1 files changed, 534 insertions, 0 deletions
diff --git a/README b/README
new file mode 100644
index 000000000000..a8eabd5ab9e2
--- /dev/null
+++ b/README
@@ -0,0 +1,534 @@
+                   Kerberos Version 5, Release 1.15
+
+                            Release Notes
+                        The MIT Kerberos Team
+
+Copyright and Other Notices
+---------------------------
+
+Copyright (C) 1985-2017 by the Massachusetts Institute of Technology
+and its contributors.  All rights reserved.
+
+Please see the file named NOTICE for additional notices.
+
+Documentation
+-------------
+
+Unified documentation for Kerberos V5 is available in both HTML and
+PDF formats.  The table of contents of the HTML format documentation
+is at doc/html/index.html, and the PDF format documentation is in the
+doc/pdf directory.
+
+Additionally, you may find copies of the HTML format documentation
+online at
+
+    http://web.mit.edu/kerberos/krb5-latest/doc/
+
+for the most recent supported release, or at
+
+    http://web.mit.edu/kerberos/krb5-devel/doc/
+
+for the release under development.
+
+More information about Kerberos may be found at
+
+    http://web.mit.edu/kerberos/
+
+and at the MIT Kerberos Consortium web site
+
+    http://kerberos.org/
+
+Building and Installing Kerberos 5
+----------------------------------
+
+Build documentation is in doc/html/build/index.html or
+doc/pdf/build.pdf.
+
+The installation guide is in doc/html/admin/install.html or
+doc/pdf/install.pdf.
+
+If you are attempting to build under Windows, please see the
+src/windows/README file.
+
+Reporting Bugs
+--------------
+
+Please report any problems/bugs/comments by sending email to
+krb5-bugs@mit.edu.
+
+You may view bug reports by visiting
+
+http://krbdev.mit.edu/rt/
+
+and using the "Guest Login" button.  Please note that the web
+interface to our bug database is read-only for guests, and the primary
+way to interact with our bug database is via email.
+
+DES transition
+--------------
+
+The Data Encryption Standard (DES) is widely recognized as weak.  The
+krb5-1.7 release contains measures to encourage sites to migrate away
+from using single-DES cryptosystems.  Among these is a configuration
+variable that enables "weak" enctypes, which defaults to "false"
+beginning with krb5-1.8.
+
+Major changes in 1.15.1 (2017-03-01)
+------------------------------------
+
+This is a bug fix release.
+
+* Allow KDB modules to determine how the e_data field of principal
+  fields is freed
+
+* Fix udp_preference_limit when the KDC location is configured with
+  SRV records
+
+* Fix KDC and kadmind startup on some IPv4-only systems
+
+* Fix the processing of PKINIT certificate matching rules which have
+  two components and no explicit relation
+
+* Improve documentation
+
+krb5-1.15.1 changes by ticket ID
+--------------------------------
+
+7940    PKINIT docs only work for one-component client principals
+8523    Add krbPwdPolicy attributes to kerberos.ldif
+8524    Add caveats to krbtgt change documentation
+8525    Fix error handling in PKINIT decode_data()
+8530    KDC/kadmind explicit wildcard listener addresses do not use pktinfo
+8531    KDC/kadmind may fail to start on IPv4-only systems
+8532    Fix GSSAPI authind attribute name in docs
+8538    Need a way to free KDB module e_data
+8540    Document default realm and login authorization
+8552    Add GSSAPI S4U documentation
+8553    Fix PKINIT two-component matching rule parsing
+8554    udp_preference_limit fails with SRV records
+
+
+Major changes in 1.15 (2016-12-01)
+----------------------------------
+
+Administrator experience:
+
+* Improve support for multihomed Kerberos servers by adding options
+  for specifying restricted listening addresses for the KDC and
+  kadmind.
+
+* Add support to kadmin for remote extraction of current keys without
+  changing them (requires a special kadmin permission that is excluded
+  from the wildcard permission), with the exception of highly
+  protected keys.
+
+* Add a lockdown_keys principal attribute to prevent retrieval of the
+  principal's keys (old or new) via the kadmin protocol.  In newly
+  created databases, this attribute is set on the krbtgt and kadmin
+  principals.
+
+* Restore recursive dump capability for DB2 back end, so sites can
+  more easily recover from database corruption resulting from power
+  failure events.
