3 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
7 Changes in release 1.0.2
13 Changes in release 1.0.1
15 * Serveral bug fixes to iprop.
17 * Make work on platforms without dlopen.
19 * Add RFC3526 modp group14 as default.
21 * Handle [kdc] database = { } entries without realm = stanzas.
23 * Make krb5_get_renewed_creds work.
25 * Make kaserver preauth work again.
29 Changes in release 1.0
31 * Add gss_pseudo_random() for mechglue and krb5.
33 * Make session key for the krbtgt be selected by the best encryption
36 * Better interoperability with other PK-INIT implementations.
38 * Inital support for Mac OS X Keychain for hx509.
40 * Alias support for inital ticket requests.
42 * Add symbol versioning to selected libraries on platforms that uses
43 GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
45 * New version of imath included in hcrypto.
51 Changes in release 0.8.1
53 * Make ASN.1 library less paranoid to with regard to NUL in string to
54 make it inter-operate with MIT Kerberos again.
56 * Make GSS-API library work again when using gss_acquire_cred
58 * Add symbol versioning to libgssapi when using GNU ld.
64 Changes in release 0.8
68 * HDB extensions support, used by PK-INIT.
72 * GSS-API mechglue from FreeBSD.
74 * Updated SPNEGO to support RFC4178.
76 * Support for Cryptosystem Negotiation Extension (RFC 4537).
78 * A new X.509 library (hx509) and related crypto functions.
80 * A new ntlm library (heimntlm) and related crypto functions.
82 * Updated the built-in crypto library with bignum support using
83 imath, support for RSA and DH and renamed it to libhcrypto.
85 * Subsystem in the KDC, digest, that will perform the digest
86 operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
87 DIGEST-MD5 NTLMv1 and NTLMv2.
89 * KDC will return the "response too big" error to force TCP retries
90 for large (default 1400 bytes) UDP replies. This is common for
93 * Libkafs defaults to use 2b tokens.
95 * Default to use the API cache on Mac OS X.
97 * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
98 see manpage for krb5_kuserok for description.
100 * Many, many, other updates to code and info manual and manual pages.
104 Changes in release 0.7.2
106 * Fix security problem in rshd that enable an attacker to overwrite
107 and change ownership of any file that root could write.
109 * Fix a DOS in telnetd. The attacker could force the server to crash
110 in a NULL de-reference before the user logged in, resulting in inetd
111 turning telnetd off because it forked too fast.
113 * Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
114 exists in the keytab before returning success. This allows servers
115 to check if its even possible to use GSSAPI.
117 * Fix receiving end of token delegation for GSS-API. It still wrongly
118 uses subkey for sending for compatibility reasons, this will change
121 * telnetd, login and rshd are now more verbose in logging failed and
126 Changes in release 0.7.1
130 Changes in release 0.7
132 * Support for KCM, a process based credential cache
134 * Support CCAPI credential cache
138 * AES (and the gssapi conterpart, CFX) support
140 * Adding new and improve old documentation
144 Changes in release 0.6.6
146 * Fix security problem in rshd that enable an attacker to overwrite
147 and change ownership of any file that root could write.
149 * Fix a DOS in telnetd. The attacker could force the server to crash
150 in a NULL de-reference before the user logged in, resulting in inetd
151 turning telnetd off because it forked too fast.
153 Changes in release 0.6.5
155 * fix vulnerabilities in telnetd
157 * unbreak Kerberos 4 and kaserver
159 Changes in release 0.6.4
161 * fix vulnerabilities in telnet
163 * rshd: encryption without a separate error socket should now work
165 * telnet now uses appdefaults for the encrypt and forward/forwardable
170 Changes in release 0.6.3
172 * fix vulnerabilities in ftpd
174 * support for linux AFS /proc "syscalls"
176 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
179 * fix possible KDC denial of service
183 Changes in release 0.6.2
185 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
187 Changes in release 0.6.1
189 * Fixed ARCFOUR suppport
191 * Cross realm vulnerability
193 * kdc: fix denial of service attack
195 * kdc: stop clients from renewing tickets into the future
199 Changes in release 0.6
201 * The DES3 GSS-API mechanism has been changed to inter-operate with
202 other GSSAPI implementations. See man page for gssapi(3) how to turn
203 on generation of correct MIC messages. Next major release of heimdal
204 will generate correct MIC by default.
