NEWS revision 107207
Changes in release 0.5.1

 * kadmind: fix remote exploit

 * kadmind: add option to disable kerberos 4

 * kdc: make sure kaserver token life is positive

 * telnet: use the session key if there is no subkey

 * fix EPSV parsing in ftp

 * other bug fixes

Changes in release 0.5

 * add --detach option to kdc

 * allow setting forward and forwardable option in telnet from
   .telnetrc, with override from command line

 * accept addresses with or without ports in krb5_rd_cred

 * make it work with modern openssl

 * use our own string2key function even with openssl (that handles weak
   keys incorrectly)

 * more system-specific requirements in login

 * do not use getlogin() to determine root in su

 * telnet: abort if telnetd does not support encryption

 * update autoconf to 2.53

 * update config.guess, config.sub

 * other bug fixes

Changes in release 0.4e

 * improve libcrypto and database autoconf tests

 * do not care about salting of server principals when serving v4 requests

 * some improvements to gssapi library

 * test for existing compile_et/libcom_err

 * portability fixes

 * bug fixes

Changes in release 0.4d

 * fix some problems when using libcrypto from openssl

 * handle /dev/ptmx `unix98' ptys on Linux

 * add some forgotten man pages

 * rsh: clean-up and add man page

 * fix -A and -a in builtin-ls in ftpd

 * fix building problem on Irix

 * make `ktutil get' more efficient

 * bug fixes

Changes in release 0.4c

 * fix buffer overrun in telnetd

 * repair some of the v4 fallback code in kinit

 * add more shared library dependencies

 * simplify and fix hprop handling of v4 databases

 * fix some building problems (osf's sia and osfc2 login)

 * bug fixes

Changes in release 0.4b

 * update the shared library version numbers correctly

Changes in release 0.4a

 * corrected key used for checksum in mk_safe, unfortunately this
   makes it backwards incompatible

 * update to autoconf 2.50, libtool 1.4

 * re-write dns/config lookups (krb5_krbhst API)

 * make order of using subkeys consistent

 * add man page links

 * add more man pages

 * remove rfc2052 support, now only rfc2782 is supported

 * always build with kaserver protocol support in the KDC (assuming
   KRB4 is enabled) and support for reading kaserver databases in
   hprop

Changes in release 0.3f

 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
   the new keytab type that tries both of these in order (SRVTAB is
   also an alias for krb4:)

 * improve error reporting and error handling (error messages should
   be more detailed and more useful)

 * improve building with openssl

 * add kadmin -K, rcp -F

 * fix two incorrect weak DES keys

 * fix building of kaserver compat in KDC

 * the API is closer to what MIT krb5 is using

 * more compatible with windows 2000

 * removed some memory leaks

 * bug fixes

Changes in release 0.3e

 * rcp program included

 * fix buffer overrun in ftpd

 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
   cannot generate zero sequence numbers

 * handle v4 /.k files better

 * configure/portability fixes

 * fixes in parsing of options to kadmin (sub-)commands

 * handle errors in kadmin load better

 * bug fixes

Changes in release 0.3d

 * add krb5-config

 * fix a bug in 3des gss-api mechanism, making it compatible with the
   specification and the MIT implementation

 * make telnetd only allow a specific list of environment variables to
   stop it from setting `sensitive' variables

 * try to use an existing libdes

 * lib/krb5, kdc: use correct usage type for ap-req messages. This
   should improve compatibility with MIT krb5 when using 3DES
   encryption types

 * kdc: fix memory allocation problem

 * update config.guess and config.sub

 * lib/roken: more stuff implemented

 * bug fixes and portability enhancements

Changes in release 0.3c

 * lib/krb5: memory caches now support the resolve operation

 * appl/login: set PATH to some sane default

 * kadmind: handle several realms

 * bug fixes (including memory leaks)

Changes in release 0.3b

 * kdc: prefer default-salted keys on v5 requests

 * kdc: lowercase hostnames in v4 mode

 * hprop: handle more types of MIT salts

 * lib/krb5: fix memory leak

 * bug fixes

Changes in release 0.3a:

 * implement arcfour-hmac-md5 to interoperate with W2K

 * modularise the handling of the master key, and allow for other
   encryption types. This makes it easier to import a database from
   some other source without having to re-encrypt all keys.

