1 Release Notes - Heimdal - Version Heimdal 7.1
5 - kx509 realm-chopping security bug
6 - non-authorization of alias additions/removals in kadmind
11 - iprop has been revamped to fix a number of race conditions that could
12 lead to inconsistent replication
13 - Hierarchical capath support
14 - AES Encryption with HMAC-SHA2 for Kerberos 5
15 draft-ietf-kitten-aes-cts-hmac-sha2-11
16 - hcrypto is now thread safe on all platforms
17 - libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for
18 Solaris), and OpenSSL. OpenSSL is now a first-class libhcrypto backend.
19 OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by
21 - HDB now supports LMDB
22 - Thread support on Windows
23 - RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST)
26 - Allow setting what encryption types a principal should have with
27 [kadmin] default_key_rules, see krb5.conf manpage for more info
28 - Unify libhcrypto with LTC (libtomcrypto)
29 - asn1_compile 64-bit INTEGER functionality
30 - HDB key history support including --keepold kadmin password option
31 - Improved cross-realm key rollover safety
32 - New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces
33 - Improved MIT compatibility
35 . Migration from MIT KDB via "mitdb" HDB backend
36 . Capable of writing the HDB in MIT dump format
37 - Improved Active Directory interoperability
38 . Enctype selection issues for PAC and other authz-data signatures
39 . Cross realm key rollover (kvno 0)
40 - New [kdc] enctype negotiation configuration:
41 . tgt-use-strongest-session-key
42 . svc-use-strongest-session-key
43 . preauth-use-strongest-session-key
44 . use-strongest-server-key
45 - The KDC process now uses a multi-process model improving
46 resiliency and performance
47 - Allow batch-mode kinit with password file
48 - SIGINFO support added to kinit cmd
49 - New kx509 configuration options:
52 . kx509_include_pkinit_san
54 - Improved Heimdal library/plugin version safety
55 - Name canonicalization
56 . DNS resolver searchlist
57 . Improved referral support
58 . Support host:port host-based services
59 - Pluggable libheimbase interface for DBs
60 - Improve IPv6 Support
62 . Bind DN and password
65 - DIR credential cache type
66 - Updated upstream SQLite and libedit
67 - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
69 - Completely remove RAND_egd support
70 - Moved kadmin and ktutil to /usr/bin
71 - Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
73 . don't follow symlinks
74 . require cache files to be owned by the user
75 . require sensible permissions (not group/other readable)
76 - Implemented gss_store_cred()
80 - iprop has been revamped to fix a number of race conditions that could
82 - Include non-loopback addresses assigned to loopback interfaces
83 when requesting tickets with addresses
84 - KDC 1DES session key selection (for AFS rxkad-k5 compatibility)
85 - Keytab file descriptor and lock leak
86 - Credential cache corruption bugs
87 (NOTE: The FILE ccache is still not entirely safe due to the
88 fundamentally unsafe design of POSIX file locking)
89 - gss_pseudo_random() interop bug
90 - Plugins are now preferentially loaded from the run-time install tree
91 - Reauthentication after password change in init_creds_password
92 - Memory leak in the client kadmin library
93 - TGS client requests renewable/forwardable/proxiable when possible
94 - Locking issues in DB1 and DB3 HDB backends
95 - Master HDB can remain locked while waiting for network I/O
96 - Renewal/refresh logic when kinit is provided with a command
97 - KDC handling of enterprise principals
98 - Use correct bit for anon-pkinit
103 This release of Heimdal includes contributions from:
105 Abhinav Upadhyay Heath Kehoe Nico Williams
106 Andreas Schneider Henry Jacques Patrik Lundin
107 Andrew Bartlett Howard Chu Philip Boulain
108 Andrew Tridgell Igor Sobrado Ragnar Sundblad
109 Antoine Jacoutot Ingo Schwarze Remi Ferrand
