ae77177087
several new kerberos related libraries and applications to FreeBSD:
o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securily forwards ticket to another host through an authenticated
and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
and other user kerberos operations. klist and kswitch are just symlinks
to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if
you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.
We also now install manpages for some lirbaries that were not installed
before, libheimntlm and libhx509.
- The new HEIMDAL version no longer supports Kerberos 4. All users are
recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used
by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
disabled due to the function they use (krb5_get_err_text(3)) being
deprecated. I plan to work on this next.
- Heimdal's KDC now require sqlite to operate. We use the bundled version
and install it as libheimsqlite. If some other FreeBSD components will
require it in the future we can rename it to libbsdsqlite and use for these
components as well.
- This is not a latest Heimdal version, the new one was released while I was
working on the update. I will update it to 1.5.2 soon, as it fixes some
important bugs and security issues.
962 lines
24 KiB
Plaintext
962 lines
24 KiB
Plaintext
Release Notes - Heimdal - Version Heimdal 1.5
|
|
|
|
New features
|
|
|
|
- Support GSS name extensions/attributes
|
|
- SHA512 support
|
|
- No Kerberos 4 support
|
|
- Basic support for MIT Admin protocol (SECGSS flavor)
|
|
in kadmind (extract keytab)
|
|
- Replace editline with libedit
|
|
|
|
Release Notes - Heimdal - Version Heimdal 1.4
|
|
|
|
New features
|
|
|
|
- Support for reading MIT database file directly
|
|
- KCM is polished up and now used in production
|
|
- NTLM first class citizen, credentials stored in KCM
|
|
- Table driven ASN.1 compiler, smaller!, not enabled by default
|
|
- Native Windows client support
|
|
|
|
Notes
|
|
|
|
- Disabled write support NDBM hdb backend (read still in there) since
|
|
it can't handle large records, please migrate to a diffrent backend
|
|
(like BDB4)
|
|
|
|
Release Notes - Heimdal - Version Heimdal 1.3.3
|
|
|
|
Bug fixes
|
|
- Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
|
|
- Check NULL pointers before dereference them [kdc]
|
|
|
|
Release Notes - Heimdal - Version Heimdal 1.3.2
|
|
|
|
Bug fixes
|
|
|
|
- Don't mix length when clearing hmac (could memset too much)
|
|
- More paranoid underrun checking when decrypting packets
|
|
- Check the password change requests and refuse to answer empty packets
|
|
- Build on OpenSolaris
|
|
- Renumber AD-SIGNED-TICKET since it was stolen from US
|
|
- Don't cache /dev/*random file descriptor, it doesn't get unloaded
|
|
- Make C++ safe
|
|
- Misc warnings
|
|
|
|
Release Notes - Heimdal - Version Heimdal 1.3.1
|
|
|
|
Bug fixes
|
|
|
|
- Store KDC offset in credentials
|
|
- Many many more bug fixes
|
|
|
|
Release Notes - Heimdal - Version Heimdal 1.3.1
|
|
|
|
New features
|
|
|
|
- Make work with OpenLDAPs krb5 overlay
|
|
|
|
Release Notes - Heimdal - Version Heimdal 1.3
|
|
|
|
New features
|
|
|
|
- Partial support for MIT kadmind rpc protocol in kadmind
|
|
- Better support for finding keytab entries when using SPN aliases in the KDC
|
|
- Support BER in ASN.1 library (needed for CMS)
|
|
- Support decryption in Keychain private keys
|
|
- Support for new sqlite based credential cache
|
|
- Try both KDC referals and the common DNS reverse lookup in GSS-API
|
|
- Fix the KCM to not leak resources on failure
|
|
- Add IPv6 support to iprop
|
|
- Support localization of error strings in
|
|
kinit/klist/kdestroy and Kerberos library
|
|
- Remove Kerberos 4 support in application (still in KDC)
|
|
- Deprecate DES
|
|
- Support i18n password in windows domains (using UTF-8)
|
|
- More complete API emulation of OpenSSL in hcrypto
|
|
- Support for ECDSA and ECDH when linking with OpenSSL
|
|
|
|
API changes
|
|
|
|
- Support for settin friendly name on credential caches
|
|
- Move to using doxygen to generate documentation.
