mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-23 11:18:54 +00:00
626 lines
14 KiB
Plaintext
626 lines
14 KiB
Plaintext
Changes in release 0.6.3
|
|
|
|
* fix vulnerabilities in ftpd
|
|
|
|
* support for linux AFS /proc "syscalls"
|
|
|
|
* support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
|
|
kpasswdd
|
|
|
|
* fix possible KDC denial of service
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.6.2
|
|
|
|
* Fix possible buffer overrun in v4 kadmin (which now defaults to off)
|
|
|
|
Changes in release 0.6.1
|
|
|
|
* Fixed ARCFOUR suppport
|
|
|
|
* Cross realm vulnerability
|
|
|
|
* kdc: fix denial of service attack
|
|
|
|
* kdc: stop clients from renewing tickets into the future
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.6
|
|
|
|
* The DES3 GSS-API mechanism has been changed to inter-operate with
|
|
other GSSAPI implementations. See man page for gssapi(3) how to turn
|
|
on generation of correct MIC messages. Next major release of heimdal
|
|
will generate correct MIC by default.
|
|
|
|
* More complete GSS-API support
|
|
|
|
* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
|
|
support in applications no longer requires Kerberos 4 libs
|
|
|
|
* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
|
|
|
|
* other bug fixes
|
|
|
|
Changes in release 0.5.2
|
|
|
|
* kdc: add option for disabling v4 cross-realm (defaults to off)
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.5.1
|
|
|
|
* kadmind: fix remote exploit
|
|
|
|
* kadmind: add option to disable kerberos 4
|
|
|
|
* kdc: make sure kaserver token life is positive
|
|
|
|
* telnet: use the session key if there is no subkey
|
|
|
|
* fix EPSV parsing in ftp
|
|
|
|
* other bug fixes
|
|
|
|
Changes in release 0.5
|
|
|
|
* add --detach option to kdc
|
|
|
|
* allow setting forward and forwardable option in telnet from
|
|
.telnetrc, with override from command line
|
|
|
|
* accept addresses with or without ports in krb5_rd_cred
|
|
|
|
* make it work with modern openssl
|
|
|
|
* use our own string2key function even with openssl (that handles weak
|
|
keys incorrectly)
|
|
|
|
* more system-specific requirements in login
|
|
|
|
* do not use getlogin() to determine root in su
|
|
|
|
* telnet: abort if telnetd does not support encryption
|
|
|
|
* update autoconf to 2.53
|
|
|
|
* update config.guess, config.sub
|
|
|
|
* other bug fixes
|
|
|
|
Changes in release 0.4e
|
|
|
|
* improve libcrypto and database autoconf tests
|
|
|
|
* do not care about salting of server principals when serving v4 requests
|
|
|
|
* some improvements to gssapi library
|
|
|
|
* test for existing compile_et/libcom_err
|
|
|
|
* portability fixes
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.4d
|
|
|
|
* fix some problems when using libcrypto from openssl
|
|
|
|
* handle /dev/ptmx `unix98' ptys on Linux
|
|
|
|
* add some forgotten man pages
|
|
|
|
* rsh: clean-up and add man page
|
|
|
|
* fix -A and -a in builtin-ls in tpd
|
|
|
|
* fix building problem on Irix
|
|
|
|
* make `ktutil get' more efficient
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.4c
|
|
|
|
* fix buffer overrun in telnetd
|
|
|
|
* repair some of the v4 fallback code in kinit
|
|
|
|
* add more shared library dependencies
|
|
|
|
* simplify and fix hprop handling of v4 databases
