1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
|
Kerberos Version 5, Release 1.13
Release Notes
The MIT Kerberos Team
Copyright and Other Notices
---------------------------
Copyright (C) 1985-2015 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.
Please see the file named NOTICE for additional notices.
Documentation
-------------
Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.
Additionally, you may find copies of the HTML format documentation
online at
http://web.mit.edu/kerberos/krb5-latest/doc/
for the most recent supported release, or at
http://web.mit.edu/kerberos/krb5-devel/doc/
for the release under development.
More information about Kerberos may be found at
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site
http://kerberos.org/
Building and Installing Kerberos 5
----------------------------------
Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.
The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.
If you are attempting to build under Windows, please see the
src/windows/README file.
Reporting Bugs
--------------
Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.
You may view bug reports by visiting
http://krbdev.mit.edu/rt/
and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.
DES transition
--------------
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in 1.13.3 (2015-12-04)
------------------------------------
This is a bug fix release. The krb5-1.13 release series is in
maintenance, and for new deployments, installers should prefer the
krb5-1.14 release series or later.
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
[CVE-2015-2698]
* Fix build_principal memory bug that could cause a KDC
crash. [CVE-2015-2697]
* Allow an iprop slave to receive full resyncs from KDCs running
krb5-1.10 or earlier.
krb5-1.13.3 changes by ticket ID
--------------------------------
8031 Document multi-component profile paths
8173 Supply a hostrealm module to query the registry
8174 Bump KRB5_MINOR_RELEASE for windows
8196 Correct CSAIL KDC names
8197 Fix bindresvport_sa port byte swap bug
8201 Tolerate null oid pointer in gss_release_oid()
8204 Fix leak in gss_acquire_cred_with_password
8209 stale krb5.ini files still cause default realm WIN.MIT.EDU
8214 Fix uncommon null dereference in PKINIT client
8223 Uncommon memory leak of err_padata in krb5_init_creds_step()
8229 Do not allow stream socket retries in libkrad
8232 Fix gss_inquire_name() name_is_MN result
8238 Check for null name_type in gss_display_name_ext
8239 Fix krb5_rd_req() memory leak
8240 Fix error handling in gss_export_sec_context()
8241 Fix KDC client referrals
8282 SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696]
8283 Fix build_principal memory bug [CVE-2015-2697]
8284 Fix IAKERB context export/import [CVE-2015-2698]
8285 Fix mechglue gss_acquire_cred_impersonate_name
8286 Fix compatibility with pre-1.11 iprop dump files
8287 Remove ksu -D flag documentation
8288 Untabify kerberos.schema and kerberos.ldif
8289 Fix error mappings for IOV MIC mechglue funcs
8290 Fix minor utf8-to-ucs2s read overrun bug
8291 Define error status GSS_S_BAD_MIC
8292 Fix typo in GSS_S_UNAUTHORIZED error message
8293 Fix gss_inquire_names_for_mech() on MS krb5 mech
8294 Check output params on GSS OID set functions
Major changes in 1.13.2 (2015-05-08)
------------------------------------
This is a bug fix release.
* Fix a minor vulnerability in krb5_read_message, which is primarily
used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
[CVE-2015-2694]
* Fix some issues with the LDAP KDC database back end.
* Fix an iteration-related memory leak in the DB2 KDC database back
end.
* Fix issues with some less-used kadm5.acl functionality.
* Improve documentation.
krb5-1.13.2 changes by ticket ID
--------------------------------
8050 Fix krb5_read_message handling [CVE-2014-5355]
8149 Add formats section to documentation
8153 Import names immediately with COMPOSITE_EXPORT
8154 kadmind ACL back-references can affect later lines
8155 kadm5.acl flag restrictions don't use documented syntax
8160 requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]
8162 Disable principal renames for LDAP
8166 Fix LDAP ticket policies on big-endian LP64
8168 Fix memory leak in DB2 iteration
8170 Fix minor documentation errors
Major changes in 1.13.1 (2015-02-11)
------------------------------------
This is a bug fix release.
* Fix multiple vulnerabilities in the LDAP KDC back end.
