Kerberos Version 5, Release 1.22

Release Notes
The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2025 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    https://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    https://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    https://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

    https://krbdev.mit.edu/rt/

and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum. If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults]. To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type. In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

Major changes in 1.22.1 (2025-08-20)
------------------------------------

This is a bug fix release.

* Fix a vulnerability in GSS MIC verification [CVE-2025-57736].

krb5-1.22.1 changes by ticket ID
--------------------------------

9181 verify_mic_v3 broken in 1.22

Major changes in 1.22 (2025-08-05)
----------------------------------

User experience:

* The libdefaults configuration variable "request_timeout" can be set
  to limit the total timeout for KDC requests. When making a KDC
  request, the client will now wait indefinitely (or until the request
  timeout has elapsed) on a KDC which accepts a TCP connection,
  without contacting any additional KDCs. Clients will make fewer DNS
  queries in some configurations.

* The realm configuration variable "sitename" can be set to cause the
  client to query site-specific DNS records when making KDC requests.
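An added example, not part of MIT krb5: a small audit script that reads a krb5.conf and reports the allow_des3/allow_rc4 settings and deprecated enctype names from the Triple-DES and RC4 transitions section above, together with the request_timeout and sitename variables described in the two bullets just above. The sample configuration is constructed, and the minimal profile parser is assumed to be sufficient for the [libdefaults] and [realms] sections shown.

```python
"""Audit a krb5.conf for the enctype-transition and KDC-request settings (added example)."""
import re

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """
[libdefaults]
    allow_rc4 = true
    request_timeout = 30
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        sitename = boston
    }
"""
WEAK = {"des3-cbc-sha1", "des3-hmac-sha1", "des3", "arcfour-hmac", "rc4-hmac"}  # 1.19/1.21 warnings

def parse_profile(text):
    # Minimal profile parser: [sections], key = value, and one level of { } sub-blocks.
    profile, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, sub = profile.setdefault(m.group(1), {}), None
        elif not line or section is None:
            continue                      # blank line, or text before any section
        elif line == "}":
            sub = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub)[key] = value
    return profile

def audit(text):
    # Returns human-readable findings in a fixed order (allow_*, enctype lists, timeout, sitename).
    prof = parse_profile(text)
    libd, out = prof.get("libdefaults", {}), []
    for var, name in (("allow_des3", "triple-DES"), ("allow_rc4", "RC4")):
        if libd.get(var, "false").lower() in ("true", "yes", "on", "1", "y", "t"):
            out.append(f"{var} re-enables {name} session keys; a 1.21+ KDC refuses them by default")
    for var in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        if weak := [e for e in libd.get(var, "").split() if e in WEAK]:
            out.append(f"{var} lists deprecated enctypes: {' '.join(weak)}")
    if "request_timeout" not in libd:
        out.append("request_timeout unset: a KDC that accepts TCP is waited on indefinitely")
    for realm, conf in prof.get("realms", {}).items():
        if isinstance(conf, dict) and "sitename" in conf:
            out.append(f"realm {realm} uses site-specific DNS records (sitename={conf['sitename']})")
    return out
```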
126
127Administrator experience:
128
129* Principal aliases are supported in the DB2 and LMDB KDB modules and
130 in the kadmin protocol. (The LDAP KDB module has supported aliases
131 since release 1.7.)
132
133* UNIX domain sockets are supported for the Kerberos and kpasswd
134 protocols.
135
136* systemd socket activation is supported for krb5kdc and kadmind.
137
138Developer experience:
139
140* KDB modules can be be implemented in terms of other modules using
141 the new krb5_db_load_module() function.
142
143* The profile library supports the modification of empty profiles and
144 the copying of modified profiles, making it possible to construct an
145 in-memory profile and pass it to krb5_init_context_profile().
146
147* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
148 gss_init_sec_context() to request strict enforcement of channel
149 bindings by the acceptor.
150
151Protocol evolution:
152
153* The PKINIT preauth module supports elliptic curve client
154 certificates, ECDH key exchange, and the Microsoft paChecksum2
155 field.
156
157* The IAKERB implementation has been changed to comply with the most
158 recent draft standard and to support realm discovery.
159
160* Message-Authenticator is supported in the RADIUS implementation used
161 by the OTP kdcpreauth module.
162
163Code quality:
164
165* Removed old-style function declarations, to accomodate compilers
166 which have removed support for them.
167
168* Added OSS-Fuzz to the project's continuous integration
169 infrastructure.
170
171* Rewrote the GSS per-message token parsing code for improved safety.
172
173krb5-1.22 changes by ticket ID
174------------------------------
175
1767721 Primary KDC lookups happen sooner than necessary
1777899 Client waits before moving on after KDC_ERR_SVC_UNAVAILABLE
1788618 ksu doesn't exit nonzero
1799094 Get arm64-windows builds working
1809095 PKINIT ECDH support
1819096 Enable PKINIT if at least one group is available
1829100 Add ecdsa-with-sha512/256 to supportedCMSTypes
1839105 Wait indefinitely on KDC TCP connections
1849106 Add request_timeout configuration parameter
1859108 Remove PKINIT RSA support
1869110 profile library null dereference when modifying empty profile
1879111 Correct PKINIT EC cert signature metadata
1889112 Support PKCS11 EC client certs in PKINIT
1899113 Improve PKCS11 error reporting in PKINIT
1909114 Build fails with link-time optimization
1919116 Improve error message for DES kadmin/history key
1929118 profile write operation interactions with reloading
1939119 Make profile_copy() work on dirty profiles
1949120 profile final flag limitations
1959121 Don't flush libkrb5 context profiles
1969122 Add GSS flag to include KERB_AP_OPTIONS_CBT
1979123 Correct IAKERB protocol implementation
1989124 Support site-local KDC discovery via DNS
1999126 Handle empty initial buffer in IAKERB initiator
2009130 make krb5_get_default_config_files public
2019131 Adjust removed cred detection in FILE ccache
2029132 Change krb5_get_credentials() endtime behavior
2039133 Add acceptor-side IAKERB realm discovery
2049135 Replace Windows installer FilesInUse dialog text
2059139 Block library unloading to avoid finalizer races
2069141 Fix krb5_crypto_us_timeofday() microseconds check
2079142 Generate and verify message MACs in libkrad
2089143 Fix memory leak in PAC checksum verification
2099144 Fix potential PAC processing crash
2109145 Prevent late initialization of GSS error map
2119146 Allow null keyblocks in IOV checksum functions
2129147 Add numeric constants to krad.h and use them
2139148 Fix krb5_ldap_list_policy() filtering loop
2149149 Use getentropy() when available
2159151 Add kadmind support for disabling listening
2169152 Default kdc_tcp_listen to kdc_listen value
2179153 Fix LDAP module leak on authentication error
2189154 Components of the X509_user_identity string cannot contain ':'
2199155 UNIX domain socket support
2209156 Allow KDB module stacking
2219157 Add support for systemd socket activation
2229158 Set missing mask flags for kdb5_util operations
2239159 Prevent overflow when calculating ulog block size
2249160 Allow only one salt type per enctype in key data
2259161 Improve ulog block resize efficiency
2269162 Build PKINIT on Windows
2279163 Add alias support
2289164 Add database format documentation
2299165 Display NetBIOS ticket addresses in klist
2309166 Add PKINIT paChecksum2 from MS-PKCA v20230920
2319167 Add initiator-side IAKERB realm discovery
2329168 Fix IAKERB accept_sec_context null pointer crash
2339169 Fix IAKERB error handling
2349170 Avoid gss_inquire_attrs_for_mech() null outputs
2359171 Fix getsockname() call in Windows localaddr
2369172 Check lengths in xdr_krb5_key_data()
2379173 Limit -keepold for self-service key changes
2389179 Avoid large numbers of refresh_time cache entries
239
Acknowledgements
----------------

Past Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    MITRE Corporation
    Morgan-Stanley
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    US Government Office of the National Coordinator for Health
        Information Technology (ONC)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Sarah Day
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Taylor Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Daniel Albers
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Pooja Anil
    Jeffrey Arbuckle
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    Nikhil Benesch
    David Benjamin
    Thomas Bernard
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Toby Blake
    Radoslav Bodo
    Alexander Bokovoy
    Zoltan Borbely
    Sumit Bose
    Emmanuel Bouillon
    Isaac Boukris
    Ulf Bremer
    Pavel Březina
    Philip Brown
    Samuel Cabrero
    Michael Calmer
    Andrea Campi
    Julien Chaffraix
    Jacob Champion
    Puran Chand
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Rachit Chokshi
    Seemant Choudhary
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Gerald Combs
    Simon Cooper
    Sylvain Cortes
    Ian Crowther
    Arran Cudbard-Bell
    Adam Dabrowski
    Jeff D'Angelo
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Rull Deef
    Alex Dehnert
    Misty De Meo
    Mark Deneen
    Günther Deschner
    John Devitofranceschi
    Marc Dionne
    Roland Dowdeswell
    Ken Dreyer
    Dorian Ducournau
    Francis Dupont
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Valery Fedorenko
    Sergey Fedorov
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    Remi Ferrand
    Paul Fertser
    Fabiano Fidêncio
    Frank Filz
    William Fiveash
    Jacques Florent
    Oliver Freyermuth
    Ákos Frohner
    Sebastian Galiano
    Ilya Gladyshev
    Marcus Granado
    Dylan Gray
    Norm Green
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Feng Guo
    Timo Gurr
    Dominic Hargreaves
    Robbie Harwood
    John Hascall
    Jakob Haufe
    Matthieu Hautreux
    Jochen Hein
    Paul B. Henson
    Kihong Heo
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Sergey Ilinykh
    Wyllys Ingersoll
    Holger Isenberg
    Spencer Jackson
    Diogenes S. Jesus
    Mike Jetzer
    Pavel Jindra
    Brian Johannesmeyer
    Joel Johnson
    Lutz Justen
    Ganesh Kamath
    Alexander Karaivanov
    Anders Kaseorg
    Bar Katz
    Zentaro Kavanagh
    Mubashir Kazia
    W. Trevor King
    Steffen Kieß
    Patrik Kis
    Martin Kittel
    Thomas Klausner
    Tomasz Kłoczko
    Ivan Korytov
    Matthew Krupcale
    Mikkel Kruse
    Reinhard Kugler
    Harshawardhan Kulkarni
    Tomas Kuthan
    Pierre Labastie
    Andreas Ladanyi
    Chris Leick
    Volker Lendecke
    Jan iankko Lieskovsky
    Todd Lipcon
    Oliver Loch
    Chris Long
    Kevin Longfellow
    Frank Lonigro
    Jon Looney
    Nuno Lopes
    Todd Lubin
    Ryan Lynch
    Glenn Machin
    Roland Mainz
    Sorin Manolache
    Robert Marshall
    Andrei Maslennikov
    Michael Mattioli
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Vipul Mehta
    Alexey Melnikov
    Ivan A. Melnikov
    Franklyn Mendez
    Stefan Metzmacher
    Mantas Mikulėnas
    Markus Moeller
    Kyle Moffett
    Jon Moore
    Paul Moore
    Keiichi Mori
    Michael Morony
    Robert Morris
    Sam Morris
    Zbysek Mraz
    Edward Murrell
    Bahaa Naamneh
    Joshua Neuheisel
    Nikos Nikoleris
    Demi Obenour
    Felipe Ortega
    Michael Osipov
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Dilyan Palauzov
    Tom Parker
    Eric Pauly
    Leonard Peirce
    Ezra Peisach
    Alejandro Perez
    Zoran Pericic
    W. Michael Petullo
    Mark Phalan
    Sharwan Ram
    Brett Randall
    Jonathan Reams
    Jonathan Reed
    Robert Relyea
    Tony Reix
    Martin Rex
    Pat Riehecky
    Julien Rische
    Jason Rogers
    Matt Rogers
    Nate Rosenblum
    Solly Ross
    Mike Roszkowski
    Guillaume Rousse
    Joshua Schaeffer
    Alexander Scheel
    Jens Schleusener
    Ryan Schmidt
    Andreas Schneider
    Eli Schwartz
    Paul Seyfert
    Tom Shaw
    Jim Shi
    Jerry Shipman
    Peter Shoults
    Richard Silverman
    Cel Skeggs
    Simo Sorce
    Anthony Sottile
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Ondřej Surý
    Joseph Sutton
    Alexey Tikhonov
    Joe Travaglini
    Sergei Trofimovich
    Greg Troxel
    Fraser Tweedale
    Tim Uglow
    Rathor Vipin
    Denis Vlasenko
    Thomas Wagner
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Xi Wang
    Nehal J Wani
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    Garrett Wollman
    David Woodhouse
    Tsu-Phong Wu
    Xu Qiang
    Neng Xue
    Zhaomo Yang
    Tianjiao Yin
    Nickolai Zeldovich
    Bean Zhang
    ChenChen Zhou
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
