Skip to content
mirror of MIT krb5 repository
C C++ Python HTML Groff Makefile Other
Find file
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


                   Kerberos Version 5, Release 1.9

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices

Copyright (C) 1985-2011 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.

MIT Kerberos is a project of the MIT Kerberos Consortium.  For more
information about the Kerberos Consortium, see

For more information about the MIT Kerberos software, see

People interested in participating in the MIT Kerberos development
effort should visit

Building and Installing Kerberos 5

The first file you should look at is doc/; it contains
the notes for building and installing Kerberos 5.  The info file has the same information in info file format.  You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation.  This
is also available as an HTML file, install.html.

Other good files to look at are and,
which contain the system administrator's guide, and the user's guide,
respectively.  They are also available as info files and, respectively.  These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs

Please report any problems/bugs/comments using the krb5-send-pr
program.  The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
compile and install Kerberos V5 on any platform, you may send mail to

Please keep in mind that unencrypted e-mail is not secure. If you need
to report a security vulnerability, or send sensitive information,
please PGP-encrypt it to

You may view bug reports by visiting

and logging in as "guest" with password "guest".

DES transition

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.9.2

This is primarily a bugfix release.

* Improve KDC performance by fully its disabling replay cache.

* Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities
  [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529].

krb5-1.9.1 changes by ticket ID

6844    Memory leak in save_error_string_nocopy()
6884    KDC memory leak in FAST error path
6885    KDC memory leak of reply padata for FAST replies
6886    rc4-hmac weak key checks break interoperability
6888    No explanation of failed passwd entry if REQUIRES_PWCHANGE is set
6906    modernize doc/Makefile somewhat
6907    setpw response parsing fails for lengths above 255
6908    Delete sec context properly in gss_krb5_export_lucid_sec_context
6912    Use hmac-md5 checksum for PA-FOR-USER padata
6913    Fix multiple tl-data updates over iprop
6916    Restore krb5_get_credentials caching for referral requests
6917    Restore fallback non-referral TGS request to same realm
6920    Fix old-style GSSRPC authentication
6932    Fix gss_set_cred_option cred creation with no name
6939    Legacy checksum APIs usually fail
6941    Fix accidental KDC use of replay cache
6943    incorrect reference in spnego_gss_set_cred_option
6949    TCP connection leak with 1.9.1, with connect_to_server()
6952    Fix cross-realm traversal TGT requests
6960    always include krb5_libinit.h in init_ctx.c
6970    gss_unwrap_iov crashes with stream buffers for 3des, des, rc4
6972    memory leak in version 1.9.1
6982    SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528
6990    fix tar invocation in mkrel

Major changes in 1.9.1

This is primarily a bugfix release.

* Fix vulnerabilities:
  ** kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
  ** KDC denial of service attacks [MITKRB5-SA-2011-002
     CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
  ** KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003
  ** kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]

* Interoperability:

  ** Don't reject AP-REQ messages if their PAC doesn't validate;
     suppress the PAC instead.

  ** Correctly validate HMAC-MD5 checksums that use DES keys

krb5-1.9.1 changes by ticket ID

6596    [Michael Spang] Bug#561176: krb5-kdc-ldap: krb5kdc leaks file
6675    segfault in gss_export_sec_context
6800    memory leak in kg_new_connection
6847    Suppress camellia-gen in 1.9 make check
6849    Fix edge case in LDAP last_admin_unlock processing
6852    Make gss_krb5_set_allowable_enctypes work for the acceptor
6856    Fix seg faulting trace log message for use of fallback realm
6859    kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
6860    KDC denial of service attacks [MITKRB5-SA-2011-002
        CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
6867    Trace logging file descriptor leak
6869    hmac-md5 checksum doesn't work with DES keys
6870    Don't reject AP-REQs based on PACs
6871    "make distclean" leaves an object file behind.
6875    kdb5_util mkey operations hit assertion when iprop is enabled
6881    KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
6899    kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]

Major changes in 1.9

Additional background information on these changes may be found at


Code quality:

* Fix MITKRB5-SA-2010-007 checksum vulnerabilities (CVE-2010-1324 and

* Add a Python-based testing framework.

* Perform DAL cleanup.

Developer experience:

* Add NSS crypto back end.

* Improve PRNG modularity.

* Add a Fortuna-like PRNG back end.


* Account lockout performance improvements -- allow disabling of some
  account lockout functionality to reduce the number of write
  operations to the database during authentication

* Add support for multiple KDC worker processes.

Administrator experience:

* Add Trace logging support to ease the diagnosis of configuration

* Add support for purging old keys (e.g. from "cpw -randkey -keepold").

* Add plugin interface for password sync -- based on proposed patches
  by Russ Allbery that support his krb5-sync package

* Add plugin interface for password quality checks -- enables
  pluggable password quality checks similar to Russ Allbery's
  krb5-strength package.

* Add a configuration file validator script.

* Add KDC support for SecurID preauthentication -- this is the old
  SAM-2 protocol, implemented to support existing deployments, not the
  in-progress FAST-OTP work.

* Add "cheat" capability for kinit when running on a KDC host.

Protocol evolution:

* Add support for IAKERB -- a mechanism for tunneling Kerberos KDC
  transactions over GSS-API, enabling clients to authenticate to
  services even when the clients cannot directly reach the KDC that
  serves the services.

