Release Notes - Heimdal - Version Heimdal 1.5.2

 Security fixes
 - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
 - Check that key types strictly match - denial of service

Release Notes - Heimdal - Version Heimdal 1.5.1

 Bug fixes
 - Fix building on Solaris, requires c99
 - Fix building on Windows
 - Build system updates

Release Notes - Heimdal - Version Heimdal 1.5

New features

 - Support GSS name extensions/attributes
 - SHA512 support
 - No Kerberos 4 support
 - Basic support for MIT Admin protocol (SECGSS flavor)
   in kadmind (extract keytab)
 - Replace editline with libedit

Release Notes - Heimdal - Version Heimdal 1.4

 New features

 - Support for reading MIT database file directly
 - KCM is polished up and now used in production
 - NTLM first class citizen, credentials stored in KCM
 - Table driven ASN.1 compiler, smaller!, not enabled by default
 - Native Windows client support

Notes

 - Disabled write support NDBM hdb backend (read still in there) since
   it can't handle large records, please migrate to a different backend
   (like BDB4)

Release Notes - Heimdal - Version Heimdal 1.3.3

 Bug fixes
 - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
 - Check NULL pointers before dereferencing them [kdc]

Release Notes - Heimdal - Version Heimdal 1.3.2

 Bug fixes

 - Don't mix length when clearing hmac (could memset too much)
 - More paranoid underrun checking when decrypting packets
 - Check the password change requests and refuse to answer empty packets
 - Build on OpenSolaris
 - Renumber AD-SIGNED-TICKET since it was stolen from US
 - Don't cache /dev/*random file descriptor, it doesn't get unloaded
 - Make C++ safe
 - Misc warnings

Release Notes - Heimdal - Version Heimdal 1.3.1

 Bug fixes

 - Store KDC offset in credentials
 - Many many more bug fixes

Release Notes - Heimdal - Version Heimdal 1.3.1

 New features

 - Make work with OpenLDAP's krb5 overlay

Release Notes - Heimdal - Version Heimdal 1.3

 New features

 - Partial support for MIT kadmind rpc protocol in kadmind
 - Better support for finding keytab entries when using SPN aliases in the KDC
 - Support BER in ASN.1 library (needed for CMS)
 - Support decryption in Keychain private keys
 - Support for new sqlite based credential cache
 - Try both KDC referrals and the common DNS reverse lookup in GSS-API
 - Fix the KCM to not leak resources on failure
 - Add IPv6 support to iprop
 - Support localization of error strings in
   kinit/klist/kdestroy and Kerberos library
 - Remove Kerberos 4 support in application (still in KDC)
 - Deprecate DES
 - Support i18n password in windows domains (using UTF-8)
 - More complete API emulation of OpenSSL in hcrypto
 - Support for ECDSA and ECDH when linking with OpenSSL

 API changes

 - Support for setting friendly name on credential caches
 - Move to using doxygen to generate documentation.
 - Sprinkling __attribute__((deprecated)) for old functions to be removed
 - Support to export LAST-REQUEST information in AS-REQ
 - Support for client deferrals in AS-REQ
 - Add seek support for krb5_storage.
 - Support for split AS-REQ, first step for IA-KERB
 - Fix many memory leaks and bugs
 - Improved regression test
 - Support krb5_cccol
 - Switch to krb5_set_error_message
 - Support krb5_crypto_*_iov
 - Switch to use EVP for most functions
 - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
 - Add support for GSS_C_DELEG_POLICY_FLAG
 - Add krb5_cc_[gs]et_config to store data in the credential caches
 - PTY testing application

Bugfixes
 - Make building on AIX6 possible.
 - Bugfixes in LDAP KDC code to make it more stable
 - Make ipropd-slave reconnect when the master goes down


Release Notes - Heimdal - Version Heimdal 1.2.1

* Bug

    [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
    [HEIMDAL-151] - Make canned tests work again after cert expired
    [HEIMDAL-152] - iprop test: use full hostname to avoid realm
                    resolving errors
    [HEIMDAL-153] - ftp: Use the correct length for unmap, msync

