Fork of https://salsa.debian.org/debian/krb5 so that we can use single-DES with our old NetApp
Max Erenberg
ec8d1c7cd2
|
||
|---|---|---|
| .github/workflows | ||
| debian | ||
| doc | ||
| src | ||
| NOTICE | ||
| README | ||
README
Kerberos Version 5, Release 1.20
Release Notes
The MIT Kerberos Team
Copyright and Other Notices
---------------------------
Copyright (C) 1985-2022 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.
Please see the file named NOTICE for additional notices.
Documentation
-------------
Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.
Additionally, you may find copies of the HTML format documentation
online at
https://web.mit.edu/kerberos/krb5-latest/doc/
for the most recent supported release, or at
https://web.mit.edu/kerberos/krb5-devel/doc/
for the release under development.
More information about Kerberos may be found at
https://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site
https://kerberos.org/
Building and Installing Kerberos 5
----------------------------------
Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.
The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.
If you are attempting to build under Windows, please see the
src/windows/README file.
Reporting Bugs
--------------
Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.
You may view bug reports by visiting
https://krbdev.mit.edu/rt/
and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.
PAC transition
--------------
Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. If only some KDCs in a realm have been upgraded
across version 1.20, the upgraded KDCs will reject S4U requests
containing tickets from non-upgraded KDCs and vice versa.
Triple-DES transition
---------------------
Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. In future releases, this encryption type will be disabled by
default and eventually removed.
Beginning with the krb5-1.18 release, single-DES encryption types have
been removed.
Major changes in 1.20.1 (2022-11-15)
------------------------------------
This is a bug fix release.
* Fix integer overflows in PAC parsing [CVE-2022-42898].
* Fix null deref in KDC when decoding invalid NDR.
* Fix memory leak in OTP kdcpreauth module.
* Fix PKCS11 module path search.
krb5-1.20.1 changes by ticket ID
--------------------------------
9061 Fix memory leak in SPAKE kdcpreauth module
9062 Fix net-server.c when AI_NUMERICSERV is undefined
9063 Fix memory leak in OTP kdcpreauth module
9064 Free verto context later in KDC cleanup
9065 Fix uncommon PKINIT memory leak
9067 Fix PKCS11 module path search
9073 Fix null deref in KDC when decoding invalid NDR
9074 Fix integer overflows in PAC parsing
Major changes in 1.20 (2022-05-26)
----------------------------------
Administrator experience:
* Added a "disable_pac" realm relation to suppress adding PAC authdata
to tickets, for realms which do not need to support S4U requests.
* Most credential cache types will use atomic replacement when a cache
is reinitialized using kinit or refreshed from the client keytab.
* kprop can now propagate databases with a dump size larger than 4GB,
if both the client and server are upgraded.
* kprop can now work over NATs that change the destination IP address,
if the client is upgraded.
Developer experience:
* Updated the KDB interface. The sign_authdata() method is replaced
with the issue_pac() method, allowing KDB modules to add logon info
and other buffers to the PAC issued by the KDC.
* Host-based initiator names are better supported in the GSS krb5
mechanism.
Protocol evolution:
* Replaced AD-SIGNEDPATH authdata with minimal PACs.
* To avoid spurious replay errors, password change requests will not
be attempted over UDP until the attempt over TCP fails.
* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
Code quality:
* Updated all code using OpenSSL to be compatible with OpenSSL 3.
* Reorganized the libk5crypto build system to allow the OpenSSL
back-end to pull in material from the builtin back-end depending on
the OpenSSL version.
* Simplified the PRNG logic to always use the platform PRNG.
* Converted the remaining Tcl tests to Python.
