NEWS revision 127808
Changes in release 0.6.1

 * Fixed ARCFOUR support

 * Cross realm vulnerability

 * kdc: fix denial of service attack

 * kdc: stop clients from renewing tickets into the future

 * bug fixes

Changes in release 0.6

* The DES3 GSS-API mechanism has been changed to inter-operate with
  other GSSAPI implementations. See man page for gssapi(3) how to turn
  on generation of correct MIC messages. Next major release of heimdal
  will generate correct MIC by default.

* More complete GSS-API support

* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
  support in applications no longer requires Kerberos 4 libs

* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)

* other bug fixes

Changes in release 0.5.2

 * kdc: add option for disabling v4 cross-realm (defaults to off)

 * bug fixes

Changes in release 0.5.1

 * kadmind: fix remote exploit

 * kadmind: add option to disable kerberos 4

 * kdc: make sure kaserver token life is positive

 * telnet: use the session key if there is no subkey

 * fix EPSV parsing in ftp

 * other bug fixes

Changes in release 0.5

 * add --detach option to kdc

 * allow setting forward and forwardable option in telnet from
   .telnetrc, with override from command line

 * accept addresses with or without ports in krb5_rd_cred

 * make it work with modern openssl

 * use our own string2key function even with openssl (that handles weak
   keys incorrectly)

 * more system-specific requirements in login

 * do not use getlogin() to determine root in su

 * telnet: abort if telnetd does not support encryption

 * update autoconf to 2.53

 * update config.guess, config.sub

 * other bug fixes

Changes in release 0.4e

 * improve libcrypto and database autoconf tests

 * do not care about salting of server principals when serving v4 requests

 * some improvements to gssapi library

 * test for existing compile_et/libcom_err

 * portability fixes

 * bug fixes

Changes in release 0.4d

 * fix some problems when using libcrypto from openssl

 * handle /dev/ptmx `unix98' ptys on Linux

 * add some forgotten man pages

 * rsh: clean-up and add man page

 * fix -A and -a in builtin-ls in tpd

 * fix building problem on Irix

 * make `ktutil get' more efficient

 * bug fixes

Changes in release 0.4c

 * fix buffer overrun in telnetd

 * repair some of the v4 fallback code in kinit

 * add more shared library dependencies

 * simplify and fix hprop handling of v4 databases

 * fix some building problems (osf's sia and osfc2 login)

 * bug fixes

Changes in release 0.4b

 * update the shared library version numbers correctly

Changes in release 0.4a

 * corrected key used for checksum in mk_safe, unfortunately this
   makes it backwards incompatible

 * update to autoconf 2.50, libtool 1.4

 * re-write dns/config lookups (krb5_krbhst API)

 * make order of using subkeys consistent

 * add man page links

 * add more man pages

 * remove rfc2052 support, now only rfc2782 is supported

 * always build with kaserver protocol support in the KDC (assuming
   KRB4 is enabled) and support for reading kaserver databases in
   hprop

Changes in release 0.3f

 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
   the new keytab type that tries both of these in order (SRVTAB is
   also an alias for krb4:)

 * improve error reporting and error handling (error messages should
   be more detailed and more useful)

 * improve building with openssl

 * add kadmin -K, rcp -F

 * fix two incorrect weak DES keys

 * fix building of kaserver compat in KDC

 * the API is closer to what MIT krb5 is using

 * more compatible with windows 2000

 * removed some memory leaks

 * bug fixes

Changes in release 0.3e

 * rcp program included

 * fix buffer overrun in ftpd

 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
   cannot generate zero sequence numbers

 * handle v4 /.k files better

 * configure/portability fixes

 * fixes in parsing of options to kadmin (sub-)commands

 * handle errors in kadmin load better

 * bug fixes

Changes in release 0.3d

 * add krb5-config

 * fix a bug in 3des gss-api mechanism, making it compatible with the
   specification and the MIT implementation

 * make telnetd only allow a specific list of environment variables to
   stop it from setting `sensitive' variables

 * try to use an existing libdes

 * lib/krb5, kdc: use correct usage type for ap-req messages.  This
   should improve compatibility with MIT krb5 when using 3DES
   encryption types

 * kdc: fix memory allocation problem

 * update config.guess and config.sub

 * lib/roken: more stuff implemented

 * bug fixes and portability enhancements

Changes in release 0.3c

 * lib/krb5: memory caches now support the resolve operation

 * appl/login: set PATH to some sane default

 * kadmind: handle several realms

 * bug fixes (including memory leaks)

Changes in release 0.3b

 * kdc: prefer default-salted keys on v5 requests

 * kdc: lowercase hostnames in v4 mode

 * hprop: handle more types of MIT salts

 * lib/krb5: fix memory leak

 * bug fixes

Changes in release 0.3a:

 * implement arcfour-hmac-md5 to interoperate with W2K

 * modularise the handling of the master key, and allow for other
   encryption types. This makes it easier to import a database from
   some other source without having to re-encrypt all keys.