|
|
|
|
* fix some building problems (osf's sia and osfc2 login)
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.4b
|
|
|
|
* update the shared library version numbers correctly
|
|
|
|
Changes in release 0.4a
|
|
|
|
* corrected key used for checksum in mk_safe, unfortunately this
|
|
makes it backwards incompatible
|
|
|
|
* update to autoconf 2.50, libtool 1.4
|
|
|
|
* re-write dns/config lookups (krb5_krbhst API)
|
|
|
|
* make order of using subkeys consistent
|
|
|
|
* add man page links
|
|
|
|
* add more man pages
|
|
|
|
* remove rfc2052 support, now only rfc2782 is supported
|
|
|
|
* always build with kaserver protocol support in the KDC (assuming
|
|
KRB4 is enabled) and support for reading kaserver databases in
|
|
hprop
|
|
|
|
Changes in release 0.3f
|
|
|
|
* change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
|
|
the new keytab type that tries both of these in order (SRVTAB is
|
|
also an alias for krb4:)
|
|
|
|
* improve error reporting and error handling (error messages should
|
|
be more detailed and more useful)
|
|
|
|
* improve building with openssl
|
|
|
|
* add kadmin -K, rcp -F
|
|
|
|
* fix two incorrect weak DES keys
|
|
|
|
* fix building of kaserver compat in KDC
|
|
|
|
* the API is closer to what MIT krb5 is using
|
|
|
|
* more compatible with windows 2000
|
|
|
|
* removed some memory leaks
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.3e
|
|
|
|
* rcp program included
|
|
|
|
* fix buffer overrun in ftpd
|
|
|
|
* handle omitted sequence numbers as zeroes to handle MIT krb5 that
|
|
cannot generate zero sequence numbers
|
|
|
|
* handle v4 /.k files better
|
|
|
|
* configure/portability fixes
|
|
|
|
* fixes in parsing of options to kadmin (sub-)commands
|
|
|
|
* handle errors in kadmin load better
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.3d
|
|
|
|
* add krb5-config
|
|
|
|
* fix a bug in 3des gss-api mechanism, making it compatible with the
|
|
specification and the MIT implementation
|
|
|
|
* make telnetd only allow a specific list of environment variables to
|
|
stop it from setting `sensitive' variables
|
|
|
|
* try to use an existing libdes
|
|
|
|
* lib/krb5, kdc: use correct usage type for ap-req messages. This
|
|
should improve compatability with MIT krb5 when using 3DES
|
|
encryption types
|
|
|
|
* kdc: fix memory allocation problem
|
|
|
|
* update config.guess and config.sub
|
|
|
|
* lib/roken: more stuff implemented
|
|
|
|
* bug fixes and portability enhancements
|
|
|
|
Changes in release 0.3c
|
|
|
|
* lib/krb5: memory caches now support the resolve operation
|
|
|
|
* appl/login: set PATH to some sane default
|
|
|
|
* kadmind: handle several realms
|
|
|
|
* bug fixes (including memory leaks)
|
|
|
|
Changes in release 0.3b
|
|
|
|
* kdc: prefer default-salted keys on v5 requests
|
|
|
|
* kdc: lowercase hostnames in v4 mode
|
|
|
|
* hprop: handle more types of MIT salts
|
|
|
|
* lib/krb5: fix memory leak
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.3a:
|
|
|
|
* implement arcfour-hmac-md5 to interoperate with W2K
|
|
|
|
* modularise the handling of the master key, and allow for other
|
|
encryption types. This makes it easier to import a database from
|
|
some other source without having to re-encrypt all keys.
