NEWS revision 107207
Changes in release 0.5.1

 * kadmind: fix remote exploit

 * kadmind: add option to disable kerberos 4

 * kdc: make sure kaserver token life is positive

 * telnet: use the session key if there is no subkey

 * fix EPSV parsing in ftp

 * other bug fixes

Changes in release 0.5

 * add --detach option to kdc

 * allow setting forward and forwardable option in telnet from
   .telnetrc, with override from command line

 * accept addresses with or without ports in krb5_rd_cred

 * make it work with modern openssl

 * use our own string2key function even with openssl (that handles weak
   keys incorrectly)

 * more system-specific requirements in login

 * do not use getlogin() to determine root in su

 * telnet: abort if telnetd does not support encryption

 * update autoconf to 2.53

 * update config.guess, config.sub

 * other bug fixes

Changes in release 0.4e

 * improve libcrypto and database autoconf tests

 * do not care about salting of server principals when serving v4 requests

 * some improvements to gssapi library

 * test for existing compile_et/libcom_err

 * portability fixes

 * bug fixes

Changes in release 0.4d

 * fix some problems when using libcrypto from openssl

 * handle /dev/ptmx `unix98' ptys on Linux

 * add some forgotten man pages

 * rsh: clean-up and add man page

 * fix -A and -a in builtin-ls in ftpd

 * fix building problem on Irix

 * make `ktutil get' more efficient

 * bug fixes

Changes in release 0.4c

 * fix buffer overrun in telnetd

 * repair some of the v4 fallback code in kinit

 * add more shared library dependencies

 * simplify and fix hprop handling of v4 databases

 * fix some building problems (osf's sia and osfc2 login)

 * bug fixes

Changes in release 0.4b

 * update the shared library version numbers correctly

Changes in release 0.4a

 * corrected key used for checksum in mk_safe, unfortunately this
   makes it backwards incompatible

 * update to autoconf 2.50, libtool 1.4

 * re-write dns/config lookups (krb5_krbhst API)

 * make order of using subkeys consistent

 * add man page links

 * add more man pages

 * remove rfc2052 support, now only rfc2782 is supported

 * always build with kaserver protocol support in the KDC (assuming
   KRB4 is enabled) and support for reading kaserver databases in
   hprop

Changes in release 0.3f

 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
   the new keytab type that tries both of these in order (SRVTAB is
   also an alias for krb4:)

 * improve error reporting and error handling (error messages should
   be more detailed and more useful)

 * improve building with openssl

 * add kadmin -K, rcp -F

 * fix two incorrect weak DES keys

 * fix building of kaserver compat in KDC

 * the API is closer to what MIT krb5 is using

 * more compatible with windows 2000

 * removed some memory leaks

 * bug fixes

Changes in release 0.3e

 * rcp program included

 * fix buffer overrun in ftpd

 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
   cannot generate zero sequence numbers

 * handle v4 /.k files better

 * configure/portability fixes

 * fixes in parsing of options to kadmin (sub-)commands

 * handle errors in kadmin load better

 * bug fixes

Changes in release 0.3d

 * add krb5-config

 * fix a bug in 3des gss-api mechanism, making it compatible with the
   specification and the MIT implementation

 * make telnetd only allow a specific list of environment variables to
   stop it from setting `sensitive' variables

 * try to use an existing libdes

 * lib/krb5, kdc: use correct usage type for ap-req messages.  This
   should improve compatibility with MIT krb5 when using 3DES
   encryption types

 * kdc: fix memory allocation problem

 * update config.guess and config.sub

 * lib/roken: more stuff implemented

 * bug fixes and portability enhancements

Changes in release 0.3c

 * lib/krb5: memory caches now support the resolve operation

 * appl/login: set PATH to some sane default

 * kadmind: handle several realms

 * bug fixes (including memory leaks)

Changes in release 0.3b

 * kdc: prefer default-salted keys on v5 requests

 * kdc: lowercase hostnames in v4 mode

 * hprop: handle more types of MIT salts

 * lib/krb5: fix memory leak

 * bug fixes

Changes in release 0.3a:

 * implement arcfour-hmac-md5 to interoperate with W2K

 * modularise the handling of the master key, and allow for other
   encryption types. This makes it easier to import a database from
   some other source without having to re-encrypt all keys.

