1Changes in release 1.1 2 3 * Read-only PKCS11 provider built-in to hx509. 4 5 * Documentation for hx509, hcrypto and ntlm libraries improved. 6 7 * Better compatibilty with Windows 2008 Server pre-releases and Vista. 8 9 * Mac OS X 10.5 support for native credential cache. 10 11 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc). 12 13 * Bug fixes. 14 15Changes in release 1.0.2 16 17* Ubuntu packages. 18 19* Bug fixes. 20 21Changes in release 1.0.1 22 23 * Serveral bug fixes to iprop. 24 25 * Make work on platforms without dlopen. 26 27 * Add RFC3526 modp group14 as default. 28 29 * Handle [kdc] database = { } entries without realm = stanzas. 30 31 * Make krb5_get_renewed_creds work. 32 33 * Make kaserver preauth work again. 34 35 * Bug fixes. 36 37Changes in release 1.0 38 39 * Add gss_pseudo_random() for mechglue and krb5. 40 41 * Make session key for the krbtgt be selected by the best encryption 42 type of the client. 43 44 * Better interoperability with other PK-INIT implementations. 45 46 * Inital support for Mac OS X Keychain for hx509. 47 48 * Alias support for inital ticket requests. 49 50 * Add symbol versioning to selected libraries on platforms that uses 51 GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc. 52 53 * New version of imath included in hcrypto. 54 55 * Fix memory leaks. 56 57 * Bugs fixes. 58 59Changes in release 0.8.1 60 61 * Make ASN.1 library less paranoid to with regard to NUL in string to 62 make it inter-operate with MIT Kerberos again. 63 64 * Make GSS-API library work again when using gss_acquire_cred 65 66 * Add symbol versioning to libgssapi when using GNU ld. 67 68 * Fix memory leaks 69 70 * Bugs fixes 71 72Changes in release 0.8 73 74 * PK-INIT support. 75 76 * HDB extensions support, used by PK-INIT. 77 78 * New ASN.1 compiler. 79 80 * GSS-API mechglue from FreeBSD. 81 82 * Updated SPNEGO to support RFC4178. 83 84 * Support for Cryptosystem Negotiation Extension (RFC 4537). 85 86 * A new X.509 library (hx509) and related crypto functions. 87 88 * A new ntlm library (heimntlm) and related crypto functions. 89 90 * Updated the built-in crypto library with bignum support using 91 imath, support for RSA and DH and renamed it to libhcrypto. 92 93 * Subsystem in the KDC, digest, that will perform the digest 94 operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL 95 DIGEST-MD5 NTLMv1 and NTLMv2. 96 97 * KDC will return the "response too big" error to force TCP retries 98 for large (default 1400 bytes) UDP replies. This is common for 99 PK-INIT requests. 100 101 * Libkafs defaults to use 2b tokens. 102 103 * Default to use the API cache on Mac OS X. 104 105 * krb5_kuserok() also checks ~/.k5login.d directory for acl files, 106 see manpage for krb5_kuserok for description. 107 108 * Many, many, other updates to code and info manual and manual pages. 109 110 * Bug fixes 111 112Changes in release 0.7.2 113 114* Fix security problem in rshd that enable an attacker to overwrite 115 and change ownership of any file that root could write. 116 117* Fix a DOS in telnetd. The attacker could force the server to crash 118 in a NULL de-reference before the user logged in, resulting in inetd 119 turning telnetd off because it forked too fast. 120 121* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name 122 exists in the keytab before returning success. This allows servers 123 to check if its even possible to use GSSAPI. 124 125* Fix receiving end of token delegation for GSS-API. It still wrongly 126 uses subkey for sending for compatibility reasons, this will change 127 in 0.8. 128 129* telnetd, login and rshd are now more verbose in logging failed and 130 successful logins. 131 132* Bug fixes 133 134Changes in release 0.7.1 135 136* Bug fixes 137 138Changes in release 0.7 139 140 * Support for KCM, a process based credential cache 141 142 * Support CCAPI credential cache 143 144 * SPNEGO support 145 146 * AES (and the gssapi conterpart, CFX) support 147 148 * Adding new and improve old documentation 149 150 * Bug fixes 151 152Changes in release 0.6.6 153 154* Fix security problem in rshd that enable an attacker to overwrite 155 and change ownership of any file that root could write. 