NEWS revision 120945
Changes in release 0.6

* The DES3 GSS-API mechanism has been changed to inter-operate with
  other GSSAPI implementations. See man page for gssapi(3) how to turn
  on generation of correct MIC messages. Next major release of heimdal
  will generate correct MIC by default.

* More complete GSS-API support

* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
  support in applications no longer requires Kerberos 4 libs

* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)

* other bug fixes

Changes in release 0.5.2

 * kdc: add option for disabling v4 cross-realm (defaults to off)

 * bug fixes

Changes in release 0.5.1

 * kadmind: fix remote exploit

 * kadmind: add option to disable kerberos 4

 * kdc: make sure kaserver token life is positive

 * telnet: use the session key if there is no subkey

 * fix EPSV parsing in ftp

 * other bug fixes

Changes in release 0.5

 * add --detach option to kdc

 * allow setting forward and forwardable option in telnet from
   .telnetrc, with override from command line

 * accept addresses with or without ports in krb5_rd_cred

 * make it work with modern openssl

 * use our own string2key function even with openssl (that handles weak
   keys incorrectly)

 * more system-specific requirements in login

 * do not use getlogin() to determine root in su

 * telnet: abort if telnetd does not support encryption

 * update autoconf to 2.53

 * update config.guess, config.sub

 * other bug fixes

Changes in release 0.4e

 * improve libcrypto and database autoconf tests

 * do not care about salting of server principals when serving v4 requests

 * some improvements to gssapi library

 * test for existing compile_et/libcom_err

 * portability fixes

 * bug fixes

Changes in release 0.4d

 * fix some problems when using libcrypto from openssl

 * handle /dev/ptmx `unix98' ptys on Linux

 * add some forgotten man pages

 * rsh: clean-up and add man page

 * fix -A and -a in builtin-ls in tpd

 * fix building problem on Irix

 * make `ktutil get' more efficient

 * bug fixes

Changes in release 0.4c

 * fix buffer overrun in telnetd

 * repair some of the v4 fallback code in kinit

 * add more shared library dependencies

 * simplify and fix hprop handling of v4 databases

 * fix some building problems (osf's sia and osfc2 login)

 * bug fixes

Changes in release 0.4b

 * update the shared library version numbers correctly

Changes in release 0.4a

 * corrected key used for checksum in mk_safe, unfortunately this
   makes it backwards incompatible

 * update to autoconf 2.50, libtool 1.4

 * re-write dns/config lookups (krb5_krbhst API)

 * make order of using subkeys consistent

 * add man page links

 * add more man pages

 * remove rfc2052 support, now only rfc2782 is supported

 * always build with kaserver protocol support in the KDC (assuming
   KRB4 is enabled) and support for reading kaserver databases in
   hprop

Changes in release 0.3f

 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
   the new keytab type that tries both of these in order (SRVTAB is
   also an alias for krb4:)

 * improve error reporting and error handling (error messages should
   be more detailed and more useful)

 * improve building with openssl

 * add kadmin -K, rcp -F

 * fix two incorrect weak DES keys

 * fix building of kaserver compat in KDC

 * the API is closer to what MIT krb5 is using

 * more compatible with windows 2000

 * removed some memory leaks

 * bug fixes

Changes in release 0.3e

 * rcp program included

 * fix buffer overrun in ftpd

 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
   cannot generate zero sequence numbers

 * handle v4 /.k files better

 * configure/portability fixes

 * fixes in parsing of options to kadmin (sub-)commands

 * handle errors in kadmin load better

 * bug fixes

Changes in release 0.3d

 * add krb5-config

 * fix a bug in 3des gss-api mechanism, making it compatible with the
   specification and the MIT implementation

 * make telnetd only allow a specific list of environment variables to
   stop it from setting `sensitive' variables

 * try to use an existing libdes

 * lib/krb5, kdc: use correct usage type for ap-req messages. This
   should improve compatibility with MIT krb5 when using 3DES
   encryption types

 * kdc: fix memory allocation problem

 * update config.guess and config.sub

 * lib/roken: more stuff implemented

 * bug fixes and portability enhancements

Changes in release 0.3c

 * lib/krb5: memory caches now support the resolve operation

 * appl/login: set PATH to some sane default

 * kadmind: handle several realms

 * bug fixes (including memory leaks)

Changes in release 0.3b

 * kdc: prefer default-salted keys on v5 requests

 * kdc: lowercase hostnames in v4 mode

 * hprop: handle more types of MIT salts

 * lib/krb5: fix memory leak

 * bug fixes

Changes in release 0.3a:

 * implement arcfour-hmac-md5 to interoperate with W2K

 * modularise the handling of the master key, and allow for other
   encryption types. This makes it easier to import a database from
   some other source without having to re-encrypt all keys.