206 * More complete GSS-API support
208 * Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
209 support in applications no longer requires Kerberos 4 libs
211 * Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
215 Changes in release 0.5.2
217 * kdc: add option for disabling v4 cross-realm (defaults to off)
221 Changes in release 0.5.1
223 * kadmind: fix remote exploit
225 * kadmind: add option to disable kerberos 4
227 * kdc: make sure kaserver token life is positive
229 * telnet: use the session key if there is no subkey
231 * fix EPSV parsing in ftp
235 Changes in release 0.5
237 * add --detach option to kdc
239 * allow setting forward and forwardable option in telnet from
240 .telnetrc, with override from command line
242 * accept addresses with or without ports in krb5_rd_cred
244 * make it work with modern openssl
246 * use our own string2key function even with openssl (that handles weak
249 * more system-specific requirements in login
251 * do not use getlogin() to determine root in su
253 * telnet: abort if telnetd does not support encryption
255 * update autoconf to 2.53
257 * update config.guess, config.sub
261 Changes in release 0.4e
263 * improve libcrypto and database autoconf tests
265 * do not care about salting of server principals when serving v4 requests
267 * some improvements to gssapi library
269 * test for existing compile_et/libcom_err
275 Changes in release 0.4d
277 * fix some problems when using libcrypto from openssl
279 * handle /dev/ptmx `unix98' ptys on Linux
281 * add some forgotten man pages
283 * rsh: clean-up and add man page
285 * fix -A and -a in builtin-ls in tpd
287 * fix building problem on Irix
289 * make `ktutil get' more efficient
293 Changes in release 0.4c
295 * fix buffer overrun in telnetd
297 * repair some of the v4 fallback code in kinit
299 * add more shared library dependencies
301 * simplify and fix hprop handling of v4 databases
303 * fix some building problems (osf's sia and osfc2 login)
307 Changes in release 0.4b
309 * update the shared library version numbers correctly
311 Changes in release 0.4a
313 * corrected key used for checksum in mk_safe, unfortunately this
314 makes it backwards incompatible
316 * update to autoconf 2.50, libtool 1.4
318 * re-write dns/config lookups (krb5_krbhst API)
320 * make order of using subkeys consistent
326 * remove rfc2052 support, now only rfc2782 is supported
328 * always build with kaserver protocol support in the KDC (assuming
329 KRB4 is enabled) and support for reading kaserver databases in
332 Changes in release 0.3f
334 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
335 the new keytab type that tries both of these in order (SRVTAB is
336 also an alias for krb4:)
338 * improve error reporting and error handling (error messages should
339 be more detailed and more useful)
341 * improve building with openssl
343 * add kadmin -K, rcp -F
345 * fix two incorrect weak DES keys
347 * fix building of kaserver compat in KDC
349 * the API is closer to what MIT krb5 is using
351 * more compatible with windows 2000
353 * removed some memory leaks
357 Changes in release 0.3e
359 * rcp program included
361 * fix buffer overrun in ftpd
363 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
364 cannot generate zero sequence numbers
366 * handle v4 /.k files better
368 * configure/portability fixes
370 * fixes in parsing of options to kadmin (sub-)commands
372 * handle errors in kadmin load better
376 Changes in release 0.3d
380 * fix a bug in 3des gss-api mechanism, making it compatible with the
381 specification and the MIT implementation
383 * make telnetd only allow a specific list of environment variables to
384 stop it from setting `sensitive' variables
386 * try to use an existing libdes
388 * lib/krb5, kdc: use correct usage type for ap-req messages. This
389 should improve compatability with MIT krb5 when using 3DES
392 * kdc: fix memory allocation problem
394 * update config.guess and config.sub
396 * lib/roken: more stuff implemented
398 * bug fixes and portability enhancements
400 Changes in release 0.3c
402 * lib/krb5: memory caches now support the resolve operation
404 * appl/login: set PATH to some sane default
406 * kadmind: handle several realms
408 * bug fixes (including memory leaks)
410 Changes in release 0.3b
412 * kdc: prefer default-salted keys on v5 requests
414 * kdc: lowercase hostnames in v4 mode
416 * hprop: handle more types of MIT salts
418 * lib/krb5: fix memory leak
422 Changes in release 0.3a:
424 * implement arcfour-hmac-md5 to interoperate with W2K
426 * modularise the handling of the master key, and allow for other
427 encryption types. This makes it easier to import a database from
428 some other source without having to re-encrypt all keys.
