1 | |
---|
2 | Kerberos Version 5, Release 1.2.5 |
---|
3 | |
---|
4 | Release Notes |
---|
5 | |
---|
6 | The MIT Kerberos Team |
---|
7 | |
---|
8 | Unpacking the Source Distribution |
---|
9 | --------------------------------- |
---|
10 | |
---|
11 | The source distribution of Kerberos 5 comes in a gzipped tarfile, |
---|
12 | krb5-1.2.5.tar.gz. Instruction on how to extract the entire |
---|
13 | distribution follow. These directions assume that you want to extract |
---|
14 | into a directory called DIST. |
---|
15 | |
---|
16 | If you have the GNU tar program and gzip installed, you can simply do: |
---|
17 | |
---|
18 | mkdir DIST |
---|
19 | cd DIST |
---|
20 | gtar zxpf krb5-1.2.5.tar.gz |
---|
21 | |
---|
22 | If you don't have GNU tar, you will need to get the FSF gzip |
---|
23 | distribution and use gzcat: |
---|
24 | |
---|
25 | mkdir DIST |
---|
26 | cd DIST |
---|
27 | gzcat krb5-1.2.5.tar.gz | tar xpf - |
---|
28 | |
---|
29 | Both of these methods will extract the sources into DIST/krb5-1.2.5/src |
---|
30 | and the documentation into DIST/krb5-1.2.5/doc. |
---|
31 | |
---|
32 | Building and Installing Kerberos 5 |
---|
33 | ---------------------------------- |
---|
34 | |
---|
35 | The first file you should look at is doc/install-guide.ps; it contains |
---|
36 | the notes for building and installing Kerberos 5. The info file |
---|
37 | krb5-install.info has the same information in info file format. You |
---|
38 | can view this using the GNU emacs info-mode, or by using the |
---|
39 | standalone info file viewer from the Free Software Foundation. This |
---|
40 | is also available as an HTML file, install.html. |
---|
41 | |
---|
42 | Other good files to look at are admin-guide.ps and user-guide.ps, |
---|
43 | which contain the system administrator's guide, and the user's guide, |
---|
44 | respectively. They are also available as info files |
---|
45 | kerberos-admin.info and krb5-user.info, respectively. These files are |
---|
46 | also available as HTML files. |
---|
47 | |
---|
48 | If you are attempting to build under Windows, please see the |
---|
49 | src/windows/README file. |
---|
50 | |
---|
51 | Reporting Bugs |
---|
52 | -------------- |
---|
53 | |
---|
54 | Please report any problems/bugs/comments using the krb5-send-pr |
---|
55 | program. The krb5-send-pr program will be installed in the sbin |
---|
56 | directory once you have successfully compiled and installed Kerberos |
---|
57 | V5 (or if you have installed one of our binary distributions). |
---|
58 | |
---|
59 | If you are not able to use krb5-send-pr because you haven't been able |
---|
60 | compile and install Kerberos V5 on any platform, you may send mail to |
---|
61 | krb5-bugs@mit.edu. |
---|
62 | |
---|
63 | Notes, Major Changes, and Known Bugs for 1.2.5 |
---|
64 | ---------------------------------------------- |
---|
65 | |
---|
66 | Major Changes: |
---|
67 | |
---|
68 | * On MacOS X, we have reviewed the list of exported symbol names. As |
---|
69 | in earlier MacOS releases, and the Windows releases, but unlike the |
---|
70 | UNIX releases, the list of exported names accessible to applications |
---|
71 | is reduced to a predefined set of symbols. We are attempting to |
---|
72 | define a "stable" subset of the API we feel confident about |
---|
73 | providing, as opposed to giving applications access to half of the |
---|
74 | packet-manipulation functions we have. |
---|
75 | |
---|
76 | In future releases, we may investigate applying a similar export |
---|
77 | list under some UNIX shared library implementations. |
---|
78 | |
---|
79 | If a function you use is not exported, we probably figured it was |
---|
80 | functionality that should be internal to the library, or something |
---|
81 | that should be done with a different interface, or something we |
---|
82 | didn't know anyone was using at the moment and thought we'd like to |
---|
83 | clean up the interface later on. If you need it, and there isn't a |
---|
84 | cleaner way, contact us about getting it added back in to the export |
---|
85 | list. |
---|
86 | |
---|
87 | A few things are marked "deprecated" in the header file, but will |
---|
88 | continue to be provided under "#if KRB5_DEPRECATED" because even |
