1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
|
Kerberos Version 5, Release 1.14
Release Notes
The MIT Kerberos Team
Copyright and Other Notices
---------------------------
Copyright (C) 1985-2016 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.
Please see the file named NOTICE for additional notices.
Documentation
-------------
Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.
Additionally, you may find copies of the HTML format documentation
online at
http://web.mit.edu/kerberos/krb5-latest/doc/
for the most recent supported release, or at
http://web.mit.edu/kerberos/krb5-devel/doc/
for the release under development.
More information about Kerberos may be found at
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site
http://kerberos.org/
Building and Installing Kerberos 5
----------------------------------
Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.
The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.
If you are attempting to build under Windows, please see the
src/windows/README file.
Reporting Bugs
--------------
Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.
You may view bug reports by visiting
http://krbdev.mit.edu/rt/
and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.
DES transition
--------------
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in 1.14.4 (2016-09-13)
------------------------------------
This is a bug fix release.
* Fix some rare btree data corruption bugs
* Fix numerous minor memory leaks
* Improve portability (Linux-ppc64el, FreeBSD)
* Improve some error messages
* Improve documentation
krb5-1.14.4 changes by ticket ID
--------------------------------
8432 Fix memory leak in db2 policy DB initialization
8433 Fix memory leak destroying DIR ccache
8435 Fix leak on error in libkadm5_clnt initialization
8437 Fix leaks on error in krb5 gss_acquire_cred()
8438 Fix leak in k5_free_cammac()
8439 Fix leak in gss_display_name() for non-MN names
8440 Fix krb5_get_init_creds_password() pwchange leak
8441 Fix leak in ulog_replay()
8442 Fix leak in DB2 krb5_db_promote() implementation
8443 Fix leak in FAST OTP client processing
8444 Fix unlikely leak in sendto_kdc
8445 Fix leak in kadm5_hook interface
8447 Fix leak in capaths processing
8453 Fix leak on error in libkadm5_srv initialization
8454 Missing responder if there is no pre-auth
8460 Fix SPNEGO imported cred initialization
8469 Properly escape quotes for otp set_string example
8470 Warn about dump -recurse nonfunctionality
8472 Add Host HTTP header to MS-KKDCP requests
8473 Handle errors from curs_init in db2 back end
8474 gnu libc OFD lock bug affects krb5
8475 Fix build with -O3 on ppc64el
8477 Fix KDC to drop repeated in-progress requests
8480 Fix GSSRPC server credential memory leak
8481 Improve checking of decoded DB2 principal values
8482 Memory leak in krb5_server_decrypt_ticket_keytab()
8483 Avoid byte-swap cache corruption in libdb2
8484 Avoid unaligned access in btree byte swapping
8485 Fix btree byte swapping for overflow data
8486 Guess Samba client mutual flag using ap_options
8489 Update config.guess, config.sub
8491 Remove meaningless checks decoding DB2 principals
8492 Fix directory changes to use explicit subshells
8493 Fix unaligned accesses in bt_split.c
Major changes in 1.14.3 (2016-07-20)
------------------------------------
This is a bug fix release.
* Improve some error messages
* Improve documentation
* Allow a principal with nonexistent policy to bypass the minimum
password lifetime check, consistent with other aspects of
nonexistent policies
* Fix a rare KDC denial of service vulnerability when anonymous client
principals are restricted to obtaining TGTs only [CVE-2016-3120]
krb5-1.14.3 changes by ticket ID
--------------------------------
8378 Improve error message "kadmind: No such file or directory
while initializing, aborting"
8392 Add missing newline in kinit usage message
8395 Fetching master key list crashes if K/M has no key data
8413 Fix unlikely pointer error in get_in_tkt.c
8415 Uninitialized read in krb5_sname_match
8417 Fix typo in doc/user/tkt_mgmt.rst
8421 Avoid setting AS key when OTP preauth fails
8422 Relax t_sn2princ.py reverse resolution test
8427 kadmind minimum life check fails for nonexistent policies
8430 Fix incorrect recv() size calculation in libkrad
8431 profile_flush_to_file() can corrupt shared tree state
8448 Confusing error text for unset default_realm
8452 Update LDAP docs for password lockout
8455 k5_expand_path_tokens_extra() always returns 0 even if
expand_token() fails
8457 Fix error code on clpreauth module failure
8458 Fix S4U2Self KDC crash when anon is restricted [CVE-2016-3120]
Major changes in 1.14.2 (2016-04-18)
------------------------------------
This is a bug fix release.