430 * allow for better control over which encryption types are created
432 * make kinit fallback to v4 if given a v4 KDC
434 * make klist work better with v4 and v5, and add some more MIT
435 compatibility options
437 * make the kdc listen on the krb524 (4444) port for compatibility
438 with MIT krb5 clients
440 * implement more DCE/DFS support, enabled with --enable-dce, see
441 lib/kdfs and appl/dceutils
443 * make the sequence numbers work correctly
447 Changes in release 0.2t:
451 Changes in release 0.2s:
453 * add OpenLDAP support in hdb
455 * login will get v4 tickets when it receives forwarded tickets
457 * xnlock supports both v5 and v4
459 * repair source routing for telnet
461 * fix building problems with krb4 (krb_mk_req)
465 Changes in release 0.2r:
467 * fix realloc memory corruption bug in kdc
469 * `add --key' and `cpw --key' in kadmin
471 * klist supports listing v4 tickets
473 * update config.guess and config.sub
475 * make v4 -> v5 principal name conversion more robust
477 * support for anonymous tickets
481 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
483 * use and set expiration and not password expiration when dumping
484 to/from ka server databases / krb4 databases
486 * make the code happier with 64-bit time_t
488 * follow RFC2782 and by default do not look for non-underscore SRV names
490 Changes in release 0.2q:
492 * bug fix in tcp-handling in kdc
494 * bug fix in expand_hostname
496 Changes in release 0.2p:
498 * bug fix in `kadmin load/merge'
500 * bug fix in krb5_parse_address
502 Changes in release 0.2o:
504 * gss_{import,export}_sec_context added to libgssapi
506 * new option --addresses to kdc (for listening on an explicit set of
509 * bug fixes in the krb4 and kaserver emulation part of the kdc
513 Changes in release 0.2n:
515 * more robust parsing of dump files in kadmin
516 * changed default timestamp format for log messages to extended ISO
517 8601 format (Y-M-DTH:M:S)
518 * changed md4/md5/sha1 APIes to be de-facto `standard'
519 * always make hostname into lower-case before creating principal
520 * small bits of more MIT-compatability
523 Changes in release 0.2m:
525 * handle glibc's getaddrinfo() that returns several ai_canonname
531 Changes in release 0.2l:
535 Changes in release 0.2k:
539 * make struct sockaddr_storage in roken work better on alphas
541 * some missing [hn]to[hn]s fixed.
543 * allow users to change their own passwords with kadmin (with initial
546 * fix stupid bug in parsing KDC specification
548 * add `ktutil change' and `ktutil purge'
550 Changes in release 0.2j:
554 * ftpd works in passive mode
556 * should build on cygwin
558 * work around broken IPv6-code on OpenBSD 2.6, also add configure
559 option --disable-ipv6
561 Changes in release 0.2i:
563 * use getaddrinfo in the missing places.
565 * fix SRV lookup for admin server
567 * use get{addr,name}info everywhere. and implement it in terms of
568 getipnodeby{name,addr} (which uses gethostbyname{,2} and
571 Changes in release 0.2h:
573 * fix typo in kx (now compiles)
575 Changes in release 0.2g:
579 * repair appl/test programs
580 * sockaddr_storage works on solaris (alignment issues)
581 * works better with non-roken getaddrinfo
583 * some non standard C constructs removed
585 Changes in release 0.2f:
587 * support SRV records for kpasswd
588 * look for both _kerberos and krb5-realm when doing host -> realm mapping
590 Changes in release 0.2e:
592 * changed copyright notices to remove `advertising'-clause.
593 * get{addr,name}info added to roken and used in the other code
594 (this makes things work much better with hosts with both v4 and v6
595 addresses, among other things)
596 * do pre-auth for both password and key-based get_in_tkt
597 * support for having several databases
598 * new command `del_enctype' in kadmin
599 * strptime (and new strftime) add to roken
600 * more paranoia about finding libdb
603 Changes in release 0.2d:
605 * new configuration option [libdefaults]default_etypes_des
606 * internal ls in ftpd builds without KRB4
607 * kx/rsh/push/pop_debug tries v5 and v4 consistenly
611 Changes in release 0.2c:
613 * bug fixes (see ChangeLog's for details)
615 Changes in release 0.2b:
618 * actually bump shared library versions
620 Changes in release 0.2a:
622 * a new program verify_krb5_conf for checking your /etc/krb5.conf
623 * add 3DES keys when changing password
624 * support null keys in database
625 * support multiple local realms
626 * implement a keytab backend for AFS KeyFile's
627 * implement a keytab backend for v4 srvtabs
628 * implement `ktutil copy'
629 * support password quality control in v4 kadmind
630 * improvements in v4 compat kadmind
631 * handle the case of having the correct cred in the ccache but with
632 the wrong encryption type better
633 * v6-ify the remaining programs.