156 157* Fix a DOS in telnetd. The attacker could force the server to crash 158 in a NULL de-reference before the user logged in, resulting in inetd 159 turning telnetd off because it forked too fast. 160 161Changes in release 0.6.5 162 163 * fix vulnerabilities in telnetd 164 165 * unbreak Kerberos 4 and kaserver 166 167Changes in release 0.6.4 168 169 * fix vulnerabilities in telnet 170 171 * rshd: encryption without a separate error socket should now work 172 173 * telnet now uses appdefaults for the encrypt and forward/forwardable 174 settings 175 176 * bug fixes 177 178Changes in release 0.6.3 179 180 * fix vulnerabilities in ftpd 181 182 * support for linux AFS /proc "syscalls" 183 184 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in 185 kpasswdd 186 187 * fix possible KDC denial of service 188 189 * bug fixes 190 191Changes in release 0.6.2 192 193 * Fix possible buffer overrun in v4 kadmin (which now defaults to off) 194 195Changes in release 0.6.1 196 197 * Fixed ARCFOUR suppport 198 199 * Cross realm vulnerability 200 201 * kdc: fix denial of service attack 202 203 * kdc: stop clients from renewing tickets into the future 204 205 * bug fixes 206 207Changes in release 0.6 208 209* The DES3 GSS-API mechanism has been changed to inter-operate with 210 other GSSAPI implementations. See man page for gssapi(3) how to turn 211 on generation of correct MIC messages. Next major release of heimdal 212 will generate correct MIC by default. 213 214* More complete GSS-API support 215 216* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS 217 support in applications no longer requires Kerberos 4 libs 218 219* Kerberos 4 support in kdc defaults to turned off (includes ka and 524) 220 221* other bug fixes 222 223Changes in release 0.5.2 224 225 * kdc: add option for disabling v4 cross-realm (defaults to off) 226 227 * bug fixes 228 229Changes in release 0.5.1 230 231 * kadmind: fix remote exploit 232 233 * kadmind: add option to disable kerberos 4 234 235 * kdc: make sure kaserver token life is positive 236 237 * telnet: use the session key if there is no subkey 238 239 * fix EPSV parsing in ftp 240 241 * other bug fixes 242 243Changes in release 0.5 244 245 * add --detach option to kdc 246 247 * allow setting forward and forwardable option in telnet from 248 .telnetrc, with override from command line 249 250 * accept addresses with or without ports in krb5_rd_cred 251 252 * make it work with modern openssl 253 254 * use our own string2key function even with openssl (that handles weak 255 keys incorrectly) 256 257 * more system-specific requirements in login 258 259 * do not use getlogin() to determine root in su 260 261 * telnet: abort if telnetd does not support encryption 262 263 * update autoconf to 2.53 264 265 * update config.guess, config.sub 266 267 * other bug fixes 268 269Changes in release 0.4e 270 271 * improve libcrypto and database autoconf tests 272 273 * do not care about salting of server principals when serving v4 requests 274 275 * some improvements to gssapi library 276 277 * test for existing compile_et/libcom_err 278 279 * portability fixes 280 281 * bug fixes 282 283Changes in release 0.4d 284 285 * fix some problems when using libcrypto from openssl 286 287 * handle /dev/ptmx `unix98' ptys on Linux 288 289 * add some forgotten man pages 290 291 * rsh: clean-up and add man page 292 293 * fix -A and -a in builtin-ls in tpd 294 295 * fix building problem on Irix 296 297 * make `ktutil get' more efficient 298 299 * bug fixes 300 301Changes in release 0.4c 302 303 * fix buffer overrun in telnetd 304 305 * repair some of the v4 fallback code in kinit 306 307 * add more shared library dependencies 308 309 * simplify and fix hprop handling of v4 databases 310 311 * fix some building problems (osf's sia and osfc2 login) 312 313 * bug fixes 314 315Changes in release 0.4b 316 317 * update the shared library version numbers correctly 318 319Changes in release 0.4a 320 321 * corrected key used for checksum in mk_safe, unfortunately this 322 makes it backwards incompatible 323 324 * update to autoconf 2.50, libtool 1.4 325 326 * re-write dns/config lookups (krb5_krbhst API) 327 328 * make order of using subkeys consistent 329 330 * add man page links 331 332 * add more man pages 333 334 * remove rfc2052 support, now only rfc2782 is