1Changes in release 0.6.1 2 3 * Fixed ARCFOUR suppport 4 5 * Cross realm vulnerability 6 7 * kdc: fix denial of service attack 8 9 * kdc: stop clients from renewing tickets into the future 10 11 * bug fixes 12 13Changes in release 0.6 14 15* The DES3 GSS-API mechanism has been changed to inter-operate with 16 other GSSAPI implementations. See man page for gssapi(3) how to turn 17 on generation of correct MIC messages. Next major release of heimdal 18 will generate correct MIC by default. 19 20* More complete GSS-API support 21 22* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS 23 support in applications no longer requires Kerberos 4 libs 24 25* Kerberos 4 support in kdc defaults to turned off (includes ka and 524) 26 27* other bug fixes 28 29Changes in release 0.5.2 30 31 * kdc: add option for disabling v4 cross-realm (defaults to off) 32 33 * bug fixes 34 35Changes in release 0.5.1 36 37 * kadmind: fix remote exploit 38 39 * kadmind: add option to disable kerberos 4 40 41 * kdc: make sure kaserver token life is positive 42 43 * telnet: use the session key if there is no subkey 44 45 * fix EPSV parsing in ftp 46 47 * other bug fixes 48 49Changes in release 0.5 50 51 * add --detach option to kdc 52 53 * allow setting forward and forwardable option in telnet from 54 .telnetrc, with override from command line 55 56 * accept addresses with or without ports in krb5_rd_cred 57 58 * make it work with modern openssl 59 60 * use our own string2key function even with openssl (that handles weak 61 keys incorrectly) 62 63 * more system-specific requirements in login 64 65 * do not use getlogin() to determine root in su 66 67 * telnet: abort if telnetd does not support encryption 68 69 * update autoconf to 2.53 70 71 * update config.guess, config.sub 72 73 * other bug fixes 74 75Changes in release 0.4e 76 77 * improve libcrypto and database autoconf tests 78 79 * do not care about salting of server principals when serving v4 requests 80 81 * some improvements to gssapi library 82 83 * test for existing compile_et/libcom_err 84 85 * portability fixes 86 87 * bug fixes 88 89Changes in release 0.4d 90 91 * fix some problems when using libcrypto from openssl 92 93 * handle /dev/ptmx `unix98' ptys on Linux 94 95 * add some forgotten man pages 96 97 * rsh: clean-up and add man page 98 99 * fix -A and -a in builtin-ls in tpd 100 101 * fix building problem on Irix 102 103 * make `ktutil get' more efficient 104 105 * bug fixes 106 107Changes in release 0.4c 108 109 * fix buffer overrun in telnetd 110 111 * repair some of the v4 fallback code in kinit 112 113 * add more shared library dependencies 114 115 * simplify and fix hprop handling of v4 databases 116 117 * fix some building problems (osf's sia and osfc2 login) 118 119 * bug fixes 120 121Changes in release 0.4b 122 123 * update the shared library version numbers correctly 124 125Changes in release 0.4a 126 127 * corrected key used for checksum in mk_safe, unfortunately this 128 makes it backwards incompatible 129 130 * update to autoconf 2.50, libtool 1.4 131 132 * re-write dns/config lookups (krb5_krbhst API) 133 134 * make order of using subkeys consistent 135 136 * add man page links 137 138 * add more man pages 139 140 * remove rfc2052 support, now only rfc2782 is supported 141 142 * always build with kaserver protocol support in the KDC (assuming 143 KRB4 is enabled) and support for reading kaserver databases in 144 hprop 145 146Changes in release 0.3f 147 148 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, 149 the new keytab type that tries both of these in order (SRVTAB is 150 also an alias for krb4:) 151 152 * improve error reporting and error handling (error messages should 153 be more detailed and more useful) 154 155 * improve building with openssl 156 157 * add kadmin -K, rcp -F 158 159 * fix two incorrect weak DES keys 160 161 * fix building of kaserver compat in KDC 162 163 * the API is closer to what MIT krb5 is using 164 165 * more compatible with windows 2000 166 167 * removed