krb5-1.20 changes by ticket ID
------------------------------
7707 Credential cache API does not support atomic reinitialization
8010 gss_store_cred should initialize ccache and work with collections
8970 Wrong Encryption types shown in MIT Kerberos Ticket Manager on Windows
8976 all-liblinks build target fails when symlinks not supported
8977 Allow kprop over more types of NATs
8978 Support host-based GSS initiator names
8980 Add APIs for marshalling credentials
8981 Documentation__krb5.conf
8983 Infer name type when creating principals
8988 Only require one valid pkinit anchor/pool value
8990 Add KCM_OP_GET_CRED_LIST for faster iteration
8991 Fix PKINIT memory leaks
8994 Fix gss-krb5 handling of high sequence numbers
8995 KCM interop issue with KRB5_TC_ flags
8997 Use KCM_OP_RETRIEVE in KCM client
8998 Simplify krb5_cccol_have_content()
8999 Add additional KRB5_TRACE points
9000 Fix multiple UPN handling in PKINIT client certs
9002 Check for undefined kadm5 policy mask bits
9003 Add duplicate check to kadm5_create_policy()
9009 Update IRC pointer in resources.rst
9010 Add MAXHOSTNAME guard in Windows public header
9011 Fix some principal realm canonicalization cases
9012 Allow kinit with keytab to defer canonicalization
9013 Fix kadmin -k with fallback or referral realm
9017 Clarify and correct interposer plugin docs
9019 make check fails: OSError: AF_UNIX path too long
9022 Potential integer overflows
9024 Find gss_get_mic_iov extensions in GSS modules
9025 Use version-independent OpenLDAP links in docs
9027 Add OpenLDAP advice to princ_dns.rst
9028 Constify name field in four plugin vtables
9031 Fix verification of RODC-issued PAC KDC signature
9032 Always use platform PRNG
9034 Use builtin MD4, RC4 for OpenSSL 3.0
9035 Avoid use after free during libkrad cleanup
9036 Support larger RADIUS attributes in libkrad
9037 Race condition in krb5_set_password()
9038 Issue an error from KDC on S4U2Self failures
9039 Fix PAC handling of authtimes after y2038
9040 Use 14 instead of 9 for unkeyed SHA-1 checksum
9041 Add PA-REDHAT-IDP-OAUTH2 padata type
9042 Don't fail krb5_cc_select() for no default realm
9043 Add PAC ticket signature APIs
9044 Replace AD-SIGNEDPATH with minimal PACs
9047 Avoid passing null for asprintf strings
9048 Pass client flag to KDB for client preauth match
9049 Add replace_reply_key kdcpreauth callback
9050 Implement replaced_reply_key input to issue_pac()
9051 Clarify certauth interface documentation
9056 Fix iprop with fallback
9060 Read GSS configuration files with mtime 0
Acknowledgements
----------------
Past Sponsors of the MIT Kerberos Consortium:
Apple
Carnegie Mellon University
Centrify Corporation
Columbia University
Cornell University
The Department of Defense of the United States of America (DoD)
Fidelity Investments
Google
Iowa State University
MIT
Michigan State University
Microsoft
MITRE Corporation
Morgan-Stanley
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
US Government Office of the National Coordinator for Health
Information Technology (ONC)
Oracle
Pennsylvania State University
Red Hat
Stanford University
TeamF1, Inc.
The University of Alaska
The University of Michigan
The University of Pennsylvania
Past and present members of the Kerberos Team at MIT:
Danilo Almeida
Jeffrey Altman
Justin Anderson
Richard Basch
Mitch Berger
Jay Berkenbilt
Andrew Boardman
Bill Bryant
Steve Buckley
Joe Calzaretta
John Carr
Mark Colan
Don Davis
Sarah Day
Alexandra Ellwood
Carlos Garay
Dan Geer
Nancy Gilman
Matt Hancher
Thomas Hardjono
Sam Hartman
Paul Hill
Marc Horowitz
Eva Jacobus
Miroslav Jurisic
Barry Jaspan
Benjamin Kaduk
Geoffrey King
Kevin Koch
John Kohl
HaoQi Li
Jonathan Lin
Peter Litwack
Scott McGuire
Steve Miller
Kevin Mitchell
Cliff Neuman
Paul Park
Ezra Peisach
Chris Provenzano
Ken Raeburn
Jon Rochlis
Jeff Schiller
Jen Selby
Robert Silk