 * allow for better control over which encryption types are created

 * make kinit fallback to v4 if given a v4 KDC

 * make klist work better with v4 and v5, and add some more MIT
   compatibility options

 * make the kdc listen on the krb524 (4444) port for compatibility
   with MIT krb5 clients

 * implement more DCE/DFS support, enabled with --enable-dce, see
   lib/kdfs and appl/dceutils

 * make the sequence numbers work correctly

 * bug fixes

Changes in release 0.2t:

 * bug fixes

Changes in release 0.2s:

 * add OpenLDAP support in hdb

 * login will get v4 tickets when it receives forwarded tickets

 * xnlock supports both v5 and v4

 * repair source routing for telnet

 * fix building problems with krb4 (krb_mk_req)

 * bug fixes

Changes in release 0.2r:

 * fix realloc memory corruption bug in kdc

 * `add --key' and `cpw --key' in kadmin

 * klist supports listing v4 tickets

 * update config.guess and config.sub

 * make v4 -> v5 principal name conversion more robust

 * support for anonymous tickets

 * new man-pages

 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

 * use and set expiration and not password expiration when dumping
   to/from ka server databases / krb4 databases

 * make the code happier with 64-bit time_t

 * follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

 * bug fix in tcp-handling in kdc

 * bug fix in expand_hostname

Changes in release 0.2p:

 * bug fix in `kadmin load/merge'

 * bug fix in krb5_parse_address

Changes in release 0.2o:

 * gss_{import,export}_sec_context added to libgssapi

 * new option --addresses to kdc (for listening on an explicit set of
   addresses)

 * bug fixes in the krb4 and kaserver emulation part of the kdc

 * other bug fixes

Changes in release 0.2n:

 * more robust parsing of dump files in kadmin
 * changed default timestamp format for log messages to extended ISO
   8601 format (Y-M-DTH:M:S)
 * changed md4/md5/sha1 APIs to be de-facto `standard'
 * always make hostname into lower-case before creating principal
 * small bits of more MIT-compatibility
 * bug fixes

Changes in release 0.2m:

 * handle glibc's getaddrinfo() that returns several ai_canonname

 * new endian test

 * man pages fixes

Changes in release 0.2l:

 * bug fixes

Changes in release 0.2k:

 * better IPv6 test

 * make struct sockaddr_storage in roken work better on alphas

 * some missing [hn]to[hn]s fixed.

 * allow users to change their own passwords with kadmin (with initial
   tickets)

 * fix stupid bug in parsing KDC specification

 * add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

 * builds on Irix

 * ftpd works in passive mode

 * should build on cygwin

 * work around broken IPv6-code on OpenBSD 2.6, also add configure
   option --disable-ipv6

Changes in release 0.2i:

 * use getaddrinfo in the missing places.

 * fix SRV lookup for admin server

 * use get{addr,name}info everywhere, and implement it in terms of
   getipnodeby{name,addr} (which uses gethostbyname{,2} and
   gethostbyaddr)

Changes in release 0.2h:

 * fix typo in kx (now compiles)

Changes in release 0.2g:

 * lots of bug fixes:
   * push works
   * repair appl/test programs
   * sockaddr_storage works on solaris (alignment issues)
   * works better with non-roken getaddrinfo
   * rsh works
   * some non standard C constructs removed

Changes in release 0.2f:

 * support SRV records for kpasswd
 * look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

 * changed copyright notices to remove `advertising'-clause.
 * get{addr,name}info added to roken and used in the other code
   (this makes things work much better with hosts with both v4 and v6
   addresses, among other things)
 * do pre-auth for both password and key-based get_in_tkt
 * support for having several databases
 * new command `del_enctype' in kadmin
 * strptime (and new strftime) added to roken
 * more paranoia about finding libdb
 * bug fixes

Changes in release 0.2d:

 * new configuration option [libdefaults]default_etypes_des
 * internal ls in ftpd builds without KRB4
 * kx/rsh/push/pop_debug tries v5 and v4 consistently
 * build bug fixes
 * other bug fixes

Changes in release 0.2c:

 * bug fixes (see ChangeLogs for details)

Changes in release 0.2b:

 * bug fixes
 * actually bump shared library versions

Changes in release 0.2a:

 * a new program verify_krb5_conf for checking your /etc/krb5.conf
 * add 3DES keys when changing password
 * support null keys in database
 * support multiple local realms
 * implement a keytab backend for AFS KeyFile's
 * implement a keytab backend for v4 srvtabs
 * implement `ktutil copy'
 * support password quality control in v4 kadmind
 * improvements in v4 compat kadmind
 * handle the case of having the correct cred in the ccache but with
   the wrong encryption type better
 * v6-ify the remaining programs.
 * internal ls in ftpd
 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
 * add `ank --random-password' and `cpw --random-password' in kadmin
 * some programs and documentation for trying to talk to a W2K KDC
 * bug fixes

