NEWS revision 107207
Changes in release 0.5.1

 * kadmind: fix remote exploit

 * kadmind: add option to disable kerberos 4

 * kdc: make sure kaserver token life is positive

 * telnet: use the session key if there is no subkey

 * fix EPSV parsing in ftp

 * other bug fixes

Changes in release 0.5

 * add --detach option to kdc

 * allow setting forward and forwardable option in telnet from
   .telnetrc, with override from command line

 * accept addresses with or without ports in krb5_rd_cred

 * make it work with modern openssl

 * use our own string2key function even with openssl (that handles weak
   keys incorrectly)

 * more system-specific requirements in login

 * do not use getlogin() to determine root in su

 * telnet: abort if telnetd does not support encryption

 * update autoconf to 2.53

 * update config.guess, config.sub

 * other bug fixes

Changes in release 0.4e

 * improve libcrypto and database autoconf tests

 * do not care about salting of server principals when serving v4 requests

 * some improvements to gssapi library

 * test for existing compile_et/libcom_err

 * portability fixes

 * bug fixes

Changes in release 0.4d

 * fix some problems when using libcrypto from openssl

 * handle /dev/ptmx `unix98' ptys on Linux

 * add some forgotten man pages

 * rsh: clean-up and add man page

 * fix -A and -a in builtin-ls in ftpd

 * fix building problem on Irix

 * make `ktutil get' more efficient

 * bug fixes

Changes in release 0.4c

 * fix buffer overrun in telnetd

 * repair some of the v4 fallback code in kinit

 * add more shared library dependencies

 * simplify and fix hprop handling of v4 databases

 * fix some building problems (osf's sia and osfc2 login)

 * bug fixes

Changes in release 0.4b

 * update the shared library version numbers correctly

Changes in release 0.4a

 * corrected key used for checksum in mk_safe, unfortunately this
   makes it backwards incompatible

 * update to autoconf 2.50, libtool 1.4

 * re-write dns/config lookups (krb5_krbhst API)

 * make order of using subkeys consistent

 * add man page links

 * add more man pages

 * remove rfc2052 support, now only rfc2782 is supported

 * always build with kaserver protocol support in the KDC (assuming
   KRB4 is enabled) and support for reading kaserver databases in
   hprop

Changes in release 0.3f

 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
   the new keytab type that tries both of these in order (SRVTAB is
   also an alias for krb4:)

 * improve error reporting and error handling (error messages should
   be more detailed and more useful)

 * improve building with openssl

 * add kadmin -K, rcp -F

 * fix two incorrect weak DES keys

 * fix building of kaserver compat in KDC

 * the API is closer to what MIT krb5 is using

 * more compatible with windows 2000

 * removed some memory leaks

 * bug fixes

Changes in release 0.3e

 * rcp program included

 * fix buffer overrun in ftpd

 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
   cannot generate zero sequence numbers

 * handle v4 /.k files better

 * configure/portability fixes

 * fixes in parsing of options to kadmin (sub-)commands

 * handle errors in kadmin load better

 * bug fixes

Changes in release 0.3d

 * add krb5-config

 * fix a bug in 3des gss-api mechanism, making it compatible with the
   specification and the MIT implementation

 * make telnetd only allow a specific list of environment variables to
   stop it from setting `sensitive' variables

 * try to use an existing libdes

 * lib/krb5, kdc: use correct usage type for ap-req messages. This
   should improve compatibility with MIT krb5 when using 3DES
   encryption types

 * kdc: fix memory allocation problem

 * update config.guess and config.sub

 * lib/roken: more stuff implemented

 * bug fixes and portability enhancements

Changes in release 0.3c

 * lib/krb5: memory caches now support the resolve operation

 * appl/login: set PATH to some sane default

 * kadmind: handle several realms

 * bug fixes (including memory leaks)

Changes in release 0.3b

 * kdc: prefer default-salted keys on v5 requests

 * kdc: lowercase hostnames in v4 mode

 * hprop: handle more types of MIT salts

 * lib/krb5: fix memory leak

 * bug fixes

Changes in release 0.3a:

 * implement arcfour-hmac-md5 to interoperate with W2K

 * modularise the handling of the master key, and allow for other
   encryption types. This makes it easier to import a database from
   some other source without having to re-encrypt all keys.