Bill Sommerfeld
Jennifer Steiner
Ralph Swick
Brad Thompson
Harry Tsai
Zhanna Tsitkova
Ted Ts'o
Marshall Vale
Taylor Yu
The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:
Ian Abbott
Daniel Albers
Brandon Allbery
Russell Allbery
Brian Almeida
Michael B Allen
Pooja Anil
Jeffrey Arbuckle
Heinz-Ado Arnolds
Derek Atkins
Mark Bannister
David Bantz
Alex Baule
Nikhil Benesch
David Benjamin
Thomas Bernard
Adam Bernstein
Arlene Berry
Jeff Blaine
Toby Blake
Radoslav Bodo
Alexander Bokovoy
Sumit Bose
Emmanuel Bouillon
Isaac Boukris
Ulf Bremer
Pavel Březina
Philip Brown
Samuel Cabrero
Michael Calmer
Andrea Campi
Julien Chaffraix
Puran Chand
Ravi Channavajhala
Srinivas Cheruku
Leonardo Chiquitto
Rachit Chokshi
Seemant Choudhary
Howard Chu
Andrea Cirulli
Christopher D. Clausen
Kevin Coffman
Simon Cooper
Sylvain Cortes
Ian Crowther
Arran Cudbard-Bell
Adam Dabrowski
Jeff D'Angelo
Nalin Dahyabhai
Mark Davies
Dennis Davis
Alex Dehnert
Misty De Meo
Mark Deneen
Günther Deschner
John Devitofranceschi
Marc Dionne
Roland Dowdeswell
Ken Dreyer
Dorian Ducournau
Viktor Dukhovni
Jason Edgecombe
Mark Eichin
Shawn M. Emery
Douglas E. Engert
Peter Eriksson
Juha Erkkilä
Gilles Espinasse
Ronni Feldt
Bill Fellows
JC Ferguson
Remi Ferrand
Paul Fertser
Fabiano Fidêncio
Frank Filz
William Fiveash
Jacques Florent
Oliver Freyermuth
Ákos Frohner
Sebastian Galiano
Marcus Granado
Dylan Gray
Norm Green
Scott Grizzard
Helmut Grohne
Steve Grubb
Philip Guenther
Timo Gurr
Dominic Hargreaves
Robbie Harwood
John Hascall
Jakob Haufe
Matthieu Hautreux
Jochen Hein
Paul B. Henson
Kihong Heo
Jeff Hodges
Christopher Hogan
Love Hörnquist Åstrand
Ken Hornstein
Henry B. Hotz
Luke Howard
Jakub Hrozek
Shumon Huque
Jeffrey Hutzelman
Sergey Ilinykh
Wyllys Ingersoll
Holger Isenberg
Spencer Jackson
Diogenes S. Jesus
Mike Jetzer
Pavel Jindra
Brian Johannesmeyer
Joel Johnson
Lutz Justen
Alexander Karaivanov
Anders Kaseorg
Bar Katz
Zentaro Kavanagh
Mubashir Kazia
W. Trevor King
Patrik Kis
Martin Kittel
Thomas Klausner
Tomasz Kłoczko
Matthew Krupcale
Mikkel Kruse
Reinhard Kugler
Harshawardhan Kulkarni
Tomas Kuthan
Pierre Labastie
Andreas Ladanyi
Chris Leick
Volker Lendecke
Jan iankko Lieskovsky
Todd Lipcon
Oliver Loch
Chris Long
Kevin Longfellow
Frank Lonigro
Jon Looney
Nuno Lopes
Todd Lubin
Ryan Lynch
Glenn Machin
Roland Mainz
Sorin Manolache
Robert Marshall
Andrei Maslennikov
Michael Mattioli
Nathaniel McCallum
Greg McClement
Cameron Meadors
Vipul Mehta
Alexey Melnikov
Ivan A. Melnikov
Franklyn Mendez
Mantas Mikulėnas
Markus Moeller
Kyle Moffett
Paul Moore
Keiichi Mori
Michael Morony
Sam Morris
Zbysek Mraz
Edward Murrell
Joshua Neuheisel
Nikos Nikoleris
Demi Obenour
Felipe Ortega
Michael Osipov
Andrej Ota
Dmitri Pal
Javier Palacios
Dilyan Palauzov
Tom Parker
Eric Pauly
Leonard Peirce
Ezra Peisach
Alejandro Perez
Zoran Pericic
W. Michael Petullo
Mark Phalan
Sharwan Ram
Brett Randall
Jonathan Reams
Jonathan Reed
Robert Relyea
Tony Reix
Martin Rex
Pat Riehecky
Julien Rische
Jason Rogers
Matt Rogers
Nate Rosenblum
Solly Ross
Mike Roszkowski
Guillaume Rousse
Joshua Schaeffer
Alexander Scheel
Jens Schleusener
Ryan Schmidt
Andreas Schneider
Paul Seyfert
Tom Shaw
Jim Shi
Jerry Shipman
Peter Shoults
Richard Silverman
Cel Skeggs
Simo Sorce
Michael Spang
Michael Ströder
Bjørn Tore Sund
Ondřej Surý
Joseph Sutton
Joe Travaglini
Sergei Trofimovich
Greg Troxel
Fraser Tweedale
Tim Uglow
Rathor Vipin
Denis Vlasenko
Thomas Wagner
Jorgen Wahlsten
Stef Walter
Max (Weijun) Wang
John Washington
Stef Walter
Xi Wang
Nehal J Wani
Kevin Wasserman
Margaret Wasserman
Marcus Watts
Andreas Wiese
Simon Wilkinson
Nicolas Williams
Ross Wilper
Augustin Wolf
Garrett Wollman
David Woodhouse
Tsu-Phong Wu
Xu Qiang
Neng Xue
Zhaomo Yang
Tianjiao Yin
Nickolai Zeldovich
Bean Zhang
Hanz van Zijst
Gertjan Zwartjes
The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.