supported 335 336 * always build with kaserver protocol support in the KDC (assuming 337 KRB4 is enabled) and support for reading kaserver databases in 338 hprop 339 340Changes in release 0.3f 341 342 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, 343 the new keytab type that tries both of these in order (SRVTAB is 344 also an alias for krb4:) 345 346 * improve error reporting and error handling (error messages should 347 be more detailed and more useful) 348 349 * improve building with openssl 350 351 * add kadmin -K, rcp -F 352 353 * fix two incorrect weak DES keys 354 355 * fix building of kaserver compat in KDC 356 357 * the API is closer to what MIT krb5 is using 358 359 * more compatible with windows 2000 360 361 * removed some memory leaks 362 363 * bug fixes 364 365Changes in release 0.3e 366 367 * rcp program included 368 369 * fix buffer overrun in ftpd 370 371 * handle omitted sequence numbers as zeroes to handle MIT krb5 that 372 cannot generate zero sequence numbers 373 374 * handle v4 /.k files better 375 376 * configure/portability fixes 377 378 * fixes in parsing of options to kadmin (sub-)commands 379 380 * handle errors in kadmin load better 381 382 * bug fixes 383 384Changes in release 0.3d 385 386 * add krb5-config 387 388 * fix a bug in 3des gss-api mechanism, making it compatible with the 389 specification and the MIT implementation 390 391 * make telnetd only allow a specific list of environment variables to 392 stop it from setting `sensitive' variables 393 394 * try to use an existing libdes 395 396 * lib/krb5, kdc: use correct usage type for ap-req messages. This 397 should improve compatability with MIT krb5 when using 3DES 398 encryption types 399 400 * kdc: fix memory allocation problem 401 402 * update config.guess and config.sub 403 404 * lib/roken: more stuff implemented 405 406 * bug fixes and portability enhancements 407 408Changes in release 0.3c 409 410 * lib/krb5: memory caches now support the resolve operation 411 412 * appl/login: set PATH to some sane default 413 414 * kadmind: handle several realms 415 416 * bug fixes (including memory leaks) 417 418Changes in release 0.3b 419 420 * kdc: prefer default-salted keys on v5 requests 421 422 * kdc: lowercase hostnames in v4 mode 423 424 * hprop: handle more types of MIT salts 425 426 * lib/krb5: fix memory leak 427 428 * bug fixes 429 430Changes in release 0.3a: 431 432 * implement arcfour-hmac-md5 to interoperate with W2K 433 434 * modularise the handling of the master key, and allow for other 435 encryption types. This makes it easier to import a database from 436 some other source without having to re-encrypt all keys. 437 438 * allow for better control over which encryption types are created 439 440 * make kinit fallback to v4 if given a v4 KDC 441 442 * make klist work better with v4 and v5, and add some more MIT 443 compatibility options 444 445 * make the kdc listen on the krb524 (4444) port for compatibility 446 with MIT krb5 clients 447 448 * implement more DCE/DFS support, enabled with --enable-dce, see 449 lib/kdfs and appl/dceutils 450 451 * make the sequence numbers work correctly 452 453 * bug fixes 454 455Changes in release 0.2t: 456 457 * bug fixes 458 459Changes in release 0.2s: 460 461 * add OpenLDAP support in hdb 462 463 * login will get v4 tickets when it receives forwarded tickets 464 465 * xnlock supports both v5 and v4 466 467 * repair source routing for telnet 468 469 * fix building problems with krb4 (krb_mk_req) 470 471 * bug fixes 472 473Changes in release 0.2r: 474 475 * fix realloc memory corruption bug in kdc 476 477 * `add --key' and `cpw --key' in kadmin 478 479 * klist supports listing v4 tickets 480 481 * update config.guess and config.sub 482 483 * make v4 -> v5 principal name conversion more robust 484 485 * support for anonymous tickets 486 487 * new man-pages 488 489 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab. 490 491 * use and set expiration and not password expiration when dumping 492 to/from ka server databases / krb4 databases 493 494 * make the code happier with 64-bit time_t 495 496 * follow RFC2782 and by default do not look for non-underscore SRV names 497 498Changes in release 0.2q: 499 500 * bug fix in tcp-handling in kdc 501 502 * bug