NEWS revision 233294
1Release Notes - Heimdal - Version Heimdal 1.5 2 3New features 4 5 - Support GSS name extensions/attributes 6 - SHA512 support 7 - No Kerberos 4 support 8 - Basic support for MIT Admin protocol (SECGSS flavor) 9 in kadmind (extract keytab) 10 - Replace editline with libedit 11 12Release Notes - Heimdal - Version Heimdal 1.4 13 14 New features 15 16 - Support for reading MIT database file directly 17 - KCM is polished up and now used in production 18 - NTLM first class citizen, credentials stored in KCM 19 - Table driven ASN.1 compiler, smaller!, not enabled by default 20 - Native Windows client support 21 22Notes 23 24 - Disabled write support NDBM hdb backend (read still in there) since 25 it can't handle large records, please migrate to a diffrent backend 26 (like BDB4) 27 28Release Notes - Heimdal - Version Heimdal 1.3.3 29 30 Bug fixes 31 - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321] 32 - Check NULL pointers before dereference them [kdc] 33 34Release Notes - Heimdal - Version Heimdal 1.3.2 35 36 Bug fixes 37 38 - Don't mix length when clearing hmac (could memset too much) 39 - More paranoid underrun checking when decrypting packets 40 - Check the password change requests and refuse to answer empty packets 41 - Build on OpenSolaris 42 - Renumber AD-SIGNED-TICKET since it was stolen from US 43 - Don't cache /dev/*random file descriptor, it doesn't get unloaded 44 - Make C++ safe 45 - Misc warnings 46 47Release Notes - Heimdal - Version Heimdal 1.3.1 48 49 Bug fixes 50 51 - Store KDC offset in credentials 52 - Many many more bug fixes 53 54Release Notes - Heimdal - Version Heimdal 1.3.1 55 56 New features 57 58 - Make work with OpenLDAPs krb5 overlay 59 60Release Notes - Heimdal - Version Heimdal 1.3 61 62 New features 63 64 - Partial support for MIT kadmind rpc protocol in kadmind 65 - Better support for finding keytab entries when using SPN aliases in the KDC 66 - Support BER in ASN.1 library (needed for CMS) 67 - Support decryption in Keychain private keys 68 - Support for new sqlite based credential cache 69 - Try both KDC referals and the common DNS reverse lookup in GSS-API 70 - Fix the KCM to not leak resources on failure 71 - Add IPv6 support to iprop 72 - Support localization of error strings in 73 kinit/klist/kdestroy and Kerberos library 74 - Remove Kerberos 4 support in application (still in KDC) 75 - Deprecate DES 76 - Support i18n password in windows domains (using UTF-8) 77 - More complete API emulation of OpenSSL in hcrypto 78 - Support for ECDSA and ECDH when linking with OpenSSL 79 80 API changes 81 82 - Support for settin friendly name on credential caches 83 - Move to using doxygen to generate documentation. 84 - Sprinkling __attribute__((depricated)) for old function to be removed 85 - Support to export LAST-REQUST information in AS-REQ 86 - Support for client deferrals in in AS-REQ 87 - Add seek support for krb5_storage. 88 - Support for split AS-REQ, first step for IA-KERB 89 - Fix many memory leaks and bugs 90 - Improved regression test 91 - Support krb5_cccol 92 - Switch to krb5_set_error_message 93 - Support krb5_crypto_*_iov 94 - Switch to use EVP for most function 95 - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec) 96 - Add support for GSS_C_DELEG_POLICY_FLAG 97 - Add krb5_cc_[gs]et_config to store data in the credential caches 98 - PTY testing application 99 100Bugfixes 101 - Make building on AIX6 possible. 