---|
89 | though they're ugly, we also know they're in use and we can't phase |
---|
90 | them out fast enough. We may replace the implementation later on |
---|
91 | with a shim on top of some cleaner mechanism. |
---|
92 | |
---|
93 | * For Heimdal (and possibly Microsoft) compatibility, we now accept |
---|
94 | encrypted delegated credentials in gssapi. Historically, the MIT |
---|
95 | implementation has sent delegated gssapi credentials "in the clear", |
---|
96 | but still encrypted in the AP-REQ. |
---|
97 | |
---|
98 | * IP address checks have been removed from rd_cred; this improves |
---|
99 | compatibility with Heimdal. |
---|
100 | |
---|
101 | Minor changes: |
---|
102 | |
---|
103 | * A null pointer dereference in the krb5 library has been fixed. |
---|
104 | |
---|
105 | Known bugs: |
---|
106 | |
---|
107 | * Most of the other known bugs from 1.2.3 and 1.2.4 are unchanged. |
---|
108 | |
---|
109 | Notes, Major Changes, and Known Bugs for 1.2.4 |
---|
110 | ---------------------------------------------- |
---|
111 | |
---|
112 | Notes: |
---|
113 | |
---|
114 | * Like the 1.2.3 release, this is a patch release. One critical login |
---|
115 | problem is fixed, and a problem with interoperability with |
---|
116 | Microsoft software is worked around. |
---|
117 | |
---|
118 | Major Changes: |
---|
119 | |
---|
120 | * The one-character bug introduced into the login.krb5 program that |
---|
121 | caused 8-character usernames to be rejected in some circumstances |
---|
122 | has been fixed. |
---|
123 | |
---|
124 | * The handling of key version numbers has been modified in places. |
---|
125 | The current formats of the keytab and srvtab files, as well as parts |
---|
126 | of the remote kadmin protocol, handle key version numbers as 8-bit |
---|
127 | quantities, when in fact they are 32-bit quantities. |
---|
128 | |
---|
129 | * In the keytab and srvtab support for krb5, searching for the |
---|
130 | "highest numbered" key version now has some heuristics to deal |
---|
131 | with the 8-bit kvno wrapping from 255 to 0 to 1.... If a kvno |
---|
132 | greater than 240 is found, the kvno values are assumed to range |
---|
133 | from 128 to 383 (127+256). This should handle cases like storing |
---|
134 | kvno values 255 and 256 in the file. |
---|
135 | |
---|
136 | * In the keytab and srvtab support for krb5, when looking for a key |
---|
137 | with a specific version number, the low 8 bits of the requested |
---|
138 | kvno are compared against the value stored in the file. |
---|
139 | |
---|
140 | * The "ktutil" program also has a new heuristic for choosing the |
---|
141 | "highest numbered" key in a keytab to be written out into a krb4 |
---|
142 | srvtab file. |
---|
143 | |
---|
144 | These heuristics all assume that key version numbers will be |
---|
145 | assigned sequentially, and that there will not be a large set of key |
---|
146 | version numbers in use at one time for any given principal in a |
---|
147 | keytab file. |
---|
148 | |
---|
149 | These changes were prompted by the discovery by Microsoft (while |
---|
150 | trying to write tools to generate MIT-style keytab files) that we |
---|
151 | could not store arbitrary 32-bit version numbers for keys. |
---|
152 | |
---|
153 | * Some issues with multiple enctype support in GSSAPI credential |
---|
154 | forwarding have been fixed. |
---|
155 | |
---|
156 | Minor Changes: |
---|
157 | |
---|
158 | * A few compilation problems have been fixed. |
---|
159 | |
---|
160 | * New test cases have been added to the test suite to exercise some of |
---|
161 | the new changes. |
---|
162 | |
---|
163 | Known Bugs: |
---|
164 | |
---|
165 | * Non-sequential key version numbering will confuse the new kvno |
---|
166 | handling heuristics. |
---|
167 | |
---|
168 | * Long-standing but newly recognized: |
---|
169 | |
---|
170 | * The remote kadmin protocol will produce incorrect results when key |
---|
171 | version numbers greater than 255 are being retrieved or stored. |
---|
172 | The kadmin.local program does not suffer from this problem. |
---|
173 | |
---|
174 | * We do not support storing multiple key versions for a principal in |
---|
175 | a srvtab file. |
---|
176 | |
---|
