NEWS revision 120945
Changes in release 0.6

* The DES3 GSS-API mechanism has been changed to inter-operate with
  other GSSAPI implementations. See man page for gssapi(3) how to turn
  on generation of correct MIC messages. Next major release of heimdal
  will generate correct MIC by default.

* More complete GSS-API support

* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
  support in applications no longer requires Kerberos 4 libs

* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)

* other bug fixes

Changes in release 0.5.2

 * kdc: add option for disabling v4 cross-realm (defaults to off)

 * bug fixes

Changes in release 0.5.1

 * kadmind: fix remote exploit

 * kadmind: add option to disable kerberos 4

 * kdc: make sure kaserver token life is positive

 * telnet: use the session key if there is no subkey

 * fix EPSV parsing in ftp

 * other bug fixes

Changes in release 0.5

 * add --detach option to kdc

 * allow setting forward and forwardable option in telnet from
   .telnetrc, with override from command line

 * accept addresses with or without ports in krb5_rd_cred

 * make it work with modern openssl

 * use our own string2key function even with openssl (that handles weak
   keys incorrectly)

 * more system-specific requirements in login

 * do not use getlogin() to determine root in su

 * telnet: abort if telnetd does not support encryption

 * update autoconf to 2.53

 * update config.guess, config.sub

 * other bug fixes

Changes in release 0.4e

 * improve libcrypto and database autoconf tests

 * do not care about salting of server principals when serving v4 requests

 * some improvements to gssapi library

 * test for existing compile_et/libcom_err

 * portability fixes

 * bug fixes

Changes in release 0.4d

 * fix some problems when using libcrypto from openssl

 * handle /dev/ptmx `unix98' ptys on Linux

 * add some forgotten man pages

 * rsh: clean-up and add man page

 * fix -A and -a in builtin-ls in ftpd

 * fix building problem on Irix

 * make `ktutil get' more efficient

 * bug fixes

Changes in release 0.4c

 * fix buffer overrun in telnetd

 * repair some of the v4 fallback code in kinit

 * add more shared library dependencies

 * simplify and fix hprop handling of v4 databases

 * fix some building problems (osf's sia and osfc2 login)

 * bug fixes

Changes in release 0.4b

 * update the shared library version numbers correctly

Changes in release 0.4a

 * corrected key used for checksum in mk_safe, unfortunately this
   makes it backwards incompatible

 * update to autoconf 2.50, libtool 1.4

 * re-write dns/config lookups (krb5_krbhst API)

 * make order of using subkeys consistent

 * add man page links

 * add more man pages

 * remove rfc2052 support, now only rfc2782 is supported

 * always build with kaserver protocol support in the KDC (assuming
   KRB4 is enabled) and support for reading kaserver databases in
   hprop

Changes in release 0.3f

 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
   the new keytab type that tries both of these in order (SRVTAB is
   also an alias for krb4:)

 * improve error reporting and error handling (error messages should
   be more detailed and more useful)

 * improve building with openssl

 * add kadmin -K, rcp -F

 * fix two incorrect weak DES keys

 * fix building of kaserver compat in KDC

 * the API is closer to what MIT krb5 is using

 * more compatible with windows 2000

 * removed some memory leaks

 * bug fixes

Changes in release 0.3e

 * rcp program included

 * fix buffer overrun in ftpd

 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
   cannot generate zero sequence numbers

 * handle v4 /.k files better

 * configure/portability fixes

 * fixes in parsing of options to kadmin (sub-)commands

 * handle errors in kadmin load better

 * bug fixes

Changes in release 0.3d

 * add krb5-config

 * fix a bug in 3des gss-api mechanism, making it compatible with the
   specification and the MIT implementation

 * make telnetd only allow a specific list of environment variables to
   stop it from setting `sensitive' variables

 * try to use an existing libdes

 * lib/krb5, kdc: use correct usage type for ap-req messages. This
   should improve compatibility with MIT krb5 when using 3DES
   encryption types

 * kdc: fix memory allocation problem

 * update config.guess and config.sub

 * lib/roken: more stuff implemented

 * bug fixes and portability enhancements

Changes in release 0.3c

 * lib/krb5: memory caches now support the resolve operation

 * appl/login: set PATH to some sane default

 * kadmind: handle several realms

 * bug fixes (including memory leaks)

Changes in release 0.3b

 * kdc: prefer default-salted keys on v5 requests

 * kdc: lowercase hostnames in v4 mode

 * hprop: handle more types of MIT salts

 * lib/krb5: fix memory leak

 * bug fixes

Changes in release 0.3a:

 * implement arcfour-hmac-md5 to interoperate with W2K

 * modularise the handling of the master key, and allow for other
   encryption types. This makes it easier to import a database from
   some other source without having to re-encrypt all keys.