Changes in release 0.1m:

 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
   From Miroslav Ruda <ruda@ics.muni.cz>
 * v6-ify hprop and hpropd
 * support numeric addresses in krb5_mk_req
 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
 * make rsh/rshd IPv6-aware
 * make the gssapi sample applications better at reporting errors
 * lots of bug fixes
 * handle systems with v6-aware libc and non-v6 kernels (like Linux
   with glibc 2.1) better
 * hide failure of EPRT in ftp
 * lots of bug fixes

Changes in release 0.1l:

 * make ftp and ftpd IPv6-aware
 * add inet_pton to roken
 * more IPv6-awareness
 * make mini_inetd v6 aware

Changes in release 0.1k:

 * bump shared libraries versions
 * add roken version of inet_ntop
 * merge more changes to rshd

Changes in release 0.1j:

 * restore back to the `old' 3DES code. This was supposed to be done
   in 0.1h and 0.1i but I did a CVS screw-up.
 * make telnetd handle v6 connections

Changes in release 0.1i:

 * start using `struct sockaddr_storage' which simplifies the code
   (with a fallback definition if it's not defined)
 * bug fixes (including in hprop and kf)
 * don't use mawk which seems to mishandle roken.awk
 * get_addrs should be able to handle v6 addresses on Linux (with the
   required patch to the Linux kernel -- ask within)
 * rshd builds with shadow passwords

Changes in release 0.1h:

 * kf: new program for forwarding credentials
 * portability fixes
 * make forwarding credentials work with MIT code
 * better conversion of ka database
 * add etc/services.append
 * correct `modified by' from kpasswdd
 * lots of bug fixes

Changes in release 0.1g:

 * kgetcred: new program for explicitly obtaining tickets
 * configure fixes
 * krb5-aware kx
 * bug fixes

Changes in release 0.1f:

 * experimental support for v4 kadmin protocol in kadmind
 * bug fixes

Changes in release 0.1e:

 * try to handle old DCE and MIT kdcs
 * support for older versions of credential cache files and keytabs
 * postdated tickets work
 * support for password quality checks in kpasswdd
 * new flag --enable-kaserver for kdc
 * renew fixes
 * prototype su program
 * updated (some) manpages
 * support for KDC resource records
 * should build with --without-krb4
 * bug fixes

Changes in release 0.1d:

 * Support building with DB2 (uses 1.85-compat API)
 * Support krb5-realm.DOMAIN in DNS
 * new `ktutil srvcreate'
 * v4/kafs support in klist/kdestroy
 * bug fixes

Changes in release 0.1c:

 * fix ASN.1 encoding of signed integers
 * somewhat working `ktutil get'
 * some documentation updates
 * update to Autoconf 2.13 and Automake 1.4
 * the usual bug fixes

Changes in release 0.1b:

 * some old -> new crypto conversion utils
 * bug fixes

Changes in release 0.1a:

 * new crypto code
 * more bug fixes
 * make sure we ask for DES keys in gssapi
 * support signed ints in ASN1
 * IPv6-bug fixes

Changes in release 0.0u:

 * lots of bug fixes

Changes in release 0.0t:

 * more robust parsing of krb5.conf
 * include net{read,write} in lib/roken
 * bug fixes

Changes in release 0.0s:

 * kludges for parsing options to rsh
 * more robust parsing of krb5.conf
 * removed some arbitrary limits
 * bug fixes

Changes in release 0.0r:

 * default options for some programs
 * bug fixes

Changes in release 0.0q:

 * support for building shared libraries with libtool
 * bug fixes

Changes in release 0.0p:

 * keytab moved to /etc/krb5.keytab
 * avoid false detection of IPv6 on Linux
 * Lots more functionality in the gssapi-library
 * hprop can now read ka-server databases
 * bug fixes

Changes in release 0.0o:

 * FTP with GSSAPI support.
 * Bug fixes.

Changes in release 0.0n:

 * Incremental database propagation.
 * Somewhat improved kadmin ui; the stuff in admin is now removed.
 * Some support for using enctypes instead of keytypes.
 * Lots of other improvements and bug fixes, see ChangeLog for details.