|
|
- Sprinkling __attribute__((depricated)) for old function to be removed
|
|
- Support to export LAST-REQUST information in AS-REQ
|
|
- Support for client deferrals in in AS-REQ
|
|
- Add seek support for krb5_storage.
|
|
- Support for split AS-REQ, first step for IA-KERB
|
|
- Fix many memory leaks and bugs
|
|
- Improved regression test
|
|
- Support krb5_cccol
|
|
- Switch to krb5_set_error_message
|
|
- Support krb5_crypto_*_iov
|
|
- Switch to use EVP for most function
|
|
- Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
|
|
- Add support for GSS_C_DELEG_POLICY_FLAG
|
|
- Add krb5_cc_[gs]et_config to store data in the credential caches
|
|
- PTY testing application
|
|
|
|
Bugfixes
|
|
- Make building on AIX6 possible.
|
|
- Bugfixes in LDAP KDC code to make it more stable
|
|
- Make ipropd-slave reconnect when master down gown
|
|
|
|
|
|
Release Notes - Heimdal - Version Heimdal 1.2.1
|
|
|
|
* Bug
|
|
|
|
[HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
|
|
[HEIMDAL-151] - Make canned tests work again after cert expired
|
|
[HEIMDAL-152] - iprop test: use full hostname to avoid realm
|
|
resolving errors
|
|
[HEIMDAL-153] - ftp: Use the correct length for unmap, msync
|
|
|
|
Release Notes - Heimdal - Version Heimdal 1.2
|
|
|
|
* Bug
|
|
|
|
[HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
|
|
gss_display_name/gss_export_name when using SPNEGO
|
|
[HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
|
|
[HEIMDAL-17] - Remove support for depricated [libdefaults]capath
|
|
[HEIMDAL-52] - hdb overwrite aliases for db databases
|
|
[HEIMDAL-54] - Two issues which affect credentials delegation
|
|
[HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
|
|
[HEIMDAL-62] - Fix printing of sig_atomic_t
|
|
[HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
|
|
[HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
|
|
[HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
|
|
|
|
* Improvement
|
|
[HEIMDAL-67] - Fix locking and store credential in atomic writes
|
|
in the FILE credential cache
|
|
[HEIMDAL-106] - make compile on cygwin again
|
|
[HEIMDAL-107] - Replace old random key generation in des module
|
|
and use it with RAND_ function instead
|
|
[HEIMDAL-115] - Better documentation and compatibility in hcrypto
|
|
in regards to OpenSSL
|
|
|
|
* New Feature
|
|
[HEIMDAL-3] - pkinit alg agility PRF test vectors
|
|
[HEIMDAL-14] - Add libwind to Heimdal
|
|
[HEIMDAL-16] - Use libwind in hx509
|
|
[HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
|
|
the negotiation
|
|
[HEIMDAL-74] - Add support to report extended error message back
|
|
in AS-REQ to support windows clients
|
|
[HEIMDAL-116] - test pty based application (using rkpty)
|
|
[HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
|
|
|
|
* Task
|
|
[HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
|
|
This drop compatibility with pre 0.3d KDCs.
|
|
[HEIMDAL-64] - kcm: first implementation of kcm-move-cache
|
|
[HEIMDAL-65] - Failed to compile with --disable-pk-init
|
|
[HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
|
|
wraparound checks doesn't apply to Heimdal
|
|
|
|
Changes in release 1.1
|
|
|
|
* Read-only PKCS11 provider built-in to hx509.
|
|
|
|
* Documentation for hx509, hcrypto and ntlm libraries improved.
|
|
|
|
* Better compatibilty with Windows 2008 Server pre-releases and Vista.
|
|
|
|
* Mac OS X 10.5 support for native credential cache.
|
|
|
|
* Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
|
|
|
|
* Bug fixes.
|
|
|
|
Changes in release 1.0.2
|
|
|
|
* Ubuntu packages.
|
|
|
|
* Bug fixes.