+
+* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
+ in addition to SRV records.  URI records can convey TCP and UDP
+ servers and master KDC status in a single DNS lookup, and can also
+ point to HTTPS proxy servers.
+
+* Add support for password history to the LDAP back end.
+
+* Add support for principal renaming to the LDAP back end.
+
+* Use the getrandom system call on supported Linux kernels to avoid
+  blocking problems when getting entropy from the operating system.
+
+* In the PKINIT client, use the correct DigestInfo encoding for PKCS
+  #1 signatures, so that some especially strict smart cards will work.
+
+Code quality:
+
+* Clean up numerous compilation warnings.
+
+* Remove various infrequently built modules, including some preauth
+  modules that were not built by default.
+
+Developer experience:
+
+* Add support for building with OpenSSL 1.1.
+
+* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
+  authenticators in the replay cache.  This helps sites that must
+  build with FIPS 140 conformant libraries that lack MD5.
+
+* Eliminate util/reconf and allow the use of autoreconf alone to
+  regenerate the configure script.
+
+Protocol evolution:
+
+* Add support for the AES-SHA2 enctypes, which allows sites to conform
+  to Suite B crypto requirements.
+
+krb5-1.15 changes by ticket ID
+------------------------------
+
+1093    KDC could use feature to limit listening interfaces
+5889    password history doesn't work with LDAP KDB
+6666    some non-default plugin directories don't build in 1.8 branch
+7852    kadmin.local's ktadd -norandkey does not handle multiple kvnos
+        in the KDB
+7985    Add krb5_get_init_creds_opt_set_pac_request
+8065    Renaming principals with LDAP KDB deletes the principal
+8277    iprop can choose wrong realm
+8278    Add krb5_expand_hostname() API
+8280    Fix impersonate_name to work with interposers
+8295    kdb5_ldap_stash_service_password() stash file logic needs tweaking
+8297    jsonwalker.py test fails
+8298    Audit Test fails when system has IPV6 address
+8299    Remove util/reconf
+8329    Only run export-check.pl in maintainer mode
+8344    Create KDC and kadmind log files with mode 0640
+8345    Remove nss libk5crypto implementation
+8348    Remove workaround when binding to udp addresses and pktinfo
+        isn't supported by the system
+8353    Replace MD5 use in rcache with SHA-256
+8354    Only store latest keys in key history entry
+8355    Add kadm5_setkey_principal_4 RPC to kadmin
+8364    Add get_principal_keys RPC to kadmin
+8365    Add the ability to lock down principal keys
+8366    Increase initial DNS buffer size
+8368    Remove hdb KDB module
+8371    Improve libkadm5 client RPC thread safety
+8372    Use cached S4U2Proxy tickets in GSSAPI
+8374    Interoperate with incomplete SPNEGO responses
+8375    Allow zero cksumtype in krb5_k_verify_checksum()
+8379    Add auth indicator handling to libkdb_ldap
+8381    Don't fall back to master on password read error
+8386    Add KDC pre-send and post-receive KDC hooks
+8388    Remove port 750 from the KDC default ports
+8389    Make profile includedir accept all *.conf files
+8391    Add kinit long option support for all platforms
+8393    Password Expiration "Never" Inconsistently Applied
+8394    Add debug message filtering to krb5_klog_syslog
+8396    Skip password prompt when running ksu as root
+8398    Add libk5crypto support for OpenSSL 1.1.0
+8399    Unconstify some krb5 GSS OIDs
+8403    kinit documentation page
+8404    Remove non-DFSG documentation
+8405    Work around python-ldap bug in kerberos.ldif
+8412    Link correct VS2015 C libraries for debug builds
+8414    Use library malloc for principal, policy entries
+8418    Add libkdb function to specialize principal's salt
