Kerberos Version 5, Release 1.9
Release Notes
The MIT Kerberos Team
Copyright and Other Notices
---------------------------
Copyright (C) 1985-2011 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.
Please see the file named NOTICE for additional notices.
MIT Kerberos is a project of the MIT Kerberos Consortium. For more
information about the Kerberos Consortium, see http://kerberos.org/
For more information about the MIT Kerberos software, see
http://web.mit.edu/kerberos/
People interested in participating in the MIT Kerberos development
effort should visit http://k5wiki.kerberos.org/
Building and Installing Kerberos 5
----------------------------------
The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5. The info file
krb5-install.info has the same information in info file format. You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation. This
is also available as an HTML file, install.html.
Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively. They are also available as info files
kerberos-admin.info and krb5-user.info, respectively. These files are
also available as HTML files.
If you are attempting to build under Windows, please see the
src/windows/README file.
Reporting Bugs
--------------
Please report any problems/bugs/comments using the krb5-send-pr
program. The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).
If you are not able to use krb5-send-pr because you haven't been able
to compile and install Kerberos V5 on any platform, you may send mail to
krb5-bugs@mit.edu.
Please keep in mind that unencrypted e-mail is not secure. If you need
to report a security vulnerability, or send sensitive information,
please PGP-encrypt it to krbcore-security@mit.edu.
You may view bug reports by visiting
http://krbdev.mit.edu/rt/
and logging in as "guest" with password "guest".
DES transition
--------------
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
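An audit of a krb5.conf for the setting described above, as an added example that is not part of the release notes or of the krb5 distribution. It assumes the variable is allow_weak_crypto in the [libdefaults] section (the notes do not name it) and that the weak enctype names are those listed in the code; the sample configuration is constructed.

```python
import re

# Assumed list of enctype names krb5 classes as weak (single DES, export RC4).
WEAK_ENCTYPES = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des-hmac-sha1", "arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp",
}
ENCTYPE_LISTS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}


def parse_libdefaults(text):
    """Return the key/value relations found in the [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def audit_weak_crypto(text):
    """List findings about weak-enctype settings in a krb5.conf string."""
    conf = parse_libdefaults(text)
    weak_allowed = conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    findings = ["allow_weak_crypto is enabled"] if weak_allowed else []
    for key in ENCTYPE_LISTS:
        names = re.split(r"[\s,]+", conf.get(key, "").lower())
        weak = sorted(set(names) & WEAK_ENCTYPES)
        if weak:
            state = "usable" if weak_allowed else "filtered out"
            findings.append(f"{key} lists weak enctypes ({state}): {', '.join(weak)}")
    return findings


# Constructed sample configuration, not taken from any real site.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc, des-cbc-md5
"""
if __name__ == "__main__":
    print("\n".join(audit_weak_crypto(SAMPLE)))
```

A "filtered out" finding means the single-DES names are still written in the file but have no effect while the variable keeps its default of false.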
Major changes in 1.9.2
----------------------
This is primarily a bugfix release.
* Improve KDC performance by fully disabling its replay cache.
* Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities
[CVE-2011-1527 CVE-2011-1528 CVE-2011-1529].
krb5-1.9.2 changes by ticket ID
-------------------------------
6844 Memory leak in save_error_string_nocopy()
6884 KDC memory leak in FAST error path
6885 KDC memory leak of reply padata for FAST replies
6886 rc4-hmac weak key checks break interoperability
6888 No explanation of failed passwd entry if REQUIRES_PWCHANGE is set
6906 modernize doc/Makefile somewhat
6907 setpw response parsing fails for lengths above 255
6908 Delete sec context properly in gss_krb5_export_lucid_sec_context
6912 Use hmac-md5 checksum for PA-FOR-USER padata
6913 Fix multiple tl-data updates over iprop
6916 Restore krb5_get_credentials caching for referral requests
6917 Restore fallback non-referral TGS request to same realm
6920 Fix old-style GSSRPC authentication
6932 Fix gss_set_cred_option cred creation with no name
6939 Legacy checksum APIs usually fail
6941 Fix accidental KDC use of replay cache
6943 incorrect reference in spnego_gss_set_cred_option
6949 TCP connection leak with 1.9.1, with connect_to_server()
6952 Fix cross-realm traversal TGT requests
6960 always include krb5_libinit.h in init_ctx.c
6970 gss_unwrap_iov crashes with stream buffers for 3des, des, rc4
6972 memory leak in version 1.9.1
6982 SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528
CVE-2011-1529]
6990 fix tar invocation in mkrel
Major changes in 1.9.1
----------------------
This is primarily a bugfix release.
* Fix vulnerabilities:
** kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
** KDC denial of service attacks [MITKRB5-SA-2011-002
CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
** KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003
CVE-2011-0284]
** kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
* Interoperability:
** Don't reject AP-REQ messages if their PAC doesn't validate;
suppress the PAC instead.
** Correctly validate HMAC-MD5 checksums that use DES keys
krb5-1.9.1 changes by ticket ID
-------------------------------
6596 [Michael Spang] Bug#561176: krb5-kdc-ldap: krb5kdc leaks file
descriptors
6675 segfault in gss_export_sec_context
6800 memory leak in kg_new_connection
6847 Suppress camellia-gen in 1.9 make check
6849 Fix edge case in LDAP last_admin_unlock processing
6852 Make gss_krb5_set_allowable_enctypes work for the acceptor
6856 Fix seg faulting trace log message for use of fallback realm
6859 kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
6860 KDC denial of service attacks [MITKRB5-SA-2011-002
CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
6867 Trace logging file descriptor leak
6869 hmac-md5 checksum doesn't work with DES keys
6870 Don't reject AP-REQs based on PACs
6871 "make distclean" leaves an object file behind.
6875 kdb5_util mkey operations hit assertion when iprop is enabled
6881 KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
6899 kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
Major changes in 1.9
--------------------
Additional background information on these changes may be found at
http://k5wiki.kerberos.org/wiki/Release_1.9
and
http://k5wiki.kerberos.org/wiki/Category:Release_1.9_projects
Code quality:
* Fix MITKRB5-SA-2010-007 checksum vulnerabilities (CVE-2010-1324 and
others).
* Add a Python-based testing framework.
* Perform DAL cleanup.
Developer experience:
* Add NSS crypto back end.
* Improve PRNG modularity.
* Add a Fortuna-like PRNG back end.
Performance:
* Account lockout performance improvements -- allow disabling of some
account lockout functionality to reduce the number of write
operations to the database during authentication
* Add support for multiple KDC worker processes.
Administrator experience:
* Add Trace logging support to ease the diagnosis of configuration
problems.
* Add support for purging old keys (e.g. from "cpw -randkey -keepold").
* Add plugin interface for password sync -- based on proposed patches
by Russ Allbery that support his krb5-sync package
* Add plugin interface for password quality checks -- enables
pluggable password quality checks similar to Russ Allbery's
krb5-strength package.
* Add a configuration file validator script.
* Add KDC support for SecurID preauthentication -- this is the old
SAM-2 protocol, implemented to support existing deployments, not the
in-progress FAST-OTP work.
* Add "cheat" capability for kinit when running on a KDC host.
Protocol evolution:
* Add support for IAKERB -- a mechanism for tunneling Kerberos KDC
transactions over GSS-API, enabling clients to authenticate to
services even when the clients cannot directly reach the KDC that
serves the services.
* Add support for Camellia encryption (experimental; disabled by
default).
* Add GSS-API support for implementors of the SASL GS2 bridge
mechanism.
krb5-1.9 changes by ticket ID
-----------------------------
1219 mechanism to delete old keys should exist
2032 No advanced warning of password expiry
5014 kadmin (and other utilities) should report enctypes as it takes them
6647 Memory leak in kdc
6672 Python test framework
6679 Lazy history key creation
6684 Simple kinit verbosity patch
6686 IPv6 support for kprop and kpropd
6688 mit-krb5-1.7 fails to compile against openssl-1.0.0
6699 Validate and renew should work on non-TGT creds
6700 Introduce new krb5_tkt_creds API
6712 Add IAKERB mechanism and gss_acquire_cred_with_password
6714 [patch] fix format errors in krb5-1.8.1
6715 cksum_body exports
6719 Add lockout-related performance tuning variables
6720 Negative enctypes improperly read from keytabs
6723 Negative enctypes improperly read from ccaches
6733 Make signedpath authdata visible via GSS naming exts
6736 Add krb5_enctype_to_name() API
6737 Trace logging
6746 Make kadmin work over IPv6
6749 DAL improvements
6753 Fix XDR decoding of large values in xdr_u_int
6755 Add GIC option for password/account expiration callback
6758 Allow krb5_gss_register_acceptor_identity to unset keytab name
6760 Fail properly when profile can't be accessed
6761 add profile include support
6762 key expiration computed incorrectly in libkdb_ldap
6763 New plugin infrastructure
6765 Password quality pluggable interface
6769 clean up memory leak and potential unused variable in crypto tests
6771 Fix memory leaks in kdb5_verify
6772 Ensure valid key in krb5int_yarrow_cipher_encrypt_block
6774 pkinit client cert matching can be disrupted by one of the
candidate certs
6775 pkinit <KU> evaluation during certificate matching may fail
6776 Typos in src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
6777 Segmentation fault in krb library (sn2princ.c) if realm not resolved
6778 kdb: store mkey list in context and permit NULL mkey for
kdb_dbe_decrypt_key_data
6779 kinit: add KDB keytab support
6783 KDC worker processes feature
6784 relicense Sun RPC to 3-clause BSD-style
6785 Add gss_krb5_import_cred
6786 kpasswd: if a credential cache is present, use FAST
6787 S4U memory leak
6791 kadm5_hook: new plugin interface
6792 Implement k5login_directory and k5login_authoritative options
6793 acquire_init_cred leaks interned name
6794 krb5.conf manpage missing reference to rdns setting
6795 Propagate modprinc -unlock from master to slave KDCs
6796 segfault due to uninitialized variable in S4U
6799 Performance issue in LDAP policy fetch
6801 Fix leaks in get_init_creds interface
6802 copyright notice updates
6804 Remove KDC replay cache
6805 securID code fixes
6806 securID error handling fix
6807 SecurID build support
6809 gss_krb5int_make_seal_token_v3_iov fails to set conf_state
6810 Better libk5crypto NSS fork safety
6811 Mark Camellia-CCM code as experimental
6812 krb5_get_credentials should not fail due to inability to store
a credential in a cache
6815 Failed kdb5_util load removes real database
6819 Handle referral realm in kprop client principal
6820 Read KDC profile settings in kpropd
6822 Implement Camellia-CTS-CMAC instead of Camellia-CCM
6823 getdate.y: declare yyparse
6824 Export krb5_tkt_creds_get
6825 Add missing KRB5_CALLCONV in callback declaration
6826 Fix Windows build
6827 SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
6828 Install kadm5_hook_plugin.h
6829 Implement restrict_anonymous_to_tgt realm flag
6838 Regression in renewable handling
6839 handle MS PACs that lack server checksum
6840 typo in plugin-related error message
6841 memory leak in changepw.c
6842 Ensure time() is prototyped in g_accept_sec_context.c
Acknowledgements
----------------
Past and present Sponsors of the MIT Kerberos Consortium:
Apple
Carnegie Mellon University
Centrify Corporation
Columbia University
Cornell University
The Department of Defense of the United States of America (DoD)
Fidelity Investments
Google
Iowa State University
MIT
Michigan State University
Microsoft
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
Oracle
Pennsylvania State University
Red Hat
Stanford University
TeamF1, Inc.
The University of Alaska
The University of Michigan
The University of Pennsylvania
Past and present members of the Kerberos Team at MIT:
Danilo Almeida
Jeffrey Altman
Justin Anderson
Richard Basch
Mitch Berger
Jay Berkenbilt
Andrew Boardman
Bill Bryant
Steve Buckley
Joe Calzaretta
John Carr
Mark Colan
Don Davis
Alexandra Ellwood
Carlos Garay
Dan Geer
Nancy Gilman
Matt Hancher
Thomas Hardjono
Sam Hartman
Paul Hill
Marc Horowitz
Eva Jacobus
Miroslav Jurisic
Barry Jaspan
Geoffrey King
Kevin Koch
John Kohl
HaoQi Li
Jonathan Lin
Peter Litwack
Scott McGuire
Steve Miller
Kevin Mitchell
Cliff Neuman
Paul Park
Ezra Peisach
Chris Provenzano
Ken Raeburn
Jon Rochlis
Jeff Schiller
Jen Selby
Robert Silk
Bill Sommerfeld
Jennifer Steiner
Ralph Swick
Brad Thompson
Harry Tsai
Zhanna Tsitkova
Ted Ts'o
Marshall Vale
Tom Yu
The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:
Brandon Allbery
Russell Allbery
Brian Almeida
Michael B Allen
Heinz-Ado Arnolds
Derek Atkins
David Bantz
Alex Baule
Arlene Berry
Jeff Blaine
Radoslav Bodo
Emmanuel Bouillon
Michael Calmer
Julien Chaffraix
Ravi Channavajhala
Srinivas Cheruku
Leonardo Chiquitto
Howard Chu
Andrea Cirulli
Christopher D. Clausen
Kevin Coffman
Simon Cooper
Sylvain Cortes
Nalin Dahyabhai
Dennis Davis
Mark Deneen
Roland Dowdeswell
Jason Edgecombe
Mark Eichin
Shawn M. Emery
Douglas E. Engert
Peter Eriksson
Juha Erkkilä
Ronni Feldt
Bill Fellows
JC Ferguson
William Fiveash
Ákos Frohner
Marcus Granado
Scott Grizzard
Helmut Grohne
Steve Grubb
Philip Guenther
Dominic Hargreaves
Jakob Haufe
Jeff Hodges
Love Hörnquist Åstrand
Ken Hornstein
Henry B. Hotz
Luke Howard
Jakub Hrozek
Shumon Huque
Jeffrey Hutzelman
Wyllys Ingersoll
Holger Isenberg
Pavel Jindra
Joel Johnson
Mikkel Kruse
Volker Lendecke
Jan iankko Lieskovsky
Kevin Longfellow
Ryan Lynch
Nathaniel McCallum
Greg McClement
Cameron Meadors
Franklyn Mendez
Markus Moeller
Kyle Moffett
Paul Moore
Keiichi Mori
Zbysek Mraz
Edward Murrell
Nikos Nikoleris
Felipe Ortega
Andrej Ota
Dmitri Pal
Javier Palacios
Ezra Peisach
W. Michael Petullo
Mark Phalan
Jonathan Reams
Robert Relyea
Martin Rex
Jason Rogers
Mike Roszkowski
Guillaume Rousse
Tom Shaw
Peter Shoults
Simo Sorce
Michael Spang
Michael Ströder
Bjørn Tore Sund
Rathor Vipin
Jorgen Wahlsten
Max (Weijun) Wang
John Washington
Marcus Watts
Simon Wilkinson
Nicolas Williams
Ross Wilper
Xu Qiang
Hanz van Zijst
The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.