                   Kerberos Version 5, Release 1.22

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2025 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats.  The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    https://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    https://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    https://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

    https://krbdev.mit.edu/rt/

and using the "Guest Login" button.  Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata.  S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets.  Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum.  If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults].  To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type.  Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type.  In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

Major changes in 1.22.1 (2025-08-20)
------------------------------------

This is a bug fix release.

* Fix a vulnerability in GSS MIC verification [CVE-2025-57736].

krb5-1.22.1 changes by ticket ID
--------------------------------

9181 verify_mic_v3 broken in 1.22

Major changes in 1.22 (2025-08-05)
----------------------------------

User experience:

* The libdefaults configuration variable "request_timeout" can be set
  to limit the total timeout for KDC requests.  When making a KDC
  request, the client will now wait indefinitely (or until the request
  timeout has elapsed) on a KDC which accepts a TCP connection,
  without contacting any additional KDCs.  Clients will make fewer DNS
  queries in some configurations.

* The realm configuration variable "sitename" can be set to cause the
  client to query site-specific DNS records when making KDC requests.

Administrator experience:

* Principal aliases are supported in the DB2 and LMDB KDB modules and
  in the kadmin protocol.  (The LDAP KDB module has supported aliases
  since release 1.7.)

* UNIX domain sockets are supported for the Kerberos and kpasswd
  protocols.

* systemd socket activation is supported for krb5kdc and kadmind.

Developer experience:

* KDB modules can be implemented in terms of other modules using
  the new krb5_db_load_module() function.

* The profile library supports the modification of empty profiles and
  the copying of modified profiles, making it possible to construct an
  in-memory profile and pass it to krb5_init_context_profile().

* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
  gss_init_sec_context() to request strict enforcement of channel
  bindings by the acceptor.

Protocol evolution:

* The PKINIT preauth module supports elliptic curve client
  certificates, ECDH key exchange, and the Microsoft paChecksum2
  field.

* The IAKERB implementation has been changed to comply with the most
  recent draft standard and to support realm discovery.

* Message-Authenticator is supported in the RADIUS implementation used
  by the OTP kdcpreauth module.

Code quality:

* Removed old-style function declarations, to accommodate compilers
  which have removed support for them.

* Added OSS-Fuzz to the project's continuous integration
  infrastructure.

* Rewrote the GSS per-message token parsing code for improved safety.

krb5-1.22 changes by ticket ID
------------------------------

7721 Primary KDC lookups happen sooner than necessary
7899 Client waits before moving on after KDC_ERR_SVC_UNAVAILABLE
8618 ksu doesn't exit nonzero
9094 Get arm64-windows builds working
9095 PKINIT ECDH support
9096 Enable PKINIT if at least one group is available
9100 Add ecdsa-with-sha512/256 to supportedCMSTypes
9105 Wait indefinitely on KDC TCP connections
9106 Add request_timeout configuration parameter
9108 Remove PKINIT RSA support
9110 profile library null dereference when modifying empty profile
9111 Correct PKINIT EC cert signature metadata
9112 Support PKCS11 EC client certs in PKINIT
9113 Improve PKCS11 error reporting in PKINIT
9114 Build fails with link-time optimization
9116 Improve error message for DES kadmin/history key
9118 profile write operation interactions with reloading
9119 Make profile_copy() work on dirty profiles
9120 profile final flag limitations
9121 Don't flush libkrb5 context profiles
9122 Add GSS flag to include KERB_AP_OPTIONS_CBT
9123 Correct IAKERB protocol implementation
9124 Support site-local KDC discovery via DNS
9126 Handle empty initial buffer in IAKERB initiator
9130 make krb5_get_default_config_files public
9131 Adjust removed cred detection in FILE ccache
9132 Change krb5_get_credentials() endtime behavior
9133 Add acceptor-side IAKERB realm discovery
9135 Replace Windows installer FilesInUse dialog text
9139 Block library unloading to avoid finalizer races
9141 Fix krb5_crypto_us_timeofday() microseconds check
9142 Generate and verify message MACs in libkrad
9143 Fix memory leak in PAC checksum verification
9144 Fix potential PAC processing crash
9145 Prevent late initialization of GSS error map
9146 Allow null keyblocks in IOV checksum functions
9147 Add numeric constants to krad.h and use them
9148 Fix krb5_ldap_list_policy() filtering loop
9149 Use getentropy() when available
9151 Add kadmind support for disabling listening
9152 Default kdc_tcp_listen to kdc_listen value
9153 Fix LDAP module leak on authentication error
9154 Components of the X509_user_identity string cannot contain ':'
9155 UNIX domain socket support
9156 Allow KDB module stacking
9157 Add support for systemd socket activation
9158 Set missing mask flags for kdb5_util operations
9159 Prevent overflow when calculating ulog block size
9160 Allow only one salt type per enctype in key data
9161 Improve ulog block resize efficiency
9162 Build PKINIT on Windows
9163 Add alias support
9164 Add database format documentation
9165 Display NetBIOS ticket addresses in klist
9166 Add PKINIT paChecksum2 from MS-PKCA v20230920
9167 Add initiator-side IAKERB realm discovery
9168 Fix IAKERB accept_sec_context null pointer crash
9169 Fix IAKERB error handling
9170 Avoid gss_inquire_attrs_for_mech() null outputs
9171 Fix getsockname() call in Windows localaddr
9172 Check lengths in xdr_krb5_key_data()
9173 Limit -keepold for self-service key changes
9179 Avoid large numbers of refresh_time cache entries