 * allow for better control over which encryption types are created

 * make kinit fall back to v4 if given a v4 KDC

 * make klist work better with v4 and v5, and add some more MIT
   compatibility options

 * make the kdc listen on the krb524 (4444) port for compatibility
   with MIT krb5 clients

 * implement more DCE/DFS support, enabled with --enable-dce, see
   lib/kdfs and appl/dceutils

 * make the sequence numbers work correctly

 * bug fixes

Changes in release 0.2t:

 * bug fixes

Changes in release 0.2s:

 * add OpenLDAP support in hdb

 * login will get v4 tickets when it receives forwarded tickets

 * xnlock supports both v5 and v4

 * repair source routing for telnet

 * fix building problems with krb4 (krb_mk_req)

 * bug fixes

Changes in release 0.2r:

 * fix realloc memory corruption bug in kdc

 * `add --key' and `cpw --key' in kadmin

 * klist supports listing v4 tickets

 * update config.guess and config.sub

 * make v4 -> v5 principal name conversion more robust

 * support for anonymous tickets

 * new man-pages

 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

 * use and set expiration and not password expiration when dumping
   to/from ka server databases / krb4 databases

 * make the code happier with 64-bit time_t

 * follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

 * bug fix in tcp-handling in kdc

 * bug fix in expand_hostname

Changes in release 0.2p:

 * bug fix in `kadmin load/merge'

 * bug fix in krb5_parse_address

Changes in release 0.2o:

 * gss_{import,export}_sec_context added to libgssapi

 * new option --addresses to kdc (for listening on an explicit set of
   addresses)

 * bug fixes in the krb4 and kaserver emulation part of the kdc

 * other bug fixes

Changes in release 0.2n:

 * more robust parsing of dump files in kadmin
 * changed default timestamp format for log messages to extended ISO
   8601 format (Y-M-DTH:M:S)
 * changed md4/md5/sha1 APIs to be de-facto `standard'
 * always make hostname into lower-case before creating principal
 * small bits of more MIT-compatibility
 * bug fixes

Changes in release 0.2m:

 * handle glibc's getaddrinfo() that returns several ai_canonname

 * new endian test

 * man pages fixes

Changes in release 0.2l:

 * bug fixes

Changes in release 0.2k:

 * better IPv6 test

 * make struct sockaddr_storage in roken work better on alphas

 * some missing [hn]to[hn]s fixed.

 * allow users to change their own passwords with kadmin (with initial
   tickets)

 * fix stupid bug in parsing KDC specification

 * add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

 * builds on Irix

 * ftpd works in passive mode

 * should build on cygwin

 * work around broken IPv6-code on OpenBSD 2.6, also add configure
   option --disable-ipv6

Changes in release 0.2i:

 * use getaddrinfo in the missing places.

 * fix SRV lookup for admin server

 * use get{addr,name}info everywhere. and implement it in terms of
   getipnodeby{name,addr} (which uses gethostbyname{,2} and
   gethostbyaddr)

Changes in release 0.2h:

 * fix typo in kx (now compiles)

Changes in release 0.2g:

 * lots of bug fixes:
   * push works
   * repair appl/test programs
   * sockaddr_storage works on solaris (alignment issues)
   * works better with non-roken getaddrinfo
   * rsh works
   * some non standard C constructs removed

Changes in release 0.2f:

 * support SRV records for kpasswd
 * look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

 * changed copyright notices to remove `advertising'-clause.
 * get{addr,name}info added to roken and used in the other code
   (this makes things work much better with hosts with both v4 and v6
   addresses, among other things)
 * do pre-auth for both password and key-based get_in_tkt
 * support for having several databases
 * new command `del_enctype' in kadmin
 * strptime (and new strftime) added to roken
 * more paranoia about finding libdb
 * bug fixes

Changes in release 0.2d:

 * new configuration option [libdefaults]default_etypes_des
 * internal ls in ftpd builds without KRB4
 * kx/rsh/push/pop_debug tries v5 and v4 consistently
 * build bug fixes
 * other bug fixes

Changes in release 0.2c:

 * bug fixes (see ChangeLog's for details)

Changes in release 0.2b:

 * bug fixes
 * actually bump shared library versions

Changes in release 0.2a:

 * a new program verify_krb5_conf for checking your /etc/krb5.conf
 * add 3DES keys when changing password
 * support null keys in database
 * support multiple local realms
 * implement a keytab backend for AFS KeyFile's
 * implement a keytab backend for v4 srvtabs
 * implement `ktutil copy'
 * support password quality control in v4 kadmind
 * improvements in v4 compat kadmind
 * handle the case of having the correct cred in the ccache but with
   the wrong encryption type better
 * v6-ify the remaining programs.
 * internal ls in ftpd
 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
 * add `ank --random-password' and `cpw --random-password' in kadmin
 * some programs and documentation for trying to talk to a W2K KDC
 * bug fixes