+8419    Do not indicate deprecated GSS mechanisms
+8423    Add SPNEGO special case for NTLMSSP+MechListMIC
+8425    Add auth-indicator authdata module
+8426    test_check_allowed_to_delegate() should free unparsed princ output
+8428    Minimize timing leaks in PKINIT decryption
+8429    Fix Makefile for paths containing '+' character
+8434    Fix memory leak in old gssrpc authentication
+8436    Update libev sources to 4.22
+8446    Fix leak in key change operations
+8451    Add hints for -A flag to kdestroy
+8456    Add the kprop-port option to kadmind
+8462    Better handle failures to resolve client keytab
+8464    Set prompt type for OTP preauth prompt
+8465    Improve bad password inference in kinit
+8466    Rename k5-queue.h macros
+8471    Change KDC error for encrypted timestamp preauth
+8476    Restore recursive dump functionality
+8478    usability improvements for bttest
+8488    Stop generating doc/CHANGES
+8490    Add aes-sha2 enctype support
+8494    Add krb5_db_register_keytab()
+8496    Add KDC discovery from URI records
+8498    Potential memory leak in prepare_error_as()
+8499    Use getrandom system call on recent Linux kernels
+8500    Document krb5_kt_next_entry() requirement
+8502    ret_boolean in profile_get_boolean() should be krb5_boolean *
+        instead of int *
+8504    Properly handle EOF condition on libkrad sockets
+8506    PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1
+8507    Suggest unlocked iteration for mkey rollover
+8508    Clarify krb5_kt_resolve() API documentation
+8509    Leak in krb5_cccol_have_content with truncated ccache
+8510    Update features list for 1.15
+8512    Fix detection of libaceclnt for securid_sam2
+8513    Add doxygen comments for RFC 8009, RFC 4757
+8514    Make zap() more reliable
+8516    Fix declaration without type in t_shs3.c
+8520    Relicense ccapi/common/win/OldCC/autolock.hxx
+8521    Allow slapd path configuration in t_kdb.py
+
+
+Acknowledgements
+----------------
+
+Past Sponsors of the MIT Kerberos Consortium:
+
+    Apple
+    Carnegie Mellon University
+    Centrify Corporation
+    Columbia University
+    Cornell University
+    The Department of Defense of the United States of America (DoD)
+    Fidelity Investments
+    Google
+    Iowa State University
+    MIT
+    Michigan State University
+    Microsoft
+    MITRE Corporation
+    Morgan-Stanley
+    The National Aeronautics and Space Administration
+        of the United States of America (NASA)
+    Network Appliance (NetApp)
+    Nippon Telephone and Telegraph (NTT)
+    US Government Office of the National Coordinator for Health
+        Information Technology (ONC)
+    Oracle
+    Pennsylvania State University
+    Red Hat
+    Stanford University
+    TeamF1, Inc.
+    The University of Alaska
+    The University of Michigan
+    The University of Pennsylvania
+
+Past and present members of the Kerberos Team at MIT:
+
+    Danilo Almeida
+    Jeffrey Altman
+    Justin Anderson
+    Richard Basch
+    Mitch Berger
+    Jay Berkenbilt
+    Andrew Boardman
+    Bill Bryant
+    Steve Buckley
+    Joe Calzaretta
+    John Carr
+    Mark Colan
+    Don Davis
+    Sarah Day
+    Alexandra Ellwood
+    Carlos Garay
+    Dan Geer
+    Nancy Gilman
+    Matt Hancher
+    Thomas Hardjono
+    Sam Hartman
+    Paul Hill
+    Marc Horowitz
+    Eva Jacobus
+    Miroslav Jurisic
+    Barry Jaspan
+    Benjamin Kaduk
+    Geoffrey King
+    Kevin Koch
+    John Kohl
+    HaoQi Li
+    Jonathan Lin
+    Peter Litwack
+    Scott McGuire
+    Steve Miller
+    Kevin Mitchell
+    Cliff Neuman
+    Paul Park
+    Ezra Peisach
+    Chris Provenzano
+    Ken Raeburn
+    Jon Rochlis
+    Jeff Schiller
+    Jen Selby
+    Robert Silk
+    Bill Sommerfeld
+    Jennifer Steiner
+    Ralph Swick
+    Brad Thompson