Release Notes - Heimdal - Version Heimdal 1.2

* Bug

    [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
                   gss_display_name/gss_export_name when using SPNEGO
    [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
    [HEIMDAL-17] - Remove support for deprecated [libdefaults]capath
    [HEIMDAL-52] - hdb overwrite aliases for db databases
    [HEIMDAL-54] - Two issues which affect credentials delegation
    [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
    [HEIMDAL-62] - Fix printing of sig_atomic_t
    [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
    [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
    [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)

* Improvement
    [HEIMDAL-67] - Fix locking and store credential in atomic writes
                   in the FILE credential cache
    [HEIMDAL-106] - make compile on cygwin again
    [HEIMDAL-107] - Replace old random key generation in des module
                    and use it with RAND_ function instead
    [HEIMDAL-115] - Better documentation and compatibility in hcrypto
                    in regards to OpenSSL

* New Feature
    [HEIMDAL-3] - pkinit alg agility PRF test vectors
    [HEIMDAL-14] - Add libwind to Heimdal
    [HEIMDAL-16] - Use libwind in hx509
    [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
                   the negotiation
    [HEIMDAL-74] - Add support to report extended error message back
                   in AS-REQ to support windows clients
    [HEIMDAL-116] - test pty based application (using rkpty)
    [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)

* Task
    [HEIMDAL-63] - Don't try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
                   This drops compatibility with pre 0.3d KDCs.
    [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
    [HEIMDAL-65] - Failed to compile with --disable-pk-init
    [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
                   wraparound checks doesn't apply to Heimdal

Changes in release 1.1

 * Read-only PKCS11 provider built-in to hx509.

 * Documentation for hx509, hcrypto and ntlm libraries improved.

 * Better compatibility with Windows 2008 Server pre-releases and Vista.

 * Mac OS X 10.5 support for native credential cache.

 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).

 * Bug fixes.

Changes in release 1.0.2

* Ubuntu packages.

* Bug fixes.

Changes in release 1.0.1

 * Several bug fixes to iprop.

 * Make work on platforms without dlopen.

 * Add RFC3526 modp group14 as default.

 * Handle [kdc] database = { } entries without realm = stanzas.

 * Make krb5_get_renewed_creds work.

 * Make kaserver preauth work again.

 * Bug fixes.

Changes in release 1.0

 * Add gss_pseudo_random() for mechglue and krb5.

 * Make session key for the krbtgt be selected by the best encryption
   type of the client.

 * Better interoperability with other PK-INIT implementations.

 * Initial support for Mac OS X Keychain for hx509.

 * Alias support for initial ticket requests.

 * Add symbol versioning to selected libraries on platforms that use
   the GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.

 * New version of imath included in hcrypto.

 * Fix memory leaks.

 * Bug fixes.

Changes in release 0.8.1

 * Make ASN.1 library less paranoid with regard to NUL in string to
   make it inter-operate with MIT Kerberos again.

 * Make GSS-API library work again when using gss_acquire_cred

 * Add symbol versioning to libgssapi when using GNU ld.

 * Fix memory leaks

 * Bug fixes

Changes in release 0.8

 * PK-INIT support.

 * HDB extensions support, used by PK-INIT.

 * New ASN.1 compiler.

 * GSS-API mechglue from FreeBSD.

 * Updated SPNEGO to support RFC4178.

 * Support for Cryptosystem Negotiation Extension (RFC 4537).

 * A new X.509 library (hx509) and related crypto functions.

 * A new ntlm library (heimntlm) and related crypto functions.

 * Updated the built-in crypto library with bignum support using
   imath, support for RSA and DH and renamed it to libhcrypto.

 * Subsystem in the KDC, digest, that will perform the digest
   operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
   DIGEST-MD5 NTLMv1 and NTLMv2.

 * KDC will return the "response too big" error to force TCP retries
   for large (default 1400 bytes) UDP replies. This is common for
   PK-INIT requests.

 * Libkafs defaults to use 2b tokens.

 * Default to use the API cache on Mac OS X.

 * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
   see manpage for krb5_kuserok for description.

 * Many, many, other updates to code and info manual and manual pages.