177 | * We do not support acquiring krb4 tickets using a srvtab or keytab |
---|
178 | file without acquiring krb5 tickets at the same time (i.e., the |
---|
179 | old krb4 "ksrvtgt" program). |
---|
180 | |
---|
181 | * most of the other known bugs from 1.2.3 |
---|
182 | |
---|
183 | Notes, Major Changes, and Known Bugs for 1.2.3 |
---|
184 | ---------------------------------------------- |
---|
185 | |
---|
186 | Notes: |
---|
187 | |
---|
188 | * This release is a patch release; some non-critical bugs and feature |
---|
189 | requests have not been incorporated. We have focussed mainly on |
---|
190 | important security fixes and usability fixes. |
---|
191 | |
---|
192 | Major Changes: |
---|
193 | |
---|
194 | * Certain problems with shared library builds have been eliminated or |
---|
195 | reduced on Linux and HP-UX. |
---|
196 | |
---|
197 | * Various bugs in single-DES enctype similarity have been fixed; the |
---|
198 | 1.0.x behavior of treating all single-DES enctype as equivalent has |
---|
199 | been restored for now. This may go away in a future release. Note |
---|
200 | that SUPPORT_DESMD5 will be treated as always false for now. |
---|
201 | |
---|
202 | * The KDC will now log a number of enctype parameters associated with |
---|
203 | KDC requests, in order to allow easier debugging of enctype-related |
---|
204 | problems. |
---|
205 | |
---|
206 | * A client will no longer attempt obtain a forwarded TGT with a |
---|
207 | session key enctype that the target server won't understand. |
---|
208 | |
---|
209 | * Triple-DES should work on Windows now. The SHA-1 implementation had |
---|
210 | a Windows-specific bug preventing it from working in most cases. |
---|
211 | |
---|
212 | * Various bugs in pty handling have been fixed. |
---|
213 | |
---|
214 | * Bogus utmp files with garbage characters in their names should not |
---|
215 | get created on Solaris. Also, utmp/wtmp handling code has been |
---|
216 | mostly rewritten, eliminating numerous bugs. |
---|
217 | |
---|
218 | * Potential buffer-overrun problems and null-pointer dereferences have |
---|
219 | been fixed in ftpd, telnetd, login.krb5, and SHA-1. The first three |
---|
220 | may be exploitable under certain conditions; the SHA-1 bug probably |
---|
221 | isn't, as far as we know. |
---|
222 | |
---|
223 | * For multiple-hop interrealm authentication, the realm transit path |
---|
224 | checking has been rewritten. The old code had a serious bug where |
---|
225 | some of the transited realms may not have been checked against the |
---|
226 | computed path. It was therefore possible to forge a remote client |
---|
227 | name in certain cases. We strongly recommend updating application |
---|
228 | server code where non-local principals may be found on ACLs. |
---|
229 | |
---|
230 | * In conjunction with the above fix, we've implemented KDC checking of |
---|
231 | the realm transit path, as described in the IETF's current |
---|
232 | kerberos-revisions draft, and set up the KDC to refuse to issue |
---|
233 | tickets with unacceptable transit paths. (Strictly speaking, |
---|
234 | according to the Kerberos specification, enforcement of these checks |
---|
235 | is supposed to be left to the application servers.) Thus, if your |
---|
236 | application servers can't be updated promptly but your KDC can, you |
---|
237 | can still prevent such tickets from being issued. This checking is |
---|
238 | controlled by a per-realm flag, and is enabled by default. |
---|
239 | |
---|
240 | * On AIX systems, the rlogin server should no longer hang when |
---|
241 | control-C is pressed. |
---|
242 | |
---|
243 | * New databases will be created in btree format by default. We |
---|
244 | believe the btree code to be less buggy than the hash format code we |
---|
245 | have been using. This should not affect the use of any existing |
---|
246 | databases, only newly created ones, and even that should be a |
---|
247 | transparent change. |
---|
248 | |
---|
249 | Known Bugs: |
---|
250 | |
---|
251 | * There may be problems with running a KDC on 64-bit platforms |
---|
252 | (environments where size_t and long are wider than 32 bits, such as |
---|
253 | alpha/Tru64, or Solaris/SPARC in SPARCv9 mode, for example), as |
