1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
|
Kerberos Version 5, Release 1.14
Release Notes
The MIT Kerberos Team
Copyright and Other Notices
---------------------------
Copyright (C) 1985-2015 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.
Please see the file named NOTICE for additional notices.
Documentation
-------------
Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.
Additionally, you may find copies of the HTML format documentation
online at
http://web.mit.edu/kerberos/krb5-latest/doc/
for the most recent supported release, or at
http://web.mit.edu/kerberos/krb5-devel/doc/
for the release under development.
More information about Kerberos may be found at
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site
http://kerberos.org/
Building and Installing Kerberos 5
----------------------------------
Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.
The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.
If you are attempting to build under Windows, please see the
src/windows/README file.
Reporting Bugs
--------------
Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.
You may view bug reports by visiting
http://krbdev.mit.edu/rt/
and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.
DES transition
--------------
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in 1.14
---------------------
Administrator experience:
* Add a new kdb5_util tabdump command to provide reporting-friendly
tabular dump formats (tab-separated or CSV) for the KDC database.
Unlike the normal dump format, each output table has a fixed number
of fields. Some tables include human-readable forms of data that
are opaque in ordinary dump files. This format is also suitable for
importing into relational databases for complex queries.
* Add support to kadmin and kadmin.local for specifying a single
command line following any global options, where the command
arguments are split by the shell--for example, "kadmin getprinc
principalname". Commands issued this way do not prompt for
confirmation or display warning messages, and exit with non-zero
status if the operation fails.
* Accept the same principal flag names in kadmin as we do for the
default_principal_flags kdc.conf variable, and vice versa. Also
accept flag specifiers in the form that kadmin prints, as well as
hexadecimal numbers.
* Remove the triple-DES and RC4 encryption types from the default
value of supported_enctypes, which determines the default key and
salt types for new password-derived keys. By default, keys will
only created only for AES128 and AES256. This mitigates some types
of password guessing attacks.
* Add support for directory names in the KRB5_CONFIG and
KRB5_KDC_PROFILE environment variables.
* Add support for authentication indicators, which are ticket
annotations to indicate the strength of the initial authentication.
Add support for the "require_auth" string attribute, which can be
set on server principal entries to require an indicator when
authenticating to the server.
* Add support for key version numbers larger than 255 in keytab files,
and for version numbers up to 65535 in KDC databases.
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
during pre-authentication, corresponding to the client's most
preferred encryption type.
* Add support for server name identification (SNI) when proxying KDC
requests over HTTPS.
* Add support for the err_fmt profile parameter, which can be used to
generate custom-formatted error messages.
Code quality:
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
[CVE-2015-2698]
* Fix build_principal memory bug that could cause a KDC
crash. [CVE-2015-2697]
Developer experience:
* Change gss_acquire_cred_with_password() to acquire credentials into
a private memory credential cache. Applications can use
gss_store_cred() to make the resulting credentials visible to other
processes.
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
IAKERB or for non-standard variants of the krb5 mechanism OID unless
explicitly requested. (SPNEGO will still accept the Microsoft
variant of the krb5 mechanism OID during negotiation.)
* Change gss_accept_sec_context() not to accept tokens for IAKERB or
for non-standard variants of the krb5 mechanism OID unless an
acceptor credential is acquired for those mechanisms.
* Change gss_acquire_cred() to immediately resolve credentials if the
time_rec parameter is not NULL, so that a correct expiration time
can be returned. Normally credential resolution is delayed until
the target name is known.
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
which can be used by plugin modules or applications to add prefixes
to existing detailed error messages.
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
implement the RFC 6113 PRF+ operation and key derivation using PRF+.
* Add support for pre-authentication mechanisms which use multiple
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
interface; these callbacks can be used to save marshalled state
information in an encrypted cookie for the next request.
* Add a client_key() callback to the kdcpreauth interface to retrieve
the chosen client key, corresponding to the ETYPE-INFO2 entry sent
by the KDC.
* Add an add_auth_indicator() callback to the kdcpreauth interface,
allowing pre-authentication modules to assert authentication
indicators.
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
suppress sending the confidentiality and integrity flags in GSS
initiator tokens unless they are requested by the caller. These
flags control the negotiated SASL security layer for the Microsoft
GSS-SPNEGO SASL mechanism.
* Make the FILE credential cache implementation less prone to
corruption issues in multi-threaded programs, especially on
platforms with support for open file description locks.
Performance:
* On slave KDCs, poll the master KDC immediately after processing a
full resync, and do not require two full resyncs after the master
KDC's log file is reset.