 * allow for better control over which encryption types are created

 * make kinit fall back to v4 if given a v4 KDC

 * make klist work better with v4 and v5, and add some more MIT
   compatibility options

 * make the kdc listen on the krb524 (4444) port for compatibility
   with MIT krb5 clients

 * implement more DCE/DFS support, enabled with --enable-dce, see
   lib/kdfs and appl/dceutils

 * make the sequence numbers work correctly

 * bug fixes

Changes in release 0.2t:

 * bug fixes

Changes in release 0.2s:

 * add OpenLDAP support in hdb

 * login will get v4 tickets when it receives forwarded tickets

 * xnlock supports both v5 and v4

 * repair source routing for telnet

 * fix building problems with krb4 (krb_mk_req)

 * bug fixes

Changes in release 0.2r:

 * fix realloc memory corruption bug in kdc

 * `add --key' and `cpw --key' in kadmin

 * klist supports listing v4 tickets

 * update config.guess and config.sub

 * make v4 -> v5 principal name conversion more robust

 * support for anonymous tickets

 * new man-pages

 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

 * use and set expiration and not password expiration when dumping
   to/from ka server databases / krb4 databases

 * make the code happier with 64-bit time_t

 * follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

 * bug fix in tcp-handling in kdc

 * bug fix in expand_hostname

Changes in release 0.2p:

 * bug fix in `kadmin load/merge'

 * bug fix in krb5_parse_address

Changes in release 0.2o:

 * gss_{import,export}_sec_context added to libgssapi

 * new option --addresses to kdc (for listening on an explicit set of
   addresses)

 * bug fixes in the krb4 and kaserver emulation part of the kdc

 * other bug fixes

Changes in release 0.2n:

 * more robust parsing of dump files in kadmin
 * changed default timestamp format for log messages to extended ISO
   8601 format (Y-M-DTH:M:S)
 * changed md4/md5/sha1 APIs to be de-facto `standard'
 * always make hostname into lower-case before creating principal
 * small bits of more MIT-compatibility
 * bug fixes

Changes in release 0.2m:

 * handle glibc's getaddrinfo() that returns several ai_canonname

 * new endian test

 * man pages fixes

Changes in release 0.2l:

 * bug fixes

Changes in release 0.2k:

 * better IPv6 test

 * make struct sockaddr_storage in roken work better on alphas

 * some missing [hn]to[hn]s fixed.

 * allow users to change their own passwords with kadmin (with initial
   tickets)

 * fix stupid bug in parsing KDC specification

 * add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

 * builds on Irix

 * ftpd works in passive mode

 * should build on cygwin

 * work around broken IPv6-code on OpenBSD 2.6, also add configure
   option --disable-ipv6

Changes in release 0.2i:

 * use getaddrinfo in the missing places.

 * fix SRV lookup for admin server

 * use get{addr,name}info everywhere.  and implement it in terms of
   getipnodeby{name,addr} (which uses gethostbyname{,2} and
   gethostbyaddr)

Changes in release 0.2h:

 * fix typo in kx (now compiles)

Changes in release 0.2g:

 * lots of bug fixes:
   * push works
   * repair appl/test programs
   * sockaddr_storage works on solaris (alignment issues)
   * works better with non-roken getaddrinfo
   * rsh works
   * some non standard C constructs removed

Changes in release 0.2f:

 * support SRV records for kpasswd
 * look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

 * changed copyright notices to remove `advertising'-clause.
 * get{addr,name}info added to roken and used in the other code
   (this makes things work much better with hosts with both v4 and v6
    addresses, among other things)
 * do pre-auth for both password and key-based get_in_tkt
 * support for having several databases
 * new command `del_enctype' in kadmin
 * strptime (and new strftime) added to roken
 * more paranoia about finding libdb
 * bug fixes

Changes in release 0.2d:

 * new configuration option [libdefaults]default_etypes_des
 * internal ls in ftpd builds without KRB4
 * kx/rsh/push/pop_debug tries v5 and v4 consistently
 * build bug fixes
 * other bug fixes

Changes in release 0.2c:

 * bug fixes (see ChangeLog's for details)

Changes in release 0.2b:

 * bug fixes
 * actually bump shared library versions

Changes in release 0.2a:

 * a new program verify_krb5_conf for checking your /etc/krb5.conf
 * add 3DES keys when changing password
 * support null keys in database
 * support multiple local realms
 * implement a keytab backend for AFS KeyFile's
 * implement a keytab backend for v4 srvtabs
 * implement `ktutil copy'
 * support password quality control in v4 kadmind
 * improvements in v4 compat kadmind
 * handle the case of having the correct cred in the ccache but with
   the wrong encryption type better
 * v6-ify the remaining programs.
 * internal ls in ftpd
 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
 * add `ank --random-password' and `cpw --random-password' in kadmin
 * some programs and documentation for trying to talk to a W2K KDC
 * bug fixes