 * Bug fixes

Changes in release 0.7.2

* Fix security problem in rshd that enables an attacker to overwrite
  and change ownership of any file that root could write.

* Fix a DOS in telnetd. The attacker could force the server to crash
  in a NULL de-reference before the user logged in, resulting in inetd
  turning telnetd off because it forked too fast.

* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
  exists in the keytab before returning success. This allows servers
  to check if it's even possible to use GSSAPI.

* Fix receiving end of token delegation for GSS-API. It still wrongly
  uses subkey for sending for compatibility reasons, this will change
  in 0.8.

* telnetd, login and rshd are now more verbose in logging failed and
  successful logins.

* Bug fixes

Changes in release 0.7.1

* Bug fixes

Changes in release 0.7

 * Support for KCM, a process based credential cache

 * Support CCAPI credential cache

 * SPNEGO support

 * AES (and the gssapi counterpart, CFX) support

 * Add new and improve old documentation

 * Bug fixes

Changes in release 0.6.6

* Fix security problem in rshd that enables an attacker to overwrite
  and change ownership of any file that root could write.

* Fix a DOS in telnetd. The attacker could force the server to crash
  in a NULL de-reference before the user logged in, resulting in inetd
  turning telnetd off because it forked too fast.

Changes in release 0.6.5

 * fix vulnerabilities in telnetd

 * unbreak Kerberos 4 and kaserver

Changes in release 0.6.4

 * fix vulnerabilities in telnet

 * rshd: encryption without a separate error socket should now work

 * telnet now uses appdefaults for the encrypt and forward/forwardable
   settings

 * bug fixes

Changes in release 0.6.3

 * fix vulnerabilities in ftpd

 * support for linux AFS /proc "syscalls"

 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
   kpasswdd

 * fix possible KDC denial of service

 * bug fixes

Changes in release 0.6.2

 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)

Changes in release 0.6.1

 * Fixed ARCFOUR support

 * Cross realm vulnerability

 * kdc: fix denial of service attack

 * kdc: stop clients from renewing tickets into the future

 * bug fixes

Changes in release 0.6

* The DES3 GSS-API mechanism has been changed to inter-operate with
  other GSSAPI implementations. See man page for gssapi(3) for how to
  turn on generation of correct MIC messages. Next major release of
  heimdal will generate correct MIC by default.

* More complete GSS-API support

* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
  support in applications no longer requires Kerberos 4 libs

* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)

* other bug fixes

Changes in release 0.5.2

 * kdc: add option for disabling v4 cross-realm (defaults to off)

 * bug fixes

Changes in release 0.5.1

 * kadmind: fix remote exploit

 * kadmind: add option to disable kerberos 4

 * kdc: make sure kaserver token life is positive

 * telnet: use the session key if there is no subkey

 * fix EPSV parsing in ftp

 * other bug fixes

Changes in release 0.5

 * add --detach option to kdc

 * allow setting forward and forwardable option in telnet from
   .telnetrc, with override from command line

 * accept addresses with or without ports in krb5_rd_cred

 * make it work with modern openssl

 * use our own string2key function even with openssl (that handles weak
   keys incorrectly)

 * more system-specific requirements in login

 * do not use getlogin() to determine root in su

 * telnet: abort if telnetd does not support encryption

 * update autoconf to 2.53

 * update config.guess, config.sub

 * other bug fixes

Changes in release 0.4e

 * improve libcrypto and database autoconf tests

 * do not care about salting of server principals when serving v4 requests

 * some improvements to gssapi library

 * test for existing compile_et/libcom_err

 * portability fixes

 * bug fixes

Changes in release 0.4d

 * fix some problems when using libcrypto from openssl

 * handle /dev/ptmx `unix98' ptys on Linux

 * add some forgotten man pages

 * rsh: clean-up and add man page

 * fix -A and -a in builtin-ls in ftpd

 * fix building problem on Irix

 * make `ktutil get' more efficient

 * bug fixes

Changes in release 0.4c

 * fix buffer overrun in telnetd

 * repair some of the v4 fallback code in kinit

 * add more shared library dependencies

 * simplify and fix hprop handling of v4 databases

 * fix some building problems (osf's sia and osfc2 login)

