xref: /freebsd-src/crypto/heimdal/NEWS (revision bbd80c285ead4d04e4b8b9e950164352819694ba)
Changes in release 0.6

* The DES3 GSS-API mechanism has been changed to inter-operate with
  other GSSAPI implementations. See man page for gssapi(3) how to turn
  on generation of correct MIC messages. Next major release of heimdal
  will generate correct MIC by default.

* More complete GSS-API support

* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
  support in applications no longer requires Kerberos 4 libs

* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)

* other bug fixes

Changes in release 0.5.2

 * kdc: add option for disabling v4 cross-realm (defaults to off)

 * bug fixes

Changes in release 0.5.1

 * kadmind: fix remote exploit

 * kadmind: add option to disable kerberos 4

 * kdc: make sure kaserver token life is positive

 * telnet: use the session key if there is no subkey

 * fix EPSV parsing in ftp

 * other bug fixes

Changes in release 0.5

 * add --detach option to kdc

 * allow setting forward and forwardable option in telnet from
   .telnetrc, with override from command line

 * accept addresses with or without ports in krb5_rd_cred

 * make it work with modern openssl

 * use our own string2key function even with openssl (that handles weak
   keys incorrectly)

 * more system-specific requirements in login

 * do not use getlogin() to determine root in su

 * telnet: abort if telnetd does not support encryption

 * update autoconf to 2.53

 * update config.guess, config.sub

 * other bug fixes

Changes in release 0.4e

 * improve libcrypto and database autoconf tests

 * do not care about salting of server principals when serving v4 requests

 * some improvements to gssapi library

 * test for existing compile_et/libcom_err

 * portability fixes

 * bug fixes

Changes in release 0.4d

 * fix some problems when using libcrypto from openssl

 * handle /dev/ptmx `unix98' ptys on Linux

 * add some forgotten man pages

 * rsh: clean-up and add man page

 * fix -A and -a in builtin-ls in ftpd

 * fix building problem on Irix

 * make `ktutil get' more efficient

 * bug fixes

Changes in release 0.4c

 * fix buffer overrun in telnetd

 * repair some of the v4 fallback code in kinit

 * add more shared library dependencies

 * simplify and fix hprop handling of v4 databases

 * fix some building problems (osf's sia and osfc2 login)

 * bug fixes

Changes in release 0.4b

 * update the shared library version numbers correctly

Changes in release 0.4a

 * corrected key used for checksum in mk_safe, unfortunately this
   makes it backwards incompatible

 * update to autoconf 2.50, libtool 1.4

 * re-write dns/config lookups (krb5_krbhst API)

 * make order of using subkeys consistent

 * add man page links

 * add more man pages

 * remove rfc2052 support, now only rfc2782 is supported

 * always build with kaserver protocol support in the KDC (assuming
   KRB4 is enabled) and support for reading kaserver databases in
   hprop

Changes in release 0.3f

 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
   the new keytab type that tries both of these in order (SRVTAB is
   also an alias for krb4:)

 * improve error reporting and error handling (error messages should
   be more detailed and more useful)

 * improve building with openssl

 * add kadmin -K, rcp -F

 * fix two incorrect weak DES keys

 * fix building of kaserver compat in KDC

 * the API is closer to what MIT krb5 is using

 * more compatible with windows 2000

 * removed some memory leaks

 * bug fixes

Changes in release 0.3e

 * rcp program included

 * fix buffer overrun in ftpd

 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
   cannot generate zero sequence numbers

 * handle v4 /.k files better

 * configure/portability fixes

 * fixes in parsing of options to kadmin (sub-)commands

 * handle errors in kadmin load better

 * bug fixes

Changes in release 0.3d

 * add krb5-config

 * fix a bug in 3des gss-api mechanism, making it compatible with the
   specification and the MIT implementation

 * make telnetd only allow a specific list of environment variables to
   stop it from setting `sensitive' variables