[CVE-2014-5354] [CVE-2014-5353]
* Fix multiple kadmind vulnerabilities, some of which are based in the
gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
CVE-2014-9422 CVE-2014-9423]
krb5-1.13.1 changes by ticket ID
--------------------------------
7880 Fix typo in doc for krb5_get_init_creds_keytab()
7962 remote kadmin client doesn't parse "-norandkey"
8011 PKINIT PKCS12 prompt length constraint limits certificate path
length
8024 Use gssalloc_malloc for GSS error tokens
8028 Report output ccache errors getting initial creds
8029 Fix cursor leak in krb5_verify_init_creds
8034 Fix input race condition in t_skew.py
8035 Update example enctypes in kdc_conf.rst
8038 Kadmind/kadmin.local issues after migration from version
1.12.2 to 1.13
8041 kadmind with ldap backend crashes when putting keyless entries
[CVE-2014-5354]
8049 Fix LDAP tests when sasl.h not found
8051 Fix LDAP misused policy name crash [CVE-2014-5353]
8053 Fix OTP tests with pyrad 2.x
8055 Fix gss_process_context_token() [CVE-2014-5352]
8056 Fix kadm5/gssrpc XDR double free [CVE-2014-9421]
8057 Fix kadmind server validation [CVE-2014-9422]
8058 Fix gssrpc data leakage [CVE-2014-9423]
8059 Check for null *iter_p in profile_iterator()
8060 kinit -C loops chasing realm referrals against MIT KDC
8061 Export function gss_add_cred_with_password
8066 Bump DAL major version for iterate change
8072 Avoid uninitialized data in t_prf.c
Major changes in 1.13 (2014-10-15)
----------------------------------
Administrator experience:
* Add support for accessing KDCs via an HTTPS proxy server using the
MS-KKDCP protocol.
* Add support for hierarchical incremental propagation, where slaves
can act as intermediates between an upstream master and other
downstream slaves.
* Add support for configuring GSS mechanisms using
/etc/gss/mech.d/*.conf files in addition to /etc/gss/mech.
* Add support to the LDAP KDB module for binding to the LDAP server
using SASL.
* The KDC listens for TCP connections by default.
* Fix a minor key disclosure vulnerability where using the "keepold"
option to the kadmin randkey operation could return the old keys.
[CVE-2014-5351]
User experience:
* Add client support for the Kerberos Cache Manager protocol. If the
host is running a Heimdal kcm daemon, caches served by the daemon
can be accessed with the KCM: cache type.
* When built on OS X 10.7 and higher, use "KCM:" as the default cache
type, unless overridden by command-line options or krb5-config
values.
Performance:
* Add support for doing unlocked database dumps for the DB2 KDC back
end, which would allow the KDC and kadmind to continue accessing the
database during lengthy database dumps.
krb5-1.13 changes by ticket ID
------------------------------
884 having "-" in key:salt separator list prevents salttype
defaulting from working
1794 don't use mktemp
3498 race opening/creating replay cache.
5958 kadmin salttype "no salt" means really means "default/normal
salt"
6034 rework gic_opt_ext to be more portable
6042 krb5_string_to_keysalts should default to normal salt rather
than "ignore salttype"
6413 pkinit thread safety
6550 old_stash_bendian is a keytab
6731 KDC should listen to TCP by default
7232 Confusing error message for key version mismatch
7704 Anonymous kadmin does not work
7728 ksu assumes the invoking user's using a FILE: ccache
7761 Document that newer AFS supports stronger crypto
7795 Allow ":port" suffixes in sn2princ hostnames
7800 krb5-1.11/1.12: kadm5_init_with_* interface
7816 Don't produce context deletion token in krb5 mech
7819 Add rcache feature to gss_acquire_cred_from
7838 Fix gss_pseudo_random leak on zero length output
7840 Remove krb5-send-pr
7850 Remove kdb5_util load iprop safety net
7855 Add hierarchical iprop support
7857 Web Documentation: Missing reference to 1.12
7859 Move OTP sockets to KDC_RUN_DIR