---|
254 | indicated by the util/db2 tests not passing. These problems may |
---|
255 | also extend to the rpc library, which may prevent the kadmin |
---|
256 | protocol from functioning. These are being investigated. |
---|
257 | |
---|
258 | * ETYPE_INFO preauthentication data returned from the KDC are not |
---|
259 | sorted in the order requested by the client. This may result in |
---|
260 | preauthentication failure when encrypted timestamp preauthentication |
---|
261 | is required but the client doesn't understand some of the enctypes |
---|
262 | of the keys stored for it in the database. |
---|
263 | |
---|
264 | * The gssftp daemon and client, when running in krb4 mode, are |
---|
265 | inconsistent with respect to port numbers passed to the |
---|
266 | {mk,rd}_{priv,safe} functions. As a result, there is a small but |
---|
267 | nonzero probability that krb4 ftp with client and server on the same |
---|
268 | IP address will fail with a "Time is out of bounds" error. This |
---|
269 | includes the tests/dejagnu test suite, which tests the krb4 ftp |
---|
270 | functionality. The probability of this occuring seems to be less |
---|
271 | than 50%. |
---|
272 | |
---|
273 | * The gss-sample test application suite is known to not communicate |
---|
274 | with the gss-sample suite in 1.1.x and earlier releases. This is |
---|
275 | the result of changes to gss-sample to increase its functionality; |
---|
276 | fixes to allow for backwards compatibility will occur in a later |
---|
277 | release. |
---|
278 | |
---|
279 | * BSD/OS 4.x may have some problems compiling. These are being |
---|
280 | investigated. |
---|
281 | |
---|
282 | Notes, Major Changes, and Known Bugs for 1.2.2 |
---|
283 | ---------------------------------------------- |
---|
284 | |
---|
285 | Notes: |
---|
286 | |
---|
287 | * This release is a patch release; some non-critical bugs and feature |
---|
288 | requests have not been incorporated. |
---|
289 | |
---|
290 | Major Changes: |
---|
291 | |
---|
292 | * The KDC dump format has been updated to include per-principal policy |
---|
293 | information. This will require updating your slave KDCs before your |
---|
294 | master if you want things to still work. |
---|
295 | |
---|
296 | * A library bug that prevented kprop from working properly with DES3 |
---|
297 | keys has been fixed. |
---|
298 | |
---|
299 | * kpasswd should no longer coredump when there is no kadmin_server |
---|
300 | line in krb5.conf. |
---|
301 | |
---|
302 | * ASN.1 parsing has been improved to deal with indefinite encodings, |
---|
303 | such as those emitted by DCE-1.0 derived systems. |
---|
304 | |
---|
305 | * Preauthentication handling code in the initial ticket APIs has been |
---|
306 | fixed to handle zero-length ETYPE_INFO sequences without causing a |
---|
307 | NULL pointer dereference. |
---|
308 | |
---|
309 | * The replay cache should no longer leak temporary files. Related |
---|
310 | hard-to-analyze filename bugs in the rcache code should also be |
---|
311 | fixed. |
---|
312 | |
---|
313 | * Library builds should now work on AIX. |
---|
314 | |
---|
315 | * KDC local address search code should now work on AIX. |
---|
316 | |
---|
317 | * The yacc grammar for the ftp daemon has been modified to be |
---|
318 | compilable on HP/UX with Bison; namespace pollution from system |
---|
319 | headers was causing trouble before. |
---|
320 | |
---|
321 | Known Bugs: |
---|
322 | |
---|
323 | * The gss-sample test application suite is known to not communicate |
---|
324 | with the gss-sample suite in 1.1.x and earlier releases. This is |
---|
325 | the result of changes to increase functionality; fixes to allow for |
---|
326 | backwards compatibility will occur in a later release. |
---|
327 | |
---|
328 | * Handling of utmp and utmpx updates is known to be broken on some |
---|
329 | systems, such as Solaris 8. We are investigating possible solutions |
---|
330 | to this problem. |
---|
331 | |
---|
332 | * Tru64 Unix 5.0 (aka OSF/1 5.0), at least, has some problems with |
---|
333 | revoke() returning ENOTTY in open_slave in the pty library. One |
---|
334 | possible workaround is to insert |
---|
335 | |
---|
336 | vfs: |
---|