some memory leaks 168 169 * bug fixes 170 171Changes in release 0.3e 172 173 * rcp program included 174 175 * fix buffer overrun in ftpd 176 177 * handle omitted sequence numbers as zeroes to handle MIT krb5 that 178 cannot generate zero sequence numbers 179 180 * handle v4 /.k files better 181 182 * configure/portability fixes 183 184 * fixes in parsing of options to kadmin (sub-)commands 185 186 * handle errors in kadmin load better 187 188 * bug fixes 189 190Changes in release 0.3d 191 192 * add krb5-config 193 194 * fix a bug in 3des gss-api mechanism, making it compatible with the 195 specification and the MIT implementation 196 197 * make telnetd only allow a specific list of environment variables to 198 stop it from setting `sensitive' variables 199 200 * try to use an existing libdes 201 202 * lib/krb5, kdc: use correct usage type for ap-req messages. This 203 should improve compatability with MIT krb5 when using 3DES 204 encryption types 205 206 * kdc: fix memory allocation problem 207 208 * update config.guess and config.sub 209 210 * lib/roken: more stuff implemented 211 212 * bug fixes and portability enhancements 213 214Changes in release 0.3c 215 216 * lib/krb5: memory caches now support the resolve operation 217 218 * appl/login: set PATH to some sane default 219 220 * kadmind: handle several realms 221 222 * bug fixes (including memory leaks) 223 224Changes in release 0.3b 225 226 * kdc: prefer default-salted keys on v5 requests 227 228 * kdc: lowercase hostnames in v4 mode 229 230 * hprop: handle more types of MIT salts 231 232 * lib/krb5: fix memory leak 233 234 * bug fixes 235 236Changes in release 0.3a: 237 238 * implement arcfour-hmac-md5 to interoperate with W2K 239 240 * modularise the handling of the master key, and allow for other 241 encryption types. This makes it easier to import a database from 242 some other source without having to re-encrypt all keys. 243 244 * allow for better control over which encryption types are created 245 246 * make kinit fallback to v4 if given a v4 KDC 247 248 * make klist work better with v4 and v5, and add some more MIT 249 compatibility options 250 251 * make the kdc listen on the krb524 (4444) port for compatibility 252 with MIT krb5 clients 253 254 * implement more DCE/DFS support, enabled with --enable-dce, see 255 lib/kdfs and appl/dceutils 256 257 * make the sequence numbers work correctly 258 259 * bug fixes 260 261Changes in release 0.2t: 262 263 * bug fixes 264 265Changes in release 0.2s: 266 267 * add OpenLDAP support in hdb 268 269 * login will get v4 tickets when it receives forwarded tickets 270 271 * xnlock supports both v5 and v4 272 273 * repair source routing for telnet 274 275 * fix building problems with krb4 (krb_mk_req) 276 277 * bug fixes 278 279Changes in release 0.2r: 280 281 * fix realloc memory corruption bug in kdc 282 283 * `add --key' and `cpw --key' in kadmin 284 285 * klist supports listing v4 tickets 286 287 * update config.guess and config.sub 288 289 * make v4 -> v5 principal name conversion more robust 290 291 * support for anonymous tickets 292 293 * new man-pages 294 295 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab. 296 297 * use and set expiration and not password expiration when dumping 298 to/from ka server databases / krb4 databases 299 300 * make the code happier with 64-bit time_t 301 302 * follow RFC2782 and by default do not look for non-underscore SRV names 303 304Changes in release 0.2q: 305 306 * bug fix in tcp-handling in kdc 307 308 * bug fix in expand_hostname 309 310Changes in release 0.2p: 311 312 * bug fix in `kadmin load/merge' 313 314 * bug fix in krb5_parse_address 315 316Changes in release 0.2o: 317 318 * gss_{import,export}_sec_context added to libgssapi 319 320 * new option --addresses to kdc (for listening on an explicit set of 321 addresses) 322 323 * bug fixes in the krb4 and kaserver emulation part of the kdc 324 325 * other bug fixes 326 327Changes in release 0.2n: 328 329 * more robust parsing of dump files