 * allow for better control over which encryption types are created

 * make kinit fallback to v4 if given a v4 KDC

 * make klist work better with v4 and v5, and add some more MIT
   compatibility options

 * make the kdc listen on the krb524 (4444) port for compatibility
   with MIT krb5 clients

 * implement more DCE/DFS support, enabled with --enable-dce, see
   lib/kdfs and appl/dceutils

 * make the sequence numbers work correctly

 * bug fixes

Changes in release 0.2t:

 * bug fixes

Changes in release 0.2s:

 * add OpenLDAP support in hdb

 * login will get v4 tickets when it receives forwarded tickets

 * xnlock supports both v5 and v4

 * repair source routing for telnet

 * fix building problems with krb4 (krb_mk_req)

 * bug fixes

Changes in release 0.2r:

 * fix realloc memory corruption bug in kdc

 * `add --key' and `cpw --key' in kadmin

 * klist supports listing v4 tickets

 * update config.guess and config.sub

 * make v4 -> v5 principal name conversion more robust

 * support for anonymous tickets

 * new man-pages

 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

 * use and set expiration and not password expiration when dumping
   to/from ka server databases / krb4 databases

 * make the code happier with 64-bit time_t

 * follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

 * bug fix in tcp-handling in kdc

 * bug fix in expand_hostname

Changes in release 0.2p:

 * bug fix in `kadmin load/merge'

 * bug fix in krb5_parse_address

Changes in release 0.2o:

 * gss_{import,export}_sec_context added to libgssapi

 * new option --addresses to kdc (for listening on an explicit set of
   addresses)

 * bug fixes in the krb4 and kaserver emulation part of the kdc

 * other bug fixes

Changes in release 0.2n:

 * more robust parsing of dump files in kadmin
 * changed default timestamp format for log messages to extended ISO
   8601 format (Y-M-DTH:M:S)
 * changed md4/md5/sha1 APIs to be de-facto `standard'
 * always make hostname into lower-case before creating principal
 * small bits of more MIT-compatibility
 * bug fixes

Changes in release 0.2m:

 * handle glibc's getaddrinfo() that returns several ai_canonname

 * new endian test

 * man pages fixes

Changes in release 0.2l:

 * bug fixes

Changes in release 0.2k:

 * better IPv6 test

 * make struct sockaddr_storage in roken work better on alphas

 * some missing [hn]to[hn]s fixed.

 * allow users to change their own passwords with kadmin (with initial
   tickets)

 * fix stupid bug in parsing KDC specification

 * add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

 * builds on Irix

 * ftpd works in passive mode

 * should build on cygwin

 * work around broken IPv6-code on OpenBSD 2.6, also add configure
   option --disable-ipv6

Changes in release 0.2i:

 * use getaddrinfo in the missing places.

 * fix SRV lookup for admin server

 * use get{addr,name}info everywhere.  and implement it in terms of
   getipnodeby{name,addr} (which uses gethostbyname{,2} and
   gethostbyaddr)

Changes in release 0.2h:

 * fix typo in kx (now compiles)

Changes in release 0.2g:

 * lots of bug fixes:
   * push works
   * repair appl/test programs
   * sockaddr_storage works on solaris (alignment issues)
   * works better with non-roken getaddrinfo
   * rsh works
   * some non standard C constructs removed

Changes in release 0.2f:

 * support SRV records for kpasswd
 * look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

 * changed copyright notices to remove `advertising'-clause.
 * get{addr,name}info added to roken and used in the other code
   (this makes things work much better with hosts with both v4 and v6
    addresses, among other things)
 * do pre-auth for both password and key-based get_in_tkt
 * support for having several databases
 * new command `del_enctype' in kadmin
 * strptime (and new strftime) added to roken
 * more paranoia about finding libdb
 * bug fixes

Changes in release 0.2d:

 * new configuration option [libdefaults]default_etypes_des
 * internal ls in ftpd builds without KRB4
 * kx/rsh/push/pop_debug tries v5 and v4 consistently
 * build bug fixes
 * other bug fixes

Changes in release 0.2c:

 * bug fixes (see ChangeLog's for details)

Changes in release 0.2b:

 * bug fixes
 * actually bump shared library versions

Changes in release 0.2a:

 * a new program verify_krb5_conf for checking your /etc/krb5.conf
 * add 3DES keys when changing password
 * support null keys in database
 * support multiple local realms
 * implement a keytab backend for AFS KeyFile's
 * implement a keytab backend for v4 srvtabs
 * implement `ktutil copy'
 * support password quality control in v4 kadmind
 * improvements in v4 compat kadmind
 * handle the case of having the correct cred in the ccache but with
   the wrong encryption type better
 * v6-ify the remaining programs.
 * internal ls in ftpd
 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
 * add `ank --random-password' and `cpw --random-password' in kadmin
 * some programs and documentation for trying to talk to a W2K KDC
 * bug fixes

Changes in release 0.1m:

 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
   From Miroslav Ruda <ruda@ics.muni.cz>
 * v6-ify hprop and hpropd
 * support numeric addresses in krb5_mk_req
 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
 * make rsh/rshd IPv6-aware
 * make the gssapi sample applications better at reporting errors
 * lots of bug fixes
 * handle systems with v6-aware libc and non-v6 kernels (like Linux
   with glibc 2.1) better
 * hide failure of ERPT in ftp
 * lots of bug fixes

Changes in release 0.1l:

 * make ftp and ftpd IPv6-aware
 * add inet_pton to roken
 * more IPv6-awareness
 * make mini_inetd v6 aware

Changes in release 0.1k:

 * bump shared libraries versions
 * add roken version of inet_ntop
 * merge more changes to rshd

Changes in release 0.1j:

 * restore back to the `old' 3DES code.  This was supposed to be done
   in 0.1h and 0.1i but I did a CVS screw-up.
 * make telnetd handle v6 connections

Changes in release 0.1i:

 * start using `struct sockaddr_storage' which simplifies the code
   (with a fallback definition if it's not defined)
 * bug fixes (including in hprop and kf)
 * don't use mawk which seems to mishandle roken.awk
 * get_addrs should be able to handle v6 addresses on Linux (with the
   required patch to the Linux kernel -- ask within)
 * rshd builds with shadow passwords

Changes in release 0.1h:

 * kf: new program for forwarding credentials
 * portability fixes
 * make forwarding credentials work with MIT code
 * better conversion of ka database
 * add etc/services.append
 * correct `modified by' from kpasswdd
 * lots of bug fixes

Changes in release 0.1g:

 * kgetcred: new program for explicitly obtaining tickets
 * configure fixes
 * krb5-aware kx
 * bug fixes

Changes in release 0.1f:

 * experimental support for v4 kadmin protocol in kadmind
 * bug fixes

Changes in release 0.1e:

 * try to handle old DCE and MIT kdcs
 * support for older versions of credential cache files and keytabs
 * postdated tickets work
 * support for password quality checks in kpasswdd
 * new flag --enable-kaserver for kdc
 * renew fixes
 * prototype su program
 * updated (some) manpages
 * support for KDC resource records
 * should build with --without-krb4
 * bug fixes

Changes in release 0.1d:

 * Support building with DB2 (uses 1.85-compat API)
 * Support krb5-realm.DOMAIN in DNS
 * new `ktutil srvcreate'
 * v4/kafs support in klist/kdestroy
 * bug fixes

Changes in release 0.1c:

 * fix ASN.1 encoding of signed integers
 * somewhat working `ktutil get'
 * some documentation updates
 * update to Autoconf 2.13 and Automake 1.4
 * the usual bug fixes

Changes in release 0.1b:

 * some old -> new crypto conversion utils
 * bug fixes

Changes in release 0.1a:

 * new crypto code
 * more bug fixes
 * make sure we ask for DES keys in gssapi
 * support signed ints in ASN1
 * IPv6-bug fixes

Changes in release 0.0u:

 * lots of bug fixes

Changes in release 0.0t:

 * more robust parsing of krb5.conf
 * include net{read,write} in lib/roken
 * bug fixes

Changes in release 0.0s:

 * kludges for parsing options to rsh
 * more robust parsing of krb5.conf
 * removed some arbitrary limits
 * bug fixes

Changes in release 0.0r:

 * default options for some programs
 * bug fixes

Changes in release 0.0q:

 * support for building shared libraries with libtool
 * bug fixes

Changes in release 0.0p:

 * keytab moved to /etc/krb5.keytab
 * avoid false detection of IPv6 on Linux
 * Lots of more functionality in the gssapi-library
 * hprop can now read ka-server databases
 * bug fixes

Changes in release 0.0o:

 * FTP with GSSAPI support.
 * Bug fixes.

Changes in release 0.0n:

 * Incremental database propagation.
 * Somewhat improved kadmin ui; the stuff in admin is now removed.
 * Some support for using enctypes instead of keytypes.
 * Lots of other improvement and bug fixes, see ChangeLog for details.