102 - Bugfixes in LDAP KDC code to make it more stable 103 - Make ipropd-slave reconnect when master down gown 104 105 106Release Notes - Heimdal - Version Heimdal 1.2.1 107 108* Bug 109 110 [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris 111 [HEIMDAL-151] - Make canned tests work again after cert expired 112 [HEIMDAL-152] - iprop test: use full hostname to avoid realm 113 resolving errors 114 [HEIMDAL-153] - ftp: Use the correct length for unmap, msync 115 116Release Notes - Heimdal - Version Heimdal 1.2 117 118* Bug 119 120 [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in 121 gss_display_name/gss_export_name when using SPNEGO 122 [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1 123 [HEIMDAL-17] - Remove support for depricated [libdefaults]capath 124 [HEIMDAL-52] - hdb overwrite aliases for db databases 125 [HEIMDAL-54] - Two issues which affect credentials delegation 126 [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args 127 [HEIMDAL-62] - Fix printing of sig_atomic_t 128 [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto 129 [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase 130 [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241) 131 132* Improvement 133 [HEIMDAL-67] - Fix locking and store credential in atomic writes 134 in the FILE credential cache 135 [HEIMDAL-106] - make compile on cygwin again 136 [HEIMDAL-107] - Replace old random key generation in des module 137 and use it with RAND_ function instead 138 [HEIMDAL-115] - Better documentation and compatibility in hcrypto 139 in regards to OpenSSL 140 141* New Feature 142 [HEIMDAL-3] - pkinit alg agility PRF test vectors 143 [HEIMDAL-14] - Add libwind to Heimdal 144 [HEIMDAL-16] - Use libwind in hx509 145 [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to 146 the negotiation 147 [HEIMDAL-74] - Add support to report extended error message back 148 in AS-REQ to support windows clients 149 [HEIMDAL-116] - test pty based application (using rkpty) 150 [HEIMDAL-120] - Use new OpenLDAP API (older deprecated) 151 152* Task 153 [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ. 154 This drop compatibility with pre 0.3d KDCs. 155 [HEIMDAL-64] - kcm: first implementation of kcm-move-cache 156 [HEIMDAL-65] - Failed to compile with --disable-pk-init 157 [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some 158 wraparound checks doesn't apply to Heimdal 159 160Changes in release 1.1 161 162 * Read-only PKCS11 provider built-in to hx509. 163 164 * Documentation for hx509, hcrypto and ntlm libraries improved. 165 166 * Better compatibilty with Windows 2008 Server pre-releases and Vista. 167 168 * Mac OS X 10.5 support for native credential cache. 169 170 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc). 171 172 * Bug fixes. 173 174Changes in release 1.0.2 175 176* Ubuntu packages. 177 178* Bug fixes. 179 180Changes in release 1.0.1 181 182 * Serveral bug fixes to iprop. 183 184 * Make work on platforms without dlopen. 185 186 * Add RFC3526 modp group14 as default. 187 188 * Handle [kdc] database = { } entries without realm = stanzas. 189 190 * Make krb5_get_renewed_creds work. 191 192 * Make kaserver preauth work again. 193 194 * Bug fixes. 195 196Changes in release 1.0 197 198 * Add gss_pseudo_random() for mechglue and krb5. 199 200 * Make session key for the krbtgt be selected by the best encryption 201 type of the client. 202 203 * Better interoperability with other PK-INIT implementations. 204 205 * Inital support for Mac OS X Keychain for hx509. 206 207 * Alias support for inital ticket requests. 208 209 * Add symbol versioning to selected libraries on platforms that uses 210 GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc. 211 212 * New version of imath included in hcrypto. 213 214 * Fix memory leaks. 215 216 * Bugs fixes. 217 218Changes in release 0.8.1 219 220 * Make ASN.1 library less paranoid to with regard to NUL in string to 221 make it inter-operate with MIT Kerberos again. 222 223 * Make GSS-API library work again when using gss_acquire_cred 224 225 * Add symbol versioning to libgssapi when using GNU ld. 226 227 * Fix memory leaks 228 229 * Bugs fixes 230 231Changes in release 0.8 232 233 * PK-INIT support. 234 235 * HDB extensions support, used by PK-INIT. 236 237 * New ASN.1 compiler. 238 239 * GSS-API mechglue from FreeBSD. 