Changes in release 0.5.2
* kdc: add option for disabling v4 cross-realm (defaults to off)

Changes in release 0.5.1
* kadmind: fix remote exploit
* kadmind: add option to disable kerberos 4
* kdc: make sure kaserver token life is positive
* telnet: use the session key if there is no subkey
* fix EPSV parsing in ftp

Changes in release 0.5
* add --detach option to kdc
* allow setting forward and forwardable option in telnet from
  .telnetrc, with override from command line
* accept addresses with or without ports in krb5_rd_cred
* make it work with modern openssl
* use our own string2key function even with openssl (that handles weak
* more system-specific requirements in login
* do not use getlogin() to determine root in su
* telnet: abort if telnetd does not support encryption
* update autoconf to 2.53
* update config.guess, config.sub

Changes in release 0.4e
* improve libcrypto and database autoconf tests
* do not care about salting of server principals when serving v4 requests
* some improvements to gssapi library
* test for existing compile_et/libcom_err

Changes in release 0.4d
* fix some problems when using libcrypto from openssl
* handle /dev/ptmx `unix98' ptys on Linux
* add some forgotten man pages
* rsh: clean-up and add man page
* fix -A and -a in builtin-ls in ftpd
* fix building problem on Irix
* make `ktutil get' more efficient

Changes in release 0.4c
* fix buffer overrun in telnetd
* repair some of the v4 fallback code in kinit
* add more shared library dependencies
* simplify and fix hprop handling of v4 databases
* fix some building problems (osf's sia and osfc2 login)

Changes in release 0.4b
* update the shared library version numbers correctly

Changes in release 0.4a
* corrected key used for checksum in mk_safe, unfortunately this
  makes it backwards incompatible
* update to autoconf 2.50, libtool 1.4
* re-write dns/config lookups (krb5_krbhst API)
* make order of using subkeys consistent
* remove rfc2052 support, now only rfc2782 is supported
* always build with kaserver protocol support in the KDC (assuming
  KRB4 is enabled) and support for reading kaserver databases in

Changes in release 0.3f
* change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
  the new keytab type that tries both of these in order (SRVTAB is
  also an alias for krb4:)
* improve error reporting and error handling (error messages should
  be more detailed and more useful)
* improve building with openssl
* add kadmin -K, rcp -F
* fix two incorrect weak DES keys
* fix building of kaserver compat in KDC
* the API is closer to what MIT krb5 is using
* more compatible with windows 2000
* removed some memory leaks

Changes in release 0.3e
* rcp program included
* fix buffer overrun in ftpd
* handle omitted sequence numbers as zeroes to handle MIT krb5 that
  cannot generate zero sequence numbers
* handle v4 /.k files better
* configure/portability fixes
* fixes in parsing of options to kadmin (sub-)commands
* handle errors in kadmin load better

Changes in release 0.3d
* fix a bug in 3des gss-api mechanism, making it compatible with the
  specification and the MIT implementation
* make telnetd only allow a specific list of environment variables to
  stop it from setting `sensitive' variables
* try to use an existing libdes
* lib/krb5, kdc: use correct usage type for ap-req messages. This
  should improve compatibility with MIT krb5 when using 3DES
* kdc: fix memory allocation problem
* update config.guess and config.sub
* lib/roken: more stuff implemented
* bug fixes and portability enhancements

Changes in release 0.3c
* lib/krb5: memory caches now support the resolve operation
* appl/login: set PATH to some sane default
* kadmind: handle several realms
* bug fixes (including memory leaks)

Changes in release 0.3b
* kdc: prefer default-salted keys on v5 requests
* kdc: lowercase hostnames in v4 mode
* hprop: handle more types of MIT salts
* lib/krb5: fix memory leak