 * allow for better control over which encryption types are created

 * make kinit fallback to v4 if given a v4 KDC

 * make klist work better with v4 and v5, and add some more MIT
   compatibility options

 * make the kdc listen on the krb524 (4444) port for compatibility
   with MIT krb5 clients

 * implement more DCE/DFS support, enabled with --enable-dce, see
   lib/kdfs and appl/dceutils

 * make the sequence numbers work correctly

 * bug fixes

Changes in release 0.2t:

 * bug fixes

Changes in release 0.2s:

 * add OpenLDAP support in hdb

 * login will get v4 tickets when it receives forwarded tickets

 * xnlock supports both v5 and v4

 * repair source routing for telnet

 * fix building problems with krb4 (krb_mk_req)

 * bug fixes

Changes in release 0.2r:

 * fix realloc memory corruption bug in kdc

 * `add --key' and `cpw --key' in kadmin

 * klist supports listing v4 tickets

 * update config.guess and config.sub

 * make v4 -> v5 principal name conversion more robust

 * support for anonymous tickets

 * new man-pages

 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

 * use and set expiration and not password expiration when dumping
   to/from ka server databases / krb4 databases

 * make the code happier with 64-bit time_t

 * follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

 * bug fix in tcp-handling in kdc

 * bug fix in expand_hostname

Changes in release 0.2p:

 * bug fix in `kadmin load/merge'

 * bug fix in krb5_parse_address

Changes in release 0.2o:

 * gss_{import,export}_sec_context added to libgssapi

 * new option --addresses to kdc (for listening on an explicit set of
   addresses)

 * bug fixes in the krb4 and kaserver emulation part of the kdc

 * other bug fixes

Changes in release 0.2n:

 * more robust parsing of dump files in kadmin
 * changed default timestamp format for log messages to extended ISO
   8601 format (Y-M-DTH:M:S)
 * changed md4/md5/sha1 APIs to be de-facto `standard'
 * always make hostname into lower-case before creating principal
 * small bits of more MIT-compatibility
 * bug fixes

Changes in release 0.2m:

 * handle glibc's getaddrinfo() that returns several ai_canonname

 * new endian test

 * man pages fixes

Changes in release 0.2l:

 * bug fixes

Changes in release 0.2k:

 * better IPv6 test

 * make struct sockaddr_storage in roken work better on alphas

 * some missing [hn]to[hn]s fixed.

 * allow users to change their own passwords with kadmin (with initial
   tickets)

 * fix stupid bug in parsing KDC specification

 * add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

 * builds on Irix

 * ftpd works in passive mode

 * should build on cygwin

 * work around broken IPv6-code on OpenBSD 2.6, also add configure
   option --disable-ipv6

Changes in release 0.2i:

 * use getaddrinfo in the missing places.

 * fix SRV lookup for admin server

 * use get{addr,name}info everywhere, and implement it in terms of
   getipnodeby{name,addr} (which uses gethostbyname{,2} and
   gethostbyaddr)

Changes in release 0.2h:

 * fix typo in kx (now compiles)

Changes in release 0.2g:

 * lots of bug fixes:
   * push works
   * repair appl/test programs
   * sockaddr_storage works on solaris (alignment issues)
   * works better with non-roken getaddrinfo
   * rsh works
   * some non standard C constructs removed

Changes in release 0.2f:

 * support SRV records for kpasswd
 * look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

 * changed copyright notices to remove `advertising'-clause.
 * get{addr,name}info added to roken and used in the other code
   (this makes things work much better with hosts with both v4 and v6
   addresses, among other things)
 * do pre-auth for both password and key-based get_in_tkt
 * support for having several databases
 * new command `del_enctype' in kadmin
 * strptime (and new strftime) added to roken
 * more paranoia about finding libdb
 * bug fixes

Changes in release 0.2d:

 * new configuration option [libdefaults]default_etypes_des
 * internal ls in ftpd builds without KRB4
 * kx/rsh/push/pop_debug tries v5 and v4 consistently
 * build bug fixes
 * other bug fixes

Changes in release 0.2c:

 * bug fixes (see ChangeLogs for details)

Changes in release 0.2b:

 * bug fixes
 * actually bump shared library versions

Changes in release 0.2a:

 * a new program verify_krb5_conf for checking your /etc/krb5.conf
 * add 3DES keys when changing password
 * support null keys in database
 * support multiple local realms
 * implement a keytab backend for AFS KeyFile's
 * implement a keytab backend for v4 srvtabs
 * implement `ktutil copy'
 * support password quality control in v4 kadmind
 * improvements in v4 compat kadmind
 * handle the case of having the correct cred in the ccache but with
   the wrong encryption type better
 * v6-ify the remaining programs.
 * internal ls in ftpd
 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
 * add `ank --random-password' and `cpw --random-password' in kadmin
 * some programs and documentation for trying to talk to a W2K KDC
 * bug fixes

Changes in release 0.1m:

 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
   From Miroslav Ruda <ruda@ics.muni.cz>
 * v6-ify hprop and hpropd
 * support numeric addresses in krb5_mk_req
 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
 * make rsh/rshd IPv6-aware
 * make the gssapi sample applications better at reporting errors
 * lots of bug fixes
 * handle systems with v6-aware libc and non-v6 kernels (like Linux
   with glibc 2.1) better
 * hide failure of ERPT in ftp
 * lots of bug fixes

Changes in release 0.1l:

 * make ftp and ftpd IPv6-aware
 * add inet_pton to roken
 * more IPv6-awareness
 * make mini_inetd v6 aware

Changes in release 0.1k:

 * bump shared libraries versions
 * add roken version of inet_ntop
 * merge more changes to rshd

Changes in release 0.1j:

 * restore back to the `old' 3DES code. This was supposed to be done
   in 0.1h and 0.1i but I did a CVS screw-up.
 * make telnetd handle v6 connections

Changes in release 0.1i:

 * start using `struct sockaddr_storage' which simplifies the code
   (with a fallback definition if it's not defined)
 * bug fixes (including in hprop and kf)
 * don't use mawk which seems to mishandle roken.awk
 * get_addrs should be able to handle v6 addresses on Linux (with the
   required patch to the Linux kernel -- ask within)
 * rshd builds with shadow passwords

Changes in release 0.1h:

 * kf: new program for forwarding credentials
 * portability fixes
 * make forwarding credentials work with MIT code
 * better conversion of ka database
 * add etc/services.append
 * correct `modified by' from kpasswdd
 * lots of bug fixes

Changes in release 0.1g:

 * kgetcred: new program for explicitly obtaining tickets
 * configure fixes
 * krb5-aware kx
 * bug fixes

Changes in release 0.1f:

 * experimental support for v4 kadmin protocol in kadmind
 * bug fixes

Changes in release 0.1e:

 * try to handle old DCE and MIT kdcs
 * support for older versions of credential cache files and keytabs
 * postdated tickets work
 * support for password quality checks in kpasswdd
 * new flag --enable-kaserver for kdc
 * renew fixes
 * prototype su program
 * updated (some) manpages
 * support for KDC resource records
 * should build with --without-krb4
 * bug fixes

Changes in release 0.1d:

 * Support building with DB2 (uses 1.85-compat API)
 * Support krb5-realm.DOMAIN in DNS
 * new `ktutil srvcreate'
 * v4/kafs support in klist/kdestroy
 * bug fixes

Changes in release 0.1c:

 * fix ASN.1 encoding of signed integers
 * somewhat working `ktutil get'
 * some documentation updates
 * update to Autoconf 2.13 and Automake 1.4
 * the usual bug fixes

Changes in release 0.1b:

 * some old -> new crypto conversion utils
 * bug fixes

Changes in release 0.1a:

 * new crypto code
 * more bug fixes
 * make sure we ask for DES keys in gssapi
 * support signed ints in ASN1
 * IPv6-bug fixes

Changes in release 0.0u:

 * lots of bug fixes

Changes in release 0.0t:

 * more robust parsing of krb5.conf
 * include net{read,write} in lib/roken
 * bug fixes

Changes in release 0.0s:

 * kludges for parsing options to rsh
 * more robust parsing of krb5.conf
 * removed some arbitrary limits
 * bug fixes

Changes in release 0.0r:

 * default options for some programs
 * bug fixes

Changes in release 0.0q:

 * support for building shared libraries with libtool
 * bug fixes

Changes in release 0.0p:

 * keytab moved to /etc/krb5.keytab
 * avoid false detection of IPv6 on Linux
 * Lots of more functionality in the gssapi-library
 * hprop can now read ka-server databases
 * bug fixes

Changes in release 0.0o:

 * FTP with GSSAPI support.
 * Bug fixes.

Changes in release 0.0n:

 * Incremental database propagation.
 * Somewhat improved kadmin ui; the stuff in admin is now removed.
 * Some support for using enctypes instead of keytypes.
 * Lots of other improvements and bug fixes, see ChangeLog for details.