|
|
|
|
* allow for better control over which encryption types are created
|
|
|
|
* make kinit fallback to v4 if given a v4 KDC
|
|
|
|
* make klist work better with v4 and v5, and add some more MIT
|
|
compatibility options
|
|
|
|
* make the kdc listen on the krb524 (4444) port for compatibility
|
|
with MIT krb5 clients
|
|
|
|
* implement more DCE/DFS support, enabled with --enable-dce, see
|
|
lib/kdfs and appl/dceutils
|
|
|
|
* make the sequence numbers work correctly
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.2t:
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.2s:
|
|
|
|
* add OpenLDAP support in hdb
|
|
|
|
* login will get v4 tickets when it receives forwarded tickets
|
|
|
|
* xnlock supports both v5 and v4
|
|
|
|
* repair source routing for telnet
|
|
|
|
* fix building problems with krb4 (krb_mk_req)
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.2r:
|
|
|
|
* fix realloc memory corruption bug in kdc
|
|
|
|
* `add --key' and `cpw --key' in kadmin
|
|
|
|
* klist supports listing v4 tickets
|
|
|
|
* update config.guess and config.sub
|
|
|
|
* make v4 -> v5 principal name conversion more robust
|
|
|
|
* support for anonymous tickets
|
|
|
|
* new man-pages
|
|
|
|
* telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
|
|
|
|
* use and set expiration and not password expiration when dumping
|
|
to/from ka server databases / krb4 databases
|
|
|
|
* make the code happier with 64-bit time_t
|
|
|
|
* follow RFC2782 and by default do not look for non-underscore SRV names
|
|
|
|
Changes in release 0.2q:
|
|
|
|
* bug fix in tcp-handling in kdc
|
|
|
|
* bug fix in expand_hostname
|
|
|
|
Changes in release 0.2p:
|
|
|
|
* bug fix in `kadmin load/merge'
|
|
|
|
* bug fix in krb5_parse_address
|
|
|
|
Changes in release 0.2o:
|
|
|
|
* gss_{import,export}_sec_context added to libgssapi
|
|
|
|
* new option --addresses to kdc (for listening on an explicit set of
|
|
addresses)
|
|
|
|
* bug fixes in the krb4 and kaserver emulation part of the kdc
|
|
|
|
* other bug fixes
|
|
|
|
Changes in release 0.2n:
|
|
|
|
* more robust parsing of dump files in kadmin
|
|
* changed default timestamp format for log messages to extended ISO
|
|
8601 format (Y-M-DTH:M:S)
|
|
* changed md4/md5/sha1 APIes to be de-facto `standard'
|
|
* always make hostname into lower-case before creating principal
|
|
* small bits of more MIT-compatability
|
|
* bug fixes
|
|
|
|
Changes in release 0.2m:
|
|
|
|
* handle glibc's getaddrinfo() that returns several ai_canonname
|
|
|
|
* new endian test
|
|
|
|
* man pages fixes
|
|
|
|
Changes in release 0.2l:
|
|
|
|
* bug fixes
|
|
|
|
Changes in release 0.2k:
|
|
|
|
* better IPv6 test
|
|
|
|
* make struct sockaddr_storage in roken work better on alphas
|
|
|
|
* some missing [hn]to[hn]s fixed.
|
|
|
|
* allow users to change their own passwords with kadmin (with initial
|
|
tickets)
|
|
|
|
* fix stupid bug in parsing KDC specification
|
|
|
|
* add `ktutil change' and `ktutil purge'
|
|
|
|
Changes in release 0.2j:
|
|
|
|
* builds on Irix
|
|
|
|
* ftpd works in passive mode
|
|
|
|
* should build on cygwin
|
|
|
|
* work around broken IPv6-code on OpenBSD 2.6, also add configure
|
|
option --disable-ipv6
|
|
|
|
Changes in release 0.2i:
|
|
|
|
* use getaddrinfo in the missing places.
|
|
|
|
* fix SRV lookup for admin server
|
|
|
|
* use get{addr,name}info everywhere. and implement it in terms of
|
|
getipnodeby{name,addr} (which uses gethostbyname{,2} and
|
|
gethostbyaddr)
|
|
|
|
Changes in release 0.2h:
|
|
|
|
* fix typo in kx (now compiles)
|
|
|
|
Changes in release 0.2g:
|
|
|
|
* lots of bug fixes:
|
|
* push works
|
|
* repair appl/test programs
|
|
* sockaddr_storage works on solaris (alignment issues)
|
|
* works better with non-roken getaddrinfo
|
|
* rsh works
|
|
* some non standard C constructs removed
|
|
|
|
Changes in release 0.2f:
|
|
|
|
* support SRV records for kpasswd
|
|
* look for both _kerberos and krb5-realm when doing host -> realm mapping
|
|
|
|
Changes in release 0.2e:
|
|
|
|
* changed copyright notices to remove `advertising'-clause.
