                   Kerberos Version 5, Release 1.22

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2025 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats.  The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    https://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    https://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    https://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

https://krbdev.mit.edu/rt/

and using the "Guest Login" button.  Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata.  S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets.  Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum.  If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults].  To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type.  Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type.  In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

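The following audit sketch is an added example, not part of the krb5
distribution.  It reads the [libdefaults] section of a krb5.conf and
reports where triple-DES or RC4 has been re-enabled through allow_des3
or allow_rc4, or is named in an enctype list.  The sample configuration
is constructed, and the enctype list variables checked
(permitted_enctypes, default_tkt_enctypes, default_tgs_enctypes) are
existing libdefaults settings that this README does not mention.

```python
import re

# Boolean spellings the krb5 profile library treats as true.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
LEGACY_FLAGS = ("allow_des3", "allow_rc4")
ENCTYPE_LISTS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
# Names and family aliases for the triple-DES and RC4 enctypes.
LEGACY_ENCTYPES = {
    "des3", "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
    "rc4", "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5",
}

def libdefaults(text):
    """Return the key/value relations of the [libdefaults] section."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1).strip()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            # Assumption: the first relation for a key is the one used.
            out.setdefault(key.strip(), value.strip())
    return out

def audit(text):
    """List findings where triple-DES or RC4 is re-enabled or requested."""
    conf, findings = libdefaults(text), []
    for flag in LEGACY_FLAGS:
        if conf.get(flag, "false").lower() in TRUE_VALUES:
            findings.append(f"{flag} is enabled")
    for key in ENCTYPE_LISTS:
        # Entries are separated by spaces or commas; a leading "-" removes
        # an enctype from the list, so such tokens are not findings.
        for token in re.split(r"[\s,]+", conf.get(key, "")):
            if token.lower() in LEGACY_ENCTYPES:
                findings.append(f"{key} lists {token}")
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_rc4 = true
    allow_des3 = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac -des3
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
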
Major changes in 1.22.1 (2025-08-20)
------------------------------------

This is a bug fix release.

* Fix a vulnerability in GSS MIC verification [CVE-2025-57736].

krb5-1.22.1 changes by ticket ID
--------------------------------

9181    verify_mic_v3 broken in 1.22

Major changes in 1.22 (2025-08-05)
----------------------------------

User experience:

* The libdefaults configuration variable "request_timeout" can be set
  to limit the total timeout for KDC requests.  When making a KDC
  request, the client will now wait indefinitely (or until the request
  timeout has elapsed) on a KDC which accepts a TCP connection,
  without contacting any additional KDCs.  Clients will make fewer DNS
  queries in some configurations.

* The realm configuration variable "sitename" can be set to cause the
  client to query site-specific DNS records when making KDC requests.

Administrator experience:

* Principal aliases are supported in the DB2 and LMDB KDB modules and
  in the kadmin protocol.  (The LDAP KDB module has supported aliases
  since release 1.7.)

* UNIX domain sockets are supported for the Kerberos and kpasswd
  protocols.

* systemd socket activation is supported for krb5kdc and kadmind.

Developer experience:

* KDB modules can be implemented in terms of other modules using
  the new krb5_db_load_module() function.

* The profile library supports the modification of empty profiles and
  the copying of modified profiles, making it possible to construct an
  in-memory profile and pass it to krb5_init_context_profile().

* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
  gss_init_sec_context() to request strict enforcement of channel
  bindings by the acceptor.

Protocol evolution:

* The PKINIT preauth module supports elliptic curve client
  certificates, ECDH key exchange, and the Microsoft paChecksum2
  field.

* The IAKERB implementation has been changed to comply with the most
  recent draft standard and to support realm discovery.

* Message-Authenticator is supported in the RADIUS implementation used
  by the OTP kdcpreauth module.

Code quality:

* Removed old-style function declarations, to accommodate compilers
  which have removed support for them.

* Added OSS-Fuzz to the project's continuous integration
  infrastructure.

* Rewrote the GSS per-message token parsing code for improved safety.

krb5-1.22 changes by ticket ID
------------------------------

7721    Primary KDC lookups happen sooner than necessary
7899    Client waits before moving on after KDC_ERR_SVC_UNAVAILABLE
8618    ksu doesn't exit nonzero
9094    Get arm64-windows builds working
9095    PKINIT ECDH support
9096    Enable PKINIT if at least one group is available
9100    Add ecdsa-with-sha512/256 to supportedCMSTypes
9105    Wait indefinitely on KDC TCP connections
9106    Add request_timeout configuration parameter
9108    Remove PKINIT RSA support
9110    profile library null dereference when modifying empty profile
9111    Correct PKINIT EC cert signature metadata
9112    Support PKCS11 EC client certs in PKINIT
9113    Improve PKCS11 error reporting in PKINIT
9114    Build fails with link-time optimization
9116    Improve error message for DES kadmin/history key
9118    profile write operation interactions with reloading
9119    Make profile_copy() work on dirty profiles
9120    profile final flag limitations
9121    Don't flush libkrb5 context profiles
9122    Add GSS flag to include KERB_AP_OPTIONS_CBT
9123    Correct IAKERB protocol implementation
9124    Support site-local KDC discovery via DNS
9126    Handle empty initial buffer in IAKERB initiator
9130    make krb5_get_default_config_files public
9131    Adjust removed cred detection in FILE ccache
9132    Change krb5_get_credentials() endtime behavior
9133    Add acceptor-side IAKERB realm discovery
9135    Replace Windows installer FilesInUse dialog text
9139    Block library unloading to avoid finalizer races
9141    Fix krb5_crypto_us_timeofday() microseconds check
9142    Generate and verify message MACs in libkrad
9143    Fix memory leak in PAC checksum verification
9144    Fix potential PAC processing crash
9145    Prevent late initialization of GSS error map
9146    Allow null keyblocks in IOV checksum functions
9147    Add numeric constants to krad.h and use them
9148    Fix krb5_ldap_list_policy() filtering loop
9149    Use getentropy() when available
9151    Add kadmind support for disabling listening
9152    Default kdc_tcp_listen to kdc_listen value
9153    Fix LDAP module leak on authentication error
9154    Components of the X509_user_identity string cannot contain ':'
9155    UNIX domain socket support
9156    Allow KDB module stacking
9157    Add support for systemd socket activation
9158    Set missing mask flags for kdb5_util operations
9159    Prevent overflow when calculating ulog block size
9160    Allow only one salt type per enctype in key data
9161    Improve ulog block resize efficiency
9162    Build PKINIT on Windows
9163    Add alias support
9164    Add database format documentation
9165    Display NetBIOS ticket addresses in klist
9166    Add PKINIT paChecksum2 from MS-PKCA v20230920
9167    Add initiator-side IAKERB realm discovery
9168    Fix IAKERB accept_sec_context null pointer crash
9169    Fix IAKERB error handling
9170    Avoid gss_inquire_attrs_for_mech() null outputs
9171    Fix getsockname() call in Windows localaddr
9172    Check lengths in xdr_krb5_key_data()
9173    Limit -keepold for self-service key changes
9179    Avoid large numbers of refresh_time cache entries

Acknowledgements
----------------

Past Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    MITRE Corporation
    Morgan-Stanley
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    US Government Office of the National Coordinator for Health
        Information Technology (ONC)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Sarah Day
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Taylor Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Daniel Albers
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Pooja Anil
    Jeffrey Arbuckle
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    Nikhil Benesch
    David Benjamin
    Thomas Bernard
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Toby Blake
    Radoslav Bodo
    Alexander Bokovoy
    Zoltan Borbely
    Sumit Bose
    Emmanuel Bouillon
    Isaac Boukris
    Ulf Bremer
    Pavel Březina
    Philip Brown
    Samuel Cabrero
    Michael Calmer
    Andrea Campi
    Julien Chaffraix
    Jacob Champion
    Puran Chand
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Rachit Chokshi
    Seemant Choudhary
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Gerald Combs
    Simon Cooper
    Sylvain Cortes
    Ian Crowther
    Arran Cudbard-Bell
    Adam Dabrowski
    Jeff D'Angelo
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Rull Deef
    Alex Dehnert
    Misty De Meo
    Mark Deneen
    Günther Deschner
    John Devitofranceschi
    Marc Dionne
    Roland Dowdeswell
    Ken Dreyer
    Dorian Ducournau
    Francis Dupont
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Valery Fedorenko
    Sergey Fedorov
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    Remi Ferrand
    Paul Fertser
    Fabiano Fidêncio
    Frank Filz
    William Fiveash
    Jacques Florent
    Oliver Freyermuth
    Ákos Frohner
    Sebastian Galiano
    Ilya Gladyshev
    Marcus Granado
    Dylan Gray
    Norm Green
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Feng Guo
    Timo Gurr
    Dominic Hargreaves
    Robbie Harwood
    John Hascall
    Jakob Haufe
    Matthieu Hautreux
    Jochen Hein
    Paul B. Henson
    Kihong Heo
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Sergey Ilinykh
    Wyllys Ingersoll
    Holger Isenberg
    Spencer Jackson
    Diogenes S. Jesus
    Mike Jetzer
    Pavel Jindra
    Brian Johannesmeyer
    Joel Johnson
    Lutz Justen
    Ganesh Kamath
    Alexander Karaivanov
    Anders Kaseorg
    Bar Katz
    Zentaro Kavanagh
    Mubashir Kazia
    W. Trevor King
    Steffen Kieß
    Patrik Kis
    Martin Kittel
    Thomas Klausner
    Tomasz Kłoczko
    Ivan Korytov
    Matthew Krupcale
    Mikkel Kruse
    Reinhard Kugler
    Harshawardhan Kulkarni
    Tomas Kuthan
    Pierre Labastie
    Andreas Ladanyi
    Chris Leick
    Volker Lendecke
    Jan iankko Lieskovsky
    Todd Lipcon
    Oliver Loch
    Chris Long
    Kevin Longfellow
    Frank Lonigro
    Jon Looney
    Nuno Lopes
    Todd Lubin
    Ryan Lynch
    Glenn Machin
    Roland Mainz
    Sorin Manolache
    Robert Marshall
    Andrei Maslennikov
    Michael Mattioli
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Vipul Mehta
    Alexey Melnikov
    Ivan A. Melnikov
    Franklyn Mendez
    Stefan Metzmacher
    Mantas Mikulėnas
    Markus Moeller
    Kyle Moffett
    Jon Moore
    Paul Moore
    Keiichi Mori
    Michael Morony
    Robert Morris
    Sam Morris
    Zbysek Mraz
    Edward Murrell
    Bahaa Naamneh
    Joshua Neuheisel
    Nikos Nikoleris
    Demi Obenour
    Felipe Ortega
    Michael Osipov
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Dilyan Palauzov
    Tom Parker
    Eric Pauly
    Leonard Peirce
    Ezra Peisach
    Alejandro Perez
    Zoran Pericic
    W. Michael Petullo
    Mark Phalan
    Sharwan Ram
    Brett Randall
    Jonathan Reams
    Jonathan Reed
    Robert Relyea
    Tony Reix
    Martin Rex
    Pat Riehecky
    Julien Rische
    Jason Rogers
    Matt Rogers
    Nate Rosenblum
    Solly Ross
    Mike Roszkowski
    Guillaume Rousse
    Joshua Schaeffer
    Alexander Scheel
    Jens Schleusener
    Ryan Schmidt
    Andreas Schneider
    Eli Schwartz
    Paul Seyfert
    Tom Shaw
    Jim Shi
    Jerry Shipman
    Peter Shoults
    Richard Silverman
    Cel Skeggs
    Simo Sorce
    Anthony Sottile
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Ondřej Surý
    Joseph Sutton
    Alexey Tikhonov
    Joe Travaglini
    Sergei Trofimovich
    Greg Troxel
    Fraser Tweedale
    Tim Uglow
    Rathor Vipin
    Denis Vlasenko
    Thomas Wagner
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Stef Walter
    Xi Wang
    Nehal J Wani
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    Garrett Wollman
    David Woodhouse
    Tsu-Phong Wu
    Xu Qiang
    Neng Xue
    Zhaomo Yang
    Tianjiao Yin
    Nickolai Zeldovich
    Bean Zhang
    ChenChen Zhou
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.