688] New command mit2ms on Windows.

* [2762] Merged Athena changes to allow ftpd to require encrypted
  passwords.

* [2587] Incorporate gss_krb5_set_allowable_enctypes() and
  gss_krb5_export_lucid_sec_context(), which are needed for NFSv4,
  from Kevin Coffman.

Minor changes in 1.4
--------------------

Please see

http://krbdev.mit.edu/rt/NoAuth/krb5-1.4/fixed-1.4.html

for a complete list.

* [249] Install example config files.

* [427] PATH environment variable won't be overwritten by login.krb5
  if already set.

* [696] Sample KDC propagation script fixed.

* [868] Fixed search for res_search() and friends.

* [927] Compilation on Tru64 now detects GNU linker and chooses
  whether to use -oldstyle_liblookup accordingly.

* [1044] port-sockets.h explicitly declares h_errno if the declaration
  is missing.

* [1210] KDC cleans up some per-listener state upon process
  termination to avoid spurious memory leak indications.

* [1335] The server side of the Horowitz password-change protocol now
  checks for minimum password life.

* [1345, 2730, 2757] patchlevel.h is now the master version file.

* [1364] GNU sed is no longer required to make depend on Irix.

* [1497] A memory leak in the krb5 context serializer has been fixed.

* [1570] Some team procedures now documented.

* [1588] Automatic rebuilding of configure scripts, etc. are only done
  if --enable-maintainer-mode is passed to configure.

* [1623] Memory management in the ftp client has been cleaned up.

* [1724] DNS SRV record lookup support is unconditionally built on
  Unix.

* [1791] Replacement for daemon() is compiled separately each time it
  is needed, rather than ending up in the krb5 library.

* [1806] Default to building shared libraries on most platforms that
  support them.

* [1847] Fixed daemon() replacement to build on Tru64.

* [1850] Fixed some 0 vs NULL issues.

* [2066] AES-only configuration now tested in test suite.

* [2219] Fixed memory leak in KDC preauth handling.

* [2256] Use $(CC) rather than ld to build shared libs on Tru64 and
  Irix.

* [2276] Support for the non-standard enctype
  ENCTYPE_LOCAL_DES3_HMAC_SHA1 has been removed.

* [2285] Test suite checks TCP access to KDC.

* [2295] Minor stylistic cleanup in gss-client.

* [2296, 2370, 2424] krb5_get_init_creds() APIs avoid multiple queries
  to master KDC.

* [2379] Remove _XOPEN_EXTENDED hack previously used for HP-UX.

* [2432] Only sanity-check setutent() API if utmpx.h is not present,
  as this was preventing recent NetBSD from configuring.

* [2525] kvno.exe installed on Windows.

* [2529] Fix some internal type inconsistencies in gssapi library.

* [2530] Fix KRB5_CALLCONV usage in krb5_cc_resolve().

* [2537] Apply fix from John Hascall to make krb5_get_in_tkt()
  emulation actually honor the lifetimes in the input credentials.

* [2539] Create manpage for krb524d.

* [2573] The rcache code no longer attempts to close a negative file
  descriptor from a failed open.

* [2591] The gssapi library now requires that the initiator's channel
  bindings match those provided by the acceptor, if the acceptor
  provides them at all.

* [2592] Fix some HP-UX 11 compilation issues.

* [2598] Fix some HP-UX 11 foreachaddr() issues.

* [2600] gss_accept_sec_context() no longer leaks rcaches.

* [2603] Clean up some issues relating to use of reserved namespace in
  k5-platform.h.

* [2614] Rewrite handling of whitespace in profile library to better
  handle whitespace around tag names.

* [2629] Fix double-negation of a preprocessor test in osconf.h.

* [2637] krb5int_zap_data() uses SecureZeroMemory on Windows instead
  of memset().

* [2654] krb5_get_init_creds() checks for overflow/underflow on 32-bit
  timestamps.

* [2655] krb5_get_init_creds() no longer issues requests where the
  renew_until time precedes the expiration time.

* [2656] krb5_get_init_creds() supports ticket_lifetime libdefault.

* [2657] Default ccache name is evaluated more lazily.

* [2674] libkadm5 acl_init() API renamed to avoid conflict with MacOS
  X acl API.

* [2684, 2710, 2728] Use BIND 8 parsing API when available.

* [2685] The profile library iterators no longer get confused when
  modifications are made to the in-memory profile.

* [2694] The krb5-config script now has a manpage.

* [2704] New ccache API flag to request only information, not actual
  credentials.

* [2705] Support for upcoming read/write MSLSA ccache.

* [2706] resolv.h is included when searching for res_search() and
  friends, to account for symbol renaming.

* [2715] The install-strip make target no longer attempts to strip
  scripts.

* [2718] Fix memory leak in arcfour string_to_key.  Reported by
  Derrick Schommer.

* [2719] Fix memory leak in rd_cred.c.  Reported by Derrick Schommer. 

* [2725] Fix memory leak in mk_req_extended().  Reported by Derrick
  Schommer.

* [2729] Add some new version strings for Windows.

* [2734] The ticket_lifetime libdefault now uses units of seconds by
  default, if no units are provided.

* [2741] The profile library's error tables aren't loaded on MacOS X.

* [2750] Calls to the profile library which set values no longer fail
  if the file is not writable.

* [2751] The profile library has a new API to detect whether the
  default profile is writable.

* [2753] An initial C implementation of CCAPI has been done.