110 Arran Cudbard-Bell Jakub Čajka Rod Widdowson
111 Arvid Requate James Le Cuirot Rok Papež
112 Asanka Herath James Lee Roland C. Dowdeswell
113 Ben Kaduk Jeffrey Altman Ross L Richardson
114 Benjamin Kaduk Jeffrey Clark Russ Allbery
115 Bernard Spil Jeffrey Hutzelman Samuel Cabrero
116 Brian May Jelmer Vernooij Samuel Thibault
117 Chas Williams Ken Dreyer Santosh Kumar Pradhan
118 Chaskiel Grundman Kiran S J Sean Davis
119 Dana Koch Kumar Thangavelu Sergio Gelato
120 Daniel Schepler Landon Fuller Simon Wilkinson
121 David Mulder Linus Nordberg Stef Walter
122 Douglas Bagnall Love Hörnquist Åstrand Stefan Metzmacher
123 Ed Maste Luke Howard Steffen Jaeckel
124 Eray Aslan Magnus Ahltorp Timothy Pearson
125 Florian Best Marc Balmer Tollef Fog Heen
126 Fredrik Pettai Marcin Cieślak Tony Acero
127 Greg Hudson Marco Molteni Uri Simchoni
128 Gustavo Zacarias Matthieu Hautreux Viktor Dukhovni
129 Günther Deschner Michael Meffie Volker Lendecke
130 Harald Barth Moritz Lenz
132 Release Notes - Heimdal - Version Heimdal 1.5.3
135 - Fix leaking file descriptors in KDC
136 - Better socket/timeout handling in libkrb5
140 Release Notes - Heimdal - Version Heimdal 1.5.2
143 - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
144 - Check that key types strictly match - denial of service
146 Release Notes - Heimdal - Version Heimdal 1.5.1
149 - Fix building on Solaris, requires c99
150 - Fix building on Windows
151 - Build system updates
153 Release Notes - Heimdal - Version Heimdal 1.5
157 - Support GSS name extensions/attributes
159 - No Kerberos 4 support
160 - Basic support for MIT Admin protocol (SECGSS flavor)
161 in kadmind (extract keytab)
162 - Replace editline with libedit
164 Release Notes - Heimdal - Version Heimdal 1.4
168 - Support for reading MIT database file directly
169 - KCM is polished up and now used in production
170 - NTLM first class citizen, credentials stored in KCM
171 - Table driven ASN.1 compiler, smaller!, not enabled by default
172 - Native Windows client support
176 - Disabled write support NDBM hdb backend (read still in there) since
177 it can't handle large records, please migrate to a diffrent backend
180 Release Notes - Heimdal - Version Heimdal 1.3.3
183 - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
184 - Check NULL pointers before dereference them [kdc]
186 Release Notes - Heimdal - Version Heimdal 1.3.2
190 - Don't mix length when clearing hmac (could memset too much)
191 - More paranoid underrun checking when decrypting packets
192 - Check the password change requests and refuse to answer empty packets
193 - Build on OpenSolaris
194 - Renumber AD-SIGNED-TICKET since it was stolen from US
195 - Don't cache /dev/*random file descriptor, it doesn't get unloaded
199 Release Notes - Heimdal - Version Heimdal 1.3.1
203 - Store KDC offset in credentials
204 - Many many more bug fixes
206 Release Notes - Heimdal - Version Heimdal 1.3.1
210 - Make work with OpenLDAPs krb5 overlay
212 Release Notes - Heimdal - Version Heimdal 1.3
216 - Partial support for MIT kadmind rpc protocol in kadmind
217 - Better support for finding keytab entries when using SPN aliases in the KDC
218 - Support BER in ASN.1 library (needed for CMS)
219 - Support decryption in Keychain private keys
220 - Support for new sqlite based credential cache
221 - Try both KDC referals and the common DNS reverse lookup in GSS-API
222 - Fix the KCM to not leak resources on failure
223 - Add IPv6 support to iprop
224 - Support localization of error strings in
225 kinit/klist/kdestroy and Kerberos library
226 - Remove Kerberos 4 support in application (still in KDC)
228 - Support i18n password in windows domains (using UTF-8)
229 - More complete API emulation of OpenSSL in hcrypto
230 - Support for ECDSA and ECDH when linking with OpenSSL
234 - Support for settin friendly name on credential caches
235 - Move to using doxygen to generate documentation.