634 * internal ls in ftpd
635 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
636 * add `ank --random-password' and `cpw --random-password' in kadmin
637 * some programs and documentation for trying to talk to a W2K KDC
640 Changes in release 0.1m:
642 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
643 From Miroslav Ruda <ruda@ics.muni.cz>
644 * v6-ify hprop and hpropd
645 * support numeric addresses in krb5_mk_req
646 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
647 * make rsh/rshd IPv6-aware
648 * make the gssapi sample applications better at reporting errors
650 * handle systems with v6-aware libc and non-v6 kernels (like Linux
651 with glibc 2.1) better
652 * hide failure of ERPT in ftp
655 Changes in release 0.1l:
657 * make ftp and ftpd IPv6-aware
658 * add inet_pton to roken
659 * more IPv6-awareness
660 * make mini_inetd v6 aware
662 Changes in release 0.1k:
664 * bump shared libraries versions
665 * add roken version of inet_ntop
666 * merge more changes to rshd
668 Changes in release 0.1j:
670 * restore back to the `old' 3DES code. This was supposed to be done
671 in 0.1h and 0.1i but I did a CVS screw-up.
672 * make telnetd handle v6 connections
674 Changes in release 0.1i:
676 * start using `struct sockaddr_storage' which simplifies the code
677 (with a fallback definition if it's not defined)
678 * bug fixes (including in hprop and kf)
679 * don't use mawk which seems to mishandle roken.awk
680 * get_addrs should be able to handle v6 addresses on Linux (with the
681 required patch to the Linux kernel -- ask within)
682 * rshd builds with shadow passwords
684 Changes in release 0.1h:
686 * kf: new program for forwarding credentials
688 * make forwarding credentials work with MIT code
689 * better conversion of ka database
690 * add etc/services.append
691 * correct `modified by' from kpasswdd
694 Changes in release 0.1g:
696 * kgetcred: new program for explicitly obtaining tickets
701 Changes in release 0.1f;
703 * experimental support for v4 kadmin protokoll in kadmind
706 Changes in release 0.1e:
708 * try to handle old DCE and MIT kdcs
709 * support for older versions of credential cache files and keytabs
710 * postdated tickets work
711 * support for password quality checks in kpasswdd
712 * new flag --enable-kaserver for kdc
714 * prototype su program
715 * updated (some) manpages
716 * support for KDC resource records
717 * should build with --without-krb4
720 Changes in release 0.1d:
722 * Support building with DB2 (uses 1.85-compat API)
723 * Support krb5-realm.DOMAIN in DNS
724 * new `ktutil srvcreate'
725 * v4/kafs support in klist/kdestroy
728 Changes in release 0.1c:
730 * fix ASN.1 encoding of signed integers
731 * somewhat working `ktutil get'
732 * some documentation updates
733 * update to Autoconf 2.13 and Automake 1.4
734 * the usual bug fixes
736 Changes in release 0.1b:
738 * some old -> new crypto conversion utils
741 Changes in release 0.1a:
745 * make sure we ask for DES keys in gssapi
746 * support signed ints in ASN1
749 Changes in release 0.0u:
753 Changes in release 0.0t:
755 * more robust parsing of krb5.conf
756 * include net{read,write} in lib/roken
759 Changes in release 0.0s:
761 * kludges for parsing options to rsh
762 * more robust parsing of krb5.conf
763 * removed some arbitrary limits
766 Changes in release 0.0r:
768 * default options for some programs
771 Changes in release 0.0q:
773 * support for building shared libraries with libtool
776 Changes in release 0.0p:
778 * keytab moved to /etc/krb5.keytab
779 * avoid false detection of IPv6 on Linux
780 * Lots of more functionality in the gssapi-library
781 * hprop can now read ka-server databases
784 Changes in release 0.0o:
786 * FTP with GSSAPI support.
789 Changes in release 0.0n:
791 * Incremental database propagation.
792 * Somewhat improved kadmin ui; the stuff in admin is now removed.
793 * Some support for using enctypes instead of keytypes.
794 * Lots of other improvement and bug fixes, see ChangeLog for details.