 * bug fixes

Changes in release 0.4b

 * update the shared library version numbers correctly

Changes in release 0.4a

 * corrected key used for checksum in mk_safe, unfortunately this
   makes it backwards incompatible

 * update to autoconf 2.50, libtool 1.4

 * re-write dns/config lookups (krb5_krbhst API)

 * make order of using subkeys consistent

 * add man page links

 * add more man pages

 * remove rfc2052 support, now only rfc2782 is supported

 * always build with kaserver protocol support in the KDC (assuming
   KRB4 is enabled) and support for reading kaserver databases in
   hprop

Changes in release 0.3f

 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
   the new keytab type that tries both of these in order (SRVTAB is
   also an alias for krb4:)

 * improve error reporting and error handling (error messages should
   be more detailed and more useful)

 * improve building with openssl

 * add kadmin -K, rcp -F

 * fix two incorrect weak DES keys

 * fix building of kaserver compat in KDC

 * the API is closer to what MIT krb5 is using

 * more compatible with windows 2000

 * removed some memory leaks

 * bug fixes

Changes in release 0.3e

 * rcp program included

 * fix buffer overrun in ftpd

 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
   cannot generate zero sequence numbers

 * handle v4 /.k files better

 * configure/portability fixes

 * fixes in parsing of options to kadmin (sub-)commands

 * handle errors in kadmin load better

 * bug fixes

Changes in release 0.3d

 * add krb5-config

 * fix a bug in 3des gss-api mechanism, making it compatible with the
   specification and the MIT implementation

 * make telnetd only allow a specific list of environment variables to
   stop it from setting `sensitive' variables

 * try to use an existing libdes

 * lib/krb5, kdc: use correct usage type for ap-req messages. This
   should improve compatibility with MIT krb5 when using 3DES
   encryption types

 * kdc: fix memory allocation problem

 * update config.guess and config.sub

 * lib/roken: more stuff implemented

 * bug fixes and portability enhancements

Changes in release 0.3c

 * lib/krb5: memory caches now support the resolve operation

 * appl/login: set PATH to some sane default

 * kadmind: handle several realms

 * bug fixes (including memory leaks)

Changes in release 0.3b

 * kdc: prefer default-salted keys on v5 requests

 * kdc: lowercase hostnames in v4 mode

 * hprop: handle more types of MIT salts

 * lib/krb5: fix memory leak

 * bug fixes

Changes in release 0.3a:

 * implement arcfour-hmac-md5 to interoperate with W2K

 * modularise the handling of the master key, and allow for other
   encryption types. This makes it easier to import a database from
   some other source without having to re-encrypt all keys.

 * allow for better control over which encryption types are created

 * make kinit fallback to v4 if given a v4 KDC

 * make klist work better with v4 and v5, and add some more MIT
   compatibility options

 * make the kdc listen on the krb524 (4444) port for compatibility
   with MIT krb5 clients

 * implement more DCE/DFS support, enabled with --enable-dce, see
   lib/kdfs and appl/dceutils

 * make the sequence numbers work correctly

 * bug fixes

Changes in release 0.2t:

 * bug fixes

Changes in release 0.2s:

 * add OpenLDAP support in hdb

 * login will get v4 tickets when it receives forwarded tickets

 * xnlock supports both v5 and v4

 * repair source routing for telnet

 * fix building problems with krb4 (krb_mk_req)

 * bug fixes

Changes in release 0.2r:

 * fix realloc memory corruption bug in kdc

 * `add --key' and `cpw --key' in kadmin

 * klist supports listing v4 tickets

 * update config.guess and config.sub

 * make v4 -> v5 principal name conversion more robust

 * support for anonymous tickets

 * new man-pages

 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

 * use and set expiration and not password expiration when dumping
   to/from ka server databases / krb4 databases

 * make the code happier with 64-bit time_t

 * follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

 * bug fix in tcp-handling in kdc

 * bug fix in expand_hostname

Changes in release 0.2p:

 * bug fix in `kadmin load/merge'

 * bug fix in krb5_parse_address

Changes in release 0.2o:

 * gss_{import,export}_sec_context added to libgssapi

 * new option --addresses to kdc (for listening on an explicit set of
   addresses)