|
|
|
|
Changes in release 1.0.1
|
|
|
|
* Serveral bug fixes to iprop.
|
|
|
|
* Make work on platforms without dlopen.
|
|
|
|
* Add RFC3526 modp group14 as default.
|
|
|
|
* Handle [kdc] database = { } entries without realm = stanzas.
|
|
|
|
* Make krb5_get_renewed_creds work.
|
|
|
|
* Make kaserver preauth work again.
|
|
|
|
* Bug fixes.
|
|
|
|
Changes in release 1.0
|
|
|
|
* Add gss_pseudo_random() for mechglue and krb5.
|
|
|
|
* Make session key for the krbtgt be selected by the best encryption
|
|
type of the client.
|
|
|
|
* Better interoperability with other PK-INIT implementations.
|
|
|
|
* Inital support for Mac OS X Keychain for hx509.
|
|
|
|
* Alias support for inital ticket requests.
|
|
|
|
* Add symbol versioning to selected libraries on platforms that uses
|
|
GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
|
|
|
|
* New version of imath included in hcrypto.
|
|
|
|
* Fix memory leaks.
|
|
|
|
* Bugs fixes.
|
|
|
|
Changes in release 0.8.1
|
|
|
|
* Make ASN.1 library less paranoid to with regard to NUL in string to
|
|
make it inter-operate with MIT Kerberos again.
|
|
|
|
* Make GSS-API library work again when using gss_acquire_cred
|
|
|
|
* Add symbol versioning to libgssapi when using GNU ld.
|
|
|
|
* Fix memory leaks
|
|
|
|
* Bugs fixes
|
|
|
|
Changes in release 0.8
|
|
|
|
* PK-INIT support.
|
|
|
|
* HDB extensions support, used by PK-INIT.
|
|
|
|
* New ASN.1 compiler.
|
|
|
|
* GSS-API mechglue from FreeBSD.
|
|
|
|
* Updated SPNEGO to support RFC4178.
|
|
|
|
* Support for Cryptosystem Negotiation Extension (RFC 4537).
|
|
|
|
* A new X.509 library (hx509) and related crypto functions.
|
|
|
|
* A new ntlm library (heimntlm) and related crypto functions.
|
|
|
|
* Updated the built-in crypto library with bignum support using
|
|
imath, support for RSA and DH and renamed it to libhcrypto.
|
|
|
|
* Subsystem in the KDC, digest, that will perform the digest
|
|
operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
|
|
DIGEST-MD5 NTLMv1 and NTLMv2.
|
|
|
|
* KDC will return the "response too big" error to force TCP retries
|
|
for large (default 1400 bytes) UDP replies. This is common for
|
|
PK-INIT requests.
|
|
|
|
* Libkafs defaults to use 2b tokens.
|
|
|
|
* Default to use the API cache on Mac OS X.
|
|
|
|
* krb5_kuserok() also checks ~/.k5login.d directory for acl files,
|
|
see manpage for krb5_kuserok for description.
|
|
|
|
* Many, many, other updates to code and info manual and manual pages.
|
|
|
|
* Bug fixes
|
|
|
|
Changes in release 0.7.2
|
|
|
|
* Fix security problem in rshd that enable an attacker to overwrite
|
|
and change ownership of any file that root could write.
|
|
|
|
* Fix a DOS in telnetd. The attacker could force the server to crash
|
|
in a NULL de-reference before the user logged in, resulting in inetd
|
|
turning telnetd off because it forked too fast.
|
|
|
|
* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
|
|
exists in the keytab before returning success. This allows servers
|
|
to check if its even possible to use GSSAPI.
|
|
|
|
* Fix receiving end of token delegation for GSS-API. It still wrongly
|
|
uses subkey for sending for compatibility reasons, this will change
|
|
in 0.8.
|
|
|
|
* telnetd, login and rshd are now more verbose in logging failed and
|
|
successful logins.