Changes in release 0.3a:
* implement arcfour-hmac-md5 to interoperate with W2K
* modularise the handling of the master key, and allow for other
  encryption types. This makes it easier to import a database from
  some other source without having to re-encrypt all keys.
* allow for better control over which encryption types are created
* make kinit fallback to v4 if given a v4 KDC
* make klist work better with v4 and v5, and add some more MIT
  compatibility options
* make the kdc listen on the krb524 (4444) port for compatibility
  with MIT krb5 clients
* implement more DCE/DFS support, enabled with --enable-dce, see
  lib/kdfs and appl/dceutils
* make the sequence numbers work correctly

Changes in release 0.2t:

Changes in release 0.2s:
* add OpenLDAP support in hdb
* login will get v4 tickets when it receives forwarded tickets
* xnlock supports both v5 and v4
* repair source routing for telnet
* fix building problems with krb4 (krb_mk_req)

Changes in release 0.2r:
* fix realloc memory corruption bug in kdc
* `add --key' and `cpw --key' in kadmin
* klist supports listing v4 tickets
* update config.guess and config.sub
* make v4 -> v5 principal name conversion more robust
* support for anonymous tickets
* telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
* use and set expiration and not password expiration when dumping
  to/from ka server databases / krb4 databases
* make the code happier with 64-bit time_t
* follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:
* bug fix in tcp-handling in kdc
* bug fix in expand_hostname

Changes in release 0.2p:
* bug fix in `kadmin load/merge'
* bug fix in krb5_parse_address

Changes in release 0.2o:
* gss_{import,export}_sec_context added to libgssapi
* new option --addresses to kdc (for listening on an explicit set of
* bug fixes in the krb4 and kaserver emulation part of the kdc

Changes in release 0.2n:
* more robust parsing of dump files in kadmin
* changed default timestamp format for log messages to extended ISO
  8601 format (Y-M-DTH:M:S)
* changed md4/md5/sha1 APIs to be de-facto `standard'
* always make hostname into lower-case before creating principal
* small bits of more MIT-compatibility

Changes in release 0.2m:
* handle glibc's getaddrinfo() that returns several ai_canonname

Changes in release 0.2l:

Changes in release 0.2k:
* make struct sockaddr_storage in roken work better on alphas
* some missing [hn]to[hn]s fixed.
* allow users to change their own passwords with kadmin (with initial
* fix stupid bug in parsing KDC specification
* add `ktutil change' and `ktutil purge'

Changes in release 0.2j:
* ftpd works in passive mode
* should build on cygwin
* work around broken IPv6-code on OpenBSD 2.6, also add configure
  option --disable-ipv6

Changes in release 0.2i:
* use getaddrinfo in the missing places.
* fix SRV lookup for admin server
* use get{addr,name}info everywhere, and implement it in terms of
  getipnodeby{name,addr} (which uses gethostbyname{,2} and

Changes in release 0.2h:
* fix typo in kx (now compiles)

Changes in release 0.2g:
* repair appl/test programs
* sockaddr_storage works on solaris (alignment issues)
* works better with non-roken getaddrinfo
* some non standard C constructs removed

Changes in release 0.2f:
* support SRV records for kpasswd
* look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:
* changed copyright notices to remove `advertising'-clause.
* get{addr,name}info added to roken and used in the other code
  (this makes things work much better with hosts with both v4 and v6
  addresses, among other things)
* do pre-auth for both password and key-based get_in_tkt
* support for having several databases
* new command `del_enctype' in kadmin
* strptime (and new strftime) added to roken
* more paranoia about finding libdb

Changes in release 0.2d:
* new configuration option [libdefaults]default_etypes_des
* internal ls in ftpd builds without KRB4
* kx/rsh/push/pop_debug tries v5 and v4 consistently

Changes in release 0.2c:
* bug fixes (see ChangeLog's for details)

