1Changes in release 0.6.3 2 3 * fix vulnerabilities in ftpd 4 5 * support for linux AFS /proc "syscalls" 6 7 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in 8 kpasswdd 9 10 * fix possible KDC denial of service 11 12 * bug fixes 13 14Changes in release 0.6.2 15 16 * Fix possible buffer overrun in v4 kadmin (which now defaults to off) 17 18Changes in release 0.6.1 19 20 * Fixed ARCFOUR suppport 21 22 * Cross realm vulnerability 23 24 * kdc: fix denial of service attack 25 26 * kdc: stop clients from renewing tickets into the future 27 28 * bug fixes 29 30Changes in release 0.6 31 32* The DES3 GSS-API mechanism has been changed to inter-operate with 33 other GSSAPI implementations. See man page for gssapi(3) how to turn 34 on generation of correct MIC messages. Next major release of heimdal 35 will generate correct MIC by default. 36 37* More complete GSS-API support 38 39* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS 40 support in applications no longer requires Kerberos 4 libs 41 42* Kerberos 4 support in kdc defaults to turned off (includes ka and 524) 43 44* other bug fixes 45 46Changes in release 0.5.2 47 48 * kdc: add option for disabling v4 cross-realm (defaults to off) 49 50 * bug fixes 51 52Changes in release 0.5.1 53 54 * kadmind: fix remote exploit 55 56 * kadmind: add option to disable kerberos 4 57 58 * kdc: make sure kaserver token life is positive 59 60 * telnet: use the session key if there is no subkey 61 62 * fix EPSV parsing in ftp 63 64 * other bug fixes 65 66Changes in release 0.5 67 68 * add --detach option to kdc 69 70 * allow setting forward and forwardable option in telnet from 71 .telnetrc, with override from command line 72 73 * accept addresses with or without ports in krb5_rd_cred 74 75 * make it work with modern openssl 76 77 * use our own string2key function even with openssl (that handles weak 78 keys incorrectly) 79 80 * more system-specific requirements in login 81 82 * do not use getlogin() to determine root in su 83 84 * telnet: abort if telnetd does not support encryption 85 86 * update autoconf to 2.53 87 88 * update config.guess, config.sub 89 90 * other bug fixes 91 92Changes in release 0.4e 93 94 * improve libcrypto and database autoconf tests 95 96 * do not care about salting of server principals when serving v4 requests 97 98 * some improvements to gssapi library 99 100 * test for existing compile_et/libcom_err 101 102 * portability fixes 103 104 * bug fixes 105 106Changes in release 0.4d 107 108 * fix some problems when using libcrypto from openssl 109 110 * handle /dev/ptmx `unix98' ptys on Linux 111 112 * add some forgotten man pages 113 114 * rsh: clean-up and add man page 115 116 * fix -A and -a in builtin-ls in tpd 117 118 * fix building problem on Irix 119 120 * make `ktutil get' more efficient 121 122 * bug fixes 123 124Changes in release 0.4c 125 126 * fix buffer overrun in telnetd 127 128 * repair some of the v4 fallback code in kinit 129 130 * add more shared library dependencies 131 132 * simplify and fix hprop handling of v4 databases 133 134 * fix some building problems (osf's sia and osfc2 login) 135 136 * bug fixes 137 138Changes in release 0.4b 139 140 * update the shared library version numbers correctly 141 142Changes in release 0.4a 143 144 * corrected key used for checksum in mk_safe, unfortunately this 145 makes it backwards incompatible 146 147 * update to autoconf 2.50, libtool 1.4 148 149 * re-write dns/config lookups (krb5_krbhst API) 150 151 * make order of using subkeys consistent 152 153 * add man page links 154 155 * add more man pages 156 157 * remove rfc2052 support, now only rfc2782 is supported 158 159 * always build with kaserver protocol support in the KDC (assuming 160 KRB4 is enabled) and support for reading kaserver databases in 161 hprop 162 163Changes in release 0.3f 164 165 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, 166 the new keytab type that tries both of these in order (SRVTAB is 167 also an alias for krb4:) 168 169 * improve error reporting and error handling (error messages should 170 be more detailed and more useful) 