|
|
|
|
* Bug fixes
|
|
|
|
Changes in release 0.7.1
|
|
|
|
* Bug fixes
|
|
|
|
Changes in release 0.7
|
|
|
|
* Support for KCM, a process based credential cache
|
|
|
|
* Support CCAPI credential cache
|
|
|
|
* SPNEGO support
|
|
|
|
* AES (and the gssapi conterpart, CFX) support
|
|
|
|
* Adding new and improve old documentation
|
|
|
|
* Bug fixes
|
|
|
|
Changes in release 0.6.6
|
|
|
|
* Fix security problem in rshd that enable an attacker to overwrite
|
|
and change ownership of any file that root could write.
|
|
|
|
* Fix a DOS in telnetd. The attacker could force the server to crash
|
|
in a NULL de-reference before the user logged in, resulting in inetd
|
|
turning telnetd off because it forked too fast.
|
|
|
|
Changes in release 0.6.5
|
|
|
|
* fix vulnerabilities in telnetd
|
|
|
|
* unbreak Kerberos 4 and kaserver
|
|
|
|
Changes in release 0.6.4
|
|
|
|
* fix vulnerabilities in telnet
|
|
|
|
* rshd: encryption without a separate error socket should now work
|
|
|
|
* telnet now uses appdefaults for the encrypt and forward/forwardable
|
|
settings
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.6.3
|
|
|
|
* fix vulnerabilities in ftpd
|
|
|
|
* support for linux AFS /proc "syscalls"
|
|
|
|
* support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
|
|
kpasswdd
|
|
|
|
* fix possible KDC denial of service
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.6.2
|
|
|
|
* Fix possible buffer overrun in v4 kadmin (which now defaults to off)
|
|
|
|
Changes in release 0.6.1
|
|
|
|
* Fixed ARCFOUR suppport
|
|
|
|
* Cross realm vulnerability
|
|
|
|
* kdc: fix denial of service attack
|
|
|
|
* kdc: stop clients from renewing tickets into the future
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.6
|
|
|
|
* The DES3 GSS-API mechanism has been changed to inter-operate with
|
|
other GSSAPI implementations. See man page for gssapi(3) how to turn
|
|
on generation of correct MIC messages. Next major release of heimdal
|
|
will generate correct MIC by default.
|
|
|
|
* More complete GSS-API support
|
|
|
|
* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
|
|
support in applications no longer requires Kerberos 4 libs
|
|
|
|
* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
|
|
|
|
* other bug fixes
|
|
|
|
Changes in release 0.5.2
|
|
|
|
* kdc: add option for disabling v4 cross-realm (defaults to off)
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.5.1
|
|
|
|
* kadmind: fix remote exploit
|
|
|
|
* kadmind: add option to disable kerberos 4
|
|
|
|
* kdc: make sure kaserver token life is positive
|
|
|
|
* telnet: use the session key if there is no subkey
|
|
|
|
* fix EPSV parsing in ftp
|
|
|
|
* other bug fixes
|
|
|
|
Changes in release 0.5
|
|
|
|
* add --detach option to kdc
|
|
|
|
* allow setting forward and forwardable option in telnet from
|
|
.telnetrc, with override from command line
|
|
|
|
* accept addresses with or without ports in krb5_rd_cred
|
|
|
|
* make it work with modern openssl
|
|
|
|
* use our own string2key function even with openssl (that handles weak
|
|
keys incorrectly)
|
|
|
|
* more system-specific requirements in login
|
|
|
|
* do not use getlogin() to determine root in su
|
|
|
|
* telnet: abort if telnetd does not support encryption
|
|
|
|
* update autoconf to 2.53
|
|
|
|
* update config.guess, config.sub
|
|
|
|
* other bug fixes
|
|
|
|
Changes in release 0.4e
|
|
|
|
* improve libcrypto and database autoconf tests
|
|
|
|
* do not care about salting of server principals when serving v4 requests
|
|
|
|
* some improvements to gssapi library
|
|
|
|
* test for existing compile_et/libcom_err
|
|
|
|
* portability fixes
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.4d
|
|
|
|
* fix some problems when using libcrypto from openssl