236 - Sprinkling __attribute__((__deprecated__)) for old function to be removed
237 - Support to export LAST-REQUST information in AS-REQ
238 - Support for client deferrals in in AS-REQ
239 - Add seek support for krb5_storage.
240 - Support for split AS-REQ, first step for IA-KERB
241 - Fix many memory leaks and bugs
242 - Improved regression test
244 - Switch to krb5_set_error_message
245 - Support krb5_crypto_*_iov
246 - Switch to use EVP for most function
247 - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
248 - Add support for GSS_C_DELEG_POLICY_FLAG
249 - Add krb5_cc_[gs]et_config to store data in the credential caches
250 - PTY testing application
253 - Make building on AIX6 possible.
254 - Bugfixes in LDAP KDC code to make it more stable
255 - Make ipropd-slave reconnect when master down gown
258 Release Notes - Heimdal - Version Heimdal 1.2.1
262 [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
263 [HEIMDAL-151] - Make canned tests work again after cert expired
264 [HEIMDAL-152] - iprop test: use full hostname to avoid realm
266 [HEIMDAL-153] - ftp: Use the correct length for unmap, msync
268 Release Notes - Heimdal - Version Heimdal 1.2
272 [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
273 gss_display_name/gss_export_name when using SPNEGO
274 [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
275 [HEIMDAL-17] - Remove support for depricated [libdefaults]capath
276 [HEIMDAL-52] - hdb overwrite aliases for db databases
277 [HEIMDAL-54] - Two issues which affect credentials delegation
278 [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
279 [HEIMDAL-62] - Fix printing of sig_atomic_t
280 [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
281 [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
282 [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
285 [HEIMDAL-67] - Fix locking and store credential in atomic writes
286 in the FILE credential cache
287 [HEIMDAL-106] - make compile on cygwin again
288 [HEIMDAL-107] - Replace old random key generation in des module
289 and use it with RAND_ function instead
290 [HEIMDAL-115] - Better documentation and compatibility in hcrypto
291 in regards to OpenSSL
294 [HEIMDAL-3] - pkinit alg agility PRF test vectors
295 [HEIMDAL-14] - Add libwind to Heimdal
296 [HEIMDAL-16] - Use libwind in hx509
297 [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
299 [HEIMDAL-74] - Add support to report extended error message back
300 in AS-REQ to support windows clients
301 [HEIMDAL-116] - test pty based application (using rkpty)
302 [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
305 [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
306 This drop compatibility with pre 0.3d KDCs.
307 [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
308 [HEIMDAL-65] - Failed to compile with --disable-pk-init
309 [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
310 wraparound checks doesn't apply to Heimdal
312 Changes in release 1.1
314 * Read-only PKCS11 provider built-in to hx509.
316 * Documentation for hx509, hcrypto and ntlm libraries improved.
318 * Better compatibilty with Windows 2008 Server pre-releases and Vista.
320 * Mac OS X 10.5 support for native credential cache.
322 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
326 Changes in release 1.0.2
332 Changes in release 1.0.1
334 * Serveral bug fixes to iprop.
336 * Make work on platforms without dlopen.
338 * Add RFC3526 modp group14 as default.
340 * Handle [kdc] database = { } entries without realm = stanzas.
342 * Make krb5_get_renewed_creds work.
344 * Make kaserver preauth work again.
348 Changes in release 1.0
350 * Add gss_pseudo_random() for mechglue and krb5.
352 * Make session key for the krbtgt be selected by the best encryption
355 * Better interoperability with other PK-INIT implementations.
357 * Inital support for Mac OS X Keychain for hx509.
359 * Alias support for inital ticket requests.
361 * Add symbol versioning to selected libraries on platforms that uses
362 GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
364 * New version of imath included in hcrypto.
370 Changes in release 0.8.1
372 * Make ASN.1 library less paranoid to with regard to NUL in string to
373 make it inter-operate with MIT Kerberos again.
375 * Make GSS-API library work again when using gss_acquire_cred
377 * Add symbol versioning to libgssapi when using GNU ld.
383 Changes in release 0.8
387 * HDB extensions support, used by PK-INIT.
389 * New ASN.1 compiler.
391 * GSS-API mechglue from FreeBSD.
