README
                   Kerberos Version 5, Release 1.22

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2026 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    https://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    https://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    https://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

    https://krbdev.mit.edu/rt/

and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum. If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults]. To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type. In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

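The following is an added example, not part of the MIT Kerberos
distribution: a Python check that scans the [libdefaults] section of a
krb5.conf for settings that re-enable triple-DES or RC4. The sample
configuration is constructed, and checking the enctype list variables
goes beyond the two flags named above.

```python
import re

# Strings the krb5 profile library parses as boolean true (case-insensitive).
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
WEAK_FLAGS = {"allow_des3": "triple-DES", "allow_rc4": "RC4"}
# Enctype list variables in [libdefaults]; checking them is an addition here.
ENCTYPE_LISTS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
# A leading "-" removes an enctype from a list, so only flag additions.
WEAK_NAME = re.compile(r"^\+?(des3|rc4|arcfour)", re.IGNORECASE)

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_des3 = false
    allow_rc4 = Yes
    permitted_enctypes = aes256-sha1 arcfour-hmac -des3

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def audit_libdefaults(conf_text):
    """Return (line, variable, message) findings for [libdefaults]."""
    # include/includedir directives are not followed; audit those files too.
    findings, section = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in WEAK_FLAGS and value.lower() in TRUE_VALUES:
            findings.append((lineno, key, WEAK_FLAGS[key] + " session keys allowed"))
        elif key in ENCTYPE_LISTS:
            weak = [t for t in re.split(r"[\s,]+", value) if WEAK_NAME.match(t)]
            if weak:
                findings.append((lineno, key, "lists " + ", ".join(weak)))
    return findings

if __name__ == "__main__":
    print(audit_libdefaults(SAMPLE_CONF))
```
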
Major changes in 1.22.2 (2026-01-29)
------------------------------------

This is a bug fix release.

* Fix a SPNEGO packet parsing bug which could cause GSS mechanism
  negotiation failure.

krb5-1.22.2 changes by ticket ID
--------------------------------

9183    Fix SPNEGO mechListMIC parsing
9188    Improve MSLSA ccache timestamp conversion
9189    Fix krb5 gss_acquire_cred() leak on some errors
9190    Make atomic ccache replacement work on Windows
9193    Fix uninitialized pointer dereference in libkrad
9194    Fix IAKERB realm discovery state machine logic

Major changes in 1.22.1 (2025-08-20)
------------------------------------

This is a bug fix release.

* Fix a vulnerability in GSS MIC verification [CVE-2025-57736].

krb5-1.22.1 changes by ticket ID
--------------------------------

9181    verify_mic_v3 broken in 1.22

Major changes in 1.22 (2025-08-05)
----------------------------------

User experience:

* The libdefaults configuration variable "request_timeout" can be set
  to limit the total timeout for KDC requests. When making a KDC
  request, the client will now wait indefinitely (or until the request
  timeout has elapsed) on a KDC which accepts a TCP connection,
  without contacting any additional KDCs. Clients will make fewer DNS
  queries in some configurations.

* The realm configuration variable "sitename" can be set to cause the
  client to query site-specific DNS records when making KDC requests.

Administrator experience:

* Principal aliases are supported in the DB2 and LMDB KDB modules and
  in the kadmin protocol. (The LDAP KDB module has supported aliases
  since release 1.7.)

* UNIX domain sockets are supported for the Kerberos and kpasswd
  protocols.

* systemd socket activation is supported for krb5kdc and kadmind.

Developer experience:

* KDB modules can be implemented in terms of other modules using
  the new krb5_db_load_module() function.

* The profile library supports the modification of empty profiles and
  the copying of modified profiles, making it possible to construct an
  in-memory profile and pass it to krb5_init_context_profile().

* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
  gss_init_sec_context() to request strict enforcement of channel
  bindings by the acceptor.

Protocol evolution:

* The PKINIT preauth module supports elliptic curve client
  certificates, ECDH key exchange, and the Microsoft paChecksum2
  field.

* The IAKERB implementation has been changed to comply with the most
  recent draft standard and to support realm discovery.

* Message-Authenticator is supported in the RADIUS implementation used
  by the OTP kdcpreauth module.

Code quality:

* Removed old-style function declarations, to accommodate compilers
  which have removed support for them.

* Added OSS-Fuzz to the project's continuous integration
  infrastructure.

* Rewrote the GSS per-message token parsing code for improved safety.

krb5-1.22 changes by ticket ID
------------------------------

7721    Primary KDC lookups happen sooner than necessary
7899    Client waits before moving on after KDC_ERR_SVC_UNAVAILABLE
8618    ksu doesn't exit nonzero
9094    Get arm64-windows builds working
9095    PKINIT ECDH support
9096    Enable PKINIT if at least one group is available
9100    Add ecdsa-with-sha512/256 to supportedCMSTypes
9105    Wait indefinitely on KDC TCP connections
9106    Add request_timeout configuration parameter
9108    Remove PKINIT RSA support
9110    profile library null dereference when modifying empty profile
9111    Correct PKINIT EC cert signature metadata
9112    Support PKCS11 EC client certs in PKINIT
9113    Improve PKCS11 error reporting in PKINIT
9114    Build fails with link-time optimization
9116    Improve error message for DES kadmin/history key
9118    profile write operation interactions with reloading
9119    Make profile_copy() work on dirty profiles
9120    profile final flag limitations
9121    Don't flush libkrb5 context profiles
9122    Add GSS flag to include KERB_AP_OPTIONS_CBT
9123    Correct IAKERB protocol implementation
9124    Support site-local KDC discovery via DNS
9126    Handle empty initial buffer in IAKERB initiator
9130    make krb5_get_default_config_files public
9131    Adjust removed cred detection in FILE ccache
9132    Change krb5_get_credentials() endtime behavior
9133    Add acceptor-side IAKERB realm discovery
9135    Replace Windows installer FilesInUse dialog text
9139    Block library unloading to avoid finalizer races
9141    Fix krb5_crypto_us_timeofday() microseconds check
9142    Generate and verify message MACs in libkrad
9143    Fix memory leak in PAC checksum verification
9144    Fix potential PAC processing crash
9145    Prevent late initialization of GSS error map
9146    Allow null keyblocks in IOV checksum functions
9147    Add numeric constants to krad.h and use them
9148    Fix krb5_ldap_list_policy() filtering loop
9149    Use getentropy() when available
9151    Add kadmind support for disabling listening
9152    Default kdc_tcp_listen to kdc_listen value
9153    Fix LDAP module leak on authentication error
9154    Components of the X509_user_identity string cannot contain ':'
9155    UNIX domain socket support
9156    Allow KDB module stacking
9157    Add support for systemd socket activation
9158    Set missing mask flags for kdb5_util operations
9159    Prevent overflow when calculating ulog block size
9160    Allow only one salt type per enctype in key data
9161    Improve ulog block resize efficiency
9162    Build PKINIT on Windows
9163    Add alias support
9164    Add database format documentation
9165    Display NetBIOS ticket addresses in klist
9166    Add PKINIT paChecksum2 from MS-PKCA v20230920
9167    Add initiator-side IAKERB realm discovery
9168    Fix IAKERB accept_sec_context null pointer crash
9169    Fix IAKERB error handling
9170    Avoid gss_inquire_attrs_for_mech() null outputs
9171    Fix getsockname() call in Windows localaddr
9172    Check lengths in xdr_krb5_key_data()
9173    Limit -keepold for self-service key changes
9179    Avoid large numbers of refresh_time cache entries

Acknowledgements
----------------

Past Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    MITRE Corporation
    Morgan-Stanley
    The National Aeronautics and Space Administration
      of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    US Government Office of the National Coordinator for Health
      Information Technology (ONC)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Sarah Day
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Taylor Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Daniel Albers
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Pooja Anil
    Jeffrey Arbuckle
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    Nikhil Benesch
    David Benjamin
    Thomas Bernard
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Toby Blake
    Radoslav Bodo
    Alexander Bokovoy
    Zoltan Borbely
    Sumit Bose
    Emmanuel Bouillon
    Isaac Boukris
    Ulf Bremer
    Pavel Březina
    Philip Brown
    Samuel Cabrero
    Michael Calmer
    Andrea Campi
    Julien Chaffraix
    Jacob Champion
    Puran Chand
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Rachit Chokshi
    Seemant Choudhary
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Gerald Combs
    Simon Cooper
    Sylvain Cortes
    Robert Crowston
    Ian Crowther
    Arran Cudbard-Bell
    Adam Dabrowski
    Jeff D'Angelo
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Rull Deef
    Alex Dehnert
    Misty De Meo
    Mark Deneen
    Günther Deschner
    John Devitofranceschi
    Marc Dionne
    Roland Dowdeswell
    Ken Dreyer
    Dorian Ducournau
    Francis Dupont
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Valery Fedorenko
    Sergey Fedorov
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    Remi Ferrand
    Paul Fertser
    Fabiano Fidêncio
    Frank Filz
    William Fiveash
    Jacques Florent
    Oliver Freyermuth
    Ákos Frohner
    Sebastian Galiano
    Ilya Gladyshev
    Marcus Granado
    Dylan Gray
    Norm Green
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Feng Guo
    Timo Gurr
    Dominic Hargreaves
    Robbie Harwood
    John Hascall
    Jakob Haufe
    Matthieu Hautreux
    Jochen Hein
    Paul B. Henson
    Kihong Heo
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Sergey Ilinykh
    Wyllys Ingersoll
    Holger Isenberg
    Spencer Jackson
    Diogenes S. Jesus
    Mike Jetzer
    Pavel Jindra
    Brian Johannesmeyer
    Joel Johnson
    Lutz Justen
    Ganesh Kamath
    Alexander Karaivanov
    Anders Kaseorg
    Bar Katz
    Zentaro Kavanagh
    Mubashir Kazia
    W. Trevor King
    Steffen Kieß
    Patrik Kis
    Martin Kittel
    Thomas Klausner
    Tomasz Kłoczko
    Ivan Korytov
    Matthew Krupcale
    Mikkel Kruse
    Reinhard Kugler
    Harshawardhan Kulkarni
    Tomas Kuthan
    Pierre Labastie
    Andreas Ladanyi
    Yubi Lee
    Chris Leick
    Volker Lendecke
    Jan iankko Lieskovsky
    Todd Lipcon
    Oliver Loch
    Chris Long
    Kevin Longfellow
    Frank Lonigro
    Jon Looney
    Nuno Lopes
    Todd Lubin
    Ryan Lynch
    Glenn Machin
    Roland Mainz
    Sorin Manolache
    Robert Marshall
    Andrei Maslennikov
    Michael Mattioli
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Vipul Mehta
    Alexey Melnikov
    Ivan A. Melnikov
    Franklyn Mendez
    Stefan Metzmacher
    Mantas Mikulėnas
    Markus Moeller
    Kyle Moffett
    Jon Moore
    Paul Moore
    Keiichi Mori
    Michael Morony
    Robert Morris
    Sam Morris
    Zbysek Mraz
    Edward Murrell
    Bahaa Naamneh
    Joshua Neuheisel
    Nikos Nikoleris
    Demi Obenour
    Felipe Ortega
    Michael Osipov
    Andrej Ota
    Dmitry Ovsyannikov
    Dmitri Pal
    Javier Palacios
    Dilyan Palauzov
    Tom Parker
    Eric Pauly
    Leonard Peirce
    Ezra Peisach
    Alejandro Perez
    Zoran Pericic
    W. Michael Petullo
    Mark Phalan
    Ben Pope
    Sharwan Ram
    Brett Randall
    Jonathan Reams
    Jonathan Reed
    Robert Relyea
    Tony Reix
    Martin Rex
    Pat Riehecky
    Julien Rische
    Jason Rogers
    Matt Rogers
    Nate Rosenblum
    Solly Ross
    Mike Roszkowski
    Guillaume Rousse
    Joshua Schaeffer
    Alexander Scheel
    Jens Schleusener
    Ryan Schmidt
    Andreas Schneider
    Eli Schwartz
    Paul Seyfert
    Tom Shaw
    Jim Shi
    Jerry Shipman
    Peter Shoults
    Richard Silverman
    Cel Skeggs
    Simo Sorce
    Anthony Sottile
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Ondřej Surý
    Joseph Sutton
    Alexey Tikhonov
    Joe Travaglini
    Sergei Trofimovich
    Greg Troxel
    Fraser Tweedale
    Tim Uglow
    Rathor Vipin
    Denis Vlasenko
    Thomas Wagner
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Stef Walter
    Xi Wang
    Nehal J Wani
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    Garrett Wollman
    David Woodhouse
    Tsu-Phong Wu
    Xu Qiang
    Neng Xue
    Zhaomo Yang
    Tianjiao Yin
    Nickolai Zeldovich
    Bean Zhang
    ChenChen Zhou
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