in kadmin 330 * changed default timestamp format for log messages to extended ISO 331 8601 format (Y-M-DTH:M:S) 332 * changed md4/md5/sha1 APIes to be de-facto `standard' 333 * always make hostname into lower-case before creating principal 334 * small bits of more MIT-compatability 335 * bug fixes 336 337Changes in release 0.2m: 338 339 * handle glibc's getaddrinfo() that returns several ai_canonname 340 341 * new endian test 342 343 * man pages fixes 344 345Changes in release 0.2l: 346 347 * bug fixes 348 349Changes in release 0.2k: 350 351 * better IPv6 test 352 353 * make struct sockaddr_storage in roken work better on alphas 354 355 * some missing [hn]to[hn]s fixed. 356 357 * allow users to change their own passwords with kadmin (with initial 358 tickets) 359 360 * fix stupid bug in parsing KDC specification 361 362 * add `ktutil change' and `ktutil purge' 363 364Changes in release 0.2j: 365 366 * builds on Irix 367 368 * ftpd works in passive mode 369 370 * should build on cygwin 371 372 * work around broken IPv6-code on OpenBSD 2.6, also add configure 373 option --disable-ipv6 374 375Changes in release 0.2i: 376 377 * use getaddrinfo in the missing places. 378 379 * fix SRV lookup for admin server 380 381 * use get{addr,name}info everywhere. and implement it in terms of 382 getipnodeby{name,addr} (which uses gethostbyname{,2} and 383 gethostbyaddr) 384 385Changes in release 0.2h: 386 387 * fix typo in kx (now compiles) 388 389Changes in release 0.2g: 390 391 * lots of bug fixes: 392 * push works 393 * repair appl/test programs 394 * sockaddr_storage works on solaris (alignment issues) 395 * works better with non-roken getaddrinfo 396 * rsh works 397 * some non standard C constructs removed 398 399Changes in release 0.2f: 400 401 * support SRV records for kpasswd 402 * look for both _kerberos and krb5-realm when doing host -> realm mapping 403 404Changes in release 0.2e: 405 406 * changed copyright notices to remove `advertising'-clause. 407 * get{addr,name}info added to roken and used in the other code 408 (this makes things work much better with hosts with both v4 and v6 409 addresses, among other things) 410 * do pre-auth for both password and key-based get_in_tkt 411 * support for having several databases 412 * new command `del_enctype' in kadmin 413 * strptime (and new strftime) add to roken 414 * more paranoia about finding libdb 415 * bug fixes 416 417Changes in release 0.2d: 418 419 * new configuration option [libdefaults]default_etypes_des 420 * internal ls in ftpd builds without KRB4 421 * kx/rsh/push/pop_debug tries v5 and v4 consistenly 422 * build bug fixes 423 * other bug fixes 424 425Changes in release 0.2c: 426 427 * bug fixes (see ChangeLog's for details) 428 429Changes in release 0.2b: 430 431 * bug fixes 432 * actually bump shared library versions 433 434Changes in release 0.2a: 435 436 * a new program verify_krb5_conf for checking your /etc/krb5.conf 437 * add 3DES keys when changing password 438 * support null keys in database 439 * support multiple local realms 440 * implement a keytab backend for AFS KeyFile's 441 * implement a keytab backend for v4 srvtabs 442 * implement `ktutil copy' 443 * support password quality control in v4 kadmind 444 * improvements in v4 compat kadmind 445 * handle the case of having the correct cred in the ccache but with 446 the wrong encryption type better 447 * v6-ify the remaining programs. 448 * internal ls in ftpd 449 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat 450 * add `ank --random-password' and `cpw --random-password' in kadmin 451 * some programs and documentation for trying to talk to a W2K KDC 452 * bug fixes 453 454Changes in release 0.1m: 455 456 * support for getting default from krb5.conf for kinit/kf/rsh/telnet. 