171 172 * improve building with openssl 173 174 * add kadmin -K, rcp -F 175 176 * fix two incorrect weak DES keys 177 178 * fix building of kaserver compat in KDC 179 180 * the API is closer to what MIT krb5 is using 181 182 * more compatible with windows 2000 183 184 * removed some memory leaks 185 186 * bug fixes 187 188Changes in release 0.3e 189 190 * rcp program included 191 192 * fix buffer overrun in ftpd 193 194 * handle omitted sequence numbers as zeroes to handle MIT krb5 that 195 cannot generate zero sequence numbers 196 197 * handle v4 /.k files better 198 199 * configure/portability fixes 200 201 * fixes in parsing of options to kadmin (sub-)commands 202 203 * handle errors in kadmin load better 204 205 * bug fixes 206 207Changes in release 0.3d 208 209 * add krb5-config 210 211 * fix a bug in 3des gss-api mechanism, making it compatible with the 212 specification and the MIT implementation 213 214 * make telnetd only allow a specific list of environment variables to 215 stop it from setting `sensitive' variables 216 217 * try to use an existing libdes 218 219 * lib/krb5, kdc: use correct usage type for ap-req messages. This 220 should improve compatability with MIT krb5 when using 3DES 221 encryption types 222 223 * kdc: fix memory allocation problem 224 225 * update config.guess and config.sub 226 227 * lib/roken: more stuff implemented 228 229 * bug fixes and portability enhancements 230 231Changes in release 0.3c 232 233 * lib/krb5: memory caches now support the resolve operation 234 235 * appl/login: set PATH to some sane default 236 237 * kadmind: handle several realms 238 239 * bug fixes (including memory leaks) 240 241Changes in release 0.3b 242 243 * kdc: prefer default-salted keys on v5 requests 244 245 * kdc: lowercase hostnames in v4 mode 246 247 * hprop: handle more types of MIT salts 248 249 * lib/krb5: fix memory leak 250 251 * bug fixes 252 253Changes in release 0.3a: 254 255 * implement arcfour-hmac-md5 to interoperate with W2K 256 257 * modularise the handling of the master key, and allow for other 258 encryption types. This makes it easier to import a database from 259 some other source without having to re-encrypt all keys. 260 261 * allow for better control over which encryption types are created 262 263 * make kinit fallback to v4 if given a v4 KDC 264 265 * make klist work better with v4 and v5, and add some more MIT 266 compatibility options 267 268 * make the kdc listen on the krb524 (4444) port for compatibility 269 with MIT krb5 clients 270 271 * implement more DCE/DFS support, enabled with --enable-dce, see 272 lib/kdfs and appl/dceutils 273 274 * make the sequence numbers work correctly 275 276 * bug fixes 277 278Changes in release 0.2t: 279 280 * bug fixes 281 282Changes in release 0.2s: 283 284 * add OpenLDAP support in hdb 285 286 * login will get v4 tickets when it receives forwarded tickets 287 288 * xnlock supports both v5 and v4 289 290 * repair source routing for telnet 291 292 * fix building problems with krb4 (krb_mk_req) 293 294 * bug fixes 295 296Changes in release 0.2r: 297 298 * fix realloc memory corruption bug in kdc 299 300 * `add --key' and `cpw --key' in kadmin 301 302 * klist supports listing v4 tickets 303 304 * update config.guess and config.sub 305 306 * make v4 -> v5 principal name conversion more robust 307 308 * support for anonymous tickets 309 310 * new man-pages 311 312 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab. 313 314 * use and set expiration and not password expiration when dumping 315 to/from ka server databases / krb4 databases 316 317 * make the code happier with 64-bit time_t 318 319 * follow RFC2782 and by default do not look for non-underscore SRV names 320 321Changes in release 0.2q: 322 323 * bug fix in tcp-handling in kdc 324 325 * bug fix in expand_hostname 326 327Changes in release 0.2p: 328 329 * bug fix in `kadmin load/merge' 330 331 * bug fix in krb5_parse_address 332 333Changes in release 0.2o: 334 335 * gss_{import,export}_sec_context added to libgssapi 336 337 * new option --addresses to kdc (for listening on an explicit set of 338 