 * allow for better control over which encryption types are created

 * make kinit fallback to v4 if given a v4 KDC

 * make klist work better with v4 and v5, and add some more MIT
   compatibility options

 * make the kdc listen on the krb524 (4444) port for compatibility
   with MIT krb5 clients

 * implement more DCE/DFS support, enabled with --enable-dce, see
   lib/kdfs and appl/dceutils

 * make the sequence numbers work correctly

 * bug fixes

Changes in release 0.2t:

 * bug fixes

Changes in release 0.2s:

 * add OpenLDAP support in hdb

 * login will get v4 tickets when it receives forwarded tickets

 * xnlock supports both v5 and v4

 * repair source routing for telnet

 * fix building problems with krb4 (krb_mk_req)

 * bug fixes

Changes in release 0.2r:

 * fix realloc memory corruption bug in kdc

 * `add --key' and `cpw --key' in kadmin

 * klist supports listing v4 tickets

 * update config.guess and config.sub

 * make v4 -> v5 principal name conversion more robust

 * support for anonymous tickets

 * new man-pages

 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

 * use and set expiration and not password expiration when dumping
   to/from ka server databases / krb4 databases

 * make the code happier with 64-bit time_t

 * follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

 * bug fix in tcp-handling in kdc

 * bug fix in expand_hostname

Changes in release 0.2p:

 * bug fix in `kadmin load/merge'

 * bug fix in krb5_parse_address

Changes in release 0.2o:

 * gss_{import,export}_sec_context added to libgssapi

 * new option --addresses to kdc (for listening on an explicit set of
   addresses)

 * bug fixes in the krb4 and kaserver emulation part of the kdc

 * other bug fixes

Changes in release 0.2n:

 * more robust parsing of dump files in kadmin
 * changed default timestamp format for log messages to extended ISO
   8601 format (Y-M-DTH:M:S)
 * changed md4/md5/sha1 APIs to be de-facto `standard'
 * always make hostname into lower-case before creating principal
 * small bits of more MIT-compatibility
 * bug fixes

Changes in release 0.2m:

 * handle glibc's getaddrinfo() that returns several ai_canonname

 * new endian test

 * man pages fixes

Changes in release 0.2l:

 * bug fixes

Changes in release 0.2k:

 * better IPv6 test

 * make struct sockaddr_storage in roken work better on alphas

 * some missing [hn]to[hn]s fixed.

 * allow users to change their own passwords with kadmin (with initial
   tickets)

 * fix stupid bug in parsing KDC specification

 * add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

 * builds on Irix

 * ftpd works in passive mode

 * should build on cygwin

 * work around broken IPv6-code on OpenBSD 2.6, also add configure
   option --disable-ipv6

Changes in release 0.2i:

 * use getaddrinfo in the missing places.

 * fix SRV lookup for admin server

 * use get{addr,name}info everywhere, and implement it in terms of
   getipnodeby{name,addr} (which uses gethostbyname{,2} and
   gethostbyaddr)

Changes in release 0.2h:

 * fix typo in kx (now compiles)

Changes in release 0.2g:

 * lots of bug fixes:
   * push works
   * repair appl/test programs
   * sockaddr_storage works on solaris (alignment issues)
   * works better with non-roken getaddrinfo
   * rsh works
   * some non standard C constructs removed

Changes in release 0.2f:

 * support SRV records for kpasswd
 * look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

 * changed copyright notices to remove `advertising'-clause.
 * get{addr,name}info added to roken and used in the other code
   (this makes things work much better with hosts with both v4 and v6
   addresses, among other things)
 * do pre-auth for both password and key-based get_in_tkt
 * support for having several databases
 * new command `del_enctype' in kadmin
 * strptime (and new strftime) added to roken
 * more paranoia about finding libdb
 * bug fixes

Changes in release 0.2d:

 * new configuration option [libdefaults]default_etypes_des
 * internal ls in ftpd builds without KRB4
 * kx/rsh/push/pop_debug tries v5 and v4 consistently
 * build bug fixes
 * other bug fixes

Changes in release 0.2c:

 * bug fixes (see ChangeLog's for details)

Changes in release 0.2b:

 * bug fixes
 * actually bump shared library versions

Changes in release 0.2a:

 * a new program verify_krb5_conf for checking your /etc/krb5.conf
 * add 3DES keys when changing password
 * support null keys in database
 * support multiple local realms
 * implement a keytab backend for AFS KeyFile's
 * implement a keytab backend for v4 srvtabs
 * implement `ktutil copy'
 * support password quality control in v4 kadmind
 * improvements in v4 compat kadmind
 * handle the case of having the correct cred in the ccache but with
   the wrong encryption type better
 * v6-ify the remaining programs.
 * internal ls in ftpd
 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
 * add `ank --random-password' and `cpw --random-password' in kadmin
 * some programs and documentation for trying to talk to a W2K KDC
 * bug fixes

Changes in release 0.1m:

 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
   From Miroslav Ruda <ruda@ics.muni.cz>
 * v6-ify hprop and hpropd
 * support numeric addresses in krb5_mk_req
 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
 * make rsh/rshd IPv6-aware
 * make the gssapi sample applications better at reporting errors
 * lots of bug fixes
 * handle systems with v6-aware libc and non-v6 kernels (like Linux
   with glibc 2.1) better
 * hide failure of EPRT in ftp
 * lots of bug fixes

Changes in release 0.1l:

 * make ftp and ftpd IPv6-aware
 * add inet_pton to roken
 * more IPv6-awareness
 * make mini_inetd v6 aware

Changes in release 0.1k:

 * bump shared libraries versions
 * add roken version of inet_ntop
 * merge more changes to rshd

Changes in release 0.1j:

 * restore back to the `old' 3DES code. This was supposed to be done
   in 0.1h and 0.1i but I did a CVS screw-up.
 * make telnetd handle v6 connections

Changes in release 0.1i:

 * start using `struct sockaddr_storage' which simplifies the code
   (with a fallback definition if it's not defined)
 * bug fixes (including in hprop and kf)
 * don't use mawk which seems to mishandle roken.awk
 * get_addrs should be able to handle v6 addresses on Linux (with the
   required patch to the Linux kernel -- ask within)
 * rshd builds with shadow passwords

Changes in release 0.1h:

 * kf: new program for forwarding credentials
 * portability fixes
 * make forwarding credentials work with MIT code
 * better conversion of ka database
 * add etc/services.append
 * correct `modified by' from kpasswdd
 * lots of bug fixes

Changes in release 0.1g:

 * kgetcred: new program for explicitly obtaining tickets
 * configure fixes
 * krb5-aware kx
 * bug fixes

Changes in release 0.1f:

 * experimental support for v4 kadmin protocol in kadmind
 * bug fixes

Changes in release 0.1e:

 * try to handle old DCE and MIT kdcs
 * support for older versions of credential cache files and keytabs
 * postdated tickets work
 * support for password quality checks in kpasswdd
 * new flag --enable-kaserver for kdc
 * renew fixes
 * prototype su program
 * updated (some) manpages
 * support for KDC resource records
 * should build with --without-krb4
 * bug fixes

Changes in release 0.1d:

 * Support building with DB2 (uses 1.85-compat API)
 * Support krb5-realm.DOMAIN in DNS
 * new `ktutil srvcreate'
 * v4/kafs support in klist/kdestroy
 * bug fixes

Changes in release 0.1c:

 * fix ASN.1 encoding of signed integers
 * somewhat working `ktutil get'
 * some documentation updates
 * update to Autoconf 2.13 and Automake 1.4
 * the usual bug fixes

Changes in release 0.1b:

 * some old -> new crypto conversion utils
 * bug fixes

Changes in release 0.1a:

 * new crypto code
 * more bug fixes
 * make sure we ask for DES keys in gssapi
 * support signed ints in ASN1
 * IPv6-bug fixes

Changes in release 0.0u:

 * lots of bug fixes

Changes in release 0.0t:

 * more robust parsing of krb5.conf
 * include net{read,write} in lib/roken
 * bug fixes

Changes in release 0.0s:

 * kludges for parsing options to rsh
 * more robust parsing of krb5.conf
 * removed some arbitrary limits
 * bug fixes

Changes in release 0.0r:

 * default options for some programs
 * bug fixes

Changes in release 0.0q:

 * support for building shared libraries with libtool
 * bug fixes

Changes in release 0.0p:

 * keytab moved to /etc/krb5.keytab
 * avoid false detection of IPv6 on Linux
 * Lots of more functionality in the gssapi-library
 * hprop can now read ka-server databases
 * bug fixes

Changes in release 0.0o:

 * FTP with GSSAPI support.
 * Bug fixes.

Changes in release 0.0n:

 * Incremental database propagation.
 * Somewhat improved kadmin ui; the stuff in admin is now removed.
 * Some support for using enctypes instead of keytypes.
 * Lots of other improvement and bug fixes, see ChangeLog for details.