fix in expand_hostname 503 504Changes in release 0.2p: 505 506 * bug fix in `kadmin load/merge' 507 508 * bug fix in krb5_parse_address 509 510Changes in release 0.2o: 511 512 * gss_{import,export}_sec_context added to libgssapi 513 514 * new option --addresses to kdc (for listening on an explicit set of 515 addresses) 516 517 * bug fixes in the krb4 and kaserver emulation part of the kdc 518 519 * other bug fixes 520 521Changes in release 0.2n: 522 523 * more robust parsing of dump files in kadmin 524 * changed default timestamp format for log messages to extended ISO 525 8601 format (Y-M-DTH:M:S) 526 * changed md4/md5/sha1 APIes to be de-facto `standard' 527 * always make hostname into lower-case before creating principal 528 * small bits of more MIT-compatability 529 * bug fixes 530 531Changes in release 0.2m: 532 533 * handle glibc's getaddrinfo() that returns several ai_canonname 534 535 * new endian test 536 537 * man pages fixes 538 539Changes in release 0.2l: 540 541 * bug fixes 542 543Changes in release 0.2k: 544 545 * better IPv6 test 546 547 * make struct sockaddr_storage in roken work better on alphas 548 549 * some missing [hn]to[hn]s fixed. 550 551 * allow users to change their own passwords with kadmin (with initial 552 tickets) 553 554 * fix stupid bug in parsing KDC specification 555 556 * add `ktutil change' and `ktutil purge' 557 558Changes in release 0.2j: 559 560 * builds on Irix 561 562 * ftpd works in passive mode 563 564 * should build on cygwin 565 566 * work around broken IPv6-code on OpenBSD 2.6, also add configure 567 option --disable-ipv6 568 569Changes in release 0.2i: 570 571 * use getaddrinfo in the missing places. 572 573 * fix SRV lookup for admin server 574 575 * use get{addr,name}info everywhere. and implement it in terms of 576 getipnodeby{name,addr} (which uses gethostbyname{,2} and 577 gethostbyaddr) 578 579Changes in release 0.2h: 580 581 * fix typo in kx (now compiles) 582 583Changes in release 0.2g: 584 585 * lots of bug fixes: 586 * push works 587 * repair appl/test programs 588 * sockaddr_storage works on solaris (alignment issues) 589 * works better with non-roken getaddrinfo 590 * rsh works 591 * some non standard C constructs removed 592 593Changes in release 0.2f: 594 595 * support SRV records for kpasswd 596 * look for both _kerberos and krb5-realm when doing host -> realm mapping 597 598Changes in release 0.2e: 599 600 * changed copyright notices to remove `advertising'-clause. 601 * get{addr,name}info added to roken and used in the other code 602 (this makes things work much better with hosts with both v4 and v6 603 addresses, among other things) 604 * do pre-auth for both password and key-based get_in_tkt 605 * support for having several databases 606 * new command `del_enctype' in kadmin 607 * strptime (and new strftime) add to roken 608 * more paranoia about finding libdb 609 * bug fixes 610 611Changes in release 0.2d: 612 613 * new configuration option [libdefaults]default_etypes_des 614 * internal ls in ftpd builds without KRB4 615 * kx/rsh/push/pop_debug tries v5 and v4 consistenly 616 * build bug fixes 617 * other bug fixes 618 619Changes in release 0.2c: 620 621 * bug fixes (see ChangeLog's for details) 622 623Changes in release 0.2b: 624 625 * bug fixes 626 * actually bump shared library versions 627 628Changes in release 0.2a: 629 630 * a new program verify_krb5_conf for checking your /etc/krb5.conf 631 * add 3DES keys when changing password 632 * support null keys in database 633 * support multiple local realms 634 * implement a keytab backend for AFS KeyFile's 635 * implement a keytab backend for v4 srvtabs 636 * implement `ktutil copy' 637 * support password quality control in v4 kadmind 638 * improvements in v4 compat kadmind 639 * handle the case of having the correct cred in the ccache but with 640 the wrong encryption type better 641 * v6-ify the remaining programs. 642 * internal ls in ftpd 643 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat 644 * add `ank --random-password' and `cpw --random-password' in kadmin 645 * some programs and documentation for trying to talk to a W2K KDC 646 * bug fixes 647 648Changes in release 0.1m: 649 650 * support for getting default from krb5.conf for kinit/kf/rsh/telnet. 