|
|
|
|
* handle /dev/ptmx `unix98' ptys on Linux
|
|
|
|
* add some forgotten man pages
|
|
|
|
* rsh: clean-up and add man page
|
|
|
|
* fix -A and -a in builtin-ls in tpd
|
|
|
|
* fix building problem on Irix
|
|
|
|
* make `ktutil get' more efficient
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.4c
|
|
|
|
* fix buffer overrun in telnetd
|
|
|
|
* repair some of the v4 fallback code in kinit
|
|
|
|
* add more shared library dependencies
|
|
|
|
* simplify and fix hprop handling of v4 databases
|
|
|
|
* fix some building problems (osf's sia and osfc2 login)
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.4b
|
|
|
|
* update the shared library version numbers correctly
|
|
|
|
Changes in release 0.4a
|
|
|
|
* corrected key used for checksum in mk_safe, unfortunately this
|
|
makes it backwards incompatible
|
|
|
|
* update to autoconf 2.50, libtool 1.4
|
|
|
|
* re-write dns/config lookups (krb5_krbhst API)
|
|
|
|
* make order of using subkeys consistent
|
|
|
|
* add man page links
|
|
|
|
* add more man pages
|
|
|
|
* remove rfc2052 support, now only rfc2782 is supported
|
|
|
|
* always build with kaserver protocol support in the KDC (assuming
|
|
KRB4 is enabled) and support for reading kaserver databases in
|
|
hprop
|
|
|
|
Changes in release 0.3f
|
|
|
|
* change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
|
|
the new keytab type that tries both of these in order (SRVTAB is
|
|
also an alias for krb4:)
|
|
|
|
* improve error reporting and error handling (error messages should
|
|
be more detailed and more useful)
|
|
|
|
* improve building with openssl
|
|
|
|
* add kadmin -K, rcp -F
|
|
|
|
* fix two incorrect weak DES keys
|
|
|
|
* fix building of kaserver compat in KDC
|
|
|
|
* the API is closer to what MIT krb5 is using
|
|
|
|
* more compatible with windows 2000
|
|
|
|
* removed some memory leaks
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.3e
|
|
|
|
* rcp program included
|
|
|
|
* fix buffer overrun in ftpd
|
|
|
|
* handle omitted sequence numbers as zeroes to handle MIT krb5 that
|
|
cannot generate zero sequence numbers
|
|
|
|
* handle v4 /.k files better
|
|
|
|
* configure/portability fixes
|
|
|
|
* fixes in parsing of options to kadmin (sub-)commands
|
|
|
|
* handle errors in kadmin load better
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.3d
|
|
|
|
* add krb5-config
|
|
|
|
* fix a bug in 3des gss-api mechanism, making it compatible with the
|
|
specification and the MIT implementation
|
|
|
|
* make telnetd only allow a specific list of environment variables to
|
|
stop it from setting `sensitive' variables
|
|
|
|
* try to use an existing libdes
|
|
|
|
* lib/krb5, kdc: use correct usage type for ap-req messages. This
|
|
should improve compatability with MIT krb5 when using 3DES
|
|
encryption types
|
|
|
|
* kdc: fix memory allocation problem
|
|
|
|
* update config.guess and config.sub
|
|
|
|
* lib/roken: more stuff implemented
|
|
|
|
* bug fixes and portability enhancements
|
|
|
|
Changes in release 0.3c
|
|
|
|
* lib/krb5: memory caches now support the resolve operation
|
|
|
|
* appl/login: set PATH to some sane default
|
|
|
|
* kadmind: handle several realms
|
|
|
|
* bug fixes (including memory leaks)
|
|
|
|
Changes in release 0.3b
|
|
|
|
* kdc: prefer default-salted keys on v5 requests
|
|
|
|
* kdc: lowercase hostnames in v4 mode
|
|
|
|
* hprop: handle more types of MIT salts
|
|
|
|
* lib/krb5: fix memory leak
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.3a:
|
|
|
|
* implement arcfour-hmac-md5 to interoperate with W2K
|
|
|
|
* modularise the handling of the master key, and allow for other
|
|
encryption types. This makes it easier to import a database from
|
|
some other source without having to re-encrypt all keys.