240 241 * Updated SPNEGO to support RFC4178. 242 243 * Support for Cryptosystem Negotiation Extension (RFC 4537). 244 245 * A new X.509 library (hx509) and related crypto functions. 246 247 * A new ntlm library (heimntlm) and related crypto functions. 248 249 * Updated the built-in crypto library with bignum support using 250 imath, support for RSA and DH and renamed it to libhcrypto. 251 252 * Subsystem in the KDC, digest, that will perform the digest 253 operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL 254 DIGEST-MD5 NTLMv1 and NTLMv2. 255 256 * KDC will return the "response too big" error to force TCP retries 257 for large (default 1400 bytes) UDP replies. This is common for 258 PK-INIT requests. 259 260 * Libkafs defaults to use 2b tokens. 261 262 * Default to use the API cache on Mac OS X. 263 264 * krb5_kuserok() also checks ~/.k5login.d directory for acl files, 265 see manpage for krb5_kuserok for description. 266 267 * Many, many, other updates to code and info manual and manual pages. 268 269 * Bug fixes 270 271Changes in release 0.7.2 272 273* Fix security problem in rshd that enable an attacker to overwrite 274 and change ownership of any file that root could write. 275 276* Fix a DOS in telnetd. The attacker could force the server to crash 277 in a NULL de-reference before the user logged in, resulting in inetd 278 turning telnetd off because it forked too fast. 279 280* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name 281 exists in the keytab before returning success. This allows servers 282 to check if its even possible to use GSSAPI. 283 284* Fix receiving end of token delegation for GSS-API. It still wrongly 285 uses subkey for sending for compatibility reasons, this will change 286 in 0.8. 287 288* telnetd, login and rshd are now more verbose in logging failed and 289 successful logins. 290 291* Bug fixes 292 293Changes in release 0.7.1 294 295* Bug fixes 296 297Changes in release 0.7 298 299 * Support for KCM, a process based credential cache 300 301 * Support CCAPI credential cache 302 303 * SPNEGO support 304 305 * AES (and the gssapi conterpart, CFX) support 306 307 * Adding new and improve old documentation 308 309 * Bug fixes 310 311Changes in release 0.6.6 312 313* Fix security problem in rshd that enable an attacker to overwrite 314 and change ownership of any file that root could write. 315 316* Fix a DOS in telnetd. The attacker could force the server to crash 317 in a NULL de-reference before the user logged in, resulting in inetd 318 turning telnetd off because it forked too fast. 319 320Changes in release 0.6.5 321 322 * fix vulnerabilities in telnetd 323 324 * unbreak Kerberos 4 and kaserver 325 326Changes in release 0.6.4 327 328 * fix vulnerabilities in telnet 329 330 * rshd: encryption without a separate error socket should now work 331 332 * telnet now uses appdefaults for the encrypt and forward/forwardable 333 settings 334 335 * bug fixes 336 337Changes in release 0.6.3 338 339 * fix vulnerabilities in ftpd 340 341 * support for linux AFS /proc "syscalls" 342 343 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in 344 kpasswdd 345 346 * fix possible KDC denial of service 347 348 * bug fixes 349 350Changes in release 0.6.2 351 352 * Fix possible buffer overrun in v4 kadmin (which now defaults to off) 353 354Changes in release 0.6.1 355 356 * Fixed ARCFOUR suppport 357 358 * Cross realm vulnerability 359 360 * kdc: fix denial of service attack 361 362 * kdc: stop clients from renewing tickets into the future 363 364 * bug fixes 365 366Changes in release 0.6 367 368* The DES3 GSS-API mechanism has been changed to inter-operate with 369 other GSSAPI implementations. See man page for gssapi(3) how to turn 370 on generation of correct MIC messages. Next major release of heimdal 371 will generate correct MIC by default. 