337 | revoke_tty_only = 0 |
---|
338 | |
---|
339 | in /etc/sysconfigtab. It is not known whether this workaround will |
---|
340 | cause other problems. |
---|
341 | |
---|
342 | * BSD/OS 4.x may have some problems compiling. These are being |
---|
343 | investigated. |
---|
344 | |
---|
345 | Notes, Major Changes, and Known Bugs for 1.2.1 and 1.2 |
---|
346 | ------------------------------------------------------ |
---|
347 | |
---|
348 | * Triple DES support, for session keys as well as user or service |
---|
349 | keys, should be nearly complete in this release. Much of the work |
---|
350 | that has been needed is generic multiple-cryptosystem support, so |
---|
351 | the addition of another cryptosystem should be much easier. |
---|
352 | |
---|
353 | * GSSAPI support for 3DES has been added. An Internet Draft is |
---|
354 | being worked on that will describe how this works; it is not |
---|
355 | currently standardized. Some backwards-compatibility issues in |
---|
356 | this area mean that enabling 3DES support must be done with |
---|
357 | caution; service keys that are used for GSSAPI must not be updated |
---|
358 | to 3DES until the services themselves are upgraded to support 3DES |
---|
359 | under GSSAPI. |
---|
360 | |
---|
361 | * DNS support for locating KDCs is enabled by default. DNS support |
---|
362 | for looking up the realm of a host is compiled in but disabled by |
---|
363 | default (due to some concerns with DNS spoofing). |
---|
364 | |
---|
365 | We recommend that you publish your KDC information through DNS even |
---|
366 | if you intend to rely on config files at your own site; otherwise, |
---|
367 | sites that wish to communicate with you will have to keep their |
---|
368 | config files updated with your information. One of the goals of |
---|
369 | this code is to reduce the client-side configuration maintenance |
---|
370 | requirements as much as is possible, without compromising security. |
---|
371 | |
---|
372 | See the administrator's guide for information on setting up DNS |
---|
373 | information for your realm. |
---|
374 | |
---|
375 | One important effect of this for developers is that on many systems, |
---|
376 | "-lresolv" must be added to the compiler command line when linking |
---|
377 | Kerberos programs. |
---|
378 | |
---|
379 | Configure-time options are available to control the inclusion of the |
---|
380 | DNS code and the setting of the defaults. Entries in krb5.conf will |
---|
381 | also modify the behavior if the code has been compiled in. |
---|
382 | |
---|
383 | * Numerous buffer-overrun problems have been found and fixed. Many of |
---|
384 | these were in locations we don't expect can be exploited in any |
---|
385 | useful way (for example, overrunning a buffer of MAXPATHLEN bytes if |
---|
386 | a compiled-in pathname is too long, in a program that has no special |
---|
387 | privileges). It may be possible to exploit a few of these to |
---|
388 | compromise system security. |
---|
389 | |
---|
390 | * Partial support for IPv6 addresses has been added. It can be |
---|
391 | enabled or disabled at configure time with --enable-ipv6 or |
---|
392 | --disable-ipv6; by default, the configure script will search for |
---|
393 | certain types and macros, and enable the IPv6 code if they're found. |
---|
394 | The IPv6 support at this time mostly consists of including the |
---|
395 | addresses in credentials. |
---|
396 | |
---|
397 | * A protocol change has been made to the "rcmd" suite (rlogin, rsh, |
---|
398 | rcp) to address several security problems described in Kris |
---|
399 | Hildrum's paper presented at NDSS 2000. New command-line options |
---|
400 | have been added to control the selection of protocol, since the |
---|
401 | revised protocol is not compatible with the old one. |
---|
402 | |
---|
403 | * A security problem in login.krb5 has been fixed. This problem was |
---|
404 | only present if the krb4 compatibility code was not compiled in. |
---|
405 | |
---|
406 | * A security problem with ftpd has been fixed. An error in the in the |
---|
407 | yacc grammar permitted potential root access. |
---|
408 | |
---|
409 | * The client programs kinit, klist and kdestroy have been changed to |
---|