|
|
|
|
* allow for better control over which encryption types are created
|
|
|
|
* make kinit fallback to v4 if given a v4 KDC
|
|
|
|
* make klist work better with v4 and v5, and add some more MIT
|
|
compatibility options
|
|
|
|
* make the kdc listen on the krb524 (4444) port for compatibility
|
|
with MIT krb5 clients
|
|
|
|
* implement more DCE/DFS support, enabled with --enable-dce, see
|
|
lib/kdfs and appl/dceutils
|
|
|
|
* make the sequence numbers work correctly
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.2t:
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.2s:
|
|
|
|
* add OpenLDAP support in hdb
|
|
|
|
* login will get v4 tickets when it receives forwarded tickets
|
|
|
|
* xnlock supports both v5 and v4
|
|
|
|
* repair source routing for telnet
|
|
|
|
* fix building problems with krb4 (krb_mk_req)
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.2r:
|
|
|
|
* fix realloc memory corruption bug in kdc
|
|
|
|
* `add --key' and `cpw --key' in kadmin
|
|
|
|
* klist supports listing v4 tickets
|
|
|
|
* update config.guess and config.sub
|
|
|
|
* make v4 -> v5 principal name conversion more robust
|
|
|
|
* support for anonymous tickets
|
|
|
|
* new man-pages
|
|
|
|
* telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
|
|
|
|
* use and set expiration and not password expiration when dumping
|
|
to/from ka server databases / krb4 databases
|
|
|
|
* make the code happier with 64-bit time_t
|
|
|
|
* follow RFC2782 and by default do not look for non-underscore SRV names
|
|
|
|
Changes in release 0.2q:
|
|
|
|
* bug fix in tcp-handling in kdc
|
|
|
|
* bug fix in expand_hostname
|
|
|
|
Changes in release 0.2p:
|
|
|
|
* bug fix in `kadmin load/merge'
|
|
|
|
* bug fix in krb5_parse_address
|
|
|
|
Changes in release 0.2o:
|
|
|
|
* gss_{import,export}_sec_context added to libgssapi
|
|
|
|
* new option --addresses to kdc (for listening on an explicit set of
|
|
addresses)
|
|
|
|
* bug fixes in the krb4 and kaserver emulation part of the kdc
|
|
|
|
* other bug fixes
|
|
|
|
Changes in release 0.2n:
|
|
|
|
* more robust parsing of dump files in kadmin
|
|
* changed default timestamp format for log messages to extended ISO
|
|
8601 format (Y-M-DTH:M:S)
|
|
* changed md4/md5/sha1 APIes to be de-facto `standard'
|
|
* always make hostname into lower-case before creating principal
|
|
* small bits of more MIT-compatability
|
|
* bug fixes
|
|
|
|
Changes in release 0.2m:
|
|
|
|
* handle glibc's getaddrinfo() that returns several ai_canonname
|
|
|
|
* new endian test
|
|
|
|
* man pages fixes
|
|
|
|
Changes in release 0.2l:
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.2k:
|
|
|
|
* better IPv6 test
|
|
|
|
* make struct sockaddr_storage in roken work better on alphas
|
|
|
|
* some missing [hn]to[hn]s fixed.
|
|
|
|
* allow users to change their own passwords with kadmin (with initial
|
|
tickets)
|
|
|
|
* fix stupid bug in parsing KDC specification
|
|
|
|
* add `ktutil change' and `ktutil purge'
|
|
|
|
Changes in release 0.2j:
|
|
|
|
* builds on Irix
|
|
|
|
* ftpd works in passive mode
|
|
|
|
* should build on cygwin
|
|
|
|
* work around broken IPv6-code on OpenBSD 2.6, also add configure
|
|
option --disable-ipv6
|
|
|
|
Changes in release 0.2i:
|
|
|
|
* use getaddrinfo in the missing places.