addresses) 339 340 * bug fixes in the krb4 and kaserver emulation part of the kdc 341 342 * other bug fixes 343 344Changes in release 0.2n: 345 346 * more robust parsing of dump files in kadmin 347 * changed default timestamp format for log messages to extended ISO 348 8601 format (Y-M-DTH:M:S) 349 * changed md4/md5/sha1 APIes to be de-facto `standard' 350 * always make hostname into lower-case before creating principal 351 * small bits of more MIT-compatability 352 * bug fixes 353 354Changes in release 0.2m: 355 356 * handle glibc's getaddrinfo() that returns several ai_canonname 357 358 * new endian test 359 360 * man pages fixes 361 362Changes in release 0.2l: 363 364 * bug fixes 365 366Changes in release 0.2k: 367 368 * better IPv6 test 369 370 * make struct sockaddr_storage in roken work better on alphas 371 372 * some missing [hn]to[hn]s fixed. 373 374 * allow users to change their own passwords with kadmin (with initial 375 tickets) 376 377 * fix stupid bug in parsing KDC specification 378 379 * add `ktutil change' and `ktutil purge' 380 381Changes in release 0.2j: 382 383 * builds on Irix 384 385 * ftpd works in passive mode 386 387 * should build on cygwin 388 389 * work around broken IPv6-code on OpenBSD 2.6, also add configure 390 option --disable-ipv6 391 392Changes in release 0.2i: 393 394 * use getaddrinfo in the missing places. 395 396 * fix SRV lookup for admin server 397 398 * use get{addr,name}info everywhere. and implement it in terms of 399 getipnodeby{name,addr} (which uses gethostbyname{,2} and 400 gethostbyaddr) 401 402Changes in release 0.2h: 403 404 * fix typo in kx (now compiles) 405 406Changes in release 0.2g: 407 408 * lots of bug fixes: 409 * push works 410 * repair appl/test programs 411 * sockaddr_storage works on solaris (alignment issues) 412 * works better with non-roken getaddrinfo 413 * rsh works 414 * some non standard C constructs removed 415 416Changes in release 0.2f: 417 418 * support SRV records for kpasswd 419 * look for both _kerberos and krb5-realm when doing host -> realm mapping 420 421Changes in release 0.2e: 422 423 * changed copyright notices to remove `advertising'-clause. 424 * get{addr,name}info added to roken and used in the other code 425 (this makes things work much better with hosts with both v4 and v6 426 addresses, among other things) 427 * do pre-auth for both password and key-based get_in_tkt 428 * support for having several databases 429 * new command `del_enctype' in kadmin 430 * strptime (and new strftime) add to roken 431 * more paranoia about finding libdb 432 * bug fixes 433 434Changes in release 0.2d: 435 436 * new configuration option [libdefaults]default_etypes_des 437 * internal ls in ftpd builds without KRB4 438 * kx/rsh/push/pop_debug tries v5 and v4 consistenly 439 * build bug fixes 440 * other bug fixes 441 442Changes in release 0.2c: 443 444 * bug fixes (see ChangeLog's for details) 445 446Changes in release 0.2b: 447 448 * bug fixes 449 * actually bump shared library versions 450 451Changes in release 0.2a: 452 453 * a new program verify_krb5_conf for checking your /etc/krb5.conf 454 * add 3DES keys when changing password 455 * support null keys in database 456 * support multiple local realms 457 * implement a keytab backend for AFS KeyFile's 458 * implement a keytab backend for v4 srvtabs 459 * implement `ktutil copy' 460 * support password quality control in v4 kadmind 461 * improvements in v4 compat kadmind 462 * handle the case of having the correct cred in the ccache but with 463 the wrong encryption type better 464 * v6-ify the remaining programs. 465 * internal ls in ftpd 466 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat 467 * add `ank --random-password' and `cpw --random-password' in kadmin 468 * some programs and documentation for trying to talk to a W2K KDC 469 * bug fixes 470 471Changes in release 0.1m: 472 473 * support for getting default from krb5.conf for kinit/kf/rsh/telnet. 