393 * Updated SPNEGO to support RFC4178.
395 * Support for Cryptosystem Negotiation Extension (RFC 4537).
397 * A new X.509 library (hx509) and related crypto functions.
399 * A new ntlm library (heimntlm) and related crypto functions.
401 * Updated the built-in crypto library with bignum support using
402 imath, support for RSA and DH and renamed it to libhcrypto.
404 * Subsystem in the KDC, digest, that will perform the digest
405 operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
406 DIGEST-MD5 NTLMv1 and NTLMv2.
408 * KDC will return the "response too big" error to force TCP retries
409 for large (default 1400 bytes) UDP replies. This is common for
412 * Libkafs defaults to use 2b tokens.
414 * Default to use the API cache on Mac OS X.
416 * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
417 see manpage for krb5_kuserok for description.
419 * Many, many, other updates to code and info manual and manual pages.
423 Changes in release 0.7.2
425 * Fix security problem in rshd that enable an attacker to overwrite
426 and change ownership of any file that root could write.
428 * Fix a DOS in telnetd. The attacker could force the server to crash
429 in a NULL de-reference before the user logged in, resulting in inetd
430 turning telnetd off because it forked too fast.
432 * Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
433 exists in the keytab before returning success. This allows servers
434 to check if its even possible to use GSSAPI.
436 * Fix receiving end of token delegation for GSS-API. It still wrongly
437 uses subkey for sending for compatibility reasons, this will change
440 * telnetd, login and rshd are now more verbose in logging failed and
445 Changes in release 0.7.1
449 Changes in release 0.7
451 * Support for KCM, a process based credential cache
453 * Support CCAPI credential cache
457 * AES (and the gssapi conterpart, CFX) support
459 * Adding new and improve old documentation
463 Changes in release 0.6.6
465 * Fix security problem in rshd that enable an attacker to overwrite
466 and change ownership of any file that root could write.
468 * Fix a DOS in telnetd. The attacker could force the server to crash
469 in a NULL de-reference before the user logged in, resulting in inetd
470 turning telnetd off because it forked too fast.
472 Changes in release 0.6.5
474 * fix vulnerabilities in telnetd
476 * unbreak Kerberos 4 and kaserver
478 Changes in release 0.6.4
480 * fix vulnerabilities in telnet
482 * rshd: encryption without a separate error socket should now work
484 * telnet now uses appdefaults for the encrypt and forward/forwardable
489 Changes in release 0.6.3
491 * fix vulnerabilities in ftpd
493 * support for linux AFS /proc "syscalls"
495 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
498 * fix possible KDC denial of service
502 Changes in release 0.6.2
504 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
506 Changes in release 0.6.1
508 * Fixed ARCFOUR suppport
510 * Cross realm vulnerability
512 * kdc: fix denial of service attack
514 * kdc: stop clients from renewing tickets into the future
518 Changes in release 0.6
520 * The DES3 GSS-API mechanism has been changed to inter-operate with
521 other GSSAPI implementations. See man page for gssapi(3) how to turn
522 on generation of correct MIC messages. Next major release of heimdal
523 will generate correct MIC by default.