* Add support for Camellia encryption (experimental; disabled by

* Add GSS-API support for implementors of the SASL GS2 bridge

krb5-1.9 changes by ticket ID

1219    mechanism to delete old keys should exist
2032    No advanced warning of password expiry
5014    kadmin (and other utilities) should report enctypes as it takes them
6647    Memory leak in kdc
6672    Python test framework
6679    Lazy history key creation
6684    Simple kinit verbosity patch
6686    IPv6 support for kprop and kpropd
6688    mit-krb5-1.7 fails to compile against openssl-1.0.0
6699    Validate and renew should work on non-TGT creds
6700    Introduce new krb5_tkt_creds API
6712    Add IAKERB mechanism and gss_acquire_cred_with_password
6714    [patch] fix format errors in krb5-1.8.1
6715    cksum_body exports
6719    Add lockout-related performance tuning variables
6720    Negative enctypes improperly read from keytabs
6723    Negative enctypes improperly read from ccaches
6733    Make signedpath authdata visible via GSS naming exts
6736    Add krb5_enctype_to_name() API
6737    Trace logging
6746    Make kadmin work over IPv6
6749    DAL improvements
6753    Fix XDR decoding of large values in xdr_u_int
6755    Add GIC option for password/account expiration callback
6758    Allow krb5_gss_register_acceptor_identity to unset keytab name
6760    Fail properly when profile can't be accessed
6761    add profile include support
6762    key expiration computed incorrectly in libkdb_ldap
6763    New plugin infrastructure
6765    Password quality pluggable interface
6769    clean up memory leak and potential unused variable in crypto tests
6771    Fix memory leaks in kdb5_verify
6772    Ensure valid key in krb5int_yarrow_cipher_encrypt_block
6774    pkinit client cert matching can be disrupted by one of the
        candidate certs
6775    pkinit <KU> evaluation during certificate matching may fail
6776    Typos in src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
6777    Segmentation fault in krb library (sn2princ.c) if realm not resolved
6778    kdb: store mkey list in context and permit NULL mkey for
6779    kinit: add KDB keytab support
6783    KDC worker processes feature
6784    relicense Sun RPC to 3-clause BSD-style
6785    Add gss_krb5_import_cred
6786    kpasswd: if a credential cache is present, use FAST
6787    S4U memory leak
6791    kadm5_hook: new plugin interface
6792    Implement k5login_directory and k5login_authoritative options
6793    acquire_init_cred leaks interned name
6794    krb5.conf manpage missing reference to rdns setting
6795    Propagate modprinc -unlock from master to slave KDCs
6796    segfault due to uninitialized variable in S4U
6799    Performance issue in LDAP policy fetch
6801    Fix leaks in get_init_creds interface
6802    copyright notice updates
6804    Remove KDC replay cache
6805    securID code fixes
6806    securID error handling fix
6807    SecurID build support
6809    gss_krb5int_make_seal_token_v3_iov fails to set conf_state
6810    Better  libk5crypto NSS fork safety
6811    Mark Camellia-CCM code as experimental
6812    krb5_get_credentials should not fail due to inability to store
        a credential in a cache
6815    Failed kdb5_util load removes real database
6819    Handle referral realm in kprop client principal
6820    Read KDC profile settings in kpropd
6822    Implement Camellia-CTS-CMAC instead of Camellia-CCM
6823    getdate.y: declare yyparse
6824    Export krb5_tkt_creds_get
6825    Add missing KRB5_CALLCONV in callback declaration
6826    Fix Windows build
6827    SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
6828    Install kadm5_hook_plugin.h
6829    Implement restrict_anonymous_to_tgt realm flag
6838    Regression in renewable handling
6839    handle MS PACs that lack server checksum
6840    typo in plugin-related error message
6841    memory leak in changepw.c
6842    Ensure time() is prototyped in g_accept_sec_context.c


Past and present Sponsors of the MIT Kerberos Consortium:

    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Iowa State University
    Michigan State University
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Tom Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Derek Atkins
    David Bantz
    Alex Baule
    Arlene Berry
    Jeff Blaine
    Radoslav Bodo
    Emmanuel Bouillon
    Michael Calmer
    Julien Chaffraix
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Simon Cooper
    Sylvain Cortes
    Nalin Dahyabhai
    Dennis Davis
    Roland Dowdeswell
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    William Fiveash
    Ákos Frohner
    Marcus Granado
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Dominic Hargreaves
    Jakob Haufe
    Jeff Hodges
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Wyllys Ingersoll
    Holger Isenberg
    Pavel Jindra
    Joel Johnson
    Mikkel Kruse
    Volker Lendecke
    Jan iankko Lieskovsky
    Kevin Longfellow
    Ryan Lynch
    Nathaniel McCallum
    Cameron Meadors
    Franklyn Mendez
    Markus Moeller
    Paul Moore
    Keiichi Mori
    Zbysek Mraz
    Edward Murrell
    Nikos Nikoleris
    Felipe Ortega
    Dmitri Pal
    Javier Palacios
    Ezra Peisach
    W. Michael Petullo
    Mark Phalan
    Robert Relyea
    Martin Rex
    Jason Rogers
    Mike Roszkowski
    Guillaume Rousse
    Tom Shaw
    Peter Shoults
    Simo Sorce
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Rathor Vipin
    Jorgen Wahlsten
    Max (Weijun) Wang
    John Washington
    Marcus Watts
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Xu Qiang
    Hanz van Zijst

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.
Something went wrong with that request. Please try again.