* [2754] fake-addrinfo.h includes errno.h earlier.

* [2756] The profile library calls stat() less frequently on files.

* [2760, 2780] The keytab implementation checks for cases where
  fopen() can return NULL without setting errno.  Reported by Roland
  Dowdeswell.

* [2770] com_err now creates valid prototypes for generated files.
  Reported by Jeremy Allison.

* [2772, 2797] The krb4 library now honors the dns_fallback libdefault
  setting.

* [2776, 2779] Solaris patches exist for the pty-close race condition
  bug.  We check for these patches now checked, and don't apply the
  priocntl hack if they are present.

* [2783] ftpcmds.y unconditionally defines NBBY to 8.

* [2793] locate_kdc.c can compile if KRB5_DNS_LOOKUP isn't defined,
  though we removed the configure-time option for this.

* [2795] Fixed some addrinfo problems that affected Irix.

Copyright Notice and Legal Administrivia
----------------------------------------

Copyright (C) 1985-2004 by the Massachusetts Institute of Technology.

All rights reserved.

Export of this software from the United States of America may require
a specific license from the United States Government.  It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission.  Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original MIT software.
M.I.T. makes no representations about the suitability of this software
for any purpose.  It is provided "as is" without express or implied
warranty.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code files are copyright MIT, Cygnus Support,
OpenVision, Oracle, Sun Soft, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT).  No commercial use of these trademarks may be made without
prior written permission of MIT.

"Commercial use" means use of a name in a product or other for-profit
manner.  It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).

----

The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
of lib/rpc:

   Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved

   WARNING: Retrieving the OpenVision Kerberos Administration system 
   source code, as described below, indicates your acceptance of the 
   following terms.  If you do not agree to the following terms, do not 
   retrieve the OpenVision Kerberos administration system.

   You may freely use and distribute the Source Code and Object Code
   compiled from it, with or without modification, but this Source
   Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
   INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
   FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
   EXPRESS OR IMPLIED.  IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
   FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF 
   SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
   CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, 
   WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE 
   CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY 
   OTHER REASON.

   OpenVision retains all copyrights in the donated Source Code. OpenVision
   also retains copyright to derivative works of the Source Code, whether
   created by OpenVision or by a third party. The OpenVision copyright 
   notice must be preserved if derivative works are made based on the 
   donated Source Code.

   OpenVision Technologies, Inc. has donated this Kerberos 
   Administration system to MIT for inclusion in the standard 
   Kerberos 5 distribution.  This donation underscores our 
   commitment to continuing Kerberos technology development 
   and our gratitude for the valuable work which has been 
   performed by MIT and the Kerberos community.

----

    Portions contributed by Matt Crawford <crawdad@fnal.gov> were
    work performed at Fermi National Accelerator Laboratory, which is
    operated by Universities Research Association, Inc., under
    contract DE-AC02-76CHO3000 with the U.S. Department of Energy.

---- The implementation of the Yarrow pseudo-random number generator
in src/lib/crypto/yarrow has the following copyright:

Copyright 2000 by Zero-Knowledge Systems, Inc.

Permission to use, copy, modify, distribute, and sell this software
and its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of Zero-Knowledge Systems,
Inc. not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
permission.  Zero-Knowledge Systems, Inc. makes no representations
about the suitability of this software for any purpose.  It is
provided "as is" without express or implied warranty.

ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

---- The implementation of the AES encryption algorithm in
src/lib/crypto/aes has the following copyright:

 Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
 All rights reserved.

 LICENSE TERMS

 The free distribution and use of this software in both source and binary 
 form is allowed (with or without changes) provided that:

   1. distributions of this source code include the above copyright 
      notice, this list of conditions and the following disclaimer;

   2. distributions in binary form include the above copyright
      notice, this list of conditions and the following disclaimer
      in the documentation and/or other associated materials;

   3. the copyright holder's name is not used to endorse products 
      built using this software without specific written permission. 

 DISCLAIMER

 This software is provided 'as is' with no explcit or implied warranties
 in respect of any properties, including, but not limited to, correctness 
 and fitness for purpose.

---- The implementation of the RPCSEC_GSS authentication flavor in
src/lib/rpc has the following copyright:

  Copyright (c) 2000 The Regents of the University of Michigan.
  All rights reserved.
  
  Copyright (c) 2000 Dug Song <dugsong@UMICH.EDU>.
  All rights reserved, all wrongs reversed.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:

  1. Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.
  3. Neither the name of the University nor the names of its
     contributors may be used to endorse or promote products derived
     from this software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Acknowledgments
---------------

Appreciation Time!!!!  There are far too many people to try to thank
them all; many people have contributed to the development of Kerberos
V5.  This is only a partial listing....

Thanks to Kevin Coffman and the CITI group at the University of
Michigan for providing patches for implementing RPCSEC_GSS
authentication in the RPC library.

Thanks to Derrick Schommer for reporting multiple memory leaks.

Thanks to Quanah Gibson-Mount of Stanford University for helping
exercise the thread support code.

[...]

Thanks to the members of the Kerberos V5 development team at MIT, both
past and present: Danilo Almeida, Jeffrey Altman, Jay Berkenbilt,
Richard Basch, Mitch Berger, John Carr, Don Davis, Alexandra Ellwood,
Nancy Gilman, Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva
Jacobus, Miroslav Jurisic, Barry Jaspan, Geoffrey King, John Kohl,
Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall
Vale, Tom Yu.
Something went wrong with that request. Please try again.