xref: /freebsd/crypto/heimdal/NEWS (revision 282a3889ebf826db9839be296ff1dd903f6d6d6e)
1Changes in release 0.6.3
2
3 * fix vulnerabilities in ftpd
4
5 * support for linux AFS /proc "syscalls"
6
7 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
8   kpasswdd
9
10 * fix possible KDC denial of service
11
12 * bug fixes
13
14Changes in release 0.6.2
15
16 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
17
18Changes in release 0.6.1
19
20 * Fixed ARCFOUR suppport
21
22 * Cross realm vulnerability
23
24 * kdc: fix denial of service attack
25
26 * kdc: stop clients from renewing tickets into the future
27
28 * bug fixes
29
30Changes in release 0.6
31
32* The DES3 GSS-API mechanism has been changed to inter-operate with
33  other GSSAPI implementations. See man page for gssapi(3) how to turn
34  on generation of correct MIC messages. Next major release of heimdal
35  will generate correct MIC by default.
36
37* More complete GSS-API support
38
39* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
40  support in applications no longer requires Kerberos 4 libs
41
42* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
43
44* other bug fixes
45
46Changes in release 0.5.2
47
48 * kdc: add option for disabling v4 cross-realm (defaults to off)
49
50 * bug fixes
51
52Changes in release 0.5.1
53
54 * kadmind: fix remote exploit
55
56 * kadmind: add option to disable kerberos 4
57
58 * kdc: make sure kaserver token life is positive
59
60 * telnet: use the session key if there is no subkey
61
62 * fix EPSV parsing in ftp
63
64 * other bug fixes
65
66Changes in release 0.5
67
68 * add --detach option to kdc
69
70 * allow setting forward and forwardable option in telnet from
71   .telnetrc, with override from command line
72
73 * accept addresses with or without ports in krb5_rd_cred
74
75 * make it work with modern openssl
76
77 * use our own string2key function even with openssl (that handles weak
78   keys incorrectly)
79
80 * more system-specific requirements in login
81
82 * do not use getlogin() to determine root in su
83
84 * telnet: abort if telnetd does not support encryption
85
86 * update autoconf to 2.53
87
88 * update config.guess, config.sub
89
90 * other bug fixes
91
92Changes in release 0.4e
93
94 * improve libcrypto and database autoconf tests
95
96 * do not care about salting of server principals when serving v4 requests
97
98 * some improvements to gssapi library
99
100 * test for existing compile_et/libcom_err
101
102 * portability fixes
103
104 * bug fixes
105
106Changes in release 0.4d
107
108 * fix some problems when using libcrypto from openssl
109
110 * handle /dev/ptmx `unix98' ptys on Linux
111
112 * add some forgotten man pages
113
114 * rsh: clean-up and add man page
115
116 * fix -A and -a in builtin-ls in tpd
117
118 * fix building problem on Irix
119
120 * make `ktutil get' more efficient
121
122 * bug fixes
123
124Changes in release 0.4c
125
126 * fix buffer overrun in telnetd
127
128 * repair some of the v4 fallback code in kinit
129
130 * add more shared library dependencies
131
132 * simplify and fix hprop handling of v4 databases
133
134 * fix some building problems (osf's sia and osfc2 login)
135
136 * bug fixes
137
138Changes in release 0.4b
139
140 * update the shared library version numbers correctly
141
142Changes in release 0.4a
143
144 * corrected key used for checksum in mk_safe, unfortunately this
145   makes it backwards incompatible
146
147 * update to autoconf 2.50, libtool 1.4
148
149 * re-write dns/config lookups (krb5_krbhst API)
150
151 * make order of using subkeys consistent
152
153 * add man page links
154
155 * add more man pages
156
157 * remove rfc2052 support, now only rfc2782 is supported
158
159 * always build with kaserver protocol support in the KDC (assuming
160   KRB4 is enabled) and support for reading kaserver databases in
161   hprop
162
163Changes in release 0.3f
164
165 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
166   the new keytab type that tries both of these in order (SRVTAB is
167   also an alias for krb4:)
168
169 * improve error reporting and error handling (error messages should
170   be more detailed and more useful)
171
172 * improve building with openssl
173
174 * add kadmin -K, rcp -F
175
176 * fix two incorrect weak DES keys
177
178 * fix building of kaserver compat in KDC
179
180 * the API is closer to what MIT krb5 is using
181
182 * more compatible with windows 2000
183
184 * removed some memory leaks
185
186 * bug fixes
187
188Changes in release 0.3e
189
190 * rcp program included
191
192 * fix buffer overrun in ftpd
