From 1ff3e2653da2f73ab3cc4c4f220d7781b43c9362 Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Sat, 1 Jul 2000 03:48:01 +0000 Subject: pullup from 1.2.1 release git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12502 dc483132-0cff-0310-8789-dd5450dbe970 --- README | 252 ++++++++++++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 195 insertions(+), 57 deletions(-) (limited to 'README') diff --git a/README b/README index 19b193ec61..3e03b95316 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ these were the - Kerberos Version 5, Release 1.1 + Kerberos Version 5, Release 1.2 Release Notes which will be updated before the next release by @@ -9,11 +9,11 @@ Unpacking the Source Distribution --------------------------------- The source distribution of Kerberos 5 comes in three gzipped tarfiles, -krb5-1.1.src.tar.gz, krb5-1.1.doc.tar.gz, and krb5-1.1.crypto.tar.gz. -The krb5-1.1.doc.tar.gz contains the doc/ directory and this README -file. The krb5-1.1.src.tar.gz contains the src/ directory and this +krb5-1.2.src.tar.gz, krb5-1.2.doc.tar.gz, and krb5-1.2.crypto.tar.gz. +The krb5-1.2.doc.tar.gz contains the doc/ directory and this README +file. The krb5-1.2.src.tar.gz contains the src/ directory and this README file, except for the crypto library sources, which are in -krb5-1.1.crypto.tar.gz. +krb5-1.2.crypto.tar.gz. Instruction on how to extract the entire distribution follow. These directions assume that you want to extract into a directory called 
@@ -23,21 +23,21 @@ If you have the GNU tar program and gzip installed, you can simply do: mkdir DIST cd DIST - gtar zxpf krb5-1.1.src.tar.gz - gtar zxpf krb5-1.1.crypto.tar.gz - gtar zxpf krb5-1.1.doc.tar.gz + gtar zxpf krb5-1.2.src.tar.gz + gtar zxpf krb5-1.2.crypto.tar.gz + gtar zxpf krb5-1.2.doc.tar.gz If you don't have GNU tar, you will need to get the FSF gzip distribution and use gzcat: mkdir DIST cd DIST - gzcat krb5-1.1.src.tar.gz | tar xpf - - gzcat krb5-1.1.crypto.tar.gz | tar xpf - - gzcat krb5-1.1.doc.tar.gz | tar xpf - + gzcat krb5-1.2.src.tar.gz | tar xpf - + gzcat krb5-1.2.crypto.tar.gz | tar xpf - + gzcat krb5-1.2.doc.tar.gz | tar xpf - -Both of these methods will extract the sources into DIST/krb5-1.1/src -and the documentation into DIST/krb5-1.1/doc. +Both of these methods will extract the sources into DIST/krb5-1.2/src +and the documentation into DIST/krb5-1.2/doc. Building and Installing Kerberos 5 ---------------------------------- 
@@ -73,50 +73,170 @@ krb5-bugs@mit.edu. Notes, Major Changes, and Known Bugs ------------------------------------ -* Triple DES support is included; however, it is only usable for - service keys at the moment, due to a large number of compatibility - issues. For example, the GSSAPI library has some (buggy) support - for a triple DES session key, but it is intentionally disabled. - ** Do not use triple-DES in your config files except as described in - ** the documentation. - -* The principal database now uses the btree backend of Berkeley DB. - This should result in improved KDC performance. - -* The lib/rpc tests do not appear to work under NetBSD-1.4, for - reasons that are not completely clear at the moment, but probably - have something to do with portmapper interfacing. This should not - affect other operations, such as kadmind operation. - -* Shared library builds are under a new framework; at this point only - Solaris (2.x), Irix (6.5), NetBSD (1.4 i386), and possibly Linux are - known to work. All other working shared library builds may be - figments of your imagination. - -* Many existing databases, especially those converted from krb4 - original databases, may contain expiration dates in 1999. You - should make sure to update these expiration dates, and also change - any config file entries that have two-digit years. - -* Hardware preauthentication is known to be broken; this will be fixed - in an upcoming release. - -* krb524d now defaults to forking into the background; use - "krb524d -nofork" to avoid forking. - -* Not all reported bugs have been fixed in this release, due to time - constraints. We are planning to make another release in the near - future with more complete triple DES support, and additional - bugfixes. Many of the bugs in our database are reported against - what is now quite old code, or require hardware that we do not have, - which make them difficult to reproduce and debug. 
We will work on - these older bugs and some externally submitted patches for the - following release. +* Triple DES support, for session keys as well as user or service + keys, should be nearly complete in this release. Much of the work + that has been needed is generic multiple-cryptosystem support, so + the addition of another cryptosystem should be much easier. + + * GSSAPI support for 3DES has been added. An Internet Draft is + being worked on that will describe how this works; it is not + currently standardized. Some backwards-compatibility issues in + this area mean that enabling 3DES support must be done with + caution; service keys that are used for GSSAPI must not be updated + to 3DES until the services themselves are upgraded to support 3DES + under GSSAPI. + +* DNS support for locating KDCs is enabled by default. DNS support + for looking up the realm of a host is compiled in but disabled by + default (due to some concerns with DNS spoofing). + + We recommend that you publish your KDC information through DNS even + if you intend to rely on config files at your own site; otherwise, + sites that wish to communicate with you will have to keep their + config files updated with your information. One of the goals of + this code is to reduce the client-side configuration maintenance + requirements as much as is possible, without compromising security. + + See the administrator's guide for information on setting up DNS + information for your realm. + + One important effect of this for developers is that on many systems, + "-lresolv" must be added to the compiler command line when linking + Kerberos programs. + + Configure-time options are available to control the inclusion of the + DNS code and the setting of the defaults. Entries in krb5.conf will + also modify the behavior if the code has been compiled in. + +* Numerous buffer-overrun problems have been found and fixed. 
Many of + these were in locations we don't expect can be exploited in any + useful way (for example, overrunning a buffer of MAXPATHLEN bytes if + a compiled-in pathname is too long, in a program that has no special + privileges). It may be possible to exploit a few of these to + compromise system security. + +* Partial support for IPv6 addresses has been added. It can be + enabled or disabled at configure time with --enable-ipv6 or + --disable-ipv6; by default, the configure script will search for + certain types and macros, and enable the IPv6 code if they're found. + The IPv6 support at this time mostly consists of including the + addresses in credentials. + +* A protocol change has been made to the "rcmd" suite (rlogin, rsh, + rcp) to address several security problems described in Kris + Hildrum's paper presented at NDSS 2000. New command-line options + have been added to control the selection of protocol, since the + revised protocol is not compatible with the old one. + +* A security problem in login.krb5 has been fixed. This problem was + only present if the krb4 compatibility code was not compiled in. + +* A security problem with ftpd has been fixed. An error in the in the + yacc grammar permitted potential root access. + +* The client programs kinit, klist and kdestroy have been changed to + incorporate krb4 support. New command-line options control whether + krb4 behavior, krb5 behavior, or both are used. + +* Patches from Frank Cusack for much better hardware preauth support + have been incorporated. + +* Patches from Matt Crawford extend the kadmin ACL syntax so that + restrictions can be imposed on what certain administrators may do to + certain accounts. + +* A KDC on a host with multiple network addresses will now respond to + a client from the address that the client used to contact it. The + means used to implement this will however cause the KDC not to + listen on network addresses configured after the KDC has started. 
+ +Minor changes +------------- + +* The shell code for searching for the Tcl package at configure time + has been modified. If a tclConfig.sh can be found, the information + it contains is used, otherwise the old searching method is tried. + Let us know if this new scheme causes any problems. + +* Shared library builds may work on HPUX, Rhapsody/MacOS X, and newer + Alpha systems now. + +* The Windows build will now include kvno and gss-sample. + +* The routine krb5_secure_config_files has been disabled. A new + routine, krb5_init_secure_context, has been added in its place. + +* The routine decode_krb5_ticket is now being exported as + krb5_decode_ticket. Any programs that used the old name (which + should be few) should be changed to use the new name; we will + probably eliminate the old name in the future. + +* The CCAPI-based credentials cache code has been changed to store the + local-clock time of issue and expiration rather than the KDC-clock + times. + +* On systems with large numbers of IP addresses, "kinit" should do a + better job of acquiring those addresses to put in the user's + credentials. + +* Several memory leaks in error cases in the gssrpc code have been + fixed. + +* A bug with login clobbering some internal static storage on AIX has + been fixed. + +* Per-library initialization and cleanup functions have been added, + for use in configurations that dynamically load and unload these + libraries. + +* Many compile-time warnings have been fixed. + +* The GSS sample programs have been updated to exercise more of the + API. + +* The telnet server should produce a more meaningful error message if + authentication is required but not provided. + +* Changes have been made to ksu to make it more difficult to use it to + leak information the user does not have access to. + +* The sample config file information for the CYGNUS.COM realm has been + updated, and the GNU.ORG realm has been added. 
+ +* A configure-time option has been added to enable a replay cache in + the KDC. We recommend its use when hardware preauthentication is + being used. It is enabled by default, and can be disabled if + desired with the configure-time option --disable-kdc-replay-cache. + +* Some new routines have been added to the library and krb5.h. + +* A new routine has been added to the prompter interface to allow the + application to determine which of the strings prompted for is the + user's password, in case it is needed for other purposes. + +* The remote kadmin interface has been enhanced to support the + specification of key/salt types for a principal. + +* New keytab entries' key values can now be specified manually with a + new command in the ktutil program. + +* A longstanding bug where certain krb4 exchanges using the + compatibility library between systems with different byte orders + would fail half the time has been fixed. + +* A source file under the GPL has been replaced with an equivalent + under the BSD license. The file, strftime.c, was part of one of the + OpenVision admin system applications, and was only used on systems + that don't have strftime() in their C libraries. + +* Many bug reports are still outstanding in our database. We are + continuing to work on this backlog. + Copyright Notice and Legal Administrivia ---------------------------------------- -Copyright (C) 1985-1999 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2000 by the Massachusetts Institute of Technology. All rights reserved. @@ -156,6 +276,8 @@ manner. It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given). +---- + The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions 
@@ -194,6 +316,13 @@ of lib/rpc: and our gratitude for the valuable work which has been performed by MIT and the Kerberos community. +---- + + Portions contributed by Matt Crawford were + work performed at Fermi National Accelerator Laboratory, which is + operated by Universities Research Association, Inc., under + contract DE-AC02-76CHO3000 with the U.S. Department of Energy. + Acknowledgements ---------------- @@ -222,13 +351,22 @@ as testing to ensure DCE interoperability. Thanks to Ken Hornstein at NRL for providing many bug fixes and suggestions. +Thanks to Matt Crawford at FNAL for bugfixes and enhancements. + Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for their many suggestions and bug fixes. +Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and +providing patches for numerous buffer overruns. + +Thanks to Christopher Thompson and Marcus Watts for discovering the +ftpd security bug. + Thanks to the members of the Kerberos V5 development team at MIT, both past and present: Danillo Almeida, Jay Berkenbilt, Richard Basch, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam -Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Barry Jaspan, Geoffrey -King, John Kohl, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul -Park, Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff -Schiller, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu. +Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic, +Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott McGuire, +Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris +Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Brad Thompson, +Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu. -- cgit
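Review bot: The release header in the first hunk (@@ -1,5) and the tarball names in the two hunks after it now say 1.2, while the commit subject says the text is a pullup from the 1.2.1 release. If the README is meant to track 1.2.1, the release number and the krb5-1.2.*.tar.gz names should match it; if 1.2 is intended, a line in the commit message saying so would settle the question.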
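Review bot: In the @@ -73,50 +73,170 hunk, the security entries do not give an administrator enough to act on. The buffer-overrun item ends with "It may be possible to exploit a few of these to compromise system security" but names no programs, and the login.krb5 and ftpd items do not say which releases are affected; suggest naming the affected programs and releases, or stating plainly that sites running them should upgrade. The DNS item says "Entries in krb5.conf will also modify the behavior" and mentions configure-time options without naming either; since realm lookup is off by default because of DNS spoofing concerns, name the settings or point to the relevant section of the administrator's guide. The KDC replay cache entry is security-relevant and would be easier to find under the major changes than under "Minor changes". Also, "An error in the in the yacc grammar" repeats "in the".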
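Review bot: In the @@ -222,13 +351,22 hunk, "Miroslav Jurisic" is inserted ahead of "Barry Jaspan" in the development team list, which otherwise runs roughly alphabetically by surname; placing it after Jaspan keeps that order. In the new thanks line, "RedHat" is normally written "Red Hat".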