372 373* More complete GSS-API support 374 375* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS 376 support in applications no longer requires Kerberos 4 libs 377 378* Kerberos 4 support in kdc defaults to turned off (includes ka and 524) 379 380* other bug fixes 381 382Changes in release 0.5.2 383 384 * kdc: add option for disabling v4 cross-realm (defaults to off) 385 386 * bug fixes 387 388Changes in release 0.5.1 389 390 * kadmind: fix remote exploit 391 392 * kadmind: add option to disable kerberos 4 393 394 * kdc: make sure kaserver token life is positive 395 396 * telnet: use the session key if there is no subkey 397 398 * fix EPSV parsing in ftp 399 400 * other bug fixes 401 402Changes in release 0.5 403 404 * add --detach option to kdc 405 406 * allow setting forward and forwardable option in telnet from 407 .telnetrc, with override from command line 408 409 * accept addresses with or without ports in krb5_rd_cred 410 411 * make it work with modern openssl 412 413 * use our own string2key function even with openssl (that handles weak 414 keys incorrectly) 415 416 * more system-specific requirements in login 417 418 * do not use getlogin() to determine root in su 419 420 * telnet: abort if telnetd does not support encryption 421 422 * update autoconf to 2.53 423 424 * update config.guess, config.sub 425 426 * other bug fixes 427 428Changes in release 0.4e 429 430 * improve libcrypto and database autoconf tests 431 432 * do not care about salting of server principals when serving v4 requests 433 434 * some improvements to gssapi library 435 436 * test for existing compile_et/libcom_err 437 438 * portability fixes 439 440 * bug fixes 441 442Changes in release 0.4d 443 444 * fix some problems when using libcrypto from openssl 445 446 * handle /dev/ptmx `unix98' ptys on Linux 447 448 * add some forgotten man pages 449 450 * rsh: clean-up and add man page 451 452 * fix -A and -a in builtin-ls in tpd 453 454 * fix building problem on Irix 455 456 * make `ktutil get' more efficient 457 458 * bug fixes 459 460Changes in release 0.4c 461 462 * fix buffer overrun in telnetd 463 464 * repair some of the v4 fallback code in kinit 465 466 * add more shared library dependencies 467 468 * simplify and fix hprop handling of v4 databases 469 470 * fix some building problems (osf's sia and osfc2 login) 471 472 * bug fixes 473 474Changes in release 0.4b 475 476 * update the shared library version numbers correctly 477 478Changes in release 0.4a 479 480 * corrected key used for checksum in mk_safe, unfortunately this 481 makes it backwards incompatible 482 483 * update to autoconf 2.50, libtool 1.4 484 485 * re-write dns/config lookups (krb5_krbhst API) 486 487 * make order of using subkeys consistent 488 489 * add man page links 490 491 * add more man pages 492 493 * remove rfc2052 support, now only rfc2782 is supported 494 495 * always build with kaserver protocol support in the KDC (assuming 496 KRB4 is enabled) and support for reading kaserver databases in 497 hprop 498 499Changes in release 0.3f 500 501 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, 502 the new keytab type that tries both of these in order (SRVTAB is 503 also an alias for krb4:) 504 505 * improve error reporting and error handling (error messages should 506 be more detailed and more useful) 507 508 * improve building with openssl 509 510 * add kadmin -K, rcp -F 511 512 * fix two incorrect weak DES keys 513 514 * fix building of kaserver compat in KDC 515 516 * the API is closer to what MIT krb5 is using 517 518 * more compatible with windows 2000 519 520 * removed some memory leaks 521 522 * bug fixes 523 524Changes in release 0.3e 525 526 * rcp program included 527 528 * fix buffer overrun in ftpd 529 530 * handle omitted sequence numbers as zeroes to handle MIT krb5 that 531 cannot generate zero sequence numbers 532 533 * handle v4 /.k files better 534 535 * configure/portability fixes 536 537 * fixes in parsing