Changes in release 0.2b:
* actually bump shared library versions

Changes in release 0.2a:
* a new program verify_krb5_conf for checking your /etc/krb5.conf
* add 3DES keys when changing password
* support null keys in database
* support multiple local realms
* implement a keytab backend for AFS KeyFile's
* implement a keytab backend for v4 srvtabs
* implement `ktutil copy'
* support password quality control in v4 kadmind
* improvements in v4 compat kadmind
* handle the case of having the correct cred in the ccache but with
  the wrong encryption type better
* v6-ify the remaining programs.
* internal ls in ftpd
* rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
* add `ank --random-password' and `cpw --random-password' in kadmin
* some programs and documentation for trying to talk to a W2K KDC

Changes in release 0.1m:
* support for getting default from krb5.conf for kinit/kf/rsh/telnet.
  From Miroslav Ruda <ruda@ics.muni.cz>
* v6-ify hprop and hpropd
* support numeric addresses in krb5_mk_req
* shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
* make rsh/rshd IPv6-aware
* make the gssapi sample applications better at reporting errors
* handle systems with v6-aware libc and non-v6 kernels (like Linux
  with glibc 2.1) better
* hide failure of ERPT in ftp

Changes in release 0.1l:
* make ftp and ftpd IPv6-aware
* add inet_pton to roken
* more IPv6-awareness
* make mini_inetd v6 aware

Changes in release 0.1k:
* bump shared libraries versions
* add roken version of inet_ntop
* merge more changes to rshd

Changes in release 0.1j:
* restore back to the `old' 3DES code. This was supposed to be done
  in 0.1h and 0.1i but I did a CVS screw-up.
* make telnetd handle v6 connections

Changes in release 0.1i:
* start using `struct sockaddr_storage' which simplifies the code
  (with a fallback definition if it's not defined)
* bug fixes (including in hprop and kf)
* don't use mawk which seems to mishandle roken.awk
* get_addrs should be able to handle v6 addresses on Linux (with the
  required patch to the Linux kernel -- ask within)
* rshd builds with shadow passwords

Changes in release 0.1h:
* kf: new program for forwarding credentials
* make forwarding credentials work with MIT code
* better conversion of ka database
* add etc/services.append
* correct `modified by' from kpasswdd

Changes in release 0.1g:
* kgetcred: new program for explicitly obtaining tickets

Changes in release 0.1f:
* experimental support for v4 kadmin protocol in kadmind

Changes in release 0.1e:
* try to handle old DCE and MIT kdcs
* support for older versions of credential cache files and keytabs
* postdated tickets work
* support for password quality checks in kpasswdd
* new flag --enable-kaserver for kdc
* prototype su program
* updated (some) manpages
* support for KDC resource records
* should build with --without-krb4

Changes in release 0.1d:
* Support building with DB2 (uses 1.85-compat API)
* Support krb5-realm.DOMAIN in DNS
* new `ktutil srvcreate'
* v4/kafs support in klist/kdestroy

Changes in release 0.1c:
* fix ASN.1 encoding of signed integers
* somewhat working `ktutil get'
* some documentation updates
* update to Autoconf 2.13 and Automake 1.4
* the usual bug fixes

Changes in release 0.1b:
* some old -> new crypto conversion utils

Changes in release 0.1a:
* make sure we ask for DES keys in gssapi
* support signed ints in ASN1

Changes in release 0.0u:

Changes in release 0.0t:
* more robust parsing of krb5.conf
* include net{read,write} in lib/roken

Changes in release 0.0s:
* kludges for parsing options to rsh
* more robust parsing of krb5.conf
* removed some arbitrary limits

Changes in release 0.0r:
* default options for some programs

Changes in release 0.0q:
* support for building shared libraries with libtool

Changes in release 0.0p:
* keytab moved to /etc/krb5.keytab
* avoid false detection of IPv6 on Linux
* Lots more functionality in the gssapi-library
* hprop can now read ka-server databases

Changes in release 0.0o:
* FTP with GSSAPI support.

Changes in release 0.0n:
* Incremental database propagation.
* Somewhat improved kadmin ui; the stuff in admin is now removed.
* Some support for using enctypes instead of keytypes.
* Lots of other improvements and bug fixes, see ChangeLog for details.