 * bug fixes in the krb4 and kaserver emulation part of the kdc

 * other bug fixes

Changes in release 0.2n:

 * more robust parsing of dump files in kadmin
 * changed default timestamp format for log messages to extended ISO
   8601 format (Y-M-DTH:M:S)
 * changed md4/md5/sha1 APIs to be de-facto `standard'
 * always make hostname into lower-case before creating principal
 * small bits of more MIT-compatibility
 * bug fixes

Changes in release 0.2m:

 * handle glibc's getaddrinfo() that returns several ai_canonname

 * new endian test

 * man pages fixes

Changes in release 0.2l:

 * bug fixes

Changes in release 0.2k:

 * better IPv6 test

 * make struct sockaddr_storage in roken work better on alphas

 * some missing [hn]to[hn]s fixed.

 * allow users to change their own passwords with kadmin (with initial
   tickets)

 * fix stupid bug in parsing KDC specification

 * add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

 * builds on Irix

 * ftpd works in passive mode

 * should build on cygwin

 * work around broken IPv6-code on OpenBSD 2.6, also add configure
   option --disable-ipv6

Changes in release 0.2i:

 * use getaddrinfo in the missing places.

 * fix SRV lookup for admin server

 * use get{addr,name}info everywhere, and implement it in terms of
   getipnodeby{name,addr} (which uses gethostbyname{,2} and
   gethostbyaddr)

Changes in release 0.2h:

 * fix typo in kx (now compiles)

Changes in release 0.2g:

 * lots of bug fixes:
    * push works
    * repair appl/test programs
    * sockaddr_storage works on solaris (alignment issues)
    * works better with non-roken getaddrinfo
    * rsh works
    * some non standard C constructs removed

Changes in release 0.2f:

 * support SRV records for kpasswd
 * look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

 * changed copyright notices to remove `advertising'-clause.
 * get{addr,name}info added to roken and used in the other code
   (this makes things work much better with hosts with both v4 and v6
   addresses, among other things)
 * do pre-auth for both password and key-based get_in_tkt
 * support for having several databases
 * new command `del_enctype' in kadmin
 * strptime (and new strftime) added to roken
 * more paranoia about finding libdb
 * bug fixes

Changes in release 0.2d:

 * new configuration option [libdefaults]default_etypes_des
 * internal ls in ftpd builds without KRB4
 * kx/rsh/push/pop_debug tries v5 and v4 consistently
 * build bug fixes
 * other bug fixes

Changes in release 0.2c:

 * bug fixes (see ChangeLog's for details)

79555682SmarkmChanges in release 0.2b: 79655682Smarkm 79755682Smarkm * bug fixes 79855682Smarkm * actually bump shared library versions 79955682Smarkm 80055682SmarkmChanges in release 0.2a: 80155682Smarkm 80255682Smarkm * a new program verify_krb5_conf for checking your /etc/krb5.conf 80355682Smarkm * add 3DES keys when changing password 80455682Smarkm * support null keys in database 80555682Smarkm * support multiple local realms 80655682Smarkm * implement a keytab backend for AFS KeyFile's 80755682Smarkm * implement a keytab backend for v4 srvtabs 80855682Smarkm * implement `ktutil copy' 80955682Smarkm * support password quality control in v4 kadmind 81055682Smarkm * improvements in v4 compat kadmind 81155682Smarkm * handle the case of having the correct cred in the ccache but with 81255682Smarkm the wrong encryption type better 81355682Smarkm * v6-ify the remaining programs. 81455682Smarkm * internal ls in ftpd 81555682Smarkm * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat 81655682Smarkm * add `ank --random-password' and `cpw --random-password' in kadmin 81755682Smarkm * some programs and documentation for trying to talk to a W2K KDC 81855682Smarkm * bug fixes 81955682Smarkm 82055682SmarkmChanges in release 0.1m: 82155682Smarkm 82255682Smarkm * support for getting default from krb5.conf for kinit/kf/rsh/telnet. 82355682Smarkm From Miroslav Ruda <ruda@ics.muni.cz> 82455682Smarkm * v6-ify hprop and hpropd 82555682Smarkm * support numeric addresses in krb5_mk_req 82655682Smarkm * shadow support in login and su. 
   From Miroslav Ruda <ruda@ics.muni.cz>
 * make rsh/rshd IPv6-aware
 * make the gssapi sample applications better at reporting errors
 * lots of bug fixes
 * handle systems with v6-aware libc and non-v6 kernels (like Linux
   with glibc 2.1) better
 * hide failure of EPRT in ftp
 * lots of bug fixes