User experience:
* Make gss_accept_sec_context() accept tickets near their expiration
but within clock skew tolerances, rather than rejecting them
immediately after the server's view of the ticket expiration time.
krb5-1.14 changes by ticket ID
------------------------------
6938 krb5 and ldap signed traffic
7532 Improve support for large kvnos
7790 Make cross-realm S4U2Self work
7804 Can't write to file ccache with OPENCLOSE unset
7903 Remove des3 and arcfour from supported_enctypes
7991 kadmin should have a script-friendly mode
8002 Fix KCM ccache per-type cursor
8021 SPNEGO clients should not try IAKERB by default
8022 klist -s only looks for TGTs
8023 Use OFD locks where available
8025 krb5 gss_inquire_context doesn't work with partially established context
8026 Use stdio reads, O_APPEND writes in FILE ccache
8027 Client RPC timeout during kadmin listprincs command
8030 Add support for directories in profile paths
8046 Add new error message wrapping APIs
8047 Add err_fmt profile parameter
8048 Remove ksu -D flag documentation
8052 Include file ccache name in error messages
8062 Fix const correctness on krb5_c_fx_cf2_simple()
8063 Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
8123 Check timestamp in PKINIT kdcpreauth module
8124 Use preauth timestamp in PKINIT clpreauth module
8139 SIGNTICKET creation and verification doesn't always use the right key
8152 gss_acquire_cred_with_password() ignores expired creds
8157 Authentication indicator support
8161 kpropd -t (runonce) doesn't work for full dumps
8163 python test issues
8164 Avoid unnecessary iprop full resyncs after resets
8171 kadm5_hook does not have rename method
8198 Support SNI in MS-KKDCP client
8199 Only include one key in etype-info
8200 Add client_keyblock kdcpreauth callback
8213 Policy extensions in 1.11 break iprop dump compatibility
8215 Unify KDB principal flag specifiers
8217 Limit use of deprecated krb5 mech OIDs
8219 Conditionalize iprop stderr output in kadmind
8221 Fail during configure if stdint.h missing
8224 Add KDC_ERR_PREAUTH_EXPIRED support
8225 Improve krb5_cccol_have_content() error messages
8227 Allow missing authenticator checksum with GSSAPI
8228 Add krb5_c_prfplus() and krb5_c_derive_prfplus()
8233 Add secure cookie support
8234 Add etype-info2 to MORE_PREAUTH_DATA_REQUIRED
8235 Resolve krb5 GSS creds if time_rec is requested
8236 Update SPNEGO hintName value to current spec
8242 Improve PKINIT OpenSSL error reporting
8243 Add tabular dump capability to kdb5_util
8244 SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696]
8245 kerberos.ldif file has malformed entries
8246 Fix error mappings for IOV MIC mechglue funcs
8251 Fix kadmin with e2fsprogs libss
8252 Fix build_principal memory bug [CVE-2015-2697]
8253 Fix minor utf8-to-ucs2s read overrun bug
8254 use appropriate default for krb5_cv_sys_rcdir when cross-compiling
8255 Define error status GSS_S_BAD_MIC
8256 Fix typo in GSS_S_UNAUTHORIZED error message
8257 Fix gss_inquire_names_for_mech() on MS krb5 mech
8258 Correct GSS major code for non-default QOP values
8259 Check output params on GSS OID set functions
8260 Fix gss_store_cred() minor code on acceptor cred
8262 Set plugin_base_dir for kadmin tests
8264 kdb_check test target uses installed message catalog
8266 Installed krb5.conf files can affect test suite
8267 unsetenv() returns void
8268 krb5 gss_accept_sec_context() does not allow clock skew
8269 Accept new passwords as const char pointers
8271 Zap secure cookie contents when freeing
8273 Fix IAKERB context export/import [CVE-2015-2698]
Acknowledgements
----------------
Past and present Sponsors of the MIT Kerberos Consortium:
Apple
Carnegie Mellon University
Centrify Corporation
Columbia University
Cornell University
The Department of Defense of the United States of America (DoD)
Fidelity Investments
Google
Iowa State University
MIT
Michigan State University
Microsoft
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
Oracle
Pennsylvania State University
Red Hat
Stanford University
TeamF1, Inc.