193
194 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
195   cannot generate zero sequence numbers
196
197 * handle v4 /.k files better
198
199 * configure/portability fixes
200
201 * fixes in parsing of options to kadmin (sub-)commands
202
203 * handle errors in kadmin load better
204
205 * bug fixes
206
207Changes in release 0.3d
208
209 * add krb5-config
210
211 * fix a bug in 3des gss-api mechanism, making it compatible with the
212   specification and the MIT implementation
213
214 * make telnetd only allow a specific list of environment variables to
215   stop it from setting `sensitive' variables
216
217 * try to use an existing libdes
218
219 * lib/krb5, kdc: use correct usage type for ap-req messages.  This
220   should improve compatability with MIT krb5 when using 3DES
221   encryption types
222
223 * kdc: fix memory allocation problem
224
225 * update config.guess and config.sub
226
227 * lib/roken: more stuff implemented
228
229 * bug fixes and portability enhancements
230
231Changes in release 0.3c
232
233 * lib/krb5: memory caches now support the resolve operation
234
235 * appl/login: set PATH to some sane default
236
237 * kadmind: handle several realms
238
239 * bug fixes (including memory leaks)
240
241Changes in release 0.3b
242
243 * kdc: prefer default-salted keys on v5 requests
244
245 * kdc: lowercase hostnames in v4 mode
246
247 * hprop: handle more types of MIT salts
248
249 * lib/krb5: fix memory leak
250
251 * bug fixes
252
253Changes in release 0.3a:
254
255 * implement arcfour-hmac-md5 to interoperate with W2K
256
257 * modularise the handling of the master key, and allow for other
258   encryption types. This makes it easier to import a database from
259   some other source without having to re-encrypt all keys.
260
261 * allow for better control over which encryption types are created
262
263 * make kinit fallback to v4 if given a v4 KDC
264
265 * make klist work better with v4 and v5, and add some more MIT
266   compatibility options
267
268 * make the kdc listen on the krb524 (4444) port for compatibility
269   with MIT krb5 clients
270
271 * implement more DCE/DFS support, enabled with --enable-dce, see
272   lib/kdfs and appl/dceutils
273
274 * make the sequence numbers work correctly
275
276 * bug fixes
277
278Changes in release 0.2t:
279
280 * bug fixes
281
282Changes in release 0.2s:
283
284 * add OpenLDAP support in hdb
285
286 * login will get v4 tickets when it receives forwarded tickets
287
288 * xnlock supports both v5 and v4
289
290 * repair source routing for telnet
291
292 * fix building problems with krb4 (krb_mk_req)
293
294 * bug fixes
295
296Changes in release 0.2r:
297
298 * fix realloc memory corruption bug in kdc
299
300 * `add --key' and `cpw --key' in kadmin
301
302 * klist supports listing v4 tickets
303
304 * update config.guess and config.sub
305
306 * make v4 -> v5 principal name conversion more robust
307
308 * support for anonymous tickets
309
310 * new man-pages
311
312 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
313
314 * use and set expiration and not password expiration when dumping
315   to/from ka server databases / krb4 databases
316
317 * make the code happier with 64-bit time_t
318
319 * follow RFC2782 and by default do not look for non-underscore SRV names
320
321Changes in release 0.2q:
322
323 * bug fix in tcp-handling in kdc
324
325 * bug fix in expand_hostname
326
327Changes in release 0.2p:
328
329 * bug fix in `kadmin load/merge'
330
331 * bug fix in krb5_parse_address
332
333Changes in release 0.2o:
334
335 * gss_{import,export}_sec_context added to libgssapi
336
337 * new option --addresses to kdc (for listening on an explicit set of
338   addresses)
339
340 * bug fixes in the krb4 and kaserver emulation part of the kdc
341
342 * other bug fixes
343
344Changes in release 0.2n:
345
346 * more robust parsing of dump files in kadmin
347 * changed default timestamp format for log messages to extended ISO
348   8601 format (Y-M-DTH:M:S)
349 * changed md4/md5/sha1 APIes to be de-facto `standard'
350 * always make hostname into lower-case before creating principal
351 * small bits of more MIT-compatability
352 * bug fixes
353
354Changes in release 0.2m:
355
356 * handle glibc's getaddrinfo() that returns several ai_canonname
357
358 * new endian test
359
360 * man pages fixes
361
362Changes in release 0.2l:
363
364 * bug fixes
365
366Changes in release 0.2k:
367
368 * better IPv6 test
369
370 * make struct sockaddr_storage in roken work better on alphas
371
372 * some missing [hn]to[hn]s fixed.