Acknowledgements
----------------

Past Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    MITRE Corporation
    Morgan-Stanley
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    US Government Office of the National Coordinator for Health
        Information Technology (ONC)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Sarah Day
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Taylor Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Daniel Albers
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Pooja Anil
    Jeffrey Arbuckle
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    Nikhil Benesch
    David Benjamin
    Thomas Bernard
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Toby Blake
    Radoslav Bodo
    Alexander Bokovoy
    Zoltan Borbely
    Sumit Bose
    Emmanuel Bouillon
    Isaac Boukris
    Ulf Bremer
    Pavel Březina
    Philip Brown
    Samuel Cabrero
    Michael Calmer
    Andrea Campi
    Julien Chaffraix
    Jacob Champion
    Puran Chand
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Rachit Chokshi
    Seemant Choudhary
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Gerald Combs
    Simon Cooper
    Sylvain Cortes
    Ian Crowther
    Arran Cudbard-Bell
    Adam Dabrowski
    Jeff D'Angelo
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Rull Deef
    Alex Dehnert
    Misty De Meo
    Mark Deneen
    Günther Deschner
    John Devitofranceschi
    Marc Dionne
    Roland Dowdeswell
    Ken Dreyer
    Dorian Ducournau
    Francis Dupont
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Valery Fedorenko
    Sergey Fedorov
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    Remi Ferrand
    Paul Fertser
    Fabiano Fidêncio
    Frank Filz
    William Fiveash
    Jacques Florent
    Oliver Freyermuth
    Ákos Frohner
    Sebastian Galiano
    Ilya Gladyshev
    Marcus Granado
    Dylan Gray
    Norm Green
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Feng Guo
    Timo Gurr
    Dominic Hargreaves
    Robbie Harwood
    John Hascall
    Jakob Haufe
    Matthieu Hautreux
    Jochen Hein
    Paul B. Henson
    Kihong Heo
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Sergey Ilinykh
    Wyllys Ingersoll
    Holger Isenberg
    Spencer Jackson
    Diogenes S. Jesus
    Mike Jetzer
    Pavel Jindra
    Brian Johannesmeyer
    Joel Johnson
    Lutz Justen
    Ganesh Kamath
    Alexander Karaivanov
    Anders Kaseorg
    Bar Katz
    Zentaro Kavanagh
    Mubashir Kazia
    W. Trevor King
    Steffen Kieß
    Patrik Kis
    Martin Kittel
    Thomas Klausner
    Tomasz Kłoczko
    Ivan Korytov
    Matthew Krupcale
    Mikkel Kruse
    Reinhard Kugler
    Harshawardhan Kulkarni
    Tomas Kuthan
    Pierre Labastie
    Andreas Ladanyi
    Chris Leick
    Volker Lendecke
    Jan iankko Lieskovsky
    Todd Lipcon
    Oliver Loch
    Chris Long
    Kevin Longfellow
    Frank Lonigro
    Jon Looney
    Nuno Lopes
    Todd Lubin
    Ryan Lynch
    Glenn Machin
    Roland Mainz
    Sorin Manolache
    Robert Marshall
    Andrei Maslennikov
    Michael Mattioli
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Vipul Mehta
    Alexey Melnikov
    Ivan A. Melnikov
    Franklyn Mendez
    Stefan Metzmacher
    Mantas Mikulėnas
    Markus Moeller
    Kyle Moffett
    Jon Moore
    Paul Moore
    Keiichi Mori
    Michael Morony
    Robert Morris
    Sam Morris
    Zbysek Mraz
    Edward Murrell
    Bahaa Naamneh
    Joshua Neuheisel
    Nikos Nikoleris
    Demi Obenour
    Felipe Ortega
    Michael Osipov
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Dilyan Palauzov
    Tom Parker
    Eric Pauly
    Leonard Peirce
    Ezra Peisach
    Alejandro Perez
    Zoran Pericic
    W. Michael Petullo
    Mark Phalan
    Sharwan Ram
    Brett Randall
    Jonathan Reams
    Jonathan Reed
    Robert Relyea
    Tony Reix
    Martin Rex
    Pat Riehecky
    Julien Rische
    Jason Rogers
    Matt Rogers
    Nate Rosenblum
    Solly Ross
    Mike Roszkowski
    Guillaume Rousse
    Joshua Schaeffer
    Alexander Scheel
    Jens Schleusener
    Ryan Schmidt
    Andreas Schneider
    Eli Schwartz
    Paul Seyfert
    Tom Shaw
    Jim Shi
    Jerry Shipman
    Peter Shoults
    Richard Silverman
    Cel Skeggs
    Simo Sorce
    Anthony Sottile
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Ondřej Surý
    Joseph Sutton
    Alexey Tikhonov
    Joe Travaglini
    Sergei Trofimovich
    Greg Troxel
    Fraser Tweedale
    Tim Uglow
    Rathor Vipin
    Denis Vlasenko
    Thomas Wagner
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Xi Wang
    Nehal J Wani
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    Garrett Wollman
    David Woodhouse
    Tsu-Phong Wu
    Xu Qiang
    Neng Xue
    Zhaomo Yang
    Tianjiao Yin
    Nickolai Zeldovich
    Bean Zhang
    ChenChen Zhou
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.