The University of Alaska
The University of Michigan
The University of Pennsylvania
Past and present members of the Kerberos Team at MIT:
Danilo Almeida
Jeffrey Altman
Justin Anderson
Richard Basch
Mitch Berger
Jay Berkenbilt
Andrew Boardman
Bill Bryant
Steve Buckley
Joe Calzaretta
John Carr
Mark Colan
Don Davis
Alexandra Ellwood
Carlos Garay
Dan Geer
Nancy Gilman
Matt Hancher
Thomas Hardjono
Sam Hartman
Paul Hill
Marc Horowitz
Eva Jacobus
Miroslav Jurisic
Barry Jaspan
Benjamin Kaduk
Geoffrey King
Kevin Koch
John Kohl
HaoQi Li
Jonathan Lin
Peter Litwack
Scott McGuire
Steve Miller
Kevin Mitchell
Cliff Neuman
Paul Park
Ezra Peisach
Chris Provenzano
Ken Raeburn
Jon Rochlis
Jeff Schiller
Jen Selby
Robert Silk
Bill Sommerfeld
Jennifer Steiner
Ralph Swick
Brad Thompson
Harry Tsai
Zhanna Tsitkova
Ted Ts'o
Marshall Vale
Tom Yu
The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:
Ian Abbott
Brandon Allbery
Russell Allbery
Brian Almeida
Michael B Allen
Heinz-Ado Arnolds
Derek Atkins
Mark Bannister
David Bantz
Alex Baule
David Benjamin
Thomas Bernard
Adam Bernstein
Arlene Berry
Jeff Blaine
Radoslav Bodo
Sumit Bose
Emmanuel Bouillon
Philip Brown
Michael Calmer
Andrea Campi
Julien Chaffraix
Ravi Channavajhala
Srinivas Cheruku
Leonardo Chiquitto
Howard Chu
Andrea Cirulli
Christopher D. Clausen
Kevin Coffman
Simon Cooper
Sylvain Cortes
Ian Crowther
Arran Cudbard-Bell
Jeff D'Angelo
Nalin Dahyabhai
Mark Davies
Dennis Davis
Alex Dehnert
Mark Deneen
Günther Deschner
John Devitofranceschi
Roland Dowdeswell
Viktor Dukhovni
Jason Edgecombe
Mark Eichin
Shawn M. Emery
Douglas E. Engert
Peter Eriksson
Juha Erkkilä
Gilles Espinasse
Ronni Feldt
Bill Fellows
JC Ferguson
Remi Ferrand
Paul Fertser
William Fiveash
Ákos Frohner
Sebastian Galiano
Marcus Granado
Scott Grizzard
Helmut Grohne
Steve Grubb
Philip Guenther
Dominic Hargreaves
Robbie Harwood
Jakob Haufe
Matthieu Hautreux
Paul B. Henson
Jeff Hodges
Christopher Hogan
Love Hörnquist Åstrand
Ken Hornstein
Henry B. Hotz
Luke Howard
Jakub Hrozek
Shumon Huque
Jeffrey Hutzelman
Wyllys Ingersoll
Holger Isenberg
Pavel Jindra
Joel Johnson
Anders Kaseorg
W. Trevor King
Patrik Kis
Mikkel Kruse
Reinhard Kugler
Tomas Kuthan
Pierre Labastie
Volker Lendecke
Jan iankko Lieskovsky
Oliver Loch
Kevin Longfellow
Jon Looney
Nuno Lopes
Ryan Lynch
Roland Mainz
Andrei Maslennikov
Michael Mattioli
Nathaniel McCallum
Greg McClement
Cameron Meadors
Alexey Melnikov
Franklyn Mendez
Markus Moeller
Kyle Moffett
Paul Moore
Keiichi Mori
Michael Morony
Zbysek Mraz
Edward Murrell
Nikos Nikoleris
Felipe Ortega
Michael Osipov
Andrej Ota
Dmitri Pal
Javier Palacios
Tom Parker
Ezra Peisach
Zoran Pericic
W. Michael Petullo
Mark Phalan
Brett Randall
Jonathan Reams
Jonathan Reed
Robert Relyea
Martin Rex
Jason Rogers
Nate Rosenblum
Solly Ross
Mike Roszkowski
Guillaume Rousse
Andreas Schneider
Tom Shaw
Jim Shi
Peter Shoults
Simo Sorce
Michael Spang
Michael Ströder
Bjørn Tore Sund
Joe Travaglini
Tim Uglow
Rathor Vipin
Denis Vlasenko
Jorgen Wahlsten
Stef Walter
Max (Weijun) Wang
John Washington
Stef Walter
Xi Wang
Kevin Wasserman
Margaret Wasserman
Marcus Watts
Andreas Wiese
Simon Wilkinson
Nicolas Williams
Ross Wilper
Augustin Wolf
David Woodhouse
Tsu-Phong Wu
Xu Qiang
Neng Xue
Nickolai Zeldovich
Hanz van Zijst
Gertjan Zwartjes
The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.
|