457 From Miroslav Ruda <ruda@ics.muni.cz> 458 * v6-ify hprop and hpropd 459 * support numeric addresses in krb5_mk_req 460 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz> 461 * make rsh/rshd IPv6-aware 462 * make the gssapi sample applications better at reporting errors 463 * lots of bug fixes 464 * handle systems with v6-aware libc and non-v6 kernels (like Linux 465 with glibc 2.1) better 466 * hide failure of ERPT in ftp 467 * lots of bug fixes 468 469Changes in release 0.1l: 470 471 * make ftp and ftpd IPv6-aware 472 * add inet_pton to roken 473 * more IPv6-awareness 474 * make mini_inetd v6 aware 475 476Changes in release 0.1k: 477 478 * bump shared libraries versions 479 * add roken version of inet_ntop 480 * merge more changes to rshd 481 482Changes in release 0.1j: 483 484 * restore back to the `old' 3DES code. This was supposed to be done 485 in 0.1h and 0.1i but I did a CVS screw-up. 486 * make telnetd handle v6 connections 487 488Changes in release 0.1i: 489 490 * start using `struct sockaddr_storage' which simplifies the code 491 (with a fallback definition if it's not defined) 492 * bug fixes (including in hprop and kf) 493 * don't use mawk which seems to mishandle roken.awk 494 * get_addrs should be able to handle v6 addresses on Linux (with the 495 required patch to the Linux kernel -- ask within) 496 * rshd builds with shadow passwords 497 498Changes in release 0.1h: 499 500 * kf: new program for forwarding credentials 501 * portability fixes 502 * make forwarding credentials work with MIT code 503 * better conversion of ka database 504 * add etc/services.append 505 * correct `modified by' from kpasswdd 506 * lots of bug fixes 507 508Changes in release 0.1g: 509 510 * kgetcred: new program for explicitly obtaining tickets 511 * configure fixes 512 * krb5-aware kx 513 * bug fixes 514 515Changes in release 0.1f; 516 517 * experimental support for v4 kadmin protokoll in kadmind 518 * bug fixes 519 520Changes in release 0.1e: 521 522 * try to handle old DCE and MIT kdcs 523 * support for older versions of credential cache files and keytabs 524 * postdated tickets work 525 * support for password quality checks in kpasswdd 526 * new flag --enable-kaserver for kdc 527 * renew fixes 528 * prototype su program 529 * updated (some) manpages 530 * support for KDC resource records 531 * should build with --without-krb4 532 * bug fixes 533 534Changes in release 0.1d: 535 536 * Support building with DB2 (uses 1.85-compat API) 537 * Support krb5-realm.DOMAIN in DNS 538 * new `ktutil srvcreate' 539 * v4/kafs support in klist/kdestroy 540 * bug fixes 541 542Changes in release 0.1c: 543 544 * fix ASN.1 encoding of signed integers 545 * somewhat working `ktutil get' 546 * some documentation updates 547 * update to Autoconf 2.13 and Automake 1.4 548 * the usual bug fixes 549 550Changes in release 0.1b: 551 552 * some old -> new crypto conversion utils 553 * bug fixes 554 555Changes in release 0.1a: 556 557 * new crypto code 558 * more bug fixes 559 * make sure we ask for DES keys in gssapi 560 * support signed ints in ASN1 561 * IPv6-bug fixes 562 563Changes in release 0.0u: 564 565 * lots of bug fixes 566 567Changes in release 0.0t: 568 569 * more robust parsing of krb5.conf 570 * include net{read,write} in lib/roken 571 * bug fixes 572 573Changes in release 0.0s: 574 575 * kludges for parsing options to rsh 576 * more robust parsing of krb5.conf 577 * removed some arbitrary limits 578 * bug fixes 579 580Changes in release 0.0r: 581 582 * default options for some programs 583 * bug fixes 584 585Changes in release 0.0q: 586 587 * support for building shared libraries with libtool 588 * bug fixes 589 590Changes in release 0.0p: 591 592 * keytab moved to /etc/krb5.keytab 593 * avoid false detection of IPv6 on Linux 594 * Lots of more functionality in the gssapi-library 595 * hprop can now read ka-server databases 596 * bug fixes 597 598Changes in release 0.0o: 599 600 * FTP with GSSAPI support. 601 * Bug fixes. 602 603Changes in release 0.0n: 604 605 * Incremental database propagation. 606 * Somewhat improved kadmin ui; the stuff in admin is now removed. 607 * Some support for using enctypes instead of keytypes. 608 * Lots of other improvement and bug fixes, see ChangeLog for details. 609