Changes in release 0.1m:

 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
   From Miroslav Ruda <ruda@ics.muni.cz>
 * v6-ify hprop and hpropd
 * support numeric addresses in krb5_mk_req
 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
 * make rsh/rshd IPv6-aware
 * make the gssapi sample applications better at reporting errors
 * lots of bug fixes
 * handle systems with v6-aware libc and non-v6 kernels (like Linux
   with glibc 2.1) better
 * hide failure of EPRT in ftp
 * lots of bug fixes

Changes in release 0.1l:

 * make ftp and ftpd IPv6-aware
 * add inet_pton to roken
 * more IPv6-awareness
 * make mini_inetd v6 aware

Changes in release 0.1k:

 * bump shared libraries versions
 * add roken version of inet_ntop
 * merge more changes to rshd

Changes in release 0.1j:

 * restore back to the `old' 3DES code.  This was supposed to be done
   in 0.1h and 0.1i but I did a CVS screw-up.
 * make telnetd handle v6 connections

Changes in release 0.1i:

 * start using `struct sockaddr_storage' which simplifies the code
   (with a fallback definition if it's not defined)
 * bug fixes (including in hprop and kf)
 * don't use mawk which seems to mishandle roken.awk
 * get_addrs should be able to handle v6 addresses on Linux (with the
   required patch to the Linux kernel -- ask within)
 * rshd builds with shadow passwords

Changes in release 0.1h:

 * kf: new program for forwarding credentials
 * portability fixes
 * make forwarding credentials work with MIT code
 * better conversion of ka database
 * add etc/services.append
 * correct `modified by' from kpasswdd
 * lots of bug fixes

Changes in release 0.1g:

 * kgetcred: new program for explicitly obtaining tickets
 * configure fixes
 * krb5-aware kx
 * bug fixes

Changes in release 0.1f:

 * experimental support for v4 kadmin protocol in kadmind
 * bug fixes

Changes in release 0.1e:

 * try to handle old DCE and MIT kdcs
 * support for older versions of credential cache files and keytabs
 * postdated tickets work
 * support for password quality checks in kpasswdd
 * new flag --enable-kaserver for kdc
 * renew fixes
 * prototype su program
 * updated (some) manpages
 * support for KDC resource records
 * should build with --without-krb4
 * bug fixes

Changes in release 0.1d:

 * Support building with DB2 (uses 1.85-compat API)
 * Support krb5-realm.DOMAIN in DNS
 * new `ktutil srvcreate'
 * v4/kafs support in klist/kdestroy
 * bug fixes

Changes in release 0.1c:

 * fix ASN.1 encoding of signed integers
 * somewhat working `ktutil get'
 * some documentation updates
 * update to Autoconf 2.13 and Automake 1.4
 * the usual bug fixes

Changes in release 0.1b:

 * some old -> new crypto conversion utils
 * bug fixes

Changes in release 0.1a:

 * new crypto code
 * more bug fixes
 * make sure we ask for DES keys in gssapi
 * support signed ints in ASN1
 * IPv6-bug fixes

Changes in release 0.0u:

 * lots of bug fixes

Changes in release 0.0t:

 * more robust parsing of krb5.conf
 * include net{read,write} in lib/roken
 * bug fixes

Changes in release 0.0s:

 * kludges for parsing options to rsh
 * more robust parsing of krb5.conf
 * removed some arbitrary limits
 * bug fixes

Changes in release 0.0r:

 * default options for some programs
 * bug fixes

Changes in release 0.0q:

 * support for building shared libraries with libtool
 * bug fixes

Changes in release 0.0p:

 * keytab moved to /etc/krb5.keytab
 * avoid false detection of IPv6 on Linux
 * Lots more functionality in the gssapi-library
 * hprop can now read ka-server databases
 * bug fixes

Changes in release 0.0o:

 * FTP with GSSAPI support.
 * Bug fixes.

Changes in release 0.0n:

 * Incremental database propagation.
 * Somewhat improved kadmin ui; the stuff in admin is now removed.
 * Some support for using enctypes instead of keytypes.
 * Lots of other improvements and bug fixes, see ChangeLog for details.