410 | incorporate krb4 support. New command-line options control whether |
---|
411 | krb4 behavior, krb5 behavior, or both are used. |
---|
412 | |
---|
413 | * Patches from Frank Cusack for much better hardware preauth support |
---|
414 | have been incorporated. |
---|
415 | |
---|
416 | * Patches from Matt Crawford extend the kadmin ACL syntax so that |
---|
417 | restrictions can be imposed on what certain administrators may do to |
---|
418 | certain accounts. |
---|
419 | |
---|
420 | * A KDC on a host with multiple network addresses will now respond to |
---|
421 | a client from the address that the client used to contact it. The |
---|
422 | means used to implement this will however cause the KDC not to |
---|
423 | listen on network addresses configured after the KDC has started. |
---|
424 | |
---|
425 | Minor changes |
---|
426 | ------------- |
---|
427 | |
---|
428 | * The shell code for searching for the Tcl package at configure time |
---|
429 | has been modified. If a tclConfig.sh can be found, the information |
---|
430 | it contains is used, otherwise the old searching method is tried. |
---|
431 | Let us know if this new scheme causes any problems. |
---|
432 | |
---|
433 | * Shared library builds may work on HPUX, Rhapsody/MacOS X, and newer |
---|
434 | Alpha systems now. |
---|
435 | |
---|
436 | * The Windows build will now include kvno and gss-sample. |
---|
437 | |
---|
438 | * The routine krb5_secure_config_files has been disabled. A new |
---|
439 | routine, krb5_init_secure_context, has been added in its place. |
---|
440 | |
---|
441 | * The routine decode_krb5_ticket is now being exported as |
---|
442 | krb5_decode_ticket. Any programs that used the old name (which |
---|
443 | should be few) should be changed to use the new name; we will |
---|
444 | probably eliminate the old name in the future. |
---|
445 | |
---|
446 | * The CCAPI-based credentials cache code has been changed to store the |
---|
447 | local-clock time of issue and expiration rather than the KDC-clock |
---|
448 | times. |
---|
449 | |
---|
450 | * On systems with large numbers of IP addresses, "kinit" should do a |
---|
451 | better job of acquiring those addresses to put in the user's |
---|
452 | credentials. |
---|
453 | |
---|
454 | * Several memory leaks in error cases in the gssrpc code have been |
---|
455 | fixed. |
---|
456 | |
---|
457 | * A bug with login clobbering some internal static storage on AIX has |
---|
458 | been fixed. |
---|
459 | |
---|
460 | * Per-library initialization and cleanup functions have been added, |
---|
461 | for use in configurations that dynamically load and unload these |
---|
462 | libraries. |
---|
463 | |
---|
464 | * Many compile-time warnings have been fixed. |
---|
465 | |
---|
466 | * The GSS sample programs have been updated to exercise more of the |
---|
467 | API. |
---|
468 | |
---|
469 | * The telnet server should produce a more meaningful error message if |
---|
470 | authentication is required but not provided. |
---|
471 | |
---|
472 | * Changes have been made to ksu to make it more difficult to use it to |
---|
473 | leak information the user does not have access to. |
---|
474 | |
---|
475 | * The sample config file information for the CYGNUS.COM realm has been |
---|
476 | updated, and the GNU.ORG realm has been added. |
---|
477 | |
---|
478 | * A configure-time option has been added to enable a replay cache in |
---|
479 | the KDC. We recommend its use when hardware preauthentication is |
---|
480 | being used. It is enabled by default, and can be disabled if |
---|
481 | desired with the configure-time option --disable-kdc-replay-cache. |
---|
482 | |
---|
483 | * Some new routines have been added to the library and krb5.h. |
---|
484 | |
---|
485 | * A new routine has been added to the prompter interface to allow the |
---|
486 | application to determine which of the strings prompted for is the |
---|
487 | user's password, in case it is needed for other purposes. |
---|
488 | |
---|
489 | * The remote kadmin interface has been enhanced to support the |
---|
490 | specification of key/salt types for a principal. |
---|
491 | |
---|
492 | * New keytab entries' key values can now be specified manually with a |