474 From Miroslav Ruda <ruda@ics.muni.cz> 475 * v6-ify hprop and hpropd 476 * support numeric addresses in krb5_mk_req 477 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz> 478 * make rsh/rshd IPv6-aware 479 * make the gssapi sample applications better at reporting errors 480 * lots of bug fixes 481 * handle systems with v6-aware libc and non-v6 kernels (like Linux 482 with glibc 2.1) better 483 * hide failure of ERPT in ftp 484 * lots of bug fixes 485 486Changes in release 0.1l: 487 488 * make ftp and ftpd IPv6-aware 489 * add inet_pton to roken 490 * more IPv6-awareness 491 * make mini_inetd v6 aware 492 493Changes in release 0.1k: 494 495 * bump shared libraries versions 496 * add roken version of inet_ntop 497 * merge more changes to rshd 498 499Changes in release 0.1j: 500 501 * restore back to the `old' 3DES code. This was supposed to be done 502 in 0.1h and 0.1i but I did a CVS screw-up. 503 * make telnetd handle v6 connections 504 505Changes in release 0.1i: 506 507 * start using `struct sockaddr_storage' which simplifies the code 508 (with a fallback definition if it's not defined) 509 * bug fixes (including in hprop and kf) 510 * don't use mawk which seems to mishandle roken.awk 511 * get_addrs should be able to handle v6 addresses on Linux (with the 512 required patch to the Linux kernel -- ask within) 513 * rshd builds with shadow passwords 514 515Changes in release 0.1h: 516 517 * kf: new program for forwarding credentials 518 * portability fixes 519 * make forwarding credentials work with MIT code 520 * better conversion of ka database 521 * add etc/services.append 522 * correct `modified by' from kpasswdd 523 * lots of bug fixes 524 525Changes in release 0.1g: 526 527 * kgetcred: new program for explicitly obtaining tickets 528 * configure fixes 529 * krb5-aware kx 530 * bug fixes 531 532Changes in release 0.1f; 533 534 * experimental support for v4 kadmin protokoll in kadmind 535 * bug fixes 536 537Changes in release 0.1e: 538 539 * try to handle old DCE and MIT kdcs 540 * support for older versions of credential cache files and keytabs 541 * postdated tickets work 542 * support for password quality checks in kpasswdd 543 * new flag --enable-kaserver for kdc 544 * renew fixes 545 * prototype su program 546 * updated (some) manpages 547 * support for KDC resource records 548 * should build with --without-krb4 549 * bug fixes 550 551Changes in release 0.1d: 552 553 * Support building with DB2 (uses 1.85-compat API) 554 * Support krb5-realm.DOMAIN in DNS 555 * new `ktutil srvcreate' 556 * v4/kafs support in klist/kdestroy 557 * bug fixes 558 559Changes in release 0.1c: 560 561 * fix ASN.1 encoding of signed integers 562 * somewhat working `ktutil get' 563 * some documentation updates 564 * update to Autoconf 2.13 and Automake 1.4 565 * the usual bug fixes 566 567Changes in release 0.1b: 568 569 * some old -> new crypto conversion utils 570 * bug fixes 571 572Changes in release 0.1a: 573 574 * new crypto code 575 * more bug fixes 576 * make sure we ask for DES keys in gssapi 577 * support signed ints in ASN1 578 * IPv6-bug fixes 579 580Changes in release 0.0u: 581 582 * lots of bug fixes 583 584Changes in release 0.0t: 585 586 * more robust parsing of krb5.conf 587 * include net{read,write} in lib/roken 588 * bug fixes 589 590Changes in release 0.0s: 591 592 * kludges for parsing options to rsh 593 * more robust parsing of krb5.conf 594 * removed some arbitrary limits 595 * bug fixes 596 597Changes in release 0.0r: 598 599 * default options for some programs 600 * bug fixes 601 602Changes in release 0.0q: 603 604 * support for building shared libraries with libtool 605 * bug fixes 606 607Changes in release 0.0p: 608 609 * keytab moved to /etc/krb5.keytab 610 * avoid false detection of IPv6 on Linux 611 * Lots of more functionality in the gssapi-library 612 * hprop can now read ka-server databases 613 * bug fixes 614 615Changes in release 0.0o: 616 617 * FTP with GSSAPI support. 618 * Bug fixes. 619 620Changes in release 0.0n: 621 622 * Incremental database propagation. 623 * Somewhat improved kadmin ui; the stuff in admin is now removed. 624 * Some support for using enctypes instead of keytypes. 625 * Lots of other improvement and bug fixes, see ChangeLog for details. 626