651 From Miroslav Ruda <ruda@ics.muni.cz> 652 * v6-ify hprop and hpropd 653 * support numeric addresses in krb5_mk_req 654 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz> 655 * make rsh/rshd IPv6-aware 656 * make the gssapi sample applications better at reporting errors 657 * lots of bug fixes 658 * handle systems with v6-aware libc and non-v6 kernels (like Linux 659 with glibc 2.1) better 660 * hide failure of ERPT in ftp 661 * lots of bug fixes 662 663Changes in release 0.1l: 664 665 * make ftp and ftpd IPv6-aware 666 * add inet_pton to roken 667 * more IPv6-awareness 668 * make mini_inetd v6 aware 669 670Changes in release 0.1k: 671 672 * bump shared libraries versions 673 * add roken version of inet_ntop 674 * merge more changes to rshd 675 676Changes in release 0.1j: 677 678 * restore back to the `old' 3DES code. This was supposed to be done 679 in 0.1h and 0.1i but I did a CVS screw-up. 680 * make telnetd handle v6 connections 681 682Changes in release 0.1i: 683 684 * start using `struct sockaddr_storage' which simplifies the code 685 (with a fallback definition if it's not defined) 686 * bug fixes (including in hprop and kf) 687 * don't use mawk which seems to mishandle roken.awk 688 * get_addrs should be able to handle v6 addresses on Linux (with the 689 required patch to the Linux kernel -- ask within) 690 * rshd builds with shadow passwords 691 692Changes in release 0.1h: 693 694 * kf: new program for forwarding credentials 695 * portability fixes 696 * make forwarding credentials work with MIT code 697 * better conversion of ka database 698 * add etc/services.append 699 * correct `modified by' from kpasswdd 700 * lots of bug fixes 701 702Changes in release 0.1g: 703 704 * kgetcred: new program for explicitly obtaining tickets 705 * configure fixes 706 * krb5-aware kx 707 * bug fixes 708 709Changes in release 0.1f; 710 711 * experimental support for v4 kadmin protokoll in kadmind 712 * bug fixes 713 714Changes in release 0.1e: 715 716 * try to handle old DCE and MIT kdcs 717 * support for older versions of credential cache files and keytabs 718 * postdated tickets work 719 * support for password quality checks in kpasswdd 720 * new flag --enable-kaserver for kdc 721 * renew fixes 722 * prototype su program 723 * updated (some) manpages 724 * support for KDC resource records 725 * should build with --without-krb4 726 * bug fixes 727 728Changes in release 0.1d: 729 730 * Support building with DB2 (uses 1.85-compat API) 731 * Support krb5-realm.DOMAIN in DNS 732 * new `ktutil srvcreate' 733 * v4/kafs support in klist/kdestroy 734 * bug fixes 735 736Changes in release 0.1c: 737 738 * fix ASN.1 encoding of signed integers 739 * somewhat working `ktutil get' 740 * some documentation updates 741 * update to Autoconf 2.13 and Automake 1.4 742 * the usual bug fixes 743 744Changes in release 0.1b: 745 746 * some old -> new crypto conversion utils 747 * bug fixes 748 749Changes in release 0.1a: 750 751 * new crypto code 752 * more bug fixes 753 * make sure we ask for DES keys in gssapi 754 * support signed ints in ASN1 755 * IPv6-bug fixes 756 757Changes in release 0.0u: 758 759 * lots of bug fixes 760 761Changes in release 0.0t: 762 763 * more robust parsing of krb5.conf 764 * include net{read,write} in lib/roken 765 * bug fixes 766 767Changes in release 0.0s: 768 769 * kludges for parsing options to rsh 770 * more robust parsing of krb5.conf 771 * removed some arbitrary limits 772 * bug fixes 773 774Changes in release 0.0r: 775 776 * default options for some programs 777 * bug fixes 778 779Changes in release 0.0q: 780 781 * support for building shared libraries with libtool 782 * bug fixes 783 784Changes in release 0.0p: 785 786 * keytab moved to /etc/krb5.keytab 787 * avoid false detection of IPv6 on Linux 788 * Lots of more functionality in the gssapi-library 789 * hprop can now read ka-server databases 790 * bug fixes 791 792Changes in release 0.0o: 793 794 * FTP with GSSAPI support. 795 * Bug fixes. 796 797Changes in release 0.0n: 798 799 * Incremental database propagation. 800 * Somewhat improved kadmin ui; the stuff in admin is now removed. 801 * Some support for using enctypes instead of keytypes. 802 * Lots of other improvement and bug fixes, see ChangeLog for details. 803