|
|
* get{addr,name}info added to roken and used in the other code
|
|
(this makes things work much better with hosts with both v4 and v6
|
|
addresses, among other things)
|
|
* do pre-auth for both password and key-based get_in_tkt
|
|
* support for having several databases
|
|
* new command `del_enctype' in kadmin
|
|
* strptime (and new strftime) add to roken
|
|
* more paranoia about finding libdb
|
|
* bug fixes
|
|
|
|
Changes in release 0.2d:
|
|
|
|
* new configuration option [libdefaults]default_etypes_des
|
|
* internal ls in ftpd builds without KRB4
|
|
* kx/rsh/push/pop_debug tries v5 and v4 consistenly
|
|
* build bug fixes
|
|
* other bug fixes
|
|
|
|
Changes in release 0.2c:
|
|
|
|
* bug fixes (see ChangeLog's for details)
|
|
|
|
Changes in release 0.2b:
|
|
|
|
* bug fixes
|
|
* actually bump shared library versions
|
|
|
|
Changes in release 0.2a:
|
|
|
|
* a new program verify_krb5_conf for checking your /etc/krb5.conf
|
|
* add 3DES keys when changing password
|
|
* support null keys in database
|
|
* support multiple local realms
|
|
* implement a keytab backend for AFS KeyFile's
|
|
* implement a keytab backend for v4 srvtabs
|
|
* implement `ktutil copy'
|
|
* support password quality control in v4 kadmind
|
|
* improvements in v4 compat kadmind
|
|
* handle the case of having the correct cred in the ccache but with
|
|
the wrong encryption type better
|
|
* v6-ify the remaining programs.
|
|
* internal ls in ftpd
|
|
* rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
|
|
* add `ank --random-password' and `cpw --random-password' in kadmin
|
|
* some programs and documentation for trying to talk to a W2K KDC
|
|
* bug fixes
|
|
|
|
Changes in release 0.1m:
|
|
|
|
* support for getting default from krb5.conf for kinit/kf/rsh/telnet.
|
|
From Miroslav Ruda <ruda@ics.muni.cz>
|
|
* v6-ify hprop and hpropd
|
|
* support numeric addresses in krb5_mk_req
|
|
* shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
|
|
* make rsh/rshd IPv6-aware
|
|
* make the gssapi sample applications better at reporting errors
|
|
* lots of bug fixes
|
|
* handle systems with v6-aware libc and non-v6 kernels (like Linux
|
|
with glibc 2.1) better
|
|
* hide failure of ERPT in ftp
|
|
* lots of bug fixes
|
|
|
|
Changes in release 0.1l:
|
|
|
|
* make ftp and ftpd IPv6-aware
|
|
* add inet_pton to roken
|
|
* more IPv6-awareness
|
|
* make mini_inetd v6 aware
|
|
|
|
Changes in release 0.1k:
|
|
|
|
* bump shared libraries versions
|
|
* add roken version of inet_ntop
|
|
* merge more changes to rshd
|
|
|
|
Changes in release 0.1j:
|
|
|
|
* restore back to the `old' 3DES code. This was supposed to be done
|
|
in 0.1h and 0.1i but I did a CVS screw-up.