7861 iprop can deadlock on master KDC
7868 krb5_get_init_creds_password ignores preauth options when
changing password
7869 In kdb5_util dump, only lock DB for iprop dumps
7879 Rewrite GSS sequence state tracking code
7882 Load mechglue config files from /etc/gss/mech.d
7883 Try compatible keys in rd_req_dec "any" path
7884 profile writes may not be immediately detected within same
process
7886 Don't check kpasswd reply address
7889 PKINIT use of OpenSSL OID table is not thread-safe or
application-friendly
7891 Don't free cred handle used in kadm5 server handle
7892 mismatch between client keytab default principal for kinit and
GSS-API
7901 Update sample configs to include master_kdc
7906 Don't remove ccache creds before storing them
7907 Allow GSS mechs to force mechlistMIC in SPNEGO
7908 Fix unlikely memory error in krb5_rd_cred
7910 KDC does not log client principal if TGS header ticket
verification fails
7913 Use case insensitive DNS SAN matching in PKINIT
7915 Improve pointer hygiene around gss_display_name
7918 LDAP key data decoder ignores salt type if salt value is empty
7923 x-deltat.y is not compatible with bison 3
7925 05cbef80d53 breaks /etc/gss/mech
7927 Better document how to verify PGP signature
7929 HTTP proxy support
7933 pkinit_win2k_require_binding behavior does not match
documentation
7934 Remove PKINIT longhorn compatibility option
7935 Add a family-independent bindresvport_sa function
7939 kadm5.acl docs wrongly imply that list permission can have a
target
7944 Add SASL support to LDAP KDB module
7947 Load plugins with RTLD_NODELETE if possible
7961 Define _GNU_SOURCE as part of build
7964 Add KCM credential cache type (client only)
7968 Improve error message for PRNG seeding failure
7974 Don't equate IAKERB and krb5 in SPNEGO initiator
7975 Negotiating NTLM with SPNEGO against Windows Server 2003
doesn't work
7977 Enable unlocked KDB iteration
7978 Support kdb5_util dump -rev again
7979 Add kiprop/<master-hostname> during KDB creation
7981 Minor memory leak in GSS-API mechanism initialization
7983 In ksu, without the -e flag, also check .k5users
7984 Make ksu respect the default_ccache_name setting
7986 Copy config entries to the ksu target ccache
7987 Fix GSS krb5 GSS_C_DELEG_FLAG ret_flags result
7988 Make krb5_cc_new_unique create DIR: directories
7990 Fix HP-UX build support
7992 Fix test syntax in configure.in
7993 Autodetect OpenSSL CMS for LibreSSL compatibility
7994 randkey does not update principal's master key version
7995 kadmin change_password -keepold does not work with master key
migration
7996 Simplify and improve ksu cred verification
7997 kadm5_randkey_principal interop with Solaris KDC
7998 gssapi.dll tries to get initial creds even when some are
present
8000 gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is
enabled
8001 Allow logger.c to work with redirected stderr
8003 Export gssrpc_bindresvport_sa
8004 Map .hin files to the C language for doxygen
8005 Initialize iterflags in update_princ_encryption
8006 Update NOTICE for 1.13
8007 In ksu, handle typeless default_ccache_name values
8008 Document clock skew tolerance for ticket times
8015 Fix ksu crash in cases where it obtains the TGT
8016 Restore providing password TGTs for the ksu target
8017 gss_acquire_cred_impersonate_name crashes with acceptor-only
impersonator creds
8018 Return only new keys in randkey [CVE-2014-5351]
Acknowledgements
----------------
Past and present Sponsors of the MIT Kerberos Consortium:
Apple
Carnegie Mellon University
Centrify Corporation
Columbia University
Cornell University
The Department of Defense of the United States of America (DoD)
Fidelity Investments
Google
Iowa State University
MIT
Michigan State University
Microsoft
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
Oracle
Pennsylvania State University
Red Hat
Stanford University
TeamF1, Inc.
