32 Star 0 Fork 4

openKylin/krb5

加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
贡献代码
同步代码
取消
提示: 由于 Git 不支持空文件夾,创建文件夹后会生成空的 .keep 文件
Loading...
README
Kerberos Version 5, Release 1.20

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2022 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats.  The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    https://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    https://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    https://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

https://krbdev.mit.edu/rt/

and using the "Guest Login" button.  Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

PAC transition
--------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata.  S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets.  If only some KDCs in a realm have been upgraded
across version 1.20, the upgraded KDCs will reject S4U requests
containing tickets from non-upgraded KDCs and vice versa.

Triple-DES transition
---------------------

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type.  In future releases, this encryption type will be disabled by
default and eventually removed.

Beginning with the krb5-1.18 release, single-DES encryption types have
been removed.

Major changes in 1.20.1 (2022-11-15)
------------------------------------

This is a bug fix release.

* Fix integer overflows in PAC parsing [CVE-2022-42898].

* Fix null deref in KDC when decoding invalid NDR.

* Fix memory leak in OTP kdcpreauth module.

* Fix PKCS11 module path search.

krb5-1.20.1 changes by ticket ID
--------------------------------

9061    Fix memory leak in SPAKE kdcpreauth module
9062    Fix net-server.c when AI_NUMERICSERV is undefined
9063    Fix memory leak in OTP kdcpreauth module
9064    Free verto context later in KDC cleanup
9065    Fix uncommon PKINIT memory leak
9067    Fix PKCS11 module path search
9073    Fix null deref in KDC when decoding invalid NDR
9074    Fix integer overflows in PAC parsing

Major changes in 1.20 (2022-05-26)
----------------------------------

Administrator experience:

* Added a "disable_pac" realm relation to suppress adding PAC authdata
  to tickets, for realms which do not need to support S4U requests.

* Most credential cache types will use atomic replacement when a cache
  is reinitialized using kinit or refreshed from the client keytab.

* kprop can now propagate databases with a dump size larger than 4GB,
  if both the client and server are upgraded.

* kprop can now work over NATs that change the destination IP address,
  if the client is upgraded.

Developer experience:

* Updated the KDB interface.  The sign_authdata() method is replaced
  with the issue_pac() method, allowing KDB modules to add logon info
  and other buffers to the PAC issued by the KDC.

* Host-based initiator names are better supported in the GSS krb5
  mechanism.

Protocol evolution:

* Replaced AD-SIGNEDPATH authdata with minimal PACs.

* To avoid spurious replay errors, password change requests will not
  be attempted over UDP until the attempt over TCP fails.

* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.

Code quality:

* Updated all code using OpenSSL to be compatible with OpenSSL 3.

* Reorganized the libk5crypto build system to allow the OpenSSL
  back-end to pull in material from the builtin back-end depending on
  the OpenSSL version.

* Simplified the PRNG logic to always use the platform PRNG.

* Converted the remaining Tcl tests to Python.

krb5-1.20 changes by ticket ID
------------------------------

7707    Credential cache API does not support atomic reinitialization
8010    gss_store_cred should initialize ccache and work with collections
8970    Wrong Encryption types shown in MIT Kerberos Ticket Manager on Windows
8976    all-liblinks build target fails when symlinks not supported
8977    Allow kprop over more types of NATs
8978    Support host-based GSS initiator names
8980    Add APIs for marshalling credentials
8981    Documentation__krb5.conf
8983    Infer name type when creating principals
8988    Only require one valid pkinit anchor/pool value
8990    Add KCM_OP_GET_CRED_LIST for faster iteration
8991    Fix PKINIT memory leaks
8994    Fix gss-krb5 handling of high sequence numbers
8995    KCM interop issue with KRB5_TC_ flags
8997    Use KCM_OP_RETRIEVE in KCM client
8998    Simplify krb5_cccol_have_content()
8999    Add additional KRB5_TRACE points
9000    Fix multiple UPN handling in PKINIT client certs
9002    Check for undefined kadm5 policy mask bits
9003    Add duplicate check to kadm5_create_policy()
9009    Update IRC pointer in resources.rst
9010    Add MAXHOSTNAME guard in Windows public header
9011    Fix some principal realm canonicalization cases
9012    Allow kinit with keytab to defer canonicalization
9013    Fix kadmin -k with fallback or referral realm
9017    Clarify and correct interposer plugin docs
9019    make check fails: OSError: AF_UNIX path too long
9022    Potential integer overflows
9024    Find gss_get_mic_iov extensions in GSS modules
9025    Use version-independent OpenLDAP links in docs
9027    Add OpenLDAP advice to princ_dns.rst
9028    Constify name field in four plugin vtables
9031    Fix verification of RODC-issued PAC KDC signature
9032    Always use platform PRNG
9034    Use builtin MD4, RC4 for OpenSSL 3.0
9035    Avoid use after free during libkrad cleanup
9036    Support larger RADIUS attributes in libkrad
9037    Race condition in krb5_set_password()
9038    Issue an error from KDC on S4U2Self failures
9039    Fix PAC handling of authtimes after y2038
9040    Use 14 instead of 9 for unkeyed SHA-1 checksum
9041    Add PA-REDHAT-IDP-OAUTH2 padata type
9042    Don't fail krb5_cc_select() for no default realm
9043    Add PAC ticket signature APIs
9044    Replace AD-SIGNEDPATH with minimal PACs
9047    Avoid passing null for asprintf strings
9048    Pass client flag to KDB for client preauth match
9049    Add replace_reply_key kdcpreauth callback
9050    Implement replaced_reply_key input to issue_pac()
9051    Clarify certauth interface documentation
9056    Fix iprop with fallback
9060    Read GSS configuration files with mtime 0