 * try to use an existing libdes

 * lib/krb5, kdc: use correct usage type for ap-req messages.  This
   should improve compatibility with MIT krb5 when using 3DES
   encryption types

 * kdc: fix memory allocation problem

 * update config.guess and config.sub

 * lib/roken: more stuff implemented

 * bug fixes and portability enhancements

Changes in release 0.3c

 * lib/krb5: memory caches now support the resolve operation

 * appl/login: set PATH to some sane default

 * kadmind: handle several realms

 * bug fixes (including memory leaks)

Changes in release 0.3b

 * kdc: prefer default-salted keys on v5 requests

 * kdc: lowercase hostnames in v4 mode

 * hprop: handle more types of MIT salts

 * lib/krb5: fix memory leak

 * bug fixes

Changes in release 0.3a:

 * implement arcfour-hmac-md5 to interoperate with W2K

 * modularise the handling of the master key, and allow for other
   encryption types. This makes it easier to import a database from
   some other source without having to re-encrypt all keys.

 * allow for better control over which encryption types are created

 * make kinit fallback to v4 if given a v4 KDC

 * make klist work better with v4 and v5, and add some more MIT
   compatibility options

 * make the kdc listen on the krb524 (4444) port for compatibility
   with MIT krb5 clients

 * implement more DCE/DFS support, enabled with --enable-dce, see
   lib/kdfs and appl/dceutils

 * make the sequence numbers work correctly

 * bug fixes

Changes in release 0.2t:

 * bug fixes

Changes in release 0.2s:

 * add OpenLDAP support in hdb

 * login will get v4 tickets when it receives forwarded tickets

 * xnlock supports both v5 and v4

 * repair source routing for telnet

 * fix building problems with krb4 (krb_mk_req)

 * bug fixes

Changes in release 0.2r:

 * fix realloc memory corruption bug in kdc

 * `add --key' and `cpw --key' in kadmin

 * klist supports listing v4 tickets

 * update config.guess and config.sub

 * make v4 -> v5 principal name conversion more robust

 * support for anonymous tickets

 * new man-pages

 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

 * use and set expiration and not password expiration when dumping
   to/from ka server databases / krb4 databases

 * make the code happier with 64-bit time_t

 * follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

 * bug fix in tcp-handling in kdc

 * bug fix in expand_hostname

Changes in release 0.2p:

 * bug fix in `kadmin load/merge'

 * bug fix in krb5_parse_address

Changes in release 0.2o:

 * gss_{import,export}_sec_context added to libgssapi

 * new option --addresses to kdc (for listening on an explicit set of
   addresses)

 * bug fixes in the krb4 and kaserver emulation part of the kdc

 * other bug fixes

Changes in release 0.2n:

 * more robust parsing of dump files in kadmin
 * changed default timestamp format for log messages to extended ISO
   8601 format (Y-M-DTH:M:S)
 * changed md4/md5/sha1 APIs to be de-facto `standard'
 * always make hostname into lower-case before creating principal
 * small bits of more MIT-compatibility
 * bug fixes

Changes in release 0.2m:

 * handle glibc's getaddrinfo() that returns several ai_canonname

 * new endian test

 * man pages fixes

Changes in release 0.2l:

 * bug fixes

Changes in release 0.2k:

 * better IPv6 test

 * make struct sockaddr_storage in roken work better on alphas

 * some missing [hn]to[hn]s fixed.

 * allow users to change their own passwords with kadmin (with initial
   tickets)

 * fix stupid bug in parsing KDC specification

 * add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

 * builds on Irix

 * ftpd works in passive mode

 * should build on cygwin

 * work around broken IPv6-code on OpenBSD 2.6, also add configure
   option --disable-ipv6

Changes in release 0.2i:

 * use getaddrinfo in the missing places.

