mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
a87aae5292
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
1495 lines
46 KiB
Plaintext

Partial news for a future Heimdal 8.0 release -- but NOTE WELL that this is NOT
a release at this time!

Bug fixes

- Errors found by the Coverity static analyzer.
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Fix out-of-tree SQLite3 ccache permissions / umask issues.
- iprop bugs, race conditions, and performance
- Many misc. bugs

Features:

- KDC: Add FAST support for TGS.
- KDC: Greatly improved plugin facility for Samba.
- KDC: Add httpkadmind service providing a subset of kadmin
  functionality over HTTP.
- KDC: Add support for virtual service principal namespaces.
- KDC: Add support for synthetic client principals that exist if the
  pre-authentication mechanism (e.g., PKINIT) can authenticate
  them, thus not requiring an HDB entry.
- KDC: Add experimental GSS-API pre-authentication support.
- KDC: Revamp and enhance kx509 support (though bx509d mostly replaces kx509).
- KDC: Better support for aliases and referrals.
- KDC: Always return the salt in the PA-ETYPE-INFO[2].
- KDC: Add warn_ticket_addresses configuration parameter.
- KDC: Allow anonymous AS requests with long-term keys.
- KDC: Do not include PAC for anonymous AS requests.
- KDC: Enable keepalive mode on incoming sockets.
- KDC: Greatly improved logging.
- KDC: Remove KRB5SignedPath, to be replaced with PAC.
- PKIX: Add bx509d -- an online certification authority (CA) with an HTTP API.
- kadmin: Add HTTP-based kadmin protocol.
- kadmin: Add add_alias, del_alias.
- kadmin: Add command aliases to man page.
- kadmin: Add disallow-client attribute.
- kadmin: Add --hdb / -H argument.
- kadmin: Allow enforcing password quality on admin password change.
- kadmin: Improve ext_keytab usage.
- kadmin: Selective pruning of historic keys for a principal.
- krb5: Add client_aware_channel_bindings option.
- krb5: Add constrained credential delegation option "destination TGT"
- krb5: Add "EFILE:" target for logging.
- krb5: Add include/includedir directives for krb5.conf.
- krb5: Complete DIR ccache collection support.
- krb5: Add FILE ccache collection support.
- krb5: Improved FILE ccache performance.
- krb5: Add KEYRING ccache support.
- krb5: Add kx509 client.
- krb5: Improve FILE keytab performance.
- krb5: Implement KRB5_TRACE environment variable.
- krb5: Add experimental name canonicalization rules configuration.
- krb5: Support start_realm ccconfig entry type.
- kinit: Add --default-for option for ccache collection support.
- kinit: Add --pk-anon-fast-armor option.
- kinit: Don't leave dangling temporary ccaches.
- klist: Better --json
- iprop: Many performance and scaling enhancements.
- iprop: Support hierarchical propagation.
- ASN.1: Document fuzzing process.
- ASN.1: Complete template backend.
- ASN.1: Add partial Information Object System support (template backend
  only). This means that open type holes can be decoded recursively
  with one codec function call.
- ASN.1: Add JSON encoder functionality (template backend only).
- ASN.1: Greatly enhanced asn1_print(1) command, which can now print a
  JSON representation of any DER-encoded value of any type exported
  by ASN.1 modules in Heimdal.
- ASN.1: Support circular types.
- ASN.1: Topologically sort declarations.
- ASN.1: Proper support for IMPLICIT tags.
- GSS: Import gss-token(1) command.
- GSS: Add advanced credential store / load functionality.
- GSS: Add name attributes support, with support for many basic attributes
  and PAC buffer accessors too.
- GSS: Add SANON mechanism for anonymous-only key exchange using
  elliptic curve Diffie-Hellman (ECDH) with Curve25519.
- GSS: Add gss_acquire_cred_from() and credential store extensions.
- GSS: Support fragmented token reassembly (for SMB).
- GSS: Support client keytab.
- GSS: Add NegoEx support.
- libhx509: Lots of improvements.
- hxtool: Add "acert" (assert cert contents) command
- hxtool: Add cert type: https-negotiate-server
- hxtool: Add generate-key command
- hxtool: Add OID symbol resolution and printing of OIDs known to hxtool.
- hxtool: Add print --raw-json option that shows certificates in JSON, with
  all extensions and attributes known to Heimdal fully decoded.
- hxtool: Improved SAN support.
- hxtool: Improved CSR support.
- Improved plugin interfaces.
- hcrypto: Add X25519.
- hcrypto: Better RSA key generation.
- hcrypto: Import libtommath v1.2.0.
- roken: Add secure_getenv() and issuid(), use them extensively.

Release Notes - Heimdal - Version Heimdal 7.8

Bug fixes

- CVE-2022-42898 PAC parse integer overflows

- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
  - Pass correct length to _gssapi_verify_pad()
  - Check for overflow in _gsskrb5_get_mech()
  - Check buffer length against overflow for DES{,3} unwrap
  - Check the result of _gsskrb5_get_mech()
  - Avoid undefined behaviour in _gssapi_verify_pad()
  - Don't pass NULL pointers to memcpy() in DES unwrap
  - Use constant-time memcmp() in unwrap_des3()
  - Use constant-time memcmp() for arcfour unwrap

- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors

- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

  This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3.

  Heimdal's ASN.1 compiler generates code that allows specially
  crafted DER encodings of CHOICEs to invoke the wrong free function
  on the decoded structure upon decode error. This is known to impact
  the Heimdal KDC, leading to an invalid free() of an address partly
  or wholly under the control of the attacker, in turn leading to a
  potential remote code execution (RCE) vulnerability.

  This error affects the DER codec for all CHOICE types used in
  Heimdal, though not all cases will be exploitable. We have not
  completed a thorough analysis of all the Heimdal components
  affected, thus the Kerberos client, the X.509 library, and other
  parts, may be affected as well.

  This bug has been in Heimdal since 2005. It was first reported by
  Douglas Bagnall, though it had been found independently by the
  Heimdal maintainers via fuzzing.

  While no zero-day exploit is known, such an exploit will likely be
  available soon after public disclosure.

- Errors found by the LLVM scan-build static analyzer.

- Errors found by the valgrind memory debugger.

- Work around GCC Bug 95189 (memcmp wrongly stripped like strcmp).

- Fix Unicode normalization read of 1 byte past end of array.

- Correct ASN.1 OID typo for SHA-384

- Fix a deadlock in the MEMORY ccache type.

- TGS: strip forwardable and proxiable flags if the server is
  disallowed.

- CVE-2019-14870: Validate client attributes in protocol-transition
- CVE-2019-14870: Apply forwardable policy in protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB

- Incremental HDB propagation improvements

  - Refactor send_diffs making it progressive
  - Handle partial writes on non-blocking sockets
  - Disable Nagle in iprop master and slave
  - Use async I/O
  - Don't send I_HAVE in response to AYT
  - Do not recover log in kadm5_get_principal()
  - Don't send diffs to slaves with not yet known version
  - Don't stutter in send_diffs

- Optional backwards-compatible anon-pkinit behaviour

Release Notes - Heimdal - Version Heimdal 7.7

Bug fixes

- PKCS#11 hcrypto back-end
  . initialize the p11_module_load function list
  . verify that not only is a mechanism present but that its mechanism
    info states that it offers the required encryption, decryption or
    digest services
- krb5:
  . Starting with 7.6, Heimdal permitted requesting authenticated
    anonymous tickets. However, it did not verify that a KDC in fact
    returned an anonymous ticket when one was requested.
  . Cease setting the KDCOption request_anonymous flag when issuing
    S4UProxy (constrained delegation) TGS requests.
  . when the Win2K PKINIT compatibility option is set, do
    not require krbtgt otherName to match when validating KDC
    certificate.
  . set PKINIT_BTMM flag per Apple implementation
  . use memset_s() instead of memset()
- kdc:
  . When generating KRB5SignedPath in the AS, use the reply client name
    rather than the one from the request, so validation will work
    correctly in the TGS.
  . allow checksum of PA-FOR-USER to be HMAC_MD5, even if the TGT used
    an enctype with a different checksum. Per [MS-SFU] 2.2.1
    PA-FOR-USER the checksum is always HMAC_MD5, and that's what
    Windows and MIT clients send.

    In Heimdal both the client and the KDC instead use the
    checksum of the TGT, and therefore work with each other,
    but Windows and MIT clients fail against a Heimdal KDC.

    Both Windows and MIT KDCs would allow any keyed checksum
    to be used, so the Heimdal client interoperates with them.

    Change the Heimdal KDC to allow HMAC_MD5 even for non-RC4
    based TGTs in order to support per-spec clients.
  . use memset_s() instead of memset().
  . Detect Heimdal 1.0 through 7.6 clients that issue S4UProxy
    (constrained delegation) TGS Requests with the request
    anonymous flag set. These requests will be treated as
    S4UProxy requests and not anonymous requests.
- HDB:
  . Set SQLite3 backend default page size to 8KB.
  . Add hdb_set_sync() method
- kadmind:
  . disable HDB sync during database load, avoiding unnecessary disk i/o.
- ipropd:
  . disable HDB sync during receive_everything. Doing an fsync
    per-record when receiving the complete HDB is a performance
    disaster. Among other things, if the HDB is very large, then
    one slave receiving a full HDB can cause other slaves to timeout
    and, if HDB write activity is high enough to cause iprop log
    truncation, then those slaves also need full syncs, which leads to
    a cycle of full syncs for all slaves until HDB write activity drops.
    Allowing the iprop log to be larger helps, but improving
    receive_everything() performance helps even more.
- kinit:
  . Anonymous PKINIT tickets discard the realm information used
    to locate the issuing AS. Store the issuing realm in the
    credentials cache in order to locate a KDC which can renew them.
  . Do not leak the result of krb5_cc_get_config() when determining
    anonymous PKINIT start realm.
- klist:
  . Show transited-policy-checked, ok-as-delegate and anonymous
    flags when listing credentials.
- tests:
  . Regenerate certs so that they expire before the 2038 armageddon
    so the test suite will pass on 32-bit operating systems until the
    underlying issues can be resolved.
- Solaris:
  . Define _STDC_C11_BCI for memset_s prototype
- build tooling:
  . Convert from python 2 to python 3
- documentation
  . rename verify-password to verify-password-quality
  . hprop default mode is encrypt
  . kadmind "all" permission does not include "get-keys"
  . verify-password-quality might not be stateless

Release Notes - Heimdal - Version Heimdal 7.6

Security

- CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

  When the Heimdal KDC checks the checksum that is placed on the
  S4U2Self packet by the server to protect the requested principal
  against modification, it does not confirm that the checksum
  algorithm that protects the user name (principal) in the request
  is keyed. This allows a man-in-the-middle attacker who can
  intercept the request to the KDC to modify the packet by replacing
  the user name (principal) in the request with any desired user
  name (principal) that exists in the KDC and replace the checksum
  protecting that name with a CRC32 checksum (which requires no
  prior knowledge to compute).

  This would allow an S4U2Self ticket requested on behalf of user
  name (principal) user@EXAMPLE.COM to any service to be changed
  to an S4U2Self ticket with a user name (principal) of
  Administrator@EXAMPLE.COM. This ticket would then contain the
  PAC of the modified user name (principal).

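  The attack above turns entirely on whether the checksum type is keyed.
  The Python model below is added here as an illustration and is not
  Heimdal's code: it builds a PA-FOR-USER style structure protected
  either by CRC32 (unkeyed) or by HMAC-MD5 keyed with the session key
  that the service shares with the KDC, lets an attacker on the path who
  does not know that key rewrite the name, and compares a KDC that
  accepts any checksum type that verifies with one that insists on a
  keyed type. The field layout, the checksum-type names and the key
  material are constructed for the example and are not the [MS-SFU]
  wire format or Kerberos checksum-type numbers.

```python
import hashlib
import hmac
import zlib

# Constructed checksum type names for this model; the real Kerberos
# checksum-type numbers and the PA-FOR-USER encoding are not reproduced.
CKSUMTYPE_CRC32 = "crc32"          # unkeyed: anyone can compute it
CKSUMTYPE_HMAC_MD5 = "hmac-md5"    # keyed with the TGT session key
KEYED_CKSUMTYPES = {CKSUMTYPE_HMAC_MD5}


def compute_checksum(cksumtype, key, data):
    """Checksum 'data' with the given type; 'key' is ignored for CRC32."""
    if cksumtype == CKSUMTYPE_CRC32:
        return zlib.crc32(data).to_bytes(4, "little")
    if cksumtype == CKSUMTYPE_HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    raise ValueError(f"unknown checksum type {cksumtype!r}")


def build_pa_for_user(cksumtype, session_key, user):
    """What the service sends: the impersonated name plus its checksum."""
    return {
        "user": user,
        "cksumtype": cksumtype,
        "cksum": compute_checksum(cksumtype, session_key, user.encode()),
    }


def mitm_rewrite(pa, new_user):
    """Attacker on the path who does NOT know the session key: swap the
    name and re-protect it with an unkeyed CRC32 (the CVE-2018-16860 trick)."""
    return {
        "user": new_user,
        "cksumtype": CKSUMTYPE_CRC32,
        "cksum": compute_checksum(CKSUMTYPE_CRC32, b"", new_user.encode()),
    }


def kdc_accepts(pa, session_key, require_keyed):
    """KDC-side validation.  With require_keyed=False (the pre-fix
    behaviour in this model) any checksum type that verifies is trusted."""
    if require_keyed and pa["cksumtype"] not in KEYED_CKSUMTYPES:
        return False
    expected = compute_checksum(pa["cksumtype"], session_key,
                                pa["user"].encode())
    # compare_digest returns False on a length mismatch, so a 4-byte CRC
    # never matches a 16-byte HMAC-MD5.
    return hmac.compare_digest(expected, pa["cksum"])


def scenario():
    """Run the attack against both KDC policies and report the outcomes."""
    session_key = hashlib.sha256(b"constructed TGT session key").digest()
    legit = build_pa_for_user(CKSUMTYPE_HMAC_MD5, session_key,
                              "user@EXAMPLE.COM")
    forged = mitm_rewrite(legit, "Administrator@EXAMPLE.COM")
    return {
        "legit_accepted_by_fixed_kdc": kdc_accepts(legit, session_key, True),
        "forged_accepted_by_unfixed_kdc": kdc_accepts(forged, session_key, False),
        "forged_accepted_by_fixed_kdc": kdc_accepts(forged, session_key, True),
        # Keeping the keyed type does not help the attacker: without the
        # session key the HMAC-MD5 cannot be recomputed for the new name.
        "keyed_forgery_accepted": kdc_accepts(
            {**forged, "cksumtype": CKSUMTYPE_HMAC_MD5}, session_key, False),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

  The fix in the model is the single `require_keyed` test: once the KDC
  refuses checksum types that need no key, an attacker cannot protect a
  substituted name without the session key, which is exactly the
  guarantee the original checksum was meant to provide.
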
- CVE-2019-12098, client-only:

  RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange
  when anonymous PKINIT is used. Failure to do so can permit an active
  attacker to become a man-in-the-middle.

Bug fixes

- Happy eyeballs: Don't wait for responses from known-unreachable KDCs.
- kdc: check the return values of copy_Realm, copy_PrincipalName, copy_EncryptionKey
- kinit:
  . cleanup temporary ccaches
  . see man page for "kinit --anonymous" command line syntax change
- kdc: Make anonymous AS-requests more RFC8062-compliant.
- Updated expired test certificates
- Solaris:
  . PKCS#11 hcrypto backend broken since 7.0.1
  . Building with Sun Pro C

Features

- kuser: support authenticated anonymous AS-REQs in kinit
- kdc: support for anonymous TGS-REQs
- kgetcred support for anonymous service tickets
- Support builds with OpenSSL 1.1.1

Release Notes - Heimdal - Version Heimdal 7.5

Security

- Fix CVE-2017-17439, which is a remote denial of service
  vulnerability:

  In Heimdal 7.1 through 7.4, remote unauthenticated attackers
  are able to crash the KDC by sending a crafted UDP packet
  containing empty data fields for client name or realm.

Bug fixes

- Handle long input lines when reloading database dumps.

- In pre-forked mode (default on Unix), correctly clear
  the process ids of exited children, allowing new child processes
  to replace the old.

- Fixed incorrect KDC response when no cross-realm TGT exists,
  allowing client requests to fail quickly rather than time
  out after trying to get a correct answer from each KDC.

Release Notes - Heimdal - Version Heimdal 7.4

Security

- Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

  This is a critical vulnerability.

  In _krb5_extract_ticket() the KDC-REP service name must be obtained from
  the encrypted version stored in 'enc_part' instead of the unencrypted version
  stored in 'ticket'. Use of the unencrypted version provides an
  opportunity for successful server impersonation and other attacks.

  Identified by Jeffrey Altman, Viktor Dukhovni and Nico Williams.

  See https://www.orpheus-lyre.info/ for more details.

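  To make concrete which copy of the name a client may trust, the
  following Python model is added here; it is not Heimdal's
  _krb5_extract_ticket(). A KDC-REP carries the service name twice: in
  the clear beside the ticket, whose body is sealed for the service, and
  inside the client's enc_part, sealed for the client. An on-path
  attacker can rewrite the plaintext name but cannot re-seal either
  part. The model deliberately does not reproduce how the attacker
  obtains a reply whose enc_part names a service under the attacker's
  control; it only shows what each client version concludes from it.
  The sealing construction (an HMAC-SHA256 keystream with an HMAC tag),
  the keys and the principal names are constructed for the example and
  are not Kerberos encryption types.

```python
import hashlib
import hmac
import json
import os


class BadMac(Exception):
    """enc_part failed its integrity check (wrong key or tampering)."""


def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256.  Constructed for this
    example; not a Kerberos encryption type."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object.  Without 'key' nothing
    inside can be read or altered."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise BadMac("enc_part integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def kdc_issue(client_key, service_key, sname, session_key):
    """A KDC-REP in miniature: the service name sits in the clear next to a
    ticket only the service can open, and again inside the client's enc_part."""
    body = {"sname": sname, "session_key": session_key}
    return {
        "ticket": {"sname": sname, "enc_part": seal(service_key, body)},
        "enc_part": seal(client_key, body),
    }


def mitm_rewrite_plaintext_name(rep, claimed_sname):
    """On-path attacker: change only the name that sits in the clear.  The
    sealed parts are untouched because the attacker cannot re-seal them."""
    forged = {"ticket": dict(rep["ticket"]), "enc_part": rep["enc_part"]}
    forged["ticket"]["sname"] = claimed_sname
    return forged


def extract_sname_vulnerable(rep, client_key):
    """Pre-fix behaviour: enc_part is opened for the session key, but the
    service name is read from the unencrypted ticket."""
    unseal(client_key, rep["enc_part"])
    return rep["ticket"]["sname"]


def extract_sname_fixed(rep, client_key, requested_sname):
    """Post-fix behaviour: the name inside enc_part is authoritative and
    must be the one the client asked for."""
    enc = unseal(client_key, rep["enc_part"])
    if enc["sname"] != requested_sname:
        raise ValueError(f"reply names {enc['sname']}, not {requested_sname}")
    return enc["sname"]


def scenario():
    """A reply for an attacker-controlled service whose plaintext name has
    been rewritten to the service the client wanted.  Constructed data."""
    client_key = hashlib.sha256(b"constructed client key").digest()
    attacker_key = hashlib.sha256(b"constructed key of attacker's service").digest()
    fileserver_key = hashlib.sha256(b"constructed fileserver key").digest()
    session_key = "0123456789abcdef0123456789abcdef"
    wanted = "host/fileserver.example.com@EXAMPLE.COM"
    attacker_svc = "host/attacker.example.com@EXAMPLE.COM"

    rep = kdc_issue(client_key, attacker_key, attacker_svc, session_key)
    forged = mitm_rewrite_plaintext_name(rep, wanted)
    results = {
        # The vulnerable client files this as a fileserver ticket although
        # the attacker can read its session key out of the ticket body.
        "vulnerable_sees": extract_sname_vulnerable(forged, client_key),
        "attacker_knows_session_key":
            unseal(attacker_key, forged["ticket"]["enc_part"])["session_key"] == session_key,
    }
    try:
        extract_sname_fixed(forged, client_key, wanted)
        results["fixed_rejects_forgery"] = False
    except ValueError:
        results["fixed_rejects_forgery"] = True
    genuine = kdc_issue(client_key, fileserver_key, wanted, session_key)
    results["fixed_sees_genuine"] = extract_sname_fixed(genuine, client_key, wanted)
    return results
```

  The only field the client can vouch for is the one it decrypted with
  its own key; anything beside the ticket is under the control of
  whoever relayed the reply, and the fixed extraction therefore never
  consults it.
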
Release Notes - Heimdal - Version Heimdal 7.3

Security

- Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently
  caused the previous hop realm to not be added to the transit path
  of issued tickets. This may, in some cases, enable bypass of capath
  policy in Heimdal versions 1.5 through 7.2.

  Note, this may break sites that rely on the bug. With the bug some
  incomplete [capaths] worked, that should not have. These may now break
  authentication in some cross-realm configurations.
  (CVE-2017-6594)

Release Notes - Heimdal - Version Heimdal 7.2

Bug fixes

- Portability improvements
- More strict parsing of encoded URI components in HTTP KDC
- Fixed memory leak in malloc error recovery in NTLM GSSAPI mechanism
- Avoid overly specific CPU info in krb5-config in aid of reproducible builds
- Don't do AFS string-to-key tests when feature is disabled
- Skip mdb_stat test when the command is not available
- Windows: update SHA2 timestamp server
- hdb: add missing export hdb_generate_key_set_password_with_ks_tuple
- Fix signature of hdb_generate_key_set_password()
- Windows: enable KX509 support in the KDC
- kdc: fix kx509 service principal match
- iprop: handle case where master sends nothing new
- ipropd-slave: fix incorrect error codes
- Allow choice of sqlite for HDB pref
- check-iprop: don't fail to kill daemons
- roken: pidfile -> rk_pidfile
- kdc: _kdc_do_kx509 fix use after free error
- Do not detect x32 as 64-bit platform.
- No sys/ttydefaults.h on CYGWIN
- Fix check-iprop races
- roken_detach_prep() close pipe

Release Notes - Heimdal - Version Heimdal 7.1

Security

- kx509 realm-chopping security bug
- non-authorization of alias additions/removals in kadmind
  (CVE-2016-2400)

Feature

- iprop has been revamped to fix a number of race conditions that could
  lead to inconsistent replication
- Hierarchical capath support
- AES Encryption with HMAC-SHA2 for Kerberos 5
  draft-ietf-kitten-aes-cts-hmac-sha2-11
- hcrypto is now thread safe on all platforms
- libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for
  Solaris), and OpenSSL. OpenSSL is now a first-class libhcrypto backend.
  OpenSSL 1.0.x and 1.1 are both supported. AES-NI is used when the
  backend supports it
- HDB now supports LMDB
- Thread support on Windows
- RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST)
- New GSS APIs:
  . gss_localname
- Allow setting what encryption types a principal should have with
  [kadmin] default_key_rules, see krb5.conf manpage for more info
- Unify libhcrypto with LTC (libtomcrypt)
- asn1_compile 64-bit INTEGER functionality
- HDB key history support including --keepold kadmin password option
- Improved cross-realm key rollover safety
- New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces
- Improved MIT compatibility
  . kadm5 API
  . Migration from MIT KDB via "mitdb" HDB backend
  . Capable of writing the HDB in MIT dump format
- Improved Active Directory interoperability
  . Enctype selection issues for PAC and other authz-data signatures
  . Cross realm key rollover (kvno 0)
- New [kdc] enctype negotiation configuration:
  . tgt-use-strongest-session-key
  . svc-use-strongest-session-key
  . preauth-use-strongest-session-key
  . use-strongest-server-key
- The KDC process now uses a multi-process model improving
  resiliency and performance
- Allow batch-mode kinit with password file
- SIGINFO support added to kinit cmd
- New kx509 configuration options:
  . kx509_ca
  . kca_service
  . kx509_include_pkinit_san
  . kx509_template
- Improved Heimdal library/plugin version safety
- Name canonicalization
  . DNS resolver searchlist
  . Improved referral support
  . Support host:port host-based services
- Pluggable libheimbase interface for DBs
- Improve IPv6 Support
- LDAP
  . Bind DN and password
  . Start TLS
- klist --json
- DIR credential cache type
- Updated upstream SQLite and libedit
- Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
  telnet, xnlock
- Completely remove RAND_egd support
- Moved kadmin and ktutil to /usr/bin
- Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
  . use O_NOFOLLOW
  . don't follow symlinks
  . require cache files to be owned by the user
  . require sensible permissions (not group/other readable)
- Implemented gss_store_cred()
- Many more

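  The four fcache checks listed above, applied to a FILE credential
  cache path before it is read, as an added Python example that is not
  Heimdal's fcache code. The file is opened with O_NOFOLLOW, so a
  symlink is refused by the kernel at open time rather than by a
  pre-check that could be raced, and the owner and mode tests run on the
  already-open descriptor with fstat so that the inode checked is the
  inode used. self_check() writes a throwaway file with constructed
  contents to exercise the accept and reject paths; the cache file names
  are constructed for the example.

```python
import errno
import os
import stat
import tempfile


class CCacheCheckError(Exception):
    """The cache file failed one of the strict checks."""


def open_ccache_strict(path):
    """Open a FILE ccache for reading, refusing symlinks, files owned by
    another user, and files readable or writable by group/other.  Returns
    an open file descriptor that the caller must close."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as e:
        # Linux reports ELOOP for O_NOFOLLOW on a symlink; FreeBSD uses EMLINK.
        if e.errno in (errno.ELOOP, errno.EMLINK):
            raise CCacheCheckError(f"{path}: is a symbolic link") from e
        raise
    try:
        st = os.fstat(fd)            # inspect the inode we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise CCacheCheckError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise CCacheCheckError(f"{path}: owned by uid {st.st_uid}, not us")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CCacheCheckError(f"{path}: mode {stat.S_IMODE(st.st_mode):o} "
                                   "is group/other accessible")
    except Exception:
        os.close(fd)
        raise
    return fd


def ccache_is_acceptable(path):
    """True if every strict check passes, False if any of them fails."""
    try:
        fd = open_ccache_strict(path)
    except CCacheCheckError:
        return False
    os.close(fd)
    return True


def self_check():
    """Exercise the checks on constructed files.  Returns a tuple:
    (private file accepted, group/other-readable file accepted,
     symlink accepted)."""
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "krb5cc_example")    # constructed path
        with open(cache, "wb") as f:
            f.write(b"constructed bytes, not a real ccache")
        os.chmod(cache, 0o600)
        private_ok = ccache_is_acceptable(cache)
        os.chmod(cache, 0o644)
        shared_ok = ccache_is_acceptable(cache)
        os.chmod(cache, 0o600)
        link = os.path.join(d, "krb5cc_link")
        os.symlink(cache, link)
        link_ok = ccache_is_acceptable(link)
    return private_ok, shared_ok, link_ok


if __name__ == "__main__":
    print(self_check())   # expected: (True, False, False)
```

  A caller that wants the old permissive behaviour can catch
  CCacheCheckError and fall back, which is the role the
  fcache_strict_checking setting plays in krb5.conf.
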
Bug fixes

- iprop has been revamped to fix a number of race conditions that could
  lead to data loss
- Include non-loopback addresses assigned to loopback interfaces
  when requesting tickets with addresses
- KDC 1DES session key selection (for AFS rxkad-k5 compatibility)
- Keytab file descriptor and lock leak
- Credential cache corruption bugs
  (NOTE: The FILE ccache is still not entirely safe due to the
  fundamentally unsafe design of POSIX file locking)
- gss_pseudo_random() interop bug
- Plugins are now preferentially loaded from the run-time install tree
- Reauthentication after password change in init_creds_password
- Memory leak in the client kadmin library
- TGS client requests renewable/forwardable/proxiable when possible
- Locking issues in DB1 and DB3 HDB backends
- Master HDB can remain locked while waiting for network I/O
- Renewal/refresh logic when kinit is provided with a command
- KDC handling of enterprise principals
- Use correct bit for anon-pkinit
- Many more

Acknowledgements

This release of Heimdal includes contributions from:

Abhinav Upadhyay        Heath Kehoe               Nico Williams
Andreas Schneider       Henry Jacques             Patrik Lundin
Andrew Bartlett         Howard Chu                Philip Boulain
Andrew Tridgell         Igor Sobrado              Ragnar Sundblad
Antoine Jacoutot        Ingo Schwarze             Remi Ferrand
Arran Cudbard-Bell      Jakub Čajka               Rod Widdowson
Arvid Requate           James Le Cuirot           Rok Papež
Asanka Herath           James Lee                 Roland C. Dowdeswell
Ben Kaduk               Jeffrey Altman            Ross L Richardson
Benjamin Kaduk          Jeffrey Clark             Russ Allbery
Bernard Spil            Jeffrey Hutzelman         Samuel Cabrero
Brian May               Jelmer Vernooij           Samuel Thibault
Chas Williams           Ken Dreyer                Santosh Kumar Pradhan
Chaskiel Grundman       Kiran S J                 Sean Davis
Dana Koch               Kumar Thangavelu          Sergio Gelato
Daniel Schepler         Landon Fuller             Simon Wilkinson
David Mulder            Linus Nordberg            Stef Walter
Douglas Bagnall         Love Hörnquist Åstrand    Stefan Metzmacher
Ed Maste                Luke Howard               Steffen Jaeckel
Eray Aslan              Magnus Ahltorp            Timothy Pearson
Florian Best            Marc Balmer               Tollef Fog Heen
Fredrik Pettai          Marcin Cieślak            Tony Acero
Greg Hudson             Marco Molteni             Uri Simchoni
Gustavo Zacarias        Matthieu Hautreux         Viktor Dukhovni
Günther Deschner        Michael Meffie            Volker Lendecke
Harald Barth            Moritz Lenz

Release Notes - Heimdal - Version Heimdal 1.5.3

Bug fixes

- Fix leaking file descriptors in KDC
- Better socket/timeout handling in libkrb5
- General bug fixes
- Build fixes

Release Notes - Heimdal - Version Heimdal 1.5.2

Security fixes

- CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
- Check that key types strictly match - denial of service

Release Notes - Heimdal - Version Heimdal 1.5.1

Bug fixes

- Fix building on Solaris, requires c99
- Fix building on Windows
- Build system updates

Release Notes - Heimdal - Version Heimdal 1.5

New features

- Support GSS name extensions/attributes
- SHA512 support
- No Kerberos 4 support
- Basic support for MIT Admin protocol (SECGSS flavor)
  in kadmind (extract keytab)
- Replace editline with libedit

Release Notes - Heimdal - Version Heimdal 1.4

New features

- Support for reading MIT database file directly
- KCM is polished up and now used in production
- NTLM first class citizen, credentials stored in KCM
- Table driven ASN.1 compiler, smaller!, not enabled by default
- Native Windows client support

Notes

- Disabled write support in the NDBM hdb backend (read still in there) since
  it can't handle large records, please migrate to a different backend
  (like BDB4)

Release Notes - Heimdal - Version Heimdal 1.3.3

Bug fixes

- Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
- Check NULL pointers before dereferencing them [kdc]

Release Notes - Heimdal - Version Heimdal 1.3.2

Bug fixes

- Don't mix lengths when clearing hmac (could memset too much)
- More paranoid underrun checking when decrypting packets
- Check the password change requests and refuse to answer empty packets
- Build on OpenSolaris
- Renumber AD-SIGNED-TICKET since it was stolen from us
- Don't cache /dev/*random file descriptor, it doesn't get unloaded
- Make C++ safe
- Misc warnings

Release Notes - Heimdal - Version Heimdal 1.3.1

Bug fixes

- Store KDC offset in credentials
- Many many more bug fixes

Release Notes - Heimdal - Version Heimdal 1.3.1

New features

- Make it work with OpenLDAP's krb5 overlay

Release Notes - Heimdal - Version Heimdal 1.3

New features

- Partial support for MIT kadmind rpc protocol in kadmind
- Better support for finding keytab entries when using SPN aliases in the KDC
- Support BER in ASN.1 library (needed for CMS)
- Support decryption with Keychain private keys
- Support for new sqlite based credential cache
- Try both KDC referrals and the common DNS reverse lookup in GSS-API
- Fix the KCM to not leak resources on failure
- Add IPv6 support to iprop
- Support localization of error strings in
  kinit/klist/kdestroy and Kerberos library
- Remove Kerberos 4 support in applications (still in KDC)
- Deprecate DES
- Support i18n passwords in windows domains (using UTF-8)
- More complete API emulation of OpenSSL in hcrypto
- Support for ECDSA and ECDH when linking with OpenSSL

API changes

- Support for setting friendly name on credential caches
- Move to using doxygen to generate documentation.
- Sprinkling __attribute__((__deprecated__)) on old functions to be removed
- Support to export LAST-REQ information in AS-REQ
- Support for client deferrals in AS-REQ
- Add seek support for krb5_storage.
- Support for split AS-REQ, first step for IA-KERB
- Fix many memory leaks and bugs
- Improved regression tests
- Support krb5_cccol
- Switch to krb5_set_error_message
- Support krb5_crypto_*_iov
- Switch to use EVP for most functions
- Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
- Add support for GSS_C_DELEG_POLICY_FLAG
- Add krb5_cc_[gs]et_config to store data in the credential caches
- PTY testing application

Bugfixes

- Make building on AIX6 possible.
- Bugfixes in LDAP KDC code to make it more stable
- Make ipropd-slave reconnect when the master goes down

Release Notes - Heimdal - Version Heimdal 1.2.1

* Bug

  [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
  [HEIMDAL-151] - Make canned tests work again after cert expired
  [HEIMDAL-152] - iprop test: use full hostname to avoid realm
                  resolving errors
  [HEIMDAL-153] - ftp: Use the correct length for unmap, msync

Release Notes - Heimdal - Version Heimdal 1.2

* Bug

  [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
                 gss_display_name/gss_export_name when using SPNEGO
  [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
  [HEIMDAL-17] - Remove support for deprecated [libdefaults]capath
  [HEIMDAL-52] - hdb overwrite aliases for db databases
  [HEIMDAL-54] - Two issues which affect credentials delegation
  [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
  [HEIMDAL-62] - Fix printing of sig_atomic_t
  [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
  [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
  [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)

* Improvement

  [HEIMDAL-67] - Fix locking and store credentials in atomic writes
                 in the FILE credential cache
  [HEIMDAL-106] - make compile on cygwin again
  [HEIMDAL-107] - Replace old random key generation in des module
                  and use it with RAND_ functions instead
  [HEIMDAL-115] - Better documentation and compatibility in hcrypto
                  in regards to OpenSSL

* New Feature

  [HEIMDAL-3] - pkinit alg agility PRF test vectors
  [HEIMDAL-14] - Add libwind to Heimdal
  [HEIMDAL-16] - Use libwind in hx509
  [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
                 the negotiation
  [HEIMDAL-74] - Add support to report extended error message back
                 in AS-REQ to support windows clients
  [HEIMDAL-116] - test pty based application (using rkpty)
  [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)

* Task

  [HEIMDAL-63] - Don't try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
                 This drops compatibility with pre 0.3d KDCs.
  [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
  [HEIMDAL-65] - Failed to compile with --disable-pk-init
  [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
                 wraparound checks doesn't apply to Heimdal

Changes in release 1.1
|
|
|
|
* Read-only PKCS11 provider built-in to hx509.
|
|
|
|
* Documentation for hx509, hcrypto and ntlm libraries improved.
|
|
|
|
* Better compatibilty with Windows 2008 Server pre-releases and Vista.
|
|
|
|
* Mac OS X 10.5 support for native credential cache.
|
|
|
|
* Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
|
|
|
|
* Bug fixes.
|
|
|
|
Changes in release 1.0.2
|
|
|
|
* Ubuntu packages.
|
|
|
|
* Bug fixes.
|
|
|
|
Changes in release 1.0.1
|
|
|
|
* Serveral bug fixes to iprop.
|
|
|
|
* Make work on platforms without dlopen.
|
|
|
|
* Add RFC3526 modp group14 as default.
|
|
|
|
* Handle [kdc] database = { } entries without realm = stanzas.
|
|
|
|
* Make krb5_get_renewed_creds work.
|
|
|
|
* Make kaserver preauth work again.
|
|
|
|
* Bug fixes.
|
|
|
|
Changes in release 1.0
|
|
|
|
* Add gss_pseudo_random() for mechglue and krb5.
|
|
|
|
* Make session key for the krbtgt be selected by the best encryption
|
|
type of the client.

* Better interoperability with other PK-INIT implementations.

* Initial support for Mac OS X Keychain for hx509.

* Alias support for initial ticket requests.

* Add symbol versioning to selected libraries on platforms that use the
  GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.

* New version of imath included in hcrypto.

* Fix memory leaks.

* Bug fixes.

Changes in release 0.8.1

* Make the ASN.1 library less paranoid with regard to NUL in strings, to
  make it interoperate with MIT Kerberos again.

* Make the GSS-API library work again when using gss_acquire_cred.

* Add symbol versioning to libgssapi when using GNU ld.

* Fix memory leaks.

* Bug fixes.

Changes in release 0.8

* PK-INIT support.

* HDB extensions support, used by PK-INIT.

* New ASN.1 compiler.

* GSS-API mechglue from FreeBSD.

* Updated SPNEGO to support RFC 4178.

* Support for Cryptosystem Negotiation Extension (RFC 4537).

* A new X.509 library (hx509) and related crypto functions.

* A new NTLM library (heimntlm) and related crypto functions.

* Updated the built-in crypto library with bignum support using
  imath, support for RSA and DH, and renamed it to libhcrypto.

* New subsystem in the KDC, digest, that performs the digest
  operation in the KDC; currently supports CHAP, MS-CHAP-V2, SASL
  DIGEST-MD5, NTLMv1 and NTLMv2.

* The KDC returns the "response too big" error (KRB_ERR_RESPONSE_TOO_BIG)
  to force TCP retries when a UDP reply would exceed the limit (default
  1400 bytes). This is common for PK-INIT requests.

* Libkafs defaults to using 2b tokens.

* Default to using the API cache on Mac OS X.

* krb5_kuserok() also checks the ~/.k5login.d directory for ACL files;
  see the krb5_kuserok man page for a description.

* Many, many other updates to code, the info manual and manual pages.

* Bug fixes

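The UDP-to-TCP fallback behind the "response too big" item, as an added example that is not Heimdal code: a constructed KDC stand-in applies the rule from the note (a reply that would not fit in the default 1400-byte UDP limit is replaced by a KRB-ERROR carrying error code 52), and the client retries over TCP, where RFC 4120 frames every message with a 4-byte big-endian length whose high bit must be zero. The DER helpers build and read only the required KRB-ERROR fields; the realm, the timestamp and the reply payloads are made up for the example.

```python
"""UDP-to-TCP fallback for oversized KDC replies (RFC 4120 section 7.2).

Added example, not Heimdal code. kdc_answer() is a constructed stand-in
for the KDC's decision; client_exchange() is the client side of it.
"""
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 error code
MAX_UDP_REPLY = 1400            # Heimdal's documented default limit


# --- minimal DER helpers, enough to build and read a KRB-ERROR ---------------

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    # Two's-complement, minimal length, as DER requires.
    return der_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def der_ctx(n, body):
    return der_tlv(0xA0 | n, body)   # [n] EXPLICIT, constructed


def der_walk(data):
    """Yield (tag, body) for each TLV in a constructed DER body."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:
            nbytes = ln & 0x7F
            ln = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + ln]
        i += ln


def build_krb_error(error_code, realm="EXAMPLE.COM"):
    """KRB-ERROR ::= [APPLICATION 30] SEQUENCE, required fields only."""
    sname = der_tlv(0x30,
                    der_ctx(0, der_int(2)) +                       # name-type NT-SRV-INST
                    der_ctx(1, der_tlv(0x30, der_tlv(0x1B, b"krbtgt") +
                                             der_tlv(0x1B, realm.encode()))))
    fields = (der_ctx(0, der_int(5)) +                             # pvno
              der_ctx(1, der_int(30)) +                            # msg-type (KRB-ERROR)
              der_ctx(4, der_tlv(0x18, b"20240101000000Z")) +     # stime (constructed value)
              der_ctx(5, der_int(0)) +                             # susec
              der_ctx(6, der_int(error_code)) +                    # error-code
              der_ctx(9, der_tlv(0x1B, realm.encode())) +          # realm
              der_ctx(10, sname))                                  # sname
    return der_tlv(0x7E, der_tlv(0x30, fields))                    # 0x7E = [APPLICATION 30]


def krb_error_code(msg):
    """Return the error-code of a KRB-ERROR, or None if msg is not one."""
    if not msg or msg[0] != 0x7E:
        return None
    _, app_body = next(der_walk(msg))       # the SEQUENCE inside [APPLICATION 30]
    _, fields = next(der_walk(app_body))    # the SEQUENCE's members
    for tag, body in der_walk(fields):
        if tag == 0xA6:                      # [6] error-code
            _, val = next(der_walk(body))
            return int.from_bytes(val, "big", signed=True)
    return None


# --- TCP framing (RFC 4120 section 7.2.2) ------------------------------------

def tcp_frame(msg):
    if len(msg) >= 1 << 31:
        raise ValueError("high bit of the length field is reserved")
    return struct.pack(">I", len(msg)) + msg


def tcp_unframe(data):
    (ln,) = struct.unpack(">I", data[:4])
    if ln & 0x80000000:
        raise ValueError("reserved high bit set in TCP length prefix")
    if len(data) < 4 + ln:
        raise ValueError("truncated TCP record")
    return data[4:4 + ln]


# --- constructed KDC stand-in and the client's fallback ----------------------

def kdc_answer(reply, over_tcp, max_udp=MAX_UDP_REPLY):
    """The rule from the release note: an oversized UDP reply becomes error 52."""
    if not over_tcp and len(reply) > max_udp:
        return build_krb_error(KRB_ERR_RESPONSE_TOO_BIG)
    return reply


def client_exchange(reply, max_udp=MAX_UDP_REPLY):
    """Try UDP first; on KRB_ERR_RESPONSE_TOO_BIG retry once over TCP.
    Returns (transport_used, response_bytes)."""
    udp_resp = kdc_answer(reply, over_tcp=False, max_udp=max_udp)
    if krb_error_code(udp_resp) != KRB_ERR_RESPONSE_TOO_BIG:
        return "udp", udp_resp
    tcp_resp = tcp_unframe(tcp_frame(kdc_answer(reply, over_tcp=True)))
    return "tcp", tcp_resp
```

The KRB-ERROR is not authenticated, so the client treats error 52 only as a hint to retry over TCP exactly once; it never loops on it and never acts on any other field of the error. A reply is never trusted for being large: the retry carries the same request, and whatever comes back over TCP still has to decrypt under the client's key.
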
Changes in release 0.7.2

* Fix security problem in rshd that enabled an attacker to overwrite
  and change ownership of any file that root could write.

* Fix a DoS in telnetd. The attacker could force the server to crash
  in a NULL dereference before the user logged in, resulting in inetd
  turning telnetd off because it forked too fast.

* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
  exists in the keytab before returning success. This allows servers
  to check whether it is even possible to use GSSAPI.

* Fix the receiving end of token delegation for GSS-API. It still wrongly
  uses the subkey for sending, for compatibility reasons; this will change
  in 0.8.

* telnetd, login and rshd are now more verbose in logging failed and
  successful logins.

* Bug fixes

Changes in release 0.7.1

* Bug fixes

Changes in release 0.7

* Support for KCM, a process-based credential cache

* Support for the CCAPI credential cache

* SPNEGO support

* AES (and its GSS-API counterpart, CFX) support

* Add new and improve old documentation

* Bug fixes

Changes in release 0.6.6

* Fix security problem in rshd that enabled an attacker to overwrite
  and change ownership of any file that root could write.

* Fix a DoS in telnetd. The attacker could force the server to crash
  in a NULL dereference before the user logged in, resulting in inetd
  turning telnetd off because it forked too fast.

Changes in release 0.6.5

* fix vulnerabilities in telnetd

* unbreak Kerberos 4 and kaserver

Changes in release 0.6.4

* fix vulnerabilities in telnet

* rshd: encryption without a separate error socket should now work

* telnet now uses appdefaults for the encrypt and forward/forwardable
  settings

* bug fixes

Changes in release 0.6.3

* fix vulnerabilities in ftpd

* support for Linux AFS /proc "syscalls"

* support for RFC 3244 (Windows 2000 Kerberos Change/Set Password) in
  kpasswdd

* fix possible KDC denial of service

* bug fixes

Changes in release 0.6.2

* Fix possible buffer overrun in v4 kadmin (which now defaults to off)

Changes in release 0.6.1

* Fixed ARCFOUR support

* Fix cross-realm vulnerability

* kdc: fix denial of service attack

* kdc: stop clients from renewing tickets into the future

* bug fixes

Changes in release 0.6

* The DES3 GSS-API mechanism has been changed to interoperate with
  other GSS-API implementations. See the gssapi(3) man page for how to
  turn on generation of correct MIC messages. The next major release of
  Heimdal will generate correct MICs by default.

* More complete GSS-API support

* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
  support in applications no longer require Kerberos 4 libs

* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)

* other bug fixes

Changes in release 0.5.2

* kdc: add option for disabling v4 cross-realm (defaults to off)

* bug fixes

Changes in release 0.5.1

* kadmind: fix remote exploit

* kadmind: add option to disable Kerberos 4

* kdc: make sure kaserver token life is positive

* telnet: use the session key if there is no subkey

* fix EPSV parsing in ftp

* other bug fixes

Changes in release 0.5

* add --detach option to kdc

* allow setting forward and forwardable option in telnet from
  .telnetrc, with override from command line

* accept addresses with or without ports in krb5_rd_cred

* make it work with modern OpenSSL

* use our own string2key function even with OpenSSL (which handles weak
  keys incorrectly)

* more system-specific requirements in login

* do not use getlogin() to determine root in su

* telnet: abort if telnetd does not support encryption

* update autoconf to 2.53

* update config.guess, config.sub

* other bug fixes

Changes in release 0.4e

* improve libcrypto and database autoconf tests

* do not care about salting of server principals when serving v4 requests

* some improvements to the gssapi library

* test for existing compile_et/libcom_err

* portability fixes

* bug fixes

Changes in release 0.4d

* fix some problems when using libcrypto from OpenSSL

* handle /dev/ptmx `unix98' ptys on Linux

* add some forgotten man pages

* rsh: clean-up and add man page

* fix -A and -a in builtin-ls in ftpd

* fix building problem on Irix

* make `ktutil get' more efficient

* bug fixes

Changes in release 0.4c

* fix buffer overrun in telnetd

* repair some of the v4 fallback code in kinit

* add more shared library dependencies

* simplify and fix hprop handling of v4 databases

* fix some building problems (OSF's SIA and osfc2 login)

* bug fixes

Changes in release 0.4b

* update the shared library version numbers correctly

Changes in release 0.4a

* corrected the key used for the checksum in mk_safe; unfortunately this
  makes it backwards incompatible

* update to autoconf 2.50, libtool 1.4

* re-write dns/config lookups (krb5_krbhst API)

* make order of using subkeys consistent

* add man page links

* add more man pages

* remove RFC 2052 support, now only RFC 2782 is supported

* always build with kaserver protocol support in the KDC (assuming
  KRB4 is enabled) and support for reading kaserver databases in
  hprop

Changes in release 0.3f

* change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
  the new keytab type that tries both of these in order (SRVTAB is
  also an alias for krb4:)

* improve error reporting and error handling (error messages should
  be more detailed and more useful)

* improve building with OpenSSL

* add kadmin -K, rcp -F

* fix two incorrect weak DES keys

* fix building of kaserver compat in KDC

* the API is closer to what MIT krb5 is using

* more compatible with Windows 2000

* removed some memory leaks

* bug fixes

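The weak-key handling behind two items above, "fix two incorrect weak DES keys" (0.3f) and "use our own string2key function even with OpenSSL (which handles weak keys incorrectly)" (0.5), as an added example that is not Heimdal code. The table is the 16 weak and semi-weak DES keys from FIPS PUB 74 written with odd parity, and des_key_correction() is the key_correction() step of RFC 3961 section 6.2 (fix parity, then XOR 0xF0 into the last byte if the key is weak). A wrong table entry either lets a weak key through or "corrects" a good one, and a string-to-key that skips the step can hand out a weak key; the full fan-fold string-to-key itself is not reproduced.

```python
"""DES weak keys, parity fixing and the RFC 3961 key correction step.

Added example, not Heimdal code.
"""

DES_WEAK_KEYS = frozenset(bytes.fromhex(h) for h in (
    # weak keys
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    # semi-weak key pairs
    "011F011F010E010E", "1F011F010E010E01",
    "01E001E001F101F1", "E001E001F101F101",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
))


def des_set_odd_parity(key):
    """Set bit 0 of every byte so that each byte has an odd number of 1 bits.
    Only the upper 7 bits of each byte are key material; bit 0 is parity."""
    out = bytearray()
    for b in key:
        upper = b & 0xFE
        ones = bin(upper).count("1")
        out.append(upper | (0 if ones % 2 else 1))
    return bytes(out)


def des_is_weak_key(key):
    """True if the parity-adjusted 8-byte key is weak or semi-weak."""
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes")
    return des_set_odd_parity(key) in DES_WEAK_KEYS


def des_key_correction(key):
    """RFC 3961 6.2: fixparity(key); if is_weak_des_key(key) key[7] ^= 0xF0.
    XORing 0xF0 flips four bits, so parity of the last byte is preserved."""
    key = des_set_odd_parity(key)
    if des_is_weak_key(key):
        key = key[:7] + bytes([key[7] ^ 0xF0])
    return key
```

The check compares the parity-adjusted key, so an all-zero key (parity-adjusted to 01 01 ... 01) is recognised as weak even though it does not literally appear in the table; that is the case a parity-unaware comparison misses.
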
Changes in release 0.3e

* rcp program included

* fix buffer overrun in ftpd

* treat omitted sequence numbers as zero, to handle MIT krb5, which
  cannot generate zero sequence numbers

* handle v4 /.k files better

* configure/portability fixes

* fixes in parsing of options to kadmin (sub-)commands

* handle errors in kadmin load better

* bug fixes

Changes in release 0.3d

* add krb5-config

* fix a bug in the 3DES GSS-API mechanism, making it compatible with the
  specification and the MIT implementation

* make telnetd only allow a specific list of environment variables, to
  stop it from setting `sensitive' variables supplied by the client

* try to use an existing libdes

* lib/krb5, kdc: use the correct key usage for AP-REQ messages. This
  should improve compatibility with MIT krb5 when using 3DES
  encryption types

* kdc: fix memory allocation problem

* update config.guess and config.sub

* lib/roken: more stuff implemented

* bug fixes and portability enhancements

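The environment allowlist behind the telnetd item in 0.3d, as an added example that is not Heimdal's telnetd: it parses the body of a NEW-ENVIRON (RFC 1572) IS or INFO suboption as a client sends it and keeps only the variables on a server-side allowlist, so names like LD_PRELOAD, LD_LIBRARY_PATH, IFS, PATH or TERMCAP never reach login, without the server having to enumerate every dangerous name. The allowlist contents and the sample suboption body are assumptions made for the example.

```python
"""Allowlist filtering of client-supplied telnet environment variables.

Added example, not Heimdal's telnetd.
"""

# NEW-ENVIRON codes from RFC 1572 (IS and VAR are both 0; parsing is positional).
IS, SEND, INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

# Assumed server policy: the only names the server will import from a client.
ALLOWED_VARS = frozenset({"TERM", "DISPLAY", "LANG", "PRINTER", "COLUMNS", "LINES"})


def _read_text(body, i, out):
    """Copy bytes into out until the next unescaped VAR/VALUE/USERVAR."""
    while i < len(body):
        b = body[i]
        if b == ESC:                       # ESC quotes the next byte, whatever it is
            if i + 1 >= len(body):
                raise ValueError("dangling ESC")
            out.append(body[i + 1])
            i += 2
        elif b in (VAR, VALUE, USERVAR):
            break
        else:
            out.append(b)
            i += 1
    return i


def parse_new_environ(body):
    """Parse an IS/INFO body into [(kind, name, value)]; value is None when
    the client sent the name without a VALUE, which means "unset"."""
    if not body or body[0] not in (IS, INFO):
        raise ValueError("expected IS or INFO")
    items, cur, i = [], None, 1
    while i < len(body):
        t = body[i]
        if t in (VAR, USERVAR):
            if cur is not None:
                items.append(cur)
            cur = [t, bytearray(), None]
            i = _read_text(body, i + 1, cur[1])
        elif t == VALUE:
            if cur is None:
                raise ValueError("VALUE without a preceding VAR/USERVAR")
            cur[2] = bytearray()
            i = _read_text(body, i + 1, cur[2])
        else:
            raise ValueError("unexpected type byte %d" % t)
    if cur is not None:
        items.append(cur)
    return [(k, bytes(n).decode("latin-1"),
             None if v is None else bytes(v).decode("latin-1"))
            for k, n, v in items]


def filter_environment(body, allowed=ALLOWED_VARS):
    """Return ({name: value} of accepted variables, [rejected names]).
    A variable is accepted only if its name is on the allowlist, it carries
    a value, and neither part can corrupt a NAME=VALUE environment entry."""
    env, rejected = {}, []
    for _kind, name, value in parse_new_environ(body):
        if (name not in allowed or value is None
                or "=" in name or "\0" in name or "\0" in value):
            rejected.append(name)
            continue
        env[name] = value
    return env, rejected


# Constructed client suboption body: a legitimate TERM and DISPLAY, plus an
# attempt to smuggle LD_PRELOAD and a USERVAR that is not on the list.
SAMPLE_BODY = (bytes([IS])
               + bytes([VAR]) + b"TERM" + bytes([VALUE]) + b"xterm"
               + bytes([VAR]) + b"LD_PRELOAD" + bytes([VALUE]) + b"/tmp/evil.so"
               + bytes([USERVAR]) + b"DISPLAY" + bytes([VALUE]) + b"host:0"
               + bytes([USERVAR]) + b"PS1" + bytes([VALUE]) + b"$ ")
```

Whether a name arrives as VAR or USERVAR makes no difference to the policy; the decision is purely on the name, and anything the parser cannot make sense of raises rather than being passed through half-parsed.
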
Changes in release 0.3c

* lib/krb5: memory caches now support the resolve operation

* appl/login: set PATH to some sane default

* kadmind: handle several realms

* bug fixes (including memory leaks)

Changes in release 0.3b

* kdc: prefer default-salted keys on v5 requests

* kdc: lowercase hostnames in v4 mode

* hprop: handle more types of MIT salts

* lib/krb5: fix memory leak

* bug fixes

Changes in release 0.3a:

* implement arcfour-hmac-md5 to interoperate with W2K

* modularise the handling of the master key, and allow for other
  encryption types. This makes it easier to import a database from
  some other source without having to re-encrypt all keys.

* allow for better control over which encryption types are created

* make kinit fall back to v4 if given a v4 KDC

* make klist work better with v4 and v5, and add some more MIT
  compatibility options

* make the kdc listen on the krb524 (4444) port for compatibility
  with MIT krb5 clients

* implement more DCE/DFS support, enabled with --enable-dce, see
  lib/kdfs and appl/dceutils

* make the sequence numbers work correctly

* bug fixes

Changes in release 0.2t:

* bug fixes

Changes in release 0.2s:

* add OpenLDAP support in hdb

* login will get v4 tickets when it receives forwarded tickets

* xnlock supports both v5 and v4

* repair source routing for telnet

* fix building problems with krb4 (krb_mk_req)

* bug fixes

Changes in release 0.2r:

* fix realloc memory corruption bug in kdc

* `add --key' and `cpw --key' in kadmin

* klist supports listing v4 tickets

* update config.guess and config.sub

* make v4 -> v5 principal name conversion more robust

* support for anonymous tickets

* new man pages

* telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

* use and set expiration and not password expiration when dumping
  to/from ka server databases / krb4 databases

* make the code happier with 64-bit time_t

* follow RFC 2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

* bug fix in tcp-handling in kdc

* bug fix in expand_hostname

Changes in release 0.2p:

* bug fix in `kadmin load/merge'

* bug fix in krb5_parse_address

Changes in release 0.2o:

* gss_{import,export}_sec_context added to libgssapi

* new option --addresses to kdc (for listening on an explicit set of
  addresses)

* bug fixes in the krb4 and kaserver emulation part of the kdc

* other bug fixes

Changes in release 0.2n:

* more robust parsing of dump files in kadmin
* changed default timestamp format for log messages to extended ISO
  8601 format (Y-M-DTH:M:S)
* changed md4/md5/sha1 APIs to be de-facto `standard'
* always make hostname into lower-case before creating principal
* small bits of more MIT compatibility
* bug fixes

Changes in release 0.2m:

* handle glibc's getaddrinfo() that returns several ai_canonname

* new endian test

* man page fixes

Changes in release 0.2l:

* bug fixes

Changes in release 0.2k:

* better IPv6 test

* make struct sockaddr_storage in roken work better on alphas

* some missing [hn]to[hn]s fixed.

* allow users to change their own passwords with kadmin (with initial
  tickets)

* fix stupid bug in parsing KDC specification

* add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

* builds on Irix

* ftpd works in passive mode

* should build on cygwin

* work around broken IPv6 code on OpenBSD 2.6, also add configure
  option --disable-ipv6

Changes in release 0.2i:

* use getaddrinfo in the missing places.

* fix SRV lookup for admin server

* use get{addr,name}info everywhere, and implement them in terms of
  getipnodeby{name,addr} (which use gethostbyname{,2} and
  gethostbyaddr)

Changes in release 0.2h:

* fix typo in kx (now compiles)

Changes in release 0.2g:

* lots of bug fixes:
* push works
* repair appl/test programs
* sockaddr_storage works on solaris (alignment issues)
* works better with non-roken getaddrinfo
* rsh works
* some non-standard C constructs removed

Changes in release 0.2f:

* support SRV records for kpasswd
* look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

* changed copyright notices to remove `advertising'-clause.
* get{addr,name}info added to roken and used in the other code
  (this makes things work much better with hosts with both v4 and v6
  addresses, among other things)
* do pre-auth for both password and key-based get_in_tkt
* support for having several databases
* new command `del_enctype' in kadmin
* strptime (and new strftime) added to roken
* more paranoia about finding libdb
* bug fixes

Changes in release 0.2d:

* new configuration option [libdefaults]default_etypes_des
* internal ls in ftpd builds without KRB4
* kx/rsh/push/pop_debug try v5 and v4 consistently
* build bug fixes
* other bug fixes

Changes in release 0.2c:

* bug fixes (see the ChangeLogs for details)

Changes in release 0.2b:

* bug fixes
* actually bump shared library versions

Changes in release 0.2a:

* a new program verify_krb5_conf for checking your /etc/krb5.conf
* add 3DES keys when changing password
* support null keys in database
* support multiple local realms
* implement a keytab backend for AFS KeyFiles
* implement a keytab backend for v4 srvtabs
* implement `ktutil copy'
* support password quality control in v4 kadmind
* improvements in v4 compat kadmind
* handle the case of having the correct cred in the ccache but with
  the wrong encryption type better
* v6-ify the remaining programs.
* internal ls in ftpd
* rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
* add `ank --random-password' and `cpw --random-password' in kadmin
* some programs and documentation for trying to talk to a W2K KDC
* bug fixes

Changes in release 0.1m:

* support for getting defaults from krb5.conf for kinit/kf/rsh/telnet.
  From Miroslav Ruda <ruda@ics.muni.cz>
* v6-ify hprop and hpropd
* support numeric addresses in krb5_mk_req
* shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
* make rsh/rshd IPv6-aware
* make the gssapi sample applications better at reporting errors
* handle systems with v6-aware libc and non-v6 kernels (like Linux
  with glibc 2.1) better
* hide failure of EPRT in ftp
* lots of bug fixes

Changes in release 0.1l:

* make ftp and ftpd IPv6-aware
* add inet_pton to roken
* more IPv6-awareness
* make mini_inetd v6 aware

Changes in release 0.1k:

* bump shared libraries versions
* add roken version of inet_ntop
* merge more changes to rshd

Changes in release 0.1j:

* restore the `old' 3DES code. This was supposed to be done
  in 0.1h and 0.1i but I did a CVS screw-up.
* make telnetd handle v6 connections

Changes in release 0.1i:

* start using `struct sockaddr_storage', which simplifies the code
  (with a fallback definition if it's not defined)
* bug fixes (including in hprop and kf)
* don't use mawk, which seems to mishandle roken.awk
* get_addrs should be able to handle v6 addresses on Linux (with the
  required patch to the Linux kernel -- ask within)
* rshd builds with shadow passwords

Changes in release 0.1h:

* kf: new program for forwarding credentials
* portability fixes
* make forwarding credentials work with MIT code
* better conversion of ka database
* add etc/services.append
* correct `modified by' from kpasswdd
* lots of bug fixes

Changes in release 0.1g:

* kgetcred: new program for explicitly obtaining tickets
* configure fixes
* krb5-aware kx
* bug fixes

Changes in release 0.1f:

* experimental support for v4 kadmin protocol in kadmind
* bug fixes

Changes in release 0.1e:

* try to handle old DCE and MIT KDCs
* support for older versions of credential cache files and keytabs
* postdated tickets work
* support for password quality checks in kpasswdd
* new flag --enable-kaserver for kdc
* renew fixes
* prototype su program
* updated (some) manpages
* support for KDC resource records
* should build with --without-krb4
* bug fixes

Changes in release 0.1d:

* Support building with DB2 (uses 1.85-compat API)
* Support krb5-realm.DOMAIN in DNS
* new `ktutil srvcreate'
* v4/kafs support in klist/kdestroy
* bug fixes

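The DNS names behind several items above, as an added example that is not Heimdal's krb5_krbhst code: the underscore-prefixed SRV owner names used for KDC, kpasswd and kadmin discovery (RFC 2782 only; the RFC 2052 names without underscores were dropped in 0.4a and 0.2r), and the _kerberos.<domain> and krb5-realm.<domain> TXT names tried, most specific first, to map a host to a realm (0.2f, 0.1d, and the KDC resource records of 0.1e). It also orders SRV answers by RFC 2782 priority and weight, which goes beyond the notes (they only say RFC 2782 is followed). The record set is constructed and the random source is injected so that the ordering can be checked.

```python
"""Kerberos DNS lookup names and RFC 2782 SRV ordering.

Added example, not Heimdal's krb5_krbhst code.
"""
import random

SRV_SERVICES = {
    # service -> (owner-name prefix, transports tried)
    "kdc":     ("_kerberos",     ("udp", "tcp")),
    "kpasswd": ("_kpasswd",      ("udp", "tcp")),
    "admin":   ("_kerberos-adm", ("tcp",)),
}

# Constructed answer set: (priority, weight, port, target).
RECORDS = [
    (10, 60, 88, "kdc1.example.com."),
    (10, 40, 88, "kdc2.example.com."),
    (0, 0, 88, "kdc0.example.com."),
]


def srv_names(realm, service):
    """RFC 2782 owner names: _service._proto.REALM."""
    prefix, protos = SRV_SERVICES[service]
    return ["%s._%s.%s." % (prefix, p, realm.rstrip(".")) for p in protos]


def realm_txt_names(hostname):
    """TXT owner names for host -> realm mapping, most specific first,
    trying both the _kerberos and the krb5-realm form at every level and
    stopping before the top-level label."""
    labels = hostname.rstrip(".").lower().split(".")
    names = []
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        names.append("_kerberos.%s." % suffix)
        names.append("krb5-realm.%s." % suffix)
    return names


def select_srv(records, rng=None):
    """Order SRV records per RFC 2782: ascending priority, and within one
    priority a weighted random order in which zero-weight records are
    listed first and are picked only when the random draw is 0."""
    if rng is None:
        rng = random.SystemRandom()
    by_prio = {}
    for rec in records:
        by_prio.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = sorted(by_prio[prio], key=lambda r: r[1] != 0)
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for idx, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:
                    ordered.append(pool.pop(idx))
                    break
    return ordered
```

None of these answers are authenticated unless the resolver validates DNSSEC. A spoofed TXT answer moves a host into a realm of the attacker's choosing, which is why host-to-realm mapping is better pinned in the [domain_realm] section of krb5.conf on a hostile network; a spoofed SRV answer cannot forge tickets, since the KDC still has to know the principal's key, but it is an easy denial of service.
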
Changes in release 0.1c:

* fix ASN.1 encoding of signed integers
* somewhat working `ktutil get'
* some documentation updates
* update to Autoconf 2.13 and Automake 1.4
* the usual bug fixes

Changes in release 0.1b:

* some old -> new crypto conversion utils
* bug fixes

Changes in release 0.1a:

* new crypto code
* more bug fixes
* make sure we ask for DES keys in gssapi
* support signed ints in ASN.1
* IPv6 bug fixes

Changes in release 0.0u:

* lots of bug fixes

Changes in release 0.0t:

* more robust parsing of krb5.conf
* include net{read,write} in lib/roken
* bug fixes

Changes in release 0.0s:

* kludges for parsing options to rsh
* more robust parsing of krb5.conf
* removed some arbitrary limits
* bug fixes

Changes in release 0.0r:

* default options for some programs
* bug fixes

Changes in release 0.0q:

* support for building shared libraries with libtool
* bug fixes

Changes in release 0.0p:

* keytab moved to /etc/krb5.keytab
* avoid false detection of IPv6 on Linux
* lots more functionality in the gssapi library
* hprop can now read ka-server databases
* bug fixes

Changes in release 0.0o:

* FTP with GSSAPI support.
* Bug fixes.

Changes in release 0.0n:

* Incremental database propagation.
* Somewhat improved kadmin UI; the stuff in admin is now removed.
* Some support for using enctypes instead of keytypes.
* Lots of other improvements and bug fixes, see ChangeLog for details.