                   Kerberos Version 5, Release 1.22

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2025 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    https://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    https://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    https://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

    https://krbdev.mit.edu/rt/

and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum. If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults]. To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type. In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

Major changes in 1.22 (2025-08-05)
----------------------------------

User experience:

* The libdefaults configuration variable "request_timeout" can be set
  to limit the total timeout for KDC requests. When making a KDC
  request, the client will now wait indefinitely (or until the request
  timeout has elapsed) on a KDC which accepts a TCP connection,
  without contacting any additional KDCs. Clients will make fewer DNS
  queries in some configurations.

* The realm configuration variable "sitename" can be set to cause the
  client to query site-specific DNS records when making KDC requests.

Administrator experience:

* Principal aliases are supported in the DB2 and LMDB KDB modules and
  in the kadmin protocol. (The LDAP KDB module has supported aliases
  since release 1.7.)

* UNIX domain sockets are supported for the Kerberos and kpasswd
  protocols.

* systemd socket activation is supported for krb5kdc and kadmind.

Developer experience:

* KDB modules can be implemented in terms of other modules using
  the new krb5_db_load_module() function.

* The profile library supports the modification of empty profiles and
  the copying of modified profiles, making it possible to construct an
  in-memory profile and pass it to krb5_init_context_profile().

* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
  gss_init_sec_context() to request strict enforcement of channel
  bindings by the acceptor.

Protocol evolution:

* The PKINIT preauth module supports elliptic curve client
  certificates, ECDH key exchange, and the Microsoft paChecksum2
  field.

* The IAKERB implementation has been changed to comply with the most
  recent draft standard and to support realm discovery.

* Message-Authenticator is supported in the RADIUS implementation used
  by the OTP kdcpreauth module.

Code quality:

* Removed old-style function declarations, to accommodate compilers
  which have removed support for them.

* Added OSS-Fuzz to the project's continuous integration
  infrastructure.

* Rewrote the GSS per-message token parsing code for improved safety.
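The settings introduced by the Triple-DES and RC4 transition section (allow_des3, allow_rc4) and by the user-experience items above (request_timeout, sitename), collected into one krb5.conf fragment. This is an added example, not text from the release notes or a file from the krb5 distribution: EXAMPLE.COM, kdc1.example.com and the site name are placeholders, and the 30s value for request_timeout and the form of the sitename value are assumptions rather than values stated in the notes.

```ini
# Added example, not from the krb5 release notes or source tree.
# Realm, host and site names are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM

    # 1.22: total time budget for one KDC request. Since 1.22 the client
    # stays on a KDC that accepted a TCP connection instead of moving on
    # to the next KDC, so this bound is what keeps a hung KDC from
    # stalling the client. The value form (a time-duration string) is an
    # assumption.
    request_timeout = 30s

    # 1.21: the KDC issues triple-DES or RC4 session keys only when these
    # are explicitly enabled. Leaving them false (the default) is the
    # hardened setting. The commented lines are the transitional
    # weakening an administrator would enable only while legacy services
    # still need such keys, and remove again once those services are gone.
    allow_des3 = false
    allow_rc4 = false
    # allow_des3 = true
    # allow_rc4 = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
        # 1.22: query site-specific DNS records for KDC discovery
        # (placeholder site name).
        sitename = site1
    }
```

A single service that cannot take aes256-sha1 session keys is better handled per principal than realm-wide: set the session_enctypes string attribute on that principal (kadmin's set_string command) rather than re-enabling the weak types for every ticket the KDC issues.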

krb5-1.22 changes by ticket ID
------------------------------

7721 Primary KDC lookups happen sooner than necessary
7899 Client waits before moving on after KDC_ERR_SVC_UNAVAILABLE
8618 ksu doesn't exit nonzero
9094 Get arm64-windows builds working
9095 PKINIT ECDH support
9096 Enable PKINIT if at least one group is available
9100 Add ecdsa-with-sha512/256 to supportedCMSTypes
9105 Wait indefinitely on KDC TCP connections
9106 Add request_timeout configuration parameter
9108 Remove PKINIT RSA support
9110 profile library null dereference when modifying empty profile
9111 Correct PKINIT EC cert signature metadata
9112 Support PKCS11 EC client certs in PKINIT
9113 Improve PKCS11 error reporting in PKINIT
9114 Build fails with link-time optimization
9116 Improve error message for DES kadmin/history key
9118 profile write operation interactions with reloading
9119 Make profile_copy() work on dirty profiles
9120 profile final flag limitations
9121 Don't flush libkrb5 context profiles
9122 Add GSS flag to include KERB_AP_OPTIONS_CBT
9123 Correct IAKERB protocol implementation
9124 Support site-local KDC discovery via DNS
9126 Handle empty initial buffer in IAKERB initiator
9130 make krb5_get_default_config_files public
9131 Adjust removed cred detection in FILE ccache
9132 Change krb5_get_credentials() endtime behavior
9133 Add acceptor-side IAKERB realm discovery
9135 Replace Windows installer FilesInUse dialog text
9139 Block library unloading to avoid finalizer races
9141 Fix krb5_crypto_us_timeofday() microseconds check
9142 Generate and verify message MACs in libkrad
9143 Fix memory leak in PAC checksum verification
9144 Fix potential PAC processing crash
9145 Prevent late initialization of GSS error map
9146 Allow null keyblocks in IOV checksum functions
9147 Add numeric constants to krad.h and use them
9148 Fix krb5_ldap_list_policy() filtering loop
9149 Use getentropy() when available
9151 Add kadmind support for disabling listening
9152 Default kdc_tcp_listen to kdc_listen value
9153 Fix LDAP module leak on authentication error
9154 Components of the X509_user_identity string cannot contain ':'
9155 UNIX domain socket support
9156 Allow KDB module stacking
9157 Add support for systemd socket activation
9158 Set missing mask flags for kdb5_util operations
9159 Prevent overflow when calculating ulog block size
9160 Allow only one salt type per enctype in key data
9161 Improve ulog block resize efficiency
9162 Build PKINIT on Windows
9163 Add alias support
9164 Add database format documentation
9165 Display NetBIOS ticket addresses in klist
9166 Add PKINIT paChecksum2 from MS-PKCA v20230920
9167 Add initiator-side IAKERB realm discovery
9168 Fix IAKERB accept_sec_context null pointer crash
9169 Fix IAKERB error handling
9170 Avoid gss_inquire_attrs_for_mech() null outputs
9171 Fix getsockname() call in Windows localaddr
9172 Check lengths in xdr_krb5_key_data()
9173 Limit -keepold for self-service key changes
9179 Avoid large numbers of refresh_time cache entries

Acknowledgements
----------------

Past Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    MITRE Corporation
    Morgan-Stanley
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    US Government Office of the National Coordinator for Health
        Information Technology (ONC)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Sarah Day
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Taylor Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Daniel Albers
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Pooja Anil
    Jeffrey Arbuckle
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    Nikhil Benesch
    David Benjamin
    Thomas Bernard
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Toby Blake
    Radoslav Bodo
    Alexander Bokovoy
    Zoltan Borbely
    Sumit Bose
    Emmanuel Bouillon
    Isaac Boukris
    Ulf Bremer
    Pavel Březina
    Philip Brown
    Samuel Cabrero
    Michael Calmer
    Andrea Campi
    Julien Chaffraix
    Jacob Champion
    Puran Chand
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Rachit Chokshi
    Seemant Choudhary
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Gerald Combs
    Simon Cooper
    Sylvain Cortes
    Ian Crowther
    Arran Cudbard-Bell
    Adam Dabrowski
    Jeff D'Angelo
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Rull Deef
    Alex Dehnert
    Misty De Meo
    Mark Deneen
    Günther Deschner
    John Devitofranceschi
    Marc Dionne
    Roland Dowdeswell
    Ken Dreyer
    Dorian Ducournau
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Valery Fedorenko
    Sergey Fedorov
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    Remi Ferrand
    Paul Fertser
    Fabiano Fidêncio
    Frank Filz
    William Fiveash
    Jacques Florent
    Oliver Freyermuth
    Ákos Frohner
    Sebastian Galiano
    Ilya Gladyshev
    Marcus Granado
    Dylan Gray
    Norm Green
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Feng Guo
    Timo Gurr
    Dominic Hargreaves
    Robbie Harwood
    John Hascall
    Jakob Haufe
    Matthieu Hautreux
    Jochen Hein
    Paul B. Henson
    Kihong Heo
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Sergey Ilinykh
    Wyllys Ingersoll
    Holger Isenberg
    Spencer Jackson
    Diogenes S. Jesus
    Mike Jetzer
    Pavel Jindra
    Brian Johannesmeyer
    Joel Johnson
    Lutz Justen
    Ganesh Kamath
    Alexander Karaivanov
    Anders Kaseorg
    Bar Katz
    Zentaro Kavanagh
    Mubashir Kazia
    W. Trevor King
    Steffen Kieß
    Patrik Kis
    Martin Kittel
    Thomas Klausner
    Tomasz Kłoczko
    Ivan Korytov
    Matthew Krupcale
    Mikkel Kruse
    Reinhard Kugler
    Harshawardhan Kulkarni
    Tomas Kuthan
    Pierre Labastie
    Andreas Ladanyi
    Chris Leick
    Volker Lendecke
    Jan iankko Lieskovsky
    Todd Lipcon
    Oliver Loch
    Chris Long
    Kevin Longfellow
    Frank Lonigro
    Jon Looney
    Nuno Lopes
    Todd Lubin
    Ryan Lynch
    Glenn Machin
    Roland Mainz
    Sorin Manolache
    Robert Marshall
    Andrei Maslennikov
    Michael Mattioli
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Vipul Mehta
    Alexey Melnikov
    Ivan A. Melnikov
    Franklyn Mendez
    Stefan Metzmacher
    Mantas Mikulėnas
    Markus Moeller
    Kyle Moffett
    Jon Moore
    Paul Moore
    Keiichi Mori
    Michael Morony
    Robert Morris
    Sam Morris
    Zbysek Mraz
    Edward Murrell
    Bahaa Naamneh
    Joshua Neuheisel
    Nikos Nikoleris
    Demi Obenour
    Felipe Ortega
    Michael Osipov
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Dilyan Palauzov
    Tom Parker
    Eric Pauly
    Leonard Peirce
    Ezra Peisach
    Alejandro Perez
    Zoran Pericic
    W. Michael Petullo
    Mark Phalan
    Sharwan Ram
    Brett Randall
    Jonathan Reams
    Jonathan Reed
    Robert Relyea
    Tony Reix
    Martin Rex
    Pat Riehecky
    Julien Rische
    Jason Rogers
    Matt Rogers
    Nate Rosenblum
    Solly Ross
    Mike Roszkowski
    Guillaume Rousse
    Joshua Schaeffer
    Alexander Scheel
    Jens Schleusener
    Ryan Schmidt
    Andreas Schneider
    Eli Schwartz
    Paul Seyfert
    Tom Shaw
    Jim Shi
    Jerry Shipman
    Peter Shoults
    Richard Silverman
    Cel Skeggs
    Simo Sorce
    Anthony Sottile
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Ondřej Surý
    Joseph Sutton
    Alexey Tikhonov
    Joe Travaglini
    Sergei Trofimovich
    Greg Troxel
    Fraser Tweedale
    Tim Uglow
    Rathor Vipin
    Denis Vlasenko
    Thomas Wagner
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Xi Wang
    Nehal J Wani
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    Garrett Wollman
    David Woodhouse
    Tsu-Phong Wu
    Xu Qiang
    Neng Xue
    Zhaomo Yang
    Tianjiao Yin
    Nickolai Zeldovich
    Bean Zhang
    ChenChen Zhou
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.