|
|
|
|
* fix SRV lookup for admin server
|
|
|
|
* use get{addr,name}info everywhere. and implement it in terms of
|
|
getipnodeby{name,addr} (which uses gethostbyname{,2} and
|
|
gethostbyaddr)
|
|
|
|
Changes in release 0.2h:
|
|
|
|
* fix typo in kx (now compiles)
|
|
|
|
Changes in release 0.2g:
|
|
|
|
* lots of bug fixes:
|
|
* push works
|
|
* repair appl/test programs
|
|
* sockaddr_storage works on solaris (alignment issues)
|
|
* works better with non-roken getaddrinfo
|
|
* rsh works
|
|
* some non standard C constructs removed
|
|
|
|
Changes in release 0.2f:
|
|
|
|
* support SRV records for kpasswd
|
|
* look for both _kerberos and krb5-realm when doing host -> realm mapping
|
|
|
|
Changes in release 0.2e:
|
|
|
|
* changed copyright notices to remove `advertising'-clause.
|
|
* get{addr,name}info added to roken and used in the other code
|
|
(this makes things work much better with hosts with both v4 and v6
|
|
addresses, among other things)
|
|
* do pre-auth for both password and key-based get_in_tkt
|
|
* support for having several databases
|
|
* new command `del_enctype' in kadmin
|
|
* strptime (and new strftime) add to roken
|
|
* more paranoia about finding libdb
|
|
* bug fixes
|
|
|
|
Changes in release 0.2d:
|
|
|
|
* new configuration option [libdefaults]default_etypes_des
|
|
* internal ls in ftpd builds without KRB4
|
|
* kx/rsh/push/pop_debug tries v5 and v4 consistenly
|
|
* build bug fixes
|
|
* other bug fixes
|
|
|
|
Changes in release 0.2c:
|
|
|
|
* bug fixes (see ChangeLog's for details)
|
|
|
|
Changes in release 0.2b:
|
|
|
|
* bug fixes
|
|
* actually bump shared library versions
|
|
|
|
Changes in release 0.2a:
|
|
|
|
* a new program verify_krb5_conf for checking your /etc/krb5.conf
|
|
* add 3DES keys when changing password
|
|
* support null keys in database
|
|
* support multiple local realms
|
|
* implement a keytab backend for AFS KeyFile's
|
|
* implement a keytab backend for v4 srvtabs
|
|
* implement `ktutil copy'
|
|
* support password quality control in v4 kadmind
|
|
* improvements in v4 compat kadmind
|
|
* handle the case of having the correct cred in the ccache but with
|
|
the wrong encryption type better
|
|
* v6-ify the remaining programs.
|
|
* internal ls in ftpd
|
|
* rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
|
|
* add `ank --random-password' and `cpw --random-password' in kadmin
|
|
* some programs and documentation for trying to talk to a W2K KDC
|
|
* bug fixes
|
|
|
|
Changes in release 0.1m:
|
|
|
|
* support for getting default from krb5.conf for kinit/kf/rsh/telnet.
|
|
From Miroslav Ruda <ruda@ics.muni.cz>
|
|
* v6-ify hprop and hpropd
|
|
* support numeric addresses in krb5_mk_req
|
|
* shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
|
|
* make rsh/rshd IPv6-aware
|
|
* make the gssapi sample applications better at reporting errors
|
|
* lots of bug fixes
|
|
* handle systems with v6-aware libc and non-v6 kernels (like Linux
|
|
with glibc 2.1) better
|
|
* hide failure of ERPT in ftp
|
|
* lots of bug fixes
|
|
|
|
Changes in release 0.1l:
|
|
|
|
* make ftp and ftpd IPv6-aware
|
|
* add inet_pton to roken
|
|
* more IPv6-awareness
|
|
* make mini_inetd v6 aware
|
|
|
|
Changes in release 0.1k:
|
|
|
|
* bump shared libraries versions
|
|
* add roken version of inet_ntop
|
|
* merge more changes to rshd
|
|
|
|
Changes in release 0.1j:
|
|
|
|
* restore back to the `old' 3DES code. This was supposed to be done
|
|
in 0.1h and 0.1i but I did a CVS screw-up.