The University of Alaska
The University of Michigan
The University of Pennsylvania
Past and present members of the Kerberos Team at MIT:
Danilo Almeida
Jeffrey Altman
Justin Anderson
Richard Basch
Mitch Berger
Jay Berkenbilt
Andrew Boardman
Bill Bryant
Steve Buckley
Joe Calzaretta
John Carr
Mark Colan
Don Davis
Alexandra Ellwood
Carlos Garay
Dan Geer
Nancy Gilman
Matt Hancher
Thomas Hardjono
Sam Hartman
Paul Hill
Marc Horowitz
Eva Jacobus
Miroslav Jurisic
Barry Jaspan
Benjamin Kaduk
Geoffrey King
Kevin Koch
John Kohl
HaoQi Li
Jonathan Lin
Peter Litwack
Scott McGuire
Steve Miller
Kevin Mitchell
Cliff Neuman
Paul Park
Ezra Peisach
Chris Provenzano
Ken Raeburn
Jon Rochlis
Jeff Schiller
Jen Selby
Robert Silk
Bill Sommerfeld
Jennifer Steiner
Ralph Swick
Brad Thompson
Harry Tsai
Zhanna Tsitkova
Ted Ts'o
Marshall Vale
Tom Yu
The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:
Ian Abbott
Brandon Allbery
Russell Allbery
Brian Almeida
Michael B Allen
Heinz-Ado Arnolds
Derek Atkins
Mark Bannister
David Bantz
Alex Baule
David Benjamin
Thomas Bernard
Adam Bernstein
Arlene Berry
Jeff Blaine
Radoslav Bodo
Sumit Bose
Emmanuel Bouillon
Philip Brown
Michael Calmer
Andrea Campi
Julien Chaffraix
Ravi Channavajhala
Srinivas Cheruku
Leonardo Chiquitto
Howard Chu
Andrea Cirulli
Christopher D. Clausen
Kevin Coffman
Simon Cooper
Sylvain Cortes
Ian Crowther
Arran Cudbard-Bell
Jeff D'Angelo
Nalin Dahyabhai
Mark Davies
Dennis Davis
Alex Dehnert
Mark Deneen
Günther Deschner
John Devitofranceschi
Roland Dowdeswell
Viktor Dukhovni
Jason Edgecombe
Mark Eichin
Shawn M. Emery
Douglas E. Engert
Peter Eriksson
Juha Erkkilä
Gilles Espinasse
Ronni Feldt
Bill Fellows
JC Ferguson
Remi Ferrand
Paul Fertser
William Fiveash
Ákos Frohner
Sebastian Galiano
Marcus Granado
Scott Grizzard
Helmut Grohne
Steve Grubb
Philip Guenther
Dominic Hargreaves
Robbie Harwood
Jakob Haufe
Matthieu Hautreux
Paul B. Henson
Jeff Hodges
Christopher Hogan
Love Hörnquist Åstrand
Ken Hornstein
Henry B. Hotz
Luke Howard
Jakub Hrozek
Shumon Huque
Jeffrey Hutzelman
Wyllys Ingersoll
Holger Isenberg
Pavel Jindra
Joel Johnson
Anders Kaseorg
W. Trevor King
Patrik Kis
Mikkel Kruse
Reinhard Kugler
Tomas Kuthan
Pierre Labastie
Volker Lendecke
Jan iankko Lieskovsky
Oliver Loch
Kevin Longfellow
Jon Looney
Nuno Lopes
Ryan Lynch
Roland Mainz
Andrei Maslennikov
Michael Mattioli
Nathaniel McCallum
Greg McClement
Cameron Meadors
Alexey Melnikov
Franklyn Mendez
Markus Moeller
Kyle Moffett
Paul Moore
Keiichi Mori
Michael Morony
Zbysek Mraz
Edward Murrell
Nikos Nikoleris
Felipe Ortega
Michael Osipov
Andrej Ota
Dmitri Pal
Javier Palacios
Tom Parker
Ezra Peisach
Zoran Pericic
W. Michael Petullo
Mark Phalan
Brett Randall
Jonathan Reams
Jonathan Reed
Robert Relyea
Martin Rex
Jason Rogers
Nate Rosenblum
Solly Ross
Mike Roszkowski
Guillaume Rousse
Andreas Schneider
Tom Shaw
Jim Shi
Peter Shoults
Simo Sorce
Michael Spang
Michael Ströder
Bjørn Tore Sund
Joe Travaglini
Tim Uglow
Rathor Vipin
Denis Vlasenko
Jorgen Wahlsten
Stef Walter
Max (Weijun) Wang
John Washington
Stef Walter
Xi Wang
Kevin Wasserman
Margaret Wasserman
Marcus Watts
Andreas Wiese
Simon Wilkinson
Nicolas Williams
Ross Wilper
Augustin Wolf
David Woodhouse
Tsu-Phong Wu
Xu Qiang
Neng Xue
Nickolai Zeldovich
Hanz van Zijst
Gertjan Zwartjes
The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.
|