                   Kerberos Version 5, Release 1.22

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2026 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    https://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    https://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    https://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

https://krbdev.mit.edu/rt/

and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum. If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults]. To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type. In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

Major changes in 1.22.2 (2026-01-29)
------------------------------------

This is a bug fix release.

* Fix a SPNEGO packet parsing bug which could cause GSS mechanism
  negotiation failure.
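
For the "Triple-DES and RC4 transitions" section above, the following Python sketch is an added example, not part of the MIT release notes or the krb5 source. It scans krb5.conf text for allow_des3 or allow_rc4 being enabled in [libdefaults] and, going beyond what the notes state, for triple-DES or RC4 names in the permitted_enctypes, default_tkt_enctypes and default_tgs_enctypes lists; the sample configuration and its realm and host names are constructed.

```python
import re

# Triple-DES and RC4 enctype names and family aliases accepted in krb5.conf.
WEAK = {"des3", "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
        "des3-cbc-raw", "rc4", "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}
# Spellings the krb5 profile library accepts as boolean true.
TRUE = {"y", "yes", "true", "t", "1", "on"}
ENCTYPE_LISTS = {"permitted_enctypes", "default_tkt_enctypes",
                 "default_tgs_enctypes"}

def audit(text):
    """Return (line_no, variable, offending_value) for each weak setting
    found in the [libdefaults] section of krb5.conf text."""
    findings, section = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        rel = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if section != "libdefaults" or not rel:
            continue
        key, val = rel.group(1), rel.group(2).strip().lower()
        if key in ("allow_des3", "allow_rc4") and val in TRUE:
            findings.append((n, key, val))
        elif key in ENCTYPE_LISTS:
            # A leading "-" removes an enctype from the list, so only plain
            # or "+"-prefixed names count as enabling it.
            for tok in re.split(r"[\s,]+", val):
                if tok.lstrip("+") in WEAK:
                    findings.append((n, key, tok))
    return findings

# Constructed sample configuration (realm and host names are placeholders).
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_rc4 = true
    allow_des3 = false
    permitted_enctypes = aes256-sha1 des3-cbc-sha1 -rc4
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
"""

if __name__ == "__main__":
    for line_no, key, value in audit(SAMPLE):
        print(f"line {line_no}: {key} enables weak setting '{value}'")
```
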

krb5-1.22.2 changes by ticket ID
--------------------------------

9183    Fix SPNEGO mechListMIC parsing
9188    Improve MSLSA ccache timestamp conversion
9189    Fix krb5 gss_acquire_cred() leak on some errors
9190    Make atomic ccache replacement work on Windows
9193    Fix uninitialized pointer dereference in libkrad
9194    Fix IAKERB realm discovery state machine logic

Major changes in 1.22.1 (2025-08-20)
------------------------------------

This is a bug fix release.

* Fix a vulnerability in GSS MIC verification [CVE-2025-57736].

krb5-1.22.1 changes by ticket ID
--------------------------------

9181    verify_mic_v3 broken in 1.22

Major changes in 1.22 (2025-08-05)
----------------------------------

User experience:

* The libdefaults configuration variable "request_timeout" can be set
  to limit the total timeout for KDC requests. When making a KDC
  request, the client will now wait indefinitely (or until the request
  timeout has elapsed) on a KDC which accepts a TCP connection,
  without contacting any additional KDCs. Clients will make fewer DNS
  queries in some configurations.

* The realm configuration variable "sitename" can be set to cause the
  client to query site-specific DNS records when making KDC requests.

Administrator experience:

* Principal aliases are supported in the DB2 and LMDB KDB modules and
  in the kadmin protocol. (The LDAP KDB module has supported aliases
  since release 1.7.)

* UNIX domain sockets are supported for the Kerberos and kpasswd
  protocols.

* systemd socket activation is supported for krb5kdc and kadmind.

Developer experience:

* KDB modules can be implemented in terms of other modules using
  the new krb5_db_load_module() function.

* The profile library supports the modification of empty profiles and
  the copying of modified profiles, making it possible to construct an
  in-memory profile and pass it to krb5_init_context_profile().

* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
  gss_init_sec_context() to request strict enforcement of channel
  bindings by the acceptor.

Protocol evolution:

* The PKINIT preauth module supports elliptic curve client
  certificates, ECDH key exchange, and the Microsoft paChecksum2
  field.

* The IAKERB implementation has been changed to comply with the most
  recent draft standard and to support realm discovery.

* Message-Authenticator is supported in the RADIUS implementation used
  by the OTP kdcpreauth module.

Code quality:

* Removed old-style function declarations, to accommodate compilers
  which have removed support for them.

* Added OSS-Fuzz to the project's continuous integration
  infrastructure.

* Rewrote the GSS per-message token parsing code for improved safety.

krb5-1.22 changes by ticket ID
------------------------------

7721    Primary KDC lookups happen sooner than necessary
7899    Client waits before moving on after KDC_ERR_SVC_UNAVAILABLE
8618    ksu doesn't exit nonzero
9094    Get arm64-windows builds working
9095    PKINIT ECDH support
9096    Enable PKINIT if at least one group is available
9100    Add ecdsa-with-sha512/256 to supportedCMSTypes
9105    Wait indefinitely on KDC TCP connections
9106    Add request_timeout configuration parameter
9108    Remove PKINIT RSA support
9110    profile library null dereference when modifying empty profile
9111    Correct PKINIT EC cert signature metadata
9112    Support PKCS11 EC client certs in PKINIT
9113    Improve PKCS11 error reporting in PKINIT
9114    Build fails with link-time optimization
9116    Improve error message for DES kadmin/history key
9118    profile write operation interactions with reloading
9119    Make profile_copy() work on dirty profiles
9120    profile final flag limitations
9121    Don't flush libkrb5 context profiles
9122    Add GSS flag to include KERB_AP_OPTIONS_CBT
9123    Correct IAKERB protocol implementation
9124    Support site-local KDC discovery via DNS
9126    Handle empty initial buffer in IAKERB initiator
9130    make krb5_get_default_config_files public
9131    Adjust removed cred detection in FILE ccache
9132    Change krb5_get_credentials() endtime behavior
9133    Add acceptor-side IAKERB realm discovery
9135    Replace Windows installer FilesInUse dialog text
9139    Block library unloading to avoid finalizer races
9141    Fix krb5_crypto_us_timeofday() microseconds check
9142    Generate and verify message MACs in libkrad
9143    Fix memory leak in PAC checksum verification
9144    Fix potential PAC processing crash
9145    Prevent late initialization of GSS error map
9146    Allow null keyblocks in IOV checksum functions
9147    Add numeric constants to krad.h and use them
9148    Fix krb5_ldap_list_policy() filtering loop
9149    Use getentropy() when available
9151    Add kadmind support for disabling listening
9152    Default kdc_tcp_listen to kdc_listen value
9153    Fix LDAP module leak on authentication error
9154    Components of the X509_user_identity string cannot contain ':'
9155    UNIX domain socket support
9156    Allow KDB module stacking
9157    Add support for systemd socket activation
9158    Set missing mask flags for kdb5_util operations
9159    Prevent overflow when calculating ulog block size
9160    Allow only one salt type per enctype in key data
9161    Improve ulog block resize efficiency
9162    Build PKINIT on Windows
9163    Add alias support
9164    Add database format documentation
9165    Display NetBIOS ticket addresses in klist
9166    Add PKINIT paChecksum2 from MS-PKCA v20230920
9167    Add initiator-side IAKERB realm discovery
9168    Fix IAKERB accept_sec_context null pointer crash
9169    Fix IAKERB error handling
9170    Avoid gss_inquire_attrs_for_mech() null outputs
9171    Fix getsockname() call in Windows localaddr
9172    Check lengths in xdr_krb5_key_data()
9173    Limit -keepold for self-service key changes
9179    Avoid large numbers of refresh_time cache entries

Acknowledgements
----------------

Past Sponsors of the MIT Kerberos Consortium:

  Apple
  Carnegie Mellon University
  Centrify Corporation
  Columbia University
  Cornell University
  The Department of Defense of the United States of America (DoD)
  Fidelity Investments
  Google
  Iowa State University
  MIT
  Michigan State University
  Microsoft
  MITRE Corporation
  Morgan-Stanley
  The National Aeronautics and Space Administration
    of the United States of America (NASA)
  Network Appliance (NetApp)
  Nippon Telephone and Telegraph (NTT)
  US Government Office of the National Coordinator for Health
    Information Technology (ONC)
  Oracle
  Pennsylvania State University
  Red Hat
  Stanford University
  TeamF1, Inc.
  The University of Alaska
  The University of Michigan
  The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

  Danilo Almeida
  Jeffrey Altman
  Justin Anderson
  Richard Basch
  Mitch Berger
  Jay Berkenbilt
  Andrew Boardman
  Bill Bryant
  Steve Buckley
  Joe Calzaretta
  John Carr
  Mark Colan
  Don Davis
  Sarah Day
  Alexandra Ellwood
  Carlos Garay
  Dan Geer
  Nancy Gilman
  Matt Hancher
  Thomas Hardjono
  Sam Hartman
  Paul Hill
  Marc Horowitz
  Eva Jacobus
  Miroslav Jurisic
  Barry Jaspan
  Benjamin Kaduk
  Geoffrey King
  Kevin Koch
  John Kohl
  HaoQi Li
  Jonathan Lin
  Peter Litwack
  Scott McGuire
  Steve Miller
  Kevin Mitchell
  Cliff Neuman
  Paul Park
  Ezra Peisach
  Chris Provenzano
  Ken Raeburn
  Jon Rochlis
  Jeff Schiller
  Jen Selby
  Robert Silk
  Bill Sommerfeld
  Jennifer Steiner
  Ralph Swick
  Brad Thompson
  Harry Tsai
  Zhanna Tsitkova
  Ted Ts'o
  Marshall Vale
  Taylor Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

  Ian Abbott
  Daniel Albers
  Brandon Allbery
  Russell Allbery
  Brian Almeida
  Michael B Allen
  Pooja Anil
  Jeffrey Arbuckle
  Heinz-Ado Arnolds
  Derek Atkins
  Mark Bannister
  David Bantz
  Alex Baule
  Nikhil Benesch
  David Benjamin
  Thomas Bernard
  Adam Bernstein
  Arlene Berry
  Jeff Blaine
  Toby Blake
  Radoslav Bodo
  Alexander Bokovoy
  Zoltan Borbely
  Sumit Bose
  Emmanuel Bouillon
  Isaac Boukris
  Ulf Bremer
  Pavel Březina
  Philip Brown
  Samuel Cabrero
  Michael Calmer
  Andrea Campi
  Julien Chaffraix
  Jacob Champion
  Puran Chand
  Ravi Channavajhala
  Srinivas Cheruku
  Leonardo Chiquitto
  Rachit Chokshi
  Seemant Choudhary
  Howard Chu
  Andrea Cirulli
  Christopher D. Clausen
  Kevin Coffman
  Gerald Combs
  Simon Cooper
  Sylvain Cortes
  Robert Crowston
  Ian Crowther
  Arran Cudbard-Bell
  Adam Dabrowski
  Jeff D'Angelo
  Nalin Dahyabhai
  Mark Davies
  Dennis Davis
  Rull Deef
  Alex Dehnert
  Misty De Meo
  Mark Deneen
  Günther Deschner
  John Devitofranceschi
  Marc Dionne
  Roland Dowdeswell
  Ken Dreyer
  Dorian Ducournau
  Francis Dupont
  Viktor Dukhovni
  Jason Edgecombe
  Mark Eichin
  Shawn M. Emery
  Douglas E. Engert
  Peter Eriksson
  Juha Erkkilä
  Gilles Espinasse
  Valery Fedorenko
  Sergey Fedorov
  Ronni Feldt
  Bill Fellows
  JC Ferguson
  Remi Ferrand
  Paul Fertser
  Fabiano Fidêncio
  Frank Filz
  William Fiveash
  Jacques Florent
  Oliver Freyermuth
  Ákos Frohner
  Sebastian Galiano
  Ilya Gladyshev
  Marcus Granado
  Dylan Gray
  Norm Green
  Scott Grizzard
  Helmut Grohne
  Steve Grubb
  Philip Guenther
  Feng Guo
  Timo Gurr
  Dominic Hargreaves
  Robbie Harwood
  John Hascall
  Jakob Haufe
  Matthieu Hautreux
  Jochen Hein
  Paul B. Henson
  Kihong Heo
  Jeff Hodges
  Christopher Hogan
  Love Hörnquist Åstrand
  Ken Hornstein
  Henry B. Hotz
  Luke Howard
  Jakub Hrozek
  Shumon Huque
  Jeffrey Hutzelman
  Sergey Ilinykh
  Wyllys Ingersoll
  Holger Isenberg
  Spencer Jackson
  Diogenes S. Jesus
  Mike Jetzer
  Pavel Jindra
  Brian Johannesmeyer
  Joel Johnson
  Lutz Justen
  Ganesh Kamath
  Alexander Karaivanov
  Anders Kaseorg
  Bar Katz
  Zentaro Kavanagh
  Mubashir Kazia
  W. Trevor King
  Steffen Kieß
  Patrik Kis
  Martin Kittel
  Thomas Klausner
  Tomasz Kłoczko
  Ivan Korytov
  Matthew Krupcale
  Mikkel Kruse
  Reinhard Kugler
  Harshawardhan Kulkarni
  Tomas Kuthan
  Pierre Labastie
  Andreas Ladanyi
  Yubi Lee
  Chris Leick
  Volker Lendecke
  Jan iankko Lieskovsky
  Todd Lipcon
  Oliver Loch
  Chris Long
  Kevin Longfellow
  Frank Lonigro
  Jon Looney
  Nuno Lopes
  Todd Lubin
  Ryan Lynch
  Glenn Machin
  Roland Mainz
  Sorin Manolache
  Robert Marshall
  Andrei Maslennikov
  Michael Mattioli
  Nathaniel McCallum
  Greg McClement
  Cameron Meadors
  Vipul Mehta
  Alexey Melnikov
  Ivan A. Melnikov
  Franklyn Mendez
  Stefan Metzmacher
  Mantas Mikulėnas
  Markus Moeller
  Kyle Moffett
  Jon Moore
  Paul Moore
  Keiichi Mori
  Michael Morony
  Robert Morris
  Sam Morris
  Zbysek Mraz
  Edward Murrell
  Bahaa Naamneh
  Joshua Neuheisel
  Nikos Nikoleris
  Demi Obenour
  Felipe Ortega
  Michael Osipov
  Andrej Ota
  Dmitry Ovsyannikov
  Dmitri Pal
  Javier Palacios
  Dilyan Palauzov
  Tom Parker
  Eric Pauly
  Leonard Peirce
  Ezra Peisach
  Alejandro Perez
  Zoran Pericic
  W. Michael Petullo
  Mark Phalan
  Ben Pope
  Sharwan Ram
  Brett Randall
  Jonathan Reams
  Jonathan Reed
  Robert Relyea
  Tony Reix
  Martin Rex
  Pat Riehecky
  Julien Rische
  Jason Rogers
  Matt Rogers
  Nate Rosenblum
  Solly Ross
  Mike Roszkowski
  Guillaume Rousse
  Joshua Schaeffer
  Alexander Scheel
  Jens Schleusener
  Ryan Schmidt
  Andreas Schneider
  Eli Schwartz
  Paul Seyfert
  Tom Shaw
  Jim Shi
  Jerry Shipman
  Peter Shoults
  Richard Silverman
  Cel Skeggs
  Simo Sorce
  Anthony Sottile
  Michael Spang
  Michael Ströder
  Bjørn Tore Sund
  Ondřej Surý
  Joseph Sutton
  Alexey Tikhonov
  Joe Travaglini
  Sergei Trofimovich
  Greg Troxel
  Fraser Tweedale
  Tim Uglow
  Rathor Vipin
  Denis Vlasenko
  Thomas Wagner
  Jorgen Wahlsten
  Stef Walter
  Max (Weijun) Wang
  John Washington
  Stef Walter
  Xi Wang
  Nehal J Wani
  Kevin Wasserman
  Margaret Wasserman
  Marcus Watts
  Andreas Wiese
  Simon Wilkinson
  Nicolas Williams
  Ross Wilper
  Augustin Wolf
  Garrett Wollman
  David Woodhouse
  Tsu-Phong Wu
  Xu Qiang
  Neng Xue
  Zhaomo Yang
  Tianjiao Yin
  Nickolai Zeldovich
  Bean Zhang
  ChenChen Zhou
  Hanz van Zijst
  Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.