---|
493 | new command in the ktutil program. |
---|
494 | |
---|
495 | * A longstanding bug where certain krb4 exchanges using the |
---|
496 | compatibility library between systems with different byte orders |
---|
497 | would fail half the time has been fixed. |
---|
498 | |
---|
499 | * A source file under the GPL has been replaced with an equivalent |
---|
500 | under the BSD license. The file, strftime.c, was part of one of the |
---|
501 | OpenVision admin system applications, and was only used on systems |
---|
502 | that don't have strftime() in their C libraries. |
---|
503 | |
---|
504 | * Many bug reports are still outstanding in our database. We are |
---|
505 | continuing to work on this backlog. |
---|
506 | |
---|
507 | |
---|
508 | Copyright Notice and Legal Administrivia |
---|
509 | ---------------------------------------- |
---|
510 | |
---|
511 | Copyright (C) 1985-2001 by the Massachusetts Institute of Technology. |
---|
512 | |
---|
513 | All rights reserved. |
---|
514 | |
---|
515 | Export of this software from the United States of America may require |
---|
516 | a specific license from the United States Government. It is the |
---|
517 | responsibility of any person or organization contemplating export to |
---|
518 | obtain such a license before exporting. |
---|
519 | |
---|
520 | WITHIN THAT CONSTRAINT, permission to use, copy, modify, and |
---|
521 | distribute this software and its documentation for any purpose and |
---|
522 | without fee is hereby granted, provided that the above copyright |
---|
523 | notice appear in all copies and that both that copyright notice and |
---|
524 | this permission notice appear in supporting documentation, and that |
---|
525 | the name of M.I.T. not be used in advertising or publicity pertaining |
---|
526 | to distribution of the software without specific, written prior |
---|
527 | permission. Furthermore if you modify this software you must label |
---|
528 | your software as modified software and not distribute it in such a |
---|
529 | fashion that it might be confused with the original MIT software. |
---|
530 | M.I.T. makes no representations about the suitability of this software |
---|
531 | for any purpose. It is provided "as is" without express or implied |
---|
532 | warranty. |
---|
533 | |
---|
534 | THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR |
---|
535 | IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED |
---|
536 | WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. |
---|
537 | |
---|
538 | Individual source code files are copyright MIT, Cygnus Support, |
---|
539 | OpenVision, Oracle, Sun Soft, FundsXpress, and others. |
---|
540 | |
---|
541 | Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, |
---|
542 | and Zephyr are trademarks of the Massachusetts Institute of Technology |
---|
543 | (MIT). No commercial use of these trademarks may be made without |
---|
544 | prior written permission of MIT. |
---|
545 | |
---|
546 | "Commercial use" means use of a name in a product or other for-profit |
---|
547 | manner. It does NOT prevent a commercial firm from referring to the |
---|
548 | MIT trademarks in order to convey information (although in doing so, |
---|
549 | recognition of their trademark status should be given). |
---|
550 | |
---|
551 | ---- |
---|
552 | |
---|
553 | The following copyright and permission notice applies to the |
---|
554 | OpenVision Kerberos Administration system located in kadmin/create, |
---|
555 | kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions |
---|
556 | of lib/rpc: |
---|
557 | |
---|
558 | Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved |
---|
559 | |
---|
560 | WARNING: Retrieving the OpenVision Kerberos Administration system |
---|
561 | source code, as described below, indicates your acceptance of the |
---|
562 | following terms. If you do not agree to the following terms, do not |
---|
563 | retrieve the OpenVision Kerberos administration system. |
---|
564 | |
---|
565 | You may freely use and distribute the Source Code and Object Code |
---|
566 | compiled from it, with or without modification, but this Source |
---|
567 | Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, |
---|