of options to kadmin (sub-)commands 538 539 * handle errors in kadmin load better 540 541 * bug fixes 542 543Changes in release 0.3d 544 545 * add krb5-config 546 547 * fix a bug in 3des gss-api mechanism, making it compatible with the 548 specification and the MIT implementation 549 550 * make telnetd only allow a specific list of environment variables to 551 stop it from setting `sensitive' variables 552 553 * try to use an existing libdes 554 555 * lib/krb5, kdc: use correct usage type for ap-req messages. This 556 should improve compatability with MIT krb5 when using 3DES 557 encryption types 558 559 * kdc: fix memory allocation problem 560 561 * update config.guess and config.sub 562 563 * lib/roken: more stuff implemented 564 565 * bug fixes and portability enhancements 566 567Changes in release 0.3c 568 569 * lib/krb5: memory caches now support the resolve operation 570 571 * appl/login: set PATH to some sane default 572 573 * kadmind: handle several realms 574 575 * bug fixes (including memory leaks) 576 577Changes in release 0.3b 578 579 * kdc: prefer default-salted keys on v5 requests 580 581 * kdc: lowercase hostnames in v4 mode 582 583 * hprop: handle more types of MIT salts 584 585 * lib/krb5: fix memory leak 586 587 * bug fixes 588 589Changes in release 0.3a: 590 591 * implement arcfour-hmac-md5 to interoperate with W2K 592 593 * modularise the handling of the master key, and allow for other 594 encryption types. This makes it easier to import a database from 595 some other source without having to re-encrypt all keys. 596 597 * allow for better control over which encryption types are created 598 599 * make kinit fallback to v4 if given a v4 KDC 600 601 * make klist work better with v4 and v5, and add some more MIT 602 compatibility options 603 604 * make the kdc listen on the krb524 (4444) port for compatibility 605 with MIT krb5 clients 606 607 * implement more DCE/DFS support, enabled with --enable-dce, see 608 lib/kdfs and appl/dceutils 609 610 * make the sequence numbers work correctly 611 612 * bug fixes 613 614Changes in release 0.2t: 615 616 * bug fixes 617 618Changes in release 0.2s: 619 620 * add OpenLDAP support in hdb 621 622 * login will get v4 tickets when it receives forwarded tickets 623 624 * xnlock supports both v5 and v4 625 626 * repair source routing for telnet 627 628 * fix building problems with krb4 (krb_mk_req) 629 630 * bug fixes 631 632Changes in release 0.2r: 633 634 * fix realloc memory corruption bug in kdc 635 636 * `add --key' and `cpw --key' in kadmin 637 638 * klist supports listing v4 tickets 639 640 * update config.guess and config.sub 641 642 * make v4 -> v5 principal name conversion more robust 643 644 * support for anonymous tickets 645 646 * new man-pages 647 648 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab. 649 650 * use and set expiration and not password expiration when dumping 651 to/from ka server databases / krb4 databases 652 653 * make the code happier with 64-bit time_t 654 655 * follow RFC2782 and by default do not look for non-underscore SRV names 656 657Changes in release 0.2q: 658 659 * bug fix in tcp-handling in kdc 660 661 * bug fix in expand_hostname 662 663Changes in release 0.2p: 664 665 * bug fix in `kadmin load/merge' 666 667 * bug fix in krb5_parse_address 668 669Changes in release 0.2o: 670 671 * gss_{import,export}_sec_context added to libgssapi 672 673 * new option --addresses to kdc (for listening on an explicit set of 674 addresses) 675 676 * bug fixes in the krb4 and kaserver emulation part of the kdc 677 678 * other bug fixes 679 680Changes in release 0.2n: 681 682 * more robust parsing of dump files in kadmin 683 * changed default timestamp format for log messages to extended ISO 684 8601 format (Y-M-DTH:M:S) 685 * changed md4/md5/sha1 APIes to be de-facto `standard' 686 * always make hostname into lower-case before creating principal 687 * small bits of more MIT-compatability 688 * bug fixes 689 690Changes in release 0.2m: 691 692 * handle glibc's getaddrinfo() that returns several ai_canonname 693 694 * new endian test 695 696 * man pages fixes 697 698Changes in release 0.2l: 699 700 * bug fixes 701 702Changes in release 0.2k: 703 704 * better IPv6 test 705 706 * make struct sockaddr_storage in roken work better on alphas 707 708 * some missing [hn]to[hn]s fixed. 