Add.

[shishi.git] / NEWS

Shishi NEWS -- History of user-visible changes.                 -*- outline -*-
Copyright (C) 2002, 2003 Simon Josefsson
See the end for copying conditions.

* Version 0.0.10 (unreleased)

** The TLS support in Shishid now works.

** All command line interfaces now uses getopt instead of argp.

* Version 0.0.9 (released 2003-12-12)

** A Kerberos 5 information storage system added, called Shisa.
Shisa is used by Kerberos 5 servers (KDCs) to find information about
principals.  Shisa can be extended to support various backends, such
as LDAP and SQL databases, but currently only a file system based
database is supported.  Shisa consists of two parts, a library
(libshisa, see db/) and a command line tool (shisa, see src/).  Shisa
is designed to be concurrent write safe, i.e., multiple writers to the
same database is permitted.  This is very much work in progress.

** A new tool 'shisa' added to add/remove/list/modify the Shisa database.

** The Administration and Reference Manual has been (re)written.
There is now a step-by-step walk-through on creating the database for
a new realm, adding a few principals, starting the server and testing
it by getting tickets.

** Shishid (the Kerberos server) now read keys via the Shisa database.
The old hostkeys-alike file based "database" is no longer supported.

** A sample Shisa database and host keys are created during installation.
The default realm name (typically your hostname) is used, which might
not be what you prefer, but should get you started.

** Improve behaviour with poorly synchronized clocks.
Earlier newly acquired tickets were discarded if they were not yet
valid when you acquire them.  Now tickets are only discarded when
their end time is in the past.

** Support for DES and 3DES without integrity checking re-added.
Those encryption algorithms are needed by GSS Wrap/Unwrap, but was
accidently removed from Shishi during an earlier cleanup.

** When Libgcrypt is used, ARCFOUR now handle streamed operations.
This is needed for, e.g., Kerberos rsh in the Shishi patched version
of GNU InetUtils.

** Paths to configurations files and host keys changed.
The configuration files and host keys are now stored (by default, but
see next entry) in $prefix/etc/shishi/, instead of, as it was before,
in $prefix/etc (for configuration and host keys) and
$prefix/share/shishi (for user configuration file template).

** Paths to configurations, host keys and the database root now configurable.
The configure parameters --with-conf-dir, --with-skel-dir,
--with-key-dir, and --with-db-dir can be used to specify the location
of shishi.conf and shisa.conf (system configuration files),
shishi.skel (user configuration file template), shishi.keys (host
specific keys) and the Shisa database root, respectively.

** IANA allocated Telnet Encrypt command 12 for the AES-CCM mode.

** Autoconf 2.59, Automake 1.8, and Libtool from CVS is used.

** Some more self tests were added.

* Version 0.0.8 (released 2003-10-16)

** Passwords are processed with SASLprep instead of KRBprep.

** Authorization improvements.

** Documentation additions.
Protocol descriptions for STARTTLS, AES-CCM encrypted telnet, and
Kerberos rsh/rlogin.

** Support for upgrading TCP connections to KDC to TLS supported (STARTTLS).
STARTTLS support will be compiled in automatically, if you have GNUTLS
installed, but can be disabled unconditionally by configuring with
--disable-tls.  Use the 'realm-kdc' configuration token to specify
which KDCs the client should use it against, e.g.,
'realm-kdc=MYREALM.ORG,kdc.myrealm.org/tls'.

* Version 0.0.7 (released 2003-09-21)

** Encryption types can now be referred to using shorter aliases.
E.g., you can write "aes" instead of "aes256-cts-hmac-sha1-96".

** ARCFOUR encryption support according to draft-brezak-win2k-krb-rc4-hmac-04.

** DES-CBC-CRC now works.

* Version 0.0.6 (released 2003-09-14)

** Proxiable, proxy, forwardable and forwarded tickets supported.
See the User Manual for discussion and examples.

** Man pages for all public functions are included.

** Installed versions of Libgcrypt and libtasn1 used where possible.
Shishi need Libgcrypt 1.1.44 or later, and libtasn1 0.2.5 or later.
If a usable version is not found, the internal Nettle (crypto/) and/or
libminitasn1 (asn1/) libraries are used instead.

** It is possible to enable and disable part of the system at compile time.
See --disable-des, --disable-3des, --disable-aes, --disable-md,
--disable-null, and --enable-arcfour.

** The internal crypto interface now fully modularized.
If you wish to add support for a new low-level cryptographic library,
to, e.g., utilize specialized hardware, it is now easy to do so.  Two
wrappers for Nettle (lib/nettle.c) and Libgcrypt (lib/libgcrypt.c) are
included.

** Logging destination for warnings and informational messages can be changed.
By default, message are sent to stderr for clients, and syslog for
servers.  See the new API functions shishi_outputtype and
shishi_set_outputtype for more information.

* Version 0.0.5 (released 2003-09-07)

** Server host name to realm mapping via DNS supported.

** SAFE functions improved.
Example code of a client using integrity protected application data
exchanges is in examples/client-safe.c and examples/server.c.

** PRIV functions added.
Example code of a client using privacy protected application data
exchanges is in examples/client-priv.c.

** Documentation improvements.
E.g., a reference manual was added, that document the configuration
file, and the shishi and shishid parameters.

** Various API changes.

* Version 0.0.4 (released 2003-08-31)

** The rsh/rlogin client 'rsh-redone' ported to Shishi, by Nicolas Pouvesle.
The client is located in extra/rsh-redone/.  It supports
authentication and encryption.  It interoperate with other
implementations.

** Authenticator subkeys are supported, and is used by default in AP/TGS.
Some KDCs does not understand subkeys in TGS requests, and use the
session key instead.  Shishi detect and work around this problem but
prints a warning.

** Simplistic key distribution center (KDC) is working.
See the Administration Manual for a walk through on how to get it up
and running.

** Various API changes.

* Version 0.0.3 (released 2003-08-22)

** Documentation fixes.

** Cleanups.

* Version 0.0.2 (released 2003-08-17)

** Command line handling of the 'shishi' application rewritten.
See the (updated) user manual and --help output for the new story.

** It is possible to acquire renewable tickets.

** Example client and server included.
Application data protection is not supported, but authentication is
demonstrated.  The files are in src/client.c and src/server.c.

** New configuration verbs: 'ticket-life' and 'renew-life'.

** AES ciphers didn't work when nettle was used.

** Cleanups, bug fixes and improved portability.

* Version 0.0.1 (released 2003-08-10)

** InetUtils copy removed.
The patches (also found in extra/inetutils.diff) are forwarded upstream.

** Libidn copy removed.
Libidn is optional, but recommended.  It is used automatically if
present on your system.

** Gettext not included.
Due to some conflicts between libtool and gettext, if you want i18n on
platforms that does not already have a useful gettext implementation,
you can install GNU gettext before building this package.  If you
don't care about i18n, this package should work fine (except for i18n,
of course).

** Low-level crypto uses nettle if libgcrypt is not installed.
Libgcrypt is not shipped with Shishi any more, instead a more
streamlined crypto implementation based on nettle is included.
Specify --with-libgcrypt to use libgcrypt.

** Libtasn1 updated and replaced by "minitasn1" from gnutls.
Specify --with-system-libtasn1 to link with the installed libtasn1, if
you have it.

** KDC addresses are now found via DNS SRV RRs as a last resort.
This is only enabled if libresolv and resolv.h is found on your
system.

** Argp and other compatibility files replaced by gl/ directory.

** Cleanups, bug fixes and various improvements.

* Version 0.0.0 (released 2003-06-02)

** Initial release

----------------------------------------------------------------------
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.