|
|
* make telnetd handle v6 connections
|
|
|
|
Changes in release 0.1i:
|
|
|
|
* start using `struct sockaddr_storage' which simplifies the code
|
|
(with a fallback definition if it's not defined)
|
|
* bug fixes (including in hprop and kf)
|
|
* don't use mawk which seems to mishandle roken.awk
|
|
* get_addrs should be able to handle v6 addresses on Linux (with the
|
|
required patch to the Linux kernel -- ask within)
|
|
* rshd builds with shadow passwords
|
|
|
|
Changes in release 0.1h:
|
|
|
|
* kf: new program for forwarding credentials
|
|
* portability fixes
|
|
* make forwarding credentials work with MIT code
|
|
* better conversion of ka database
|
|
* add etc/services.append
|
|
* correct `modified by' from kpasswdd
|
|
* lots of bug fixes
|
|
|
|
Changes in release 0.1g:
|
|
|
|
* kgetcred: new program for explicitly obtaining tickets
|
|
* configure fixes
|
|
* krb5-aware kx
|
|
* bug fixes
|
|
|
|
Changes in release 0.1f;
|
|
|
|
* experimental support for v4 kadmin protokoll in kadmind
|
|
* bug fixes
|
|
|
|
Changes in release 0.1e:
|
|
|
|
* try to handle old DCE and MIT kdcs
|
|
* support for older versions of credential cache files and keytabs
|
|
* postdated tickets work
|
|
* support for password quality checks in kpasswdd
|
|
* new flag --enable-kaserver for kdc
|
|
* renew fixes
|
|
* prototype su program
|
|
* updated (some) manpages
|
|
* support for KDC resource records
|
|
* should build with --without-krb4
|
|
* bug fixes
|
|
|
|
Changes in release 0.1d:
|
|
|
|
* Support building with DB2 (uses 1.85-compat API)
|
|
* Support krb5-realm.DOMAIN in DNS
|
|
* new `ktutil srvcreate'
|
|
* v4/kafs support in klist/kdestroy
|
|
* bug fixes
|
|
|
|
Changes in release 0.1c:
|
|
|
|
* fix ASN.1 encoding of signed integers
|
|
* somewhat working `ktutil get'
|
|
* some documentation updates
|
|
* update to Autoconf 2.13 and Automake 1.4
|
|
* the usual bug fixes
|
|
|
|
Changes in release 0.1b:
|
|
|
|
* some old -> new crypto conversion utils
|
|
* bug fixes
|
|
|
|
Changes in release 0.1a:
|
|
|
|
* new crypto code
|
|
* more bug fixes
|
|
* make sure we ask for DES keys in gssapi
|
|
* support signed ints in ASN1
|
|
* IPv6-bug fixes
|
|
|
|
Changes in release 0.0u:
|
|
|
|
* lots of bug fixes
|
|
|
|
Changes in release 0.0t:
|
|
|
|
* more robust parsing of krb5.conf
|
|
* include net{read,write} in lib/roken
|
|
* bug fixes
|
|
|
|
Changes in release 0.0s:
|
|
|
|
* kludges for parsing options to rsh
|
|
* more robust parsing of krb5.conf
|
|
* removed some arbitrary limits
|
|
* bug fixes
|
|
|
|
Changes in release 0.0r:
|
|
|
|
* default options for some programs
|
|
* bug fixes
|
|
|
|
Changes in release 0.0q:
|
|
|
|
* support for building shared libraries with libtool
|
|
* bug fixes
|
|
|
|
Changes in release 0.0p:
|
|
|
|
* keytab moved to /etc/krb5.keytab
|
|
* avoid false detection of IPv6 on Linux
|
|
* Lots of more functionality in the gssapi-library
|
|
* hprop can now read ka-server databases
|
|
* bug fixes
|
|
|
|
Changes in release 0.0o:
|
|
|
|
* FTP with GSSAPI support.
|
|
* Bug fixes.
|
|
|
|
Changes in release 0.0n:
|
|
|
|
* Incremental database propagation.
|
|
* Somewhat improved kadmin ui; the stuff in admin is now removed.
|
|
* Some support for using enctypes instead of keytypes.
|
|
* Lots of other improvement and bug fixes, see ChangeLog for details.
|