709 710 * allow users to change their own passwords with kadmin (with initial 711 tickets) 712 713 * fix stupid bug in parsing KDC specification 714 715 * add `ktutil change' and `ktutil purge' 716 717Changes in release 0.2j: 718 719 * builds on Irix 720 721 * ftpd works in passive mode 722 723 * should build on cygwin 724 725 * work around broken IPv6-code on OpenBSD 2.6, also add configure 726 option --disable-ipv6 727 728Changes in release 0.2i: 729 730 * use getaddrinfo in the missing places. 731 732 * fix SRV lookup for admin server 733 734 * use get{addr,name}info everywhere. and implement it in terms of 735 getipnodeby{name,addr} (which uses gethostbyname{,2} and 736 gethostbyaddr) 737 738Changes in release 0.2h: 739 740 * fix typo in kx (now compiles) 741 742Changes in release 0.2g: 743 744 * lots of bug fixes: 745 * push works 746 * repair appl/test programs 747 * sockaddr_storage works on solaris (alignment issues) 748 * works better with non-roken getaddrinfo 749 * rsh works 750 * some non standard C constructs removed 751 752Changes in release 0.2f: 753 754 * support SRV records for kpasswd 755 * look for both _kerberos and krb5-realm when doing host -> realm mapping 756 757Changes in release 0.2e: 758 759 * changed copyright notices to remove `advertising'-clause. 760 * get{addr,name}info added to roken and used in the other code 761 (this makes things work much better with hosts with both v4 and v6 762 addresses, among other things) 763 * do pre-auth for both password and key-based get_in_tkt 764 * support for having several databases 765 * new command `del_enctype' in kadmin 766 * strptime (and new strftime) add to roken 767 * more paranoia about finding libdb 768 * bug fixes 769 770Changes in release 0.2d: 771 772 * new configuration option [libdefaults]default_etypes_des 773 * internal ls in ftpd builds without KRB4 774 * kx/rsh/push/pop_debug tries v5 and v4 consistenly 775 * build bug fixes 776 * other bug fixes 777 778Changes in release 0.2c: 779 780 * bug fixes (see ChangeLog's for details) 781 782Changes in release 0.2b: 783 784 * bug fixes 785 * actually bump shared library versions 786 787Changes in release 0.2a: 788 789 * a new program verify_krb5_conf for checking your /etc/krb5.conf 790 * add 3DES keys when changing password 791 * support null keys in database 792 * support multiple local realms 793 * implement a keytab backend for AFS KeyFile's 794 * implement a keytab backend for v4 srvtabs 795 * implement `ktutil copy' 796 * support password quality control in v4 kadmind 797 * improvements in v4 compat kadmind 798 * handle the case of having the correct cred in the ccache but with 799 the wrong encryption type better 800 * v6-ify the remaining programs. 801 * internal ls in ftpd 802 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat 803 * add `ank --random-password' and `cpw --random-password' in kadmin 804 * some programs and documentation for trying to talk to a W2K KDC 805 * bug fixes 806 807Changes in release 0.1m: 808 809 * support for getting default from krb5.conf for kinit/kf/rsh/telnet. 