525 * More complete GSS-API support
527 * Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
528 support in applications no longer requires Kerberos 4 libs
530 * Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
534 Changes in release 0.5.2
536 * kdc: add option for disabling v4 cross-realm (defaults to off)
540 Changes in release 0.5.1
542 * kadmind: fix remote exploit
544 * kadmind: add option to disable kerberos 4
546 * kdc: make sure kaserver token life is positive
548 * telnet: use the session key if there is no subkey
550 * fix EPSV parsing in ftp
554 Changes in release 0.5
556 * add --detach option to kdc
558 * allow setting forward and forwardable option in telnet from
559 .telnetrc, with override from command line
561 * accept addresses with or without ports in krb5_rd_cred
563 * make it work with modern openssl
565 * use our own string2key function even with openssl (that handles weak
568 * more system-specific requirements in login
570 * do not use getlogin() to determine root in su
572 * telnet: abort if telnetd does not support encryption
574 * update autoconf to 2.53
576 * update config.guess, config.sub
580 Changes in release 0.4e
582 * improve libcrypto and database autoconf tests
584 * do not care about salting of server principals when serving v4 requests
586 * some improvements to gssapi library
588 * test for existing compile_et/libcom_err
594 Changes in release 0.4d
596 * fix some problems when using libcrypto from openssl
598 * handle /dev/ptmx `unix98' ptys on Linux
600 * add some forgotten man pages
602 * rsh: clean-up and add man page
604 * fix -A and -a in builtin-ls in tpd
606 * fix building problem on Irix
608 * make `ktutil get' more efficient
612 Changes in release 0.4c
614 * fix buffer overrun in telnetd
616 * repair some of the v4 fallback code in kinit
618 * add more shared library dependencies
620 * simplify and fix hprop handling of v4 databases
622 * fix some building problems (osf's sia and osfc2 login)
626 Changes in release 0.4b
628 * update the shared library version numbers correctly
630 Changes in release 0.4a
632 * corrected key used for checksum in mk_safe, unfortunately this
633 makes it backwards incompatible
635 * update to autoconf 2.50, libtool 1.4
637 * re-write dns/config lookups (krb5_krbhst API)
639 * make order of using subkeys consistent
645 * remove rfc2052 support, now only rfc2782 is supported
647 * always build with kaserver protocol support in the KDC (assuming
648 KRB4 is enabled) and support for reading kaserver databases in
651 Changes in release 0.3f
653 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
654 the new keytab type that tries both of these in order (SRVTAB is
655 also an alias for krb4:)
657 * improve error reporting and error handling (error messages should
658 be more detailed and more useful)
660 * improve building with openssl
662 * add kadmin -K, rcp -F
664 * fix two incorrect weak DES keys
666 * fix building of kaserver compat in KDC
668 * the API is closer to what MIT krb5 is using
670 * more compatible with windows 2000
672 * removed some memory leaks
676 Changes in release 0.3e
678 * rcp program included
680 * fix buffer overrun in ftpd
682 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
683 cannot generate zero sequence numbers
685 * handle v4 /.k files better
687 * configure/portability fixes
689 * fixes in parsing of options to kadmin (sub-)commands
691 * handle errors in kadmin load better
695 Changes in release 0.3d
699 * fix a bug in 3des gss-api mechanism, making it compatible with the
700 specification and the MIT implementation
702 * make telnetd only allow a specific list of environment variables to
703 stop it from setting `sensitive' variables
705 * try to use an existing libdes
707 * lib/krb5, kdc: use correct usage type for ap-req messages. This
708 should improve compatability with MIT krb5 when using 3DES
711 * kdc: fix memory allocation problem
713 * update config.guess and config.sub
715 * lib/roken: more stuff implemented
717 * bug fixes and portability enhancements
719 Changes in release 0.3c
721 * lib/krb5: memory caches now support the resolve operation
723 * appl/login: set PATH to some sane default
725 * kadmind: handle several realms
727 * bug fixes (including memory leaks)
729 Changes in release 0.3b
731 * kdc: prefer default-salted keys on v5 requests
733 * kdc: lowercase hostnames in v4 mode
735 * hprop: handle more types of MIT salts
737 * lib/krb5: fix memory leak
741 Changes in release 0.3a:
743 * implement arcfour-hmac-md5 to interoperate with W2K
745 * modularise the handling of the master key, and allow for other
746 encryption types. This makes it easier to import a database from
747 some other source without having to re-encrypt all keys.