Acknowledgements
----------------

Past Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    MITRE Corporation
    Morgan-Stanley
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    US Government Office of the National Coordinator for Health
        Information Technology (ONC)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Sarah Day
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Taylor Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Daniel Albers
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Pooja Anil
    Jeffrey Arbuckle
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    Nikhil Benesch
    David Benjamin
    Thomas Bernard
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Toby Blake
    Radoslav Bodo
    Alexander Bokovoy
    Sumit Bose
    Emmanuel Bouillon
    Isaac Boukris
    Ulf Bremer
    Pavel Březina
    Philip Brown
    Samuel Cabrero
    Michael Calmer
    Andrea Campi
    Julien Chaffraix
    Puran Chand
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Rachit Chokshi
    Seemant Choudhary
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Simon Cooper
    Sylvain Cortes
    Ian Crowther
    Arran Cudbard-Bell
    Adam Dabrowski
    Jeff D'Angelo
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Alex Dehnert
    Misty De Meo
    Mark Deneen
    Günther Deschner
    John Devitofranceschi
    Marc Dionne
    Roland Dowdeswell
    Ken Dreyer
    Dorian Ducournau
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    Remi Ferrand
    Paul Fertser
    Fabiano Fidêncio
    Frank Filz
    William Fiveash
    Jacques Florent
    Oliver Freyermuth
    Ákos Frohner
    Sebastian Galiano
    Marcus Granado
    Dylan Gray
    Norm Green
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Timo Gurr
    Dominic Hargreaves
    Robbie Harwood
    John Hascall
    Jakob Haufe
    Matthieu Hautreux
    Jochen Hein
    Paul B. Henson
    Kihong Heo
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Sergey Ilinykh
    Wyllys Ingersoll
    Holger Isenberg
    Spencer Jackson
    Diogenes S. Jesus
    Mike Jetzer
    Pavel Jindra
    Brian Johannesmeyer
    Joel Johnson
    Lutz Justen
    Alexander Karaivanov
    Anders Kaseorg
    Bar Katz
    Zentaro Kavanagh
    Mubashir Kazia
    W. Trevor King
    Patrik Kis
    Martin Kittel
    Thomas Klausner
    Tomasz Kłoczko
    Matthew Krupcale
    Mikkel Kruse
    Reinhard Kugler
    Harshawardhan Kulkarni
    Tomas Kuthan
    Pierre Labastie
    Andreas Ladanyi
    Chris Leick
    Volker Lendecke
    Jan iankko Lieskovsky
    Todd Lipcon
    Oliver Loch
    Chris Long
    Kevin Longfellow
    Frank Lonigro
    Jon Looney
    Nuno Lopes
    Todd Lubin
    Ryan Lynch
    Glenn Machin
    Roland Mainz
    Sorin Manolache
    Robert Marshall
    Andrei Maslennikov
    Michael Mattioli
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Vipul Mehta
    Alexey Melnikov
    Ivan A. Melnikov
    Franklyn Mendez
    Mantas Mikulėnas
    Markus Moeller
    Kyle Moffett
    Paul Moore
    Keiichi Mori
    Michael Morony
    Sam Morris
    Zbysek Mraz
    Edward Murrell
    Joshua Neuheisel
    Nikos Nikoleris
    Demi Obenour
    Felipe Ortega
    Michael Osipov
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Dilyan Palauzov
    Tom Parker
    Eric Pauly
    Leonard Peirce
    Ezra Peisach
    Alejandro Perez
    Zoran Pericic
    W. Michael Petullo
    Mark Phalan
    Sharwan Ram
    Brett Randall
    Jonathan Reams
    Jonathan Reed
    Robert Relyea
    Tony Reix
    Martin Rex
    Pat Riehecky
    Julien Rische
    Jason Rogers
    Matt Rogers
    Nate Rosenblum
    Solly Ross
    Mike Roszkowski
    Guillaume Rousse
    Joshua Schaeffer
    Alexander Scheel
    Jens Schleusener
    Ryan Schmidt
    Andreas Schneider
    Paul Seyfert
    Tom Shaw
    Jim Shi
    Jerry Shipman
    Peter Shoults
    Richard Silverman
    Cel Skeggs
    Simo Sorce
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Ondřej Surý
    Joseph Sutton
    Joe Travaglini
    Sergei Trofimovich
    Greg Troxel
    Fraser Tweedale
    Tim Uglow
    Rathor Vipin
    Denis Vlasenko
    Thomas Wagner
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Stef Walter
    Xi Wang
    Nehal J Wani
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    Garrett Wollman
    David Woodhouse
    Tsu-Phong Wu
    Xu Qiang
    Neng Xue
    Zhaomo Yang
    Tianjiao Yin
    Nickolai Zeldovich
    Bean Zhang
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.

空文件

简介

暂无描述 展开 收起
取消

发行版

暂无发行版

贡献者

全部

近期动态

加载更多
不能加载更多了
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/openkylin/krb5.git
git@gitee.com:openkylin/krb5.git
openkylin
krb5
krb5
openkylin/nile

搜索帮助