Changes in release 0.1l:

 * make ftp and ftpd IPv6-aware
 * add inet_pton to roken
 * more IPv6-awareness
 * make mini_inetd v6 aware

Changes in release 0.1k:

 * bump shared libraries versions
 * add roken version of inet_ntop
 * merge more changes to rshd

Changes in release 0.1j:

 * restore back to the `old' 3DES code. This was supposed to be done
   in 0.1h and 0.1i but I did a CVS screw-up.
 * make telnetd handle v6 connections

Changes in release 0.1i:

 * start using `struct sockaddr_storage' which simplifies the code
   (with a fallback definition if it's not defined)
 * bug fixes (including in hprop and kf)
 * don't use mawk which seems to mishandle roken.awk
 * get_addrs should be able to handle v6 addresses on Linux (with the
   required patch to the Linux kernel -- ask within)
 * rshd builds with shadow passwords

Changes in release 0.1h:

 * kf: new program for forwarding credentials
 * portability fixes
 * make forwarding credentials work with MIT code
 * better conversion of ka database
 * add etc/services.append
 * correct `modified by' from kpasswdd
 * lots of bug fixes

Changes in release 0.1g:

 * kgetcred: new program for explicitly obtaining tickets
 * configure fixes
 * krb5-aware kx
 * bug fixes

Changes in release 0.1f:

 * experimental support for v4 kadmin protocol in kadmind
 * bug fixes

Changes in release 0.1e:

 * try to handle old DCE and MIT kdcs
 * support for older versions of credential cache files and keytabs
 * postdated tickets work
 * support for password quality checks in kpasswdd
 * new flag --enable-kaserver for kdc
 * renew fixes
 * prototype su program
 * updated (some) manpages
 * support for KDC resource records
 * should build with --without-krb4
 * bug fixes

Changes in release 0.1d:

 * Support building with DB2 (uses 1.85-compat API)
 * Support krb5-realm.DOMAIN in DNS
 * new `ktutil srvcreate'
 * v4/kafs support in klist/kdestroy
 * bug fixes

Changes in release 0.1c:

 * fix ASN.1 encoding of signed integers
 * somewhat working `ktutil get'
 * some documentation updates
 * update to Autoconf 2.13 and Automake 1.4
 * the usual bug fixes

Changes in release 0.1b:

 * some old -> new crypto conversion utils
 * bug fixes

Changes in release 0.1a:

 * new crypto code
 * more bug fixes
 * make sure we ask for DES keys in gssapi
 * support signed ints in ASN1
 * IPv6-bug fixes

Changes in release 0.0u:

 * lots of bug fixes

Changes in release 0.0t:

 * more robust parsing of krb5.conf
 * include net{read,write} in lib/roken
 * bug fixes

Changes in release 0.0s:

 * kludges for parsing options to rsh
 * more robust parsing of krb5.conf
 * removed some arbitrary limits
 * bug fixes

Changes in release 0.0r:

 * default options for some programs
 * bug fixes

Changes in release 0.0q:

 * support for building shared libraries with libtool
 * bug fixes

Changes in release 0.0p:

 * keytab moved to /etc/krb5.keytab
 * avoid false detection of IPv6 on Linux
 * Lots more functionality in the gssapi-library
 * hprop can now read ka-server databases
 * bug fixes

Changes in release 0.0o:

 * FTP with GSSAPI support.
 * Bug fixes.

Changes in release 0.0n:

 * Incremental database propagation.
 * Somewhat improved kadmin ui; the stuff in admin is now removed.
 * Some support for using enctypes instead of keytypes.
 * Lots of other improvements and bug fixes, see ChangeLog for details.