|
|
* make telnetd handle v6 connections
|
|
|
|
Changes in release 0.1i:
|
|
|
|
* start using `struct sockaddr_storage' which simplifies the code
|
|
(with a fallback definition if it's not defined)
|
|
* bug fixes (including in hprop and kf)
|
|
* don't use mawk which seems to mishandle roken.awk
|
|
* get_addrs should be able to handle v6 addresses on Linux (with the
|
|
required patch to the Linux kernel -- ask within)
|
|
* rshd builds with shadow passwords
|
|
|
|
Changes in release 0.1h:
|
|
|
|
* kf: new program for forwarding credentials
|
|
* portability fixes
|
|
* make forwarding credentials work with MIT code
|
|
* better conversion of ka database
|
|
* add etc/services.append
|
|
* correct `modified by' from kpasswdd
|
|
* lots of bug fixes
|
|
|
|
Changes in release 0.1g:
|
|
|
|
* kgetcred: new program for explicitly obtaining tickets
|
|
* configure fixes
|
|
* krb5-aware kx
|
|
* bug fixes
|
|
|
|
Changes in release 0.1f;
|
|
|
|
* experimental support for v4 kadmin protokoll in kadmind
|
|
* bug fixes
|
|
|
|
Changes in release 0.1e:
|
|
|
|
* try to handle old DCE and MIT kdcs
|
|
* support for older versions of credential cache files and keytabs
|
|
* postdated tickets work
|
|
* support for password quality checks in kpasswdd
|
|
* new flag --enable-kaserver for kdc
|
|
* renew fixes
|
|
* prototype su program
|
|
* updated (some) manpages
|
|
* support for KDC resource records
|
|
* should build with --without-krb4
|
|
* bug fixes
|
|
|
|
Changes in release 0.1d:
|
|
|
|
* Support building with DB2 (uses 1.85-compat API)
|
|
* Support krb5-realm.DOMAIN in DNS
|
|
* new `ktutil srvcreate'
|
|
* v4/kafs support in klist/kdestroy
|
|
* bug fixes
|
|
|
|
Changes in release 0.1c:
|
|
|
|
* fix ASN.1 encoding of signed integers
|
|
* somewhat working `ktutil get'
|
|
* some documentation updates
|
|
* update to Autoconf 2.13 and Automake 1.4
|
|
* the usual bug fixes
|
|
|
|
Changes in release 0.1b:
|
|
|
|
* some old -> new crypto conversion utils
|
|
* bug fixes
|
|
|
|
Changes in release 0.1a:
|
|
|
|
* new crypto code
|
|
* more bug fixes
|
|
* make sure we ask for DES keys in gssapi
|
|
* support signed ints in ASN1
|
|
* IPv6-bug fixes
|
|
|
|
Changes in release 0.0u:
|
|
|
|
* lots of bug fixes
|
|
|
|
Changes in release 0.0t:
|
|
|
|
* more robust parsing of krb5.conf
|
|
* include net{read,write} in lib/roken
|
|
* bug fixes
|
|
|
|
Changes in release 0.0s:
|
|
|
|
* kludges for parsing options to rsh
|
|
* more robust parsing of krb5.conf
|
|
* removed some arbitrary limits
|
|
* bug fixes
|
|
|
|
Changes in release 0.0r:
|
|
|
|
* default options for some programs
|
|
* bug fixes
|
|
|
|
Changes in release 0.0q:
|
|
|
|
* support for building shared libraries with libtool
|
|
* bug fixes
|
|
|
|
Changes in release 0.0p:
|
|
|
|
* keytab moved to /etc/krb5.keytab
|
|
* avoid false detection of IPv6 on Linux
|
|
* Lots of more functionality in the gssapi-library
|
|
* hprop can now read ka-server databases
|
|
* bug fixes
|
|
|
|
Changes in release 0.0o:
|
|
|
|
* FTP with GSSAPI support.
|
|
* Bug fixes.
|
|
|
|
Changes in release 0.0n:
|
|
|
|
* Incremental database propagation.
|
|
* Somewhat improved kadmin ui; the stuff in admin is now removed.
|
|
* Some support for using enctypes instead of keytypes.
|
|
* Lots of other improvement and bug fixes, see ChangeLog for details.
|