749 * allow for better control over which encryption types are created
751 * make kinit fallback to v4 if given a v4 KDC
753 * make klist work better with v4 and v5, and add some more MIT
754 compatibility options
756 * make the kdc listen on the krb524 (4444) port for compatibility
757 with MIT krb5 clients
759 * implement more DCE/DFS support, enabled with --enable-dce, see
760 lib/kdfs and appl/dceutils
762 * make the sequence numbers work correctly
766 Changes in release 0.2t:
770 Changes in release 0.2s:
772 * add OpenLDAP support in hdb
774 * login will get v4 tickets when it receives forwarded tickets
776 * xnlock supports both v5 and v4
778 * repair source routing for telnet
780 * fix building problems with krb4 (krb_mk_req)
784 Changes in release 0.2r:
786 * fix realloc memory corruption bug in kdc
788 * `add --key' and `cpw --key' in kadmin
790 * klist supports listing v4 tickets
792 * update config.guess and config.sub
794 * make v4 -> v5 principal name conversion more robust
796 * support for anonymous tickets
800 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
802 * use and set expiration and not password expiration when dumping
803 to/from ka server databases / krb4 databases
805 * make the code happier with 64-bit time_t
807 * follow RFC2782 and by default do not look for non-underscore SRV names
809 Changes in release 0.2q:
811 * bug fix in tcp-handling in kdc
813 * bug fix in expand_hostname
815 Changes in release 0.2p:
817 * bug fix in `kadmin load/merge'
819 * bug fix in krb5_parse_address
821 Changes in release 0.2o:
823 * gss_{import,export}_sec_context added to libgssapi
825 * new option --addresses to kdc (for listening on an explicit set of
828 * bug fixes in the krb4 and kaserver emulation part of the kdc
832 Changes in release 0.2n:
834 * more robust parsing of dump files in kadmin
835 * changed default timestamp format for log messages to extended ISO
836 8601 format (Y-M-DTH:M:S)
837 * changed md4/md5/sha1 APIes to be de-facto `standard'
838 * always make hostname into lower-case before creating principal
839 * small bits of more MIT-compatability
842 Changes in release 0.2m:
844 * handle glibc's getaddrinfo() that returns several ai_canonname
850 Changes in release 0.2l:
854 Changes in release 0.2k:
858 * make struct sockaddr_storage in roken work better on alphas
860 * some missing [hn]to[hn]s fixed.
862 * allow users to change their own passwords with kadmin (with initial
865 * fix stupid bug in parsing KDC specification
867 * add `ktutil change' and `ktutil purge'
869 Changes in release 0.2j:
873 * ftpd works in passive mode
875 * should build on cygwin
877 * work around broken IPv6-code on OpenBSD 2.6, also add configure
878 option --disable-ipv6
880 Changes in release 0.2i:
882 * use getaddrinfo in the missing places.
884 * fix SRV lookup for admin server
886 * use get{addr,name}info everywhere. and implement it in terms of
887 getipnodeby{name,addr} (which uses gethostbyname{,2} and
890 Changes in release 0.2h:
892 * fix typo in kx (now compiles)
894 Changes in release 0.2g:
898 * repair appl/test programs
899 * sockaddr_storage works on solaris (alignment issues)
900 * works better with non-roken getaddrinfo
902 * some non standard C constructs removed
904 Changes in release 0.2f:
906 * support SRV records for kpasswd
907 * look for both _kerberos and krb5-realm when doing host -> realm mapping
909 Changes in release 0.2e:
911 * changed copyright notices to remove `advertising'-clause.
912 * get{addr,name}info added to roken and used in the other code
913 (this makes things work much better with hosts with both v4 and v6
914 addresses, among other things)
915 * do pre-auth for both password and key-based get_in_tkt
916 * support for having several databases
917 * new command `del_enctype' in kadmin
918 * strptime (and new strftime) add to roken
919 * more paranoia about finding libdb
922 Changes in release 0.2d:
924 * new configuration option [libdefaults]default_etypes_des
925 * internal ls in ftpd builds without KRB4
926 * kx/rsh/push/pop_debug tries v5 and v4 consistenly
930 Changes in release 0.2c:
932 * bug fixes (see ChangeLog's for details)
934 Changes in release 0.2b:
937 * actually bump shared library versions
939 Changes in release 0.2a:
941 * a new program verify_krb5_conf for checking your /etc/krb5.conf
942 * add 3DES keys when changing password
943 * support null keys in database
944 * support multiple local realms
945 * implement a keytab backend for AFS KeyFile's
946 * implement a keytab backend for v4 srvtabs
947 * implement `ktutil copy'
948 * support password quality control in v4 kadmind
949 * improvements in v4 compat kadmind
950 * handle the case of having the correct cred in the ccache but with
951 the wrong encryption type better
952 * v6-ify the remaining programs.