Changes in release 0.1m:

 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
   From Miroslav Ruda <ruda@ics.muni.cz>
 * v6-ify hprop and hpropd
 * support numeric addresses in krb5_mk_req
 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
 * make rsh/rshd IPv6-aware
 * make the gssapi sample applications better at reporting errors
 * lots of bug fixes
 * handle systems with v6-aware libc and non-v6 kernels (like Linux
   with glibc 2.1) better
 * hide failure of EPRT in ftp
 * lots of bug fixes

Changes in release 0.1l:

 * make ftp and ftpd IPv6-aware
 * add inet_pton to roken
 * more IPv6-awareness
 * make mini_inetd v6 aware

Changes in release 0.1k:

 * bump shared libraries versions
 * add roken version of inet_ntop
 * merge more changes to rshd

Changes in release 0.1j:

 * restore back to the `old' 3DES code. This was supposed to be done
   in 0.1h and 0.1i but I did a CVS screw-up.
 * make telnetd handle v6 connections

Changes in release 0.1i:

 * start using `struct sockaddr_storage' which simplifies the code
   (with a fallback definition if it's not defined)
 * bug fixes (including in hprop and kf)
 * don't use mawk which seems to mishandle roken.awk
 * get_addrs should be able to handle v6 addresses on Linux (with the
   required patch to the Linux kernel -- ask within)
 * rshd builds with shadow passwords

Changes in release 0.1h:

 * kf: new program for forwarding credentials
 * portability fixes
 * make forwarding credentials work with MIT code
 * better conversion of ka database
 * add etc/services.append
 * correct `modified by' from kpasswdd
 * lots of bug fixes

Changes in release 0.1g:

 * kgetcred: new program for explicitly obtaining tickets
 * configure fixes
 * krb5-aware kx
 * bug fixes

Changes in release 0.1f:

 * experimental support for v4 kadmin protocol in kadmind
 * bug fixes

Changes in release 0.1e:

 * try to handle old DCE and MIT kdcs
 * support for older versions of credential cache files and keytabs
 * postdated tickets work
 * support for password quality checks in kpasswdd
 * new flag --enable-kaserver for kdc
 * renew fixes
 * prototype su program
 * updated (some) manpages
 * support for KDC resource records
 * should build with --without-krb4
 * bug fixes

Changes in release 0.1d:

 * Support building with DB2 (uses 1.85-compat API)
 * Support krb5-realm.DOMAIN in DNS
 * new `ktutil srvcreate'
 * v4/kafs support in klist/kdestroy
 * bug fixes

Changes in release 0.1c:

 * fix ASN.1 encoding of signed integers
 * somewhat working `ktutil get'
 * some documentation updates
 * update to Autoconf 2.13 and Automake 1.4
 * the usual bug fixes

Changes in release 0.1b:

 * some old -> new crypto conversion utils
 * bug fixes

Changes in release 0.1a:

 * new crypto code
 * more bug fixes
 * make sure we ask for DES keys in gssapi
 * support signed ints in ASN1
 * IPv6-bug fixes

Changes in release 0.0u:

 * lots of bug fixes

Changes in release 0.0t:

 * more robust parsing of krb5.conf
 * include net{read,write} in lib/roken
 * bug fixes

Changes in release 0.0s:

 * kludges for parsing options to rsh
 * more robust parsing of krb5.conf
 * removed some arbitrary limits
 * bug fixes

Changes in release 0.0r:

 * default options for some programs
 * bug fixes

Changes in release 0.0q:

 * support for building shared libraries with libtool
 * bug fixes

Changes in release 0.0p:

 * keytab moved to /etc/krb5.keytab
 * avoid false detection of IPv6 on Linux
 * Lots of more functionality in the gssapi-library
 * hprop can now read ka-server databases
 * bug fixes

Changes in release 0.0o:

 * FTP with GSSAPI support.
 * Bug fixes.

Changes in release 0.0n:

 * Incremental database propagation.
 * Somewhat improved kadmin ui; the stuff in admin is now removed.
 * Some support for using enctypes instead of keytypes.
 * Lots of other improvement and bug fixes, see ChangeLog for details.