373
374 * allow users to change their own passwords with kadmin (with initial
375   tickets)
376
377 * fix stupid bug in parsing KDC specification
378
379 * add `ktutil change' and `ktutil purge'
380
381Changes in release 0.2j:
382
383 * builds on Irix
384
385 * ftpd works in passive mode
386
387 * should build on cygwin
388
389 * work around broken IPv6-code on OpenBSD 2.6, also add configure
390   option --disable-ipv6
391
392Changes in release 0.2i:
393
394 * use getaddrinfo in the missing places.
395
396 * fix SRV lookup for admin server
397
398 * use get{addr,name}info everywhere.  and implement it in terms of
399   getipnodeby{name,addr} (which uses gethostbyname{,2} and
400   gethostbyaddr)
401
402Changes in release 0.2h:
403
404 * fix typo in kx (now compiles)
405
406Changes in release 0.2g:
407
408 * lots of bug fixes:
409   * push works
410   * repair appl/test programs
411   * sockaddr_storage works on solaris (alignment issues)
412   * works better with non-roken getaddrinfo
413   * rsh works
414   * some non standard C constructs removed
415
416Changes in release 0.2f:
417
418 * support SRV records for kpasswd
419 * look for both _kerberos and krb5-realm when doing host -> realm mapping
420
421Changes in release 0.2e:
422
423 * changed copyright notices to remove `advertising'-clause.
424 * get{addr,name}info added to roken and used in the other code
425   (this makes things work much better with hosts with both v4 and v6
426    addresses, among other things)
427 * do pre-auth for both password and key-based get_in_tkt
428 * support for having several databases
429 * new command `del_enctype' in kadmin
430 * strptime (and new strftime) add to roken
431 * more paranoia about finding libdb
432 * bug fixes
433
434Changes in release 0.2d:
435
436 * new configuration option [libdefaults]default_etypes_des
437 * internal ls in ftpd builds without KRB4
438 * kx/rsh/push/pop_debug tries v5 and v4 consistenly
439 * build bug fixes
440 * other bug fixes
441
442Changes in release 0.2c:
443
444 * bug fixes (see ChangeLog's for details)
445
446Changes in release 0.2b:
447
448 * bug fixes
449 * actually bump shared library versions
450
451Changes in release 0.2a:
452
453 * a new program verify_krb5_conf for checking your /etc/krb5.conf
454 * add 3DES keys when changing password
455 * support null keys in database
456 * support multiple local realms
457 * implement a keytab backend for AFS KeyFile's
458 * implement a keytab backend for v4 srvtabs
459 * implement `ktutil copy'
460 * support password quality control in v4 kadmind
461 * improvements in v4 compat kadmind
462 * handle the case of having the correct cred in the ccache but with
463   the wrong encryption type better
464 * v6-ify the remaining programs.
465 * internal ls in ftpd
466 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
467 * add `ank --random-password' and `cpw --random-password' in kadmin
468 * some programs and documentation for trying to talk to a W2K KDC
469 * bug fixes
470
471Changes in release 0.1m:
472
473 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
474   From Miroslav Ruda <ruda@ics.muni.cz>
475 * v6-ify hprop and hpropd
476 * support numeric addresses in krb5_mk_req
477 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
478 * make rsh/rshd IPv6-aware
479 * make the gssapi sample applications better at reporting errors
480 * lots of bug fixes
481 * handle systems with v6-aware libc and non-v6 kernels (like Linux
482   with glibc 2.1) better
483 * hide failure of ERPT in ftp
484 * lots of bug fixes
485
486Changes in release 0.1l:
487
488 * make ftp and ftpd IPv6-aware
489 * add inet_pton to roken
490 * more IPv6-awareness
491 * make mini_inetd v6 aware
492
493Changes in release 0.1k:
494
495 * bump shared libraries versions
496 * add roken version of inet_ntop
497 * merge more changes to rshd
498
499Changes in release 0.1j:
500
501 * restore back to the `old' 3DES code.  This was supposed to be done
502   in 0.1h and 0.1i but I did a CVS screw-up.