* Fix a moderate-severity vulnerability in the LDAP KDC back end that
could be exploited by a privileged kadmin user [CVE-2016-3119]
* Improve documentation
* Fix some interactions with GSSAPI interposer mechanisms
krb5-1.14.2 changes by ticket ID
--------------------------------
8330 Enable interposing gss_inquire_attrs_for_mech()
8358 Report inquire_attrs_for_mech mech failures
8359 Enable interposing gss_inquire_saslname_for_mech
8360 Use public OID for interposing several functions
8362 memleak in decrypt_2ndtkt()
8363 s4u protocol transition tests revealing memleaks in krb5kdc
8373 SPNEGO gss_init_sec_context() can fail or prematurely resolve creds
8383 Fix LDAP null deref on empty arg [CVE-2016-3119]
8385 Fix keytab file format description
8387 Add documentation for krb5_error_code
8390 Default to LSA when TGT in LSA is inaccessible
Major changes in 1.14.1 (2016-02-29)
------------------------------------
* Fix some moderate-severity vulnerabilities [CVE-2015-8629,
CVE-2015-8630, CVE-2015-8631] in kadmind.
* Improve behavior on hosts with long hostnames.
* Avoid spurious failures when doing normal kprop to heavily loaded
slave KDCs.
krb5-1.14.1 changes by ticket ID
--------------------------------
8276 Fix mechglue gss_acquire_cred_impersonate_name
8281 Fix memory leak in SPNEGO gss_init_sec_context()
8300 Fix k5crypto NSS iov processing bug
8301 Correctly use k5_wrapmsg() in ldap_principal2.c
8326 hostrealm code won't compile in debug mode using Solaris
Studio C
8327 Set TL_DATA mask flag for master key operations
8334 Check context handle in gss_export_sec_context()
8335 Work around uninitialized warning in cc_kcm.c
8336 MAXHOSTNAMELEN is too short for some FQDNs
8337 Check internal context on init context errors
8338 Fix interposed gss_accept_sec_context()
8339 Add .travis.yml
8340 ksu broken with 2FA principals again
8341 Verify decoded kadmin C strings [CVE-2015-8629]
8342 Check for null kadm5 policy name [CVE-2015-8630]
8343 Fix leaks in kadmin server stubs [CVE-2015-8631]
8346 Fix EOF check in kadm5.acl line processing
8347 Fix iprop server stub error management
8367 Use blocking lock when creating db2 KDB
Major changes in 1.14 (2015-11-20)
----------------------------------
Administrator experience:
* Add a new kdb5_util tabdump command to provide reporting-friendly
tabular dump formats (tab-separated or CSV) for the KDC database.
Unlike the normal dump format, each output table has a fixed number
of fields. Some tables include human-readable forms of data that
are opaque in ordinary dump files. This format is also suitable for
importing into relational databases for complex queries.
* Add support to kadmin and kadmin.local for specifying a single
command line following any global options, where the command
arguments are split by the shell--for example, "kadmin getprinc
principalname". Commands issued this way do not prompt for
confirmation or display warning messages, and exit with non-zero
status if the operation fails.
* Accept the same principal flag names in kadmin as we do for the
default_principal_flags kdc.conf variable, and vice versa. Also
accept flag specifiers in the form that kadmin prints, as well as
hexadecimal numbers.
* Remove the triple-DES and RC4 encryption types from the default
value of supported_enctypes, which determines the default key and
salt types for new password-derived keys. By default, keys will
only created only for AES128 and AES256. This mitigates some types
of password guessing attacks.