953 * internal ls in ftpd
954 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
955 * add `ank --random-password' and `cpw --random-password' in kadmin
956 * some programs and documentation for trying to talk to a W2K KDC
959 Changes in release 0.1m:
961 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
962 From Miroslav Ruda <ruda@ics.muni.cz>
963 * v6-ify hprop and hpropd
964 * support numeric addresses in krb5_mk_req
965 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
966 * make rsh/rshd IPv6-aware
967 * make the gssapi sample applications better at reporting errors
969 * handle systems with v6-aware libc and non-v6 kernels (like Linux
970 with glibc 2.1) better
971 * hide failure of ERPT in ftp
974 Changes in release 0.1l:
976 * make ftp and ftpd IPv6-aware
977 * add inet_pton to roken
978 * more IPv6-awareness
979 * make mini_inetd v6 aware
981 Changes in release 0.1k:
983 * bump shared libraries versions
984 * add roken version of inet_ntop
985 * merge more changes to rshd
987 Changes in release 0.1j:
989 * restore back to the `old' 3DES code. This was supposed to be done
990 in 0.1h and 0.1i but I did a CVS screw-up.
991 * make telnetd handle v6 connections
993 Changes in release 0.1i:
995 * start using `struct sockaddr_storage' which simplifies the code
996 (with a fallback definition if it's not defined)
997 * bug fixes (including in hprop and kf)
998 * don't use mawk which seems to mishandle roken.awk
999 * get_addrs should be able to handle v6 addresses on Linux (with the
1000 required patch to the Linux kernel -- ask within)
1001 * rshd builds with shadow passwords
1003 Changes in release 0.1h:
1005 * kf: new program for forwarding credentials
1007 * make forwarding credentials work with MIT code
1008 * better conversion of ka database
1009 * add etc/services.append
1010 * correct `modified by' from kpasswdd
1013 Changes in release 0.1g:
1015 * kgetcred: new program for explicitly obtaining tickets
1020 Changes in release 0.1f;
1022 * experimental support for v4 kadmin protokoll in kadmind
1025 Changes in release 0.1e:
1027 * try to handle old DCE and MIT kdcs
1028 * support for older versions of credential cache files and keytabs
1029 * postdated tickets work
1030 * support for password quality checks in kpasswdd
1031 * new flag --enable-kaserver for kdc
1033 * prototype su program
1034 * updated (some) manpages
1035 * support for KDC resource records
1036 * should build with --without-krb4
1039 Changes in release 0.1d:
1041 * Support building with DB2 (uses 1.85-compat API)
1042 * Support krb5-realm.DOMAIN in DNS
1043 * new `ktutil srvcreate'
1044 * v4/kafs support in klist/kdestroy
1047 Changes in release 0.1c:
1049 * fix ASN.1 encoding of signed integers
1050 * somewhat working `ktutil get'
1051 * some documentation updates
1052 * update to Autoconf 2.13 and Automake 1.4
1053 * the usual bug fixes
1055 Changes in release 0.1b:
1057 * some old -> new crypto conversion utils
1060 Changes in release 0.1a:
1064 * make sure we ask for DES keys in gssapi
1065 * support signed ints in ASN1
1068 Changes in release 0.0u:
1072 Changes in release 0.0t:
1074 * more robust parsing of krb5.conf
1075 * include net{read,write} in lib/roken
1078 Changes in release 0.0s:
1080 * kludges for parsing options to rsh
1081 * more robust parsing of krb5.conf
1082 * removed some arbitrary limits
1085 Changes in release 0.0r:
1087 * default options for some programs
1090 Changes in release 0.0q:
1092 * support for building shared libraries with libtool
1095 Changes in release 0.0p:
1097 * keytab moved to /etc/krb5.keytab
1098 * avoid false detection of IPv6 on Linux
1099 * Lots of more functionality in the gssapi-library
1100 * hprop can now read ka-server databases
1103 Changes in release 0.0o:
1105 * FTP with GSSAPI support.
1108 Changes in release 0.0n:
1110 * Incremental database propagation.
1111 * Somewhat improved kadmin ui; the stuff in admin is now removed.
1112 * Some support for using enctypes instead of keytypes.
1113 * Lots of other improvement and bug fixes, see ChangeLog for details.