810 From Miroslav Ruda <ruda@ics.muni.cz> 811 * v6-ify hprop and hpropd 812 * support numeric addresses in krb5_mk_req 813 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz> 814 * make rsh/rshd IPv6-aware 815 * make the gssapi sample applications better at reporting errors 816 * lots of bug fixes 817 * handle systems with v6-aware libc and non-v6 kernels (like Linux 818 with glibc 2.1) better 819 * hide failure of ERPT in ftp 820 * lots of bug fixes 821 822Changes in release 0.1l: 823 824 * make ftp and ftpd IPv6-aware 825 * add inet_pton to roken 826 * more IPv6-awareness 827 * make mini_inetd v6 aware 828 829Changes in release 0.1k: 830 831 * bump shared libraries versions 832 * add roken version of inet_ntop 833 * merge more changes to rshd 834 835Changes in release 0.1j: 836 837 * restore back to the `old' 3DES code. This was supposed to be done 838 in 0.1h and 0.1i but I did a CVS screw-up. 839 * make telnetd handle v6 connections 840 841Changes in release 0.1i: 842 843 * start using `struct sockaddr_storage' which simplifies the code 844 (with a fallback definition if it's not defined) 845 * bug fixes (including in hprop and kf) 846 * don't use mawk which seems to mishandle roken.awk 847 * get_addrs should be able to handle v6 addresses on Linux (with the 848 required patch to the Linux kernel -- ask within) 849 * rshd builds with shadow passwords 850 851Changes in release 0.1h: 852 853 * kf: new program for forwarding credentials 854 * portability fixes 855 * make forwarding credentials work with MIT code 856 * better conversion of ka database 857 * add etc/services.append 858 * correct `modified by' from kpasswdd 859 * lots of bug fixes 860 861Changes in release 0.1g: 862 863 * kgetcred: new program for explicitly obtaining tickets 864 * configure fixes 865 * krb5-aware kx 866 * bug fixes 867 868Changes in release 0.1f; 869 870 * experimental support for v4 kadmin protokoll in kadmind 871 * bug fixes 872 873Changes in release 0.1e: 874 875 * try to handle old DCE and MIT kdcs 876 * support for older versions of credential cache files and keytabs 877 * postdated tickets work 878 * support for password quality checks in kpasswdd 879 * new flag --enable-kaserver for kdc 880 * renew fixes 881 * prototype su program 882 * updated (some) manpages 883 * support for KDC resource records 884 * should build with --without-krb4 885 * bug fixes 886 887Changes in release 0.1d: 888 889 * Support building with DB2 (uses 1.85-compat API) 890 * Support krb5-realm.DOMAIN in DNS 891 * new `ktutil srvcreate' 892 * v4/kafs support in klist/kdestroy 893 * bug fixes 894 895Changes in release 0.1c: 896 897 * fix ASN.1 encoding of signed integers 898 * somewhat working `ktutil get' 899 * some documentation updates 900 * update to Autoconf 2.13 and Automake 1.4 901 * the usual bug fixes 902 903Changes in release 0.1b: 904 905 * some old -> new crypto conversion utils 906 * bug fixes 907 908Changes in release 0.1a: 909 910 * new crypto code 911 * more bug fixes 912 * make sure we ask for DES keys in gssapi 913 * support signed ints in ASN1 914 * IPv6-bug fixes 915 916Changes in release 0.0u: 917 918 * lots of bug fixes 919 920Changes in release 0.0t: 921 922 * more robust parsing of krb5.conf 923 * include net{read,write} in lib/roken 924 * bug fixes 925 926Changes in release 0.0s: 927 928 * kludges for parsing options to rsh 929 * more robust parsing of krb5.conf 930 * removed some arbitrary limits 931 * bug fixes 932 933Changes in release 0.0r: 934 935 * default options for some programs 936 * bug fixes 937 938Changes in release 0.0q: 939 940 * support for building shared libraries with libtool 941 * bug fixes 942 943Changes in release 0.0p: 944 945 * keytab moved to /etc/krb5.keytab 946 * avoid false detection of IPv6 on Linux 947 * Lots of more functionality in the gssapi-library 948 * hprop can now read ka-server databases 949 * bug fixes 950 951Changes in release 0.0o: 952 953 * FTP with GSSAPI support. 954 * Bug fixes. 955 956Changes in release 0.0n: 957 958 * Incremental database propagation. 959 * Somewhat improved kadmin ui; the stuff in admin is now removed. 960 * Some support for using enctypes instead of keytypes. 961 * Lots of other improvement and bug fixes, see ChangeLog for details. 962