568 | INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR |
---|
569 | FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER |
---|
570 | EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY |
---|
571 | FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF |
---|
572 | SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR |
---|
573 | CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, |
---|
574 | WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE |
---|
575 | CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY |
---|
576 | OTHER REASON. |
---|
577 | |
---|
578 | OpenVision retains all copyrights in the donated Source Code. OpenVision |
---|
579 | also retains copyright to derivative works of the Source Code, whether |
---|
580 | created by OpenVision or by a third party. The OpenVision copyright |
---|
581 | notice must be preserved if derivative works are made based on the |
---|
582 | donated Source Code. |
---|
583 | |
---|
584 | OpenVision Technologies, Inc. has donated this Kerberos |
---|
585 | Administration system to MIT for inclusion in the standard |
---|
586 | Kerberos 5 distribution. This donation underscores our |
---|
587 | commitment to continuing Kerberos technology development |
---|
588 | and our gratitude for the valuable work which has been |
---|
589 | performed by MIT and the Kerberos community. |
---|
590 | |
---|
591 | ---- |
---|
592 | |
---|
593 | Portions contributed by Matt Crawford <crawdad@fnal.gov> were |
---|
594 | work performed at Fermi National Accelerator Laboratory, which is |
---|
595 | operated by Universities Research Association, Inc., under |
---|
596 | contract DE-AC02-76CHO3000 with the U.S. Department of Energy. |
---|
597 | |
---|
598 | Acknowledgements |
---|
599 | ---------------- |
---|
600 | |
---|
601 | Appreciation Time!!!! There are far too many people to try to thank |
---|
602 | them all; many people have contributed to the development of Kerberos |
---|
603 | V5. This is only a partial listing.... |
---|
604 | |
---|
605 | Thanks to Paul Vixie and the Internet Software Consortium for funding |
---|
606 | the work of Barry Jaspan. This funding was invaluable for the OV |
---|
607 | administration server integration, as well as the 1.0 release |
---|
608 | preparation process. |
---|
609 | |
---|
610 | Thanks to John Linn, Scott Foote, and all of the folks at OpenVision |
---|
611 | Technologies, Inc., who donated their administration server for use in |
---|
612 | the MIT release of Kerberos. |
---|
613 | |
---|
614 | Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken |
---|
615 | Raeburn, and all of the folks at Cygnus Support, who provided |
---|
616 | innumerable bug fixes and portability enhancements to the Kerberos V5 |
---|
617 | tree. Thanks especially to Jeff Bigler, for the new user and system |
---|
618 | administrator's documentation. |
---|
619 | |
---|
620 | Thanks to Doug Engert from ANL for providing many bug fixes, as well |
---|
621 | as testing to ensure DCE interoperability. |
---|
622 | |
---|
623 | Thanks to Ken Hornstein at NRL for providing many bug fixes and |
---|
624 | suggestions. |
---|
625 | |
---|
626 | Thanks to Matt Crawford at FNAL for bugfixes and enhancements. |
---|
627 | |
---|
628 | Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for |
---|
629 | their many suggestions and bug fixes. |
---|
630 | |
---|
631 | Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and |
---|
632 | providing patches for numerous buffer overruns. |
---|
633 | |
---|
634 | Thanks to Christopher Thompson and Marcus Watts for discovering the |
---|
635 | ftpd security bug. |
---|
636 | |
---|
637 | Thanks to the members of the Kerberos V5 development team at MIT, both |
---|
638 | past and present: Danilo Almeida, Jay Berkenbilt, Richard Basch, Mitch |
---|
639 | Berger, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt |
---|
640 | Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav |
---|
641 | Jurisic, Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott |
---|
642 | McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris |
---|
643 | Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad |
---|
644 | Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu. |
---|