* Add support for directory names in the KRB5_CONFIG and
KRB5_KDC_PROFILE environment variables.
* Add support for authentication indicators, which are ticket
annotations to indicate the strength of the initial authentication.
Add support for the "require_auth" string attribute, which can be
set on server principal entries to require an indicator when
authenticating to the server.
* Add support for key version numbers larger than 255 in keytab files,
and for version numbers up to 65535 in KDC databases.
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
during pre-authentication, corresponding to the client's most
preferred encryption type.
* Add support for server name identification (SNI) when proxying KDC
requests over HTTPS.
* Add support for the err_fmt profile parameter, which can be used to
generate custom-formatted error messages.
Code quality:
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
[CVE-2015-2698]
* Fix build_principal memory bug that could cause a KDC
crash. [CVE-2015-2697]
Developer experience:
* Change gss_acquire_cred_with_password() to acquire credentials into
a private memory credential cache. Applications can use
gss_store_cred() to make the resulting credentials visible to other
processes.
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
IAKERB or for non-standard variants of the krb5 mechanism OID unless
explicitly requested. (SPNEGO will still accept the Microsoft
variant of the krb5 mechanism OID during negotiation.)
* Change gss_accept_sec_context() not to accept tokens for IAKERB or
for non-standard variants of the krb5 mechanism OID unless an
acceptor credential is acquired for those mechanisms.
* Change gss_acquire_cred() to immediately resolve credentials if the
time_rec parameter is not NULL, so that a correct expiration time
can be returned. Normally credential resolution is delayed until
the target name is known.
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
which can be used by plugin modules or applications to add prefixes
to existing detailed error messages.
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
implement the RFC 6113 PRF+ operation and key derivation using PRF+.
* Add support for pre-authentication mechanisms which use multiple
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
interface; these callbacks can be used to save marshalled state
information in an encrypted cookie for the next request.
* Add a client_key() callback to the kdcpreauth interface to retrieve
the chosen client key, corresponding to the ETYPE-INFO2 entry sent
by the KDC.
* Add an add_auth_indicator() callback to the kdcpreauth interface,
allowing pre-authentication modules to assert authentication
indicators.
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
suppress sending the confidentiality and integrity flags in GSS
initiator tokens unless they are requested by the caller. These
flags control the negotiated SASL security layer for the Microsoft
GSS-SPNEGO SASL mechanism.
* Make the FILE credential cache implementation less prone to
corruption issues in multi-threaded programs, especially on
platforms with support for open file description locks.
Performance:
* On slave KDCs, poll the master KDC immediately after processing a
full resync, and do not require two full resyncs after the master
KDC's log file is reset.
User experience:
* Make gss_accept_sec_context() accept tickets near their expiration
but within clock skew tolerances, rather than rejecting them
immediately after the server's view of the ticket expiration time.
krb5-1.14 changes by ticket ID
------------------------------
6938 krb5 and ldap signed traffic
7532 Improve support for large kvnos
7790 Make cross-realm S4U2Self work