503 * make telnetd handle v6 connections
504
505Changes in release 0.1i:
506
507 * start using `struct sockaddr_storage' which simplifies the code
508   (with a fallback definition if it's not defined)
509 * bug fixes (including in hprop and kf)
510 * don't use mawk which seems to mishandle roken.awk
511 * get_addrs should be able to handle v6 addresses on Linux (with the
512   required patch to the Linux kernel -- ask within)
513 * rshd builds with shadow passwords
514
515Changes in release 0.1h:
516
517 * kf: new program for forwarding credentials
518 * portability fixes
519 * make forwarding credentials work with MIT code
520 * better conversion of ka database
521 * add etc/services.append
522 * correct `modified by' from kpasswdd
523 * lots of bug fixes
524
525Changes in release 0.1g:
526
527 * kgetcred: new program for explicitly obtaining tickets
528 * configure fixes
529 * krb5-aware kx
530 * bug fixes
531
532Changes in release 0.1f;
533
534 * experimental support for v4 kadmin protokoll in kadmind
535 * bug fixes
536
537Changes in release 0.1e:
538
539 * try to handle old DCE and MIT kdcs
540 * support for older versions of credential cache files and keytabs
541 * postdated tickets work
542 * support for password quality checks in kpasswdd
543 * new flag --enable-kaserver for kdc
544 * renew fixes
545 * prototype su program
546 * updated (some) manpages
547 * support for KDC resource records
548 * should build with --without-krb4
549 * bug fixes
550
551Changes in release 0.1d:
552
553 * Support building with DB2 (uses 1.85-compat API)
554 * Support krb5-realm.DOMAIN in DNS
555 * new `ktutil srvcreate'
556 * v4/kafs support in klist/kdestroy
557 * bug fixes
558
559Changes in release 0.1c:
560
561 * fix ASN.1 encoding of signed integers
562 * somewhat working `ktutil get'
563 * some documentation updates
564 * update to Autoconf 2.13 and Automake 1.4
565 * the usual bug fixes
566
567Changes in release 0.1b:
568
569 * some old -> new crypto conversion utils
570 * bug fixes
571
572Changes in release 0.1a:
573
574 * new crypto code
575 * more bug fixes
576 * make sure we ask for DES keys in gssapi
577 * support signed ints in ASN1
578 * IPv6-bug fixes
579
580Changes in release 0.0u:
581
582 * lots of bug fixes
583
584Changes in release 0.0t:
585
586 * more robust parsing of krb5.conf
587 * include net{read,write} in lib/roken
588 * bug fixes
589
590Changes in release 0.0s:
591
592 * kludges for parsing options to rsh
593 * more robust parsing of krb5.conf
594 * removed some arbitrary limits
595 * bug fixes
596
597Changes in release 0.0r:
598
599 * default options for some programs
600 * bug fixes
601
602Changes in release 0.0q:
603
604 * support for building shared libraries with libtool
605 * bug fixes
606
607Changes in release 0.0p:
608
609 * keytab moved to /etc/krb5.keytab
610 * avoid false detection of IPv6 on Linux
611 * Lots of more functionality in the gssapi-library
612 * hprop can now read ka-server databases
613 * bug fixes
614
615Changes in release 0.0o:
616
617 * FTP with GSSAPI support.
618 * Bug fixes.
619
620Changes in release 0.0n:
621
622 * Incremental database propagation.
623 * Somewhat improved kadmin ui; the stuff in admin is now removed.
624 * Some support for using enctypes instead of keytypes.
625 * Lots of other improvement and bug fixes, see ChangeLog for details.
626