+    Harry Tsai
+    Zhanna Tsitkova
+    Ted Ts'o
+    Marshall Vale
+    Tom Yu
+
+The following external contributors have provided code, patches, bug
+reports, suggestions, and valuable resources:
+
+    Ian Abbott
+    Brandon Allbery
+    Russell Allbery
+    Brian Almeida
+    Michael B Allen
+    Heinz-Ado Arnolds
+    Derek Atkins
+    Mark Bannister
+    David Bantz
+    Alex Baule
+    David Benjamin
+    Thomas Bernard
+    Adam Bernstein
+    Arlene Berry
+    Jeff Blaine
+    Radoslav Bodo
+    Sumit Bose
+    Emmanuel Bouillon
+    Philip Brown
+    Michael Calmer
+    Andrea Campi
+    Julien Chaffraix
+    Ravi Channavajhala
+    Srinivas Cheruku
+    Leonardo Chiquitto
+    Seemant Choudhary
+    Howard Chu
+    Andrea Cirulli
+    Christopher D. Clausen
+    Kevin Coffman
+    Simon Cooper
+    Sylvain Cortes
+    Ian Crowther
+    Arran Cudbard-Bell
+    Jeff D'Angelo
+    Nalin Dahyabhai
+    Mark Davies
+    Dennis Davis
+    Alex Dehnert
+    Mark Deneen
+    Günther Deschner
+    John Devitofranceschi
+    Roland Dowdeswell
+    Viktor Dukhovni
+    Jason Edgecombe
+    Mark Eichin
+    Shawn M. Emery
+    Douglas E. Engert
+    Peter Eriksson
+    Juha Erkkilä
+    Gilles Espinasse
+    Ronni Feldt
+    Bill Fellows
+    JC Ferguson
+    Remi Ferrand
+    Paul Fertser
+    William Fiveash
+    Jacques Florent
+    Ákos Frohner
+    Sebastian Galiano
+    Marcus Granado
+    Scott Grizzard
+    Helmut Grohne
+    Steve Grubb
+    Philip Guenther
+    Dominic Hargreaves
+    Robbie Harwood
+    Jakob Haufe
+    Matthieu Hautreux
+    Jochen Hein
+    Paul B. Henson
+    Jeff Hodges
+    Christopher Hogan
+    Love Hörnquist Åstrand
+    Ken Hornstein
+    Henry B. Hotz
+    Luke Howard
+    Jakub Hrozek
+    Shumon Huque
+    Jeffrey Hutzelman
+    Wyllys Ingersoll
+    Holger Isenberg
+    Spencer Jackson
+    Diogenes S. Jesus
+    Pavel Jindra
+    Brian Johannesmeyer
+    Joel Johnson
+    Anders Kaseorg
+    W. Trevor King
+    Patrik Kis
+    Mikkel Kruse
+    Reinhard Kugler
+    Tomas Kuthan
+    Pierre Labastie
+    Volker Lendecke
+    Jan iankko Lieskovsky
+    Todd Lipcon
+    Oliver Loch
+    Kevin Longfellow
+    Jon Looney
+    Nuno Lopes
+    Ryan Lynch
+    Roland Mainz
+    Andrei Maslennikov
+    Michael Mattioli
+    Nathaniel McCallum
+    Greg McClement
+    Cameron Meadors
+    Alexey Melnikov
+    Franklyn Mendez
+    Markus Moeller
+    Kyle Moffett
+    Paul Moore
+    Keiichi Mori
+    Michael Morony
+    Zbysek Mraz
+    Edward Murrell
+    Nikos Nikoleris
+    Felipe Ortega
+    Michael Osipov
+    Andrej Ota
+    Dmitri Pal
+    Javier Palacios
+    Tom Parker
+    Ezra Peisach
+    Zoran Pericic
+    W. Michael Petullo
+    Mark Phalan
+    Brett Randall
+    Jonathan Reams
+    Jonathan Reed
+    Robert Relyea
+    Martin Rex
+    Jason Rogers
+    Matt Rogers
+    Nate Rosenblum
+    Solly Ross
+    Mike Roszkowski
+    Guillaume Rousse
+    Andreas Schneider
+    Tom Shaw
+    Jim Shi
+    Peter Shoults
+    Simo Sorce
+    Michael Spang
+    Michael Ströder
+    Bjørn Tore Sund
+    Joe Travaglini
+    Tim Uglow
+    Rathor Vipin
+    Denis Vlasenko
+    Jorgen Wahlsten
+    Stef Walter
+    Max (Weijun) Wang
+    John Washington
+    Stef Walter
+    Xi Wang
+    Kevin Wasserman
+    Margaret Wasserman
+    Marcus Watts
+    Andreas Wiese
+    Simon Wilkinson
+    Nicolas Williams
+    Ross Wilper
+    Augustin Wolf
+    David Woodhouse
+    Tsu-Phong Wu
+    Xu Qiang
+    Neng Xue
+    Zhaomo Yang
+    Nickolai Zeldovich
+    Hanz van Zijst
+    Gertjan Zwartjes
+
+The above is not an exhaustive list; many others have contributed in
+various ways to the MIT Kerberos development effort over the years.
+Other acknowledgments (for bug reports and patches) are in the
+doc/CHANGES file.