7804 Can't write to file ccache with OPENCLOSE unset
7903 Remove des3 and arcfour from supported_enctypes
7991 kadmin should have a script-friendly mode
8002 Fix KCM ccache per-type cursor
8021 SPNEGO clients should not try IAKERB by default
8022 klist -s only looks for TGTs
8023 Use OFD locks where available
8025 krb5 gss_inquire_context doesn't work with partially established context
8026 Use stdio reads, O_APPEND writes in FILE ccache
8027 Client RPC timeout during kadmin listprincs command
8030 Add support for directories in profile paths
8046 Add new error message wrapping APIs
8047 Add err_fmt profile parameter
8048 Remove ksu -D flag documentation
8052 Include file ccache name in error messages
8062 Fix const correctness on krb5_c_fx_cf2_simple()
8063 Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
8123 Check timestamp in PKINIT kdcpreauth module
8124 Use preauth timestamp in PKINIT clpreauth module
8139 SIGNTICKET creation and verification doesn't always use the right key
8152 gss_acquire_cred_with_password() ignores expired creds
8157 Authentication indicator support
8161 kpropd -t (runonce) doesn't work for full dumps
8163 python test issues
8164 Avoid unnecessary iprop full resyncs after resets
8171 kadm5_hook does not have rename method
8198 Support SNI in MS-KKDCP client
8199 Only include one key in etype-info
8200 Add client_keyblock kdcpreauth callback
8213 Policy extensions in 1.11 break iprop dump compatibility
8215 Unify KDB principal flag specifiers
8217 Limit use of deprecated krb5 mech OIDs
8219 Conditionalize iprop stderr output in kadmind
8221 Fail during configure if stdint.h missing
8224 Add KDC_ERR_PREAUTH_EXPIRED support
8225 Improve krb5_cccol_have_content() error messages
8227 Allow missing authenticator checksum with GSSAPI
8228 Add krb5_c_prfplus() and krb5_c_derive_prfplus()
8233 Add secure cookie support
8234 Add etype-info2 to MORE_PREAUTH_DATA_REQUIRED
8235 Resolve krb5 GSS creds if time_rec is requested
8236 Update SPNEGO hintName value to current spec
8242 Improve PKINIT OpenSSL error reporting
8243 Add tabular dump capability to kdb5_util
8244 SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696]
8245 kerberos.ldif file has malformed entries
8246 Fix error mappings for IOV MIC mechglue funcs
8251 Fix kadmin with e2fsprogs libss
8252 Fix build_principal memory bug [CVE-2015-2697]
8253 Fix minor utf8-to-ucs2s read overrun bug
8254 use appropriate default for krb5_cv_sys_rcdir when cross-compiling
8255 Define error status GSS_S_BAD_MIC
8256 Fix typo in GSS_S_UNAUTHORIZED error message
8257 Fix gss_inquire_names_for_mech() on MS krb5 mech
8258 Correct GSS major code for non-default QOP values
8259 Check output params on GSS OID set functions
8260 Fix gss_store_cred() minor code on acceptor cred
8262 Set plugin_base_dir for kadmin tests
8264 kdb_check test target uses installed message catalog
8266 Installed krb5.conf files can affect test suite
8267 unsetenv() returns void
8268 krb5 gss_accept_sec_context() does not allow clock skew
8269 Accept new passwords as const char pointers
8271 Zap secure cookie contents when freeing
8273 Fix IAKERB context export/import [CVE-2015-2698]
Acknowledgements
----------------
Past Sponsors of the MIT Kerberos Consortium:
Apple
Carnegie Mellon University
Centrify Corporation
Columbia University
Cornell University
The Department of Defense of the United States of America (DoD)
Fidelity Investments
Google
Iowa State University
MIT
Michigan State University
Microsoft
MITRE Corporation
Morgan-Stanley
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
US Government Office of the National Coordinator for Health
Information Technology (ONC)
Oracle
Pennsylvania State University
Red Hat
Stanford University
TeamF1, Inc.
The University of Alaska
The University of Michigan
The University of Pennsylvania
Past and present members of the Kerberos Team at MIT:
Danilo Almeida
Jeffrey Altman
Justin Anderson
Richard Basch
Mitch Berger
Jay Berkenbilt
Andrew Boardman
Bill Bryant
Steve Buckley
Joe Calzaretta
John Carr
Mark Colan
Don Davis
Sarah Day
Alexandra Ellwood
Carlos Garay
Dan Geer
Nancy Gilman
Matt Hancher
Thomas Hardjono
Sam Hartman
Paul Hill
Marc Horowitz
Eva Jacobus
Miroslav Jurisic
Barry Jaspan
Benjamin Kaduk
Geoffrey King
Kevin Koch
John Kohl
HaoQi Li
Jonathan Lin
Peter Litwack
Scott McGuire
Steve Miller
Kevin Mitchell
Cliff Neuman
Paul Park
Ezra Peisach
Chris Provenzano
Ken Raeburn
Jon Rochlis
Jeff Schiller
Jen Selby
Robert Silk
Bill Sommerfeld
Jennifer Steiner
Ralph Swick
Brad Thompson
Harry Tsai
Zhanna Tsitkova
Ted Ts'o
Marshall Vale
Tom Yu
The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:
Ian Abbott
Brandon Allbery
Russell Allbery
Brian Almeida
Michael B Allen
Heinz-Ado Arnolds
Derek Atkins
Mark Bannister
David Bantz
Alex Baule
David Benjamin
Thomas Bernard
Adam Bernstein
Arlene Berry
Jeff Blaine
Radoslav Bodo
Sumit Bose
Emmanuel Bouillon
Philip Brown
Michael Calmer
Andrea Campi
Julien Chaffraix
Ravi Channavajhala
Srinivas Cheruku
Leonardo Chiquitto
Seemant Choudhary
Howard Chu
Andrea Cirulli
Christopher D. Clausen
Kevin Coffman
Simon Cooper
Sylvain Cortes
Ian Crowther
Arran Cudbard-Bell
Jeff D'Angelo
Nalin Dahyabhai
Mark Davies
Dennis Davis
Alex Dehnert
Mark Deneen
Günther Deschner
John Devitofranceschi
Roland Dowdeswell
Viktor Dukhovni
Jason Edgecombe
Mark Eichin
Shawn M. Emery
Douglas E. Engert
Peter Eriksson
Juha Erkkilä
Gilles Espinasse
Ronni Feldt
Bill Fellows
JC Ferguson
Remi Ferrand
Paul Fertser
William Fiveash
Ákos Frohner
Sebastian Galiano
Marcus Granado
Scott Grizzard
Helmut Grohne
Steve Grubb
Philip Guenther
Dominic Hargreaves
Robbie Harwood
Jakob Haufe
Matthieu Hautreux
Paul B. Henson
Jeff Hodges
Christopher Hogan
Love Hörnquist Åstrand
Ken Hornstein
Henry B. Hotz
Luke Howard
Jakub Hrozek
Shumon Huque
Jeffrey Hutzelman
Wyllys Ingersoll
Holger Isenberg
Spencer Jackson
Diogenes S. Jesus
Pavel Jindra
Joel Johnson
Anders Kaseorg
W. Trevor King
Patrik Kis
Mikkel Kruse
Reinhard Kugler
Tomas Kuthan
Pierre Labastie
Volker Lendecke
Jan iankko Lieskovsky
Oliver Loch
Kevin Longfellow
Jon Looney
Nuno Lopes
Ryan Lynch
Roland Mainz
Andrei Maslennikov
Michael Mattioli
Nathaniel McCallum
Greg McClement
Cameron Meadors
Alexey Melnikov
Franklyn Mendez
Markus Moeller
Kyle Moffett
Paul Moore
Keiichi Mori
Michael Morony
Zbysek Mraz
Edward Murrell
Nikos Nikoleris
Felipe Ortega
Michael Osipov
Andrej Ota
Dmitri Pal
Javier Palacios
Tom Parker
Ezra Peisach
Zoran Pericic
W. Michael Petullo
Mark Phalan
Brett Randall
Jonathan Reams
Jonathan Reed
Robert Relyea
Martin Rex
Jason Rogers
Matt Rogers
Nate Rosenblum
Solly Ross
Mike Roszkowski
Guillaume Rousse
Andreas Schneider
Tom Shaw
Jim Shi
Peter Shoults
Simo Sorce
Michael Spang
Michael Ströder
Bjørn Tore Sund
Joe Travaglini
Tim Uglow
Rathor Vipin
Denis Vlasenko
Jorgen Wahlsten
Stef Walter
Max (Weijun) Wang
John Washington
Stef Walter
Xi Wang
Kevin Wasserman
Margaret Wasserman
Marcus Watts
Andreas Wiese
Simon Wilkinson
Nicolas Williams
Ross Wilper
Augustin Wolf
David Woodhouse
Tsu-Phong Wu
Xu Qiang
Neng Xue
Nickolai Zeldovich
Hanz van Zijst
Gertjan Zwartjes
The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.
|