 * fix SRV lookup for admin server

 * use get{addr,name}info everywhere.  and implement it in terms of
   getipnodeby{name,addr} (which uses gethostbyname{,2} and
   gethostbyaddr)

Changes in release 0.2h:

 * fix typo in kx (now compiles)

Changes in release 0.2g:

 * lots of bug fixes:
   * push works
   * repair appl/test programs
   * sockaddr_storage works on solaris (alignment issues)
   * works better with non-roken getaddrinfo
   * rsh works
   * some non standard C constructs removed

Changes in release 0.2f:

 * support SRV records for kpasswd
 * look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

 * changed copyright notices to remove `advertising'-clause.
 * get{addr,name}info added to roken and used in the other code
   (this makes things work much better with hosts with both v4 and v6
    addresses, among other things)
 * do pre-auth for both password and key-based get_in_tkt
 * support for having several databases
 * new command `del_enctype' in kadmin
 * strptime (and new strftime) added to roken
 * more paranoia about finding libdb
 * bug fixes

Changes in release 0.2d:

 * new configuration option [libdefaults]default_etypes_des
 * internal ls in ftpd builds without KRB4
 * kx/rsh/push/pop_debug tries v5 and v4 consistently
 * build bug fixes
 * other bug fixes

Changes in release 0.2c:

 * bug fixes (see ChangeLog's for details)

Changes in release 0.2b:

 * bug fixes
 * actually bump shared library versions

Changes in release 0.2a:

 * a new program verify_krb5_conf for checking your /etc/krb5.conf
 * add 3DES keys when changing password
 * support null keys in database
 * support multiple local realms
 * implement a keytab backend for AFS KeyFile's
 * implement a keytab backend for v4 srvtabs
 * implement `ktutil copy'
 * support password quality control in v4 kadmind
 * improvements in v4 compat kadmind
 * handle the case of having the correct cred in the ccache but with
   the wrong encryption type better
 * v6-ify the remaining programs.
 * internal ls in ftpd
 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
 * add `ank --random-password' and `cpw --random-password' in kadmin
 * some programs and documentation for trying to talk to a W2K KDC
 * bug fixes

Changes in release 0.1m:

 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
   From Miroslav Ruda <ruda@ics.muni.cz>
 * v6-ify hprop and hpropd
 * support numeric addresses in krb5_mk_req
 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
 * make rsh/rshd IPv6-aware
 * make the gssapi sample applications better at reporting errors
 * lots of bug fixes
 * handle systems with v6-aware libc and non-v6 kernels (like Linux
   with glibc 2.1) better
 * hide failure of EPRT in ftp
 * lots of bug fixes

Changes in release 0.1l:

 * make ftp and ftpd IPv6-aware
 * add inet_pton to roken
 * more IPv6-awareness
 * make mini_inetd v6 aware

Changes in release 0.1k:

 * bump shared libraries versions
 * add roken version of inet_ntop
 * merge more changes to rshd

Changes in release 0.1j:

 * restore back to the `old' 3DES code.  This was supposed to be done
   in 0.1h and 0.1i but I did a CVS screw-up.
 * make telnetd handle v6 connections

Changes in release 0.1i:

 * start using `struct sockaddr_storage' which simplifies the code
   (with a fallback definition if it's not defined)
 * bug fixes (including in hprop and kf)
 * don't use mawk which seems to mishandle roken.awk
 * get_addrs should be able to handle v6 addresses on Linux (with the
   required patch to the Linux kernel -- ask within)
 * rshd builds with shadow passwords

Changes in release 0.1h:

 * kf: new program for forwarding credentials
 * portability fixes
 * make forwarding credentials work with MIT code
 * better conversion of ka database
 * add etc/services.append
 * correct `modified by' from kpasswdd
 * lots of bug fixes

Changes in release 0.1g:

 * kgetcred: new program for explicitly obtaining tickets
 * configure fixes
 * krb5-aware kx
 * bug fixes

Changes in release 0.1f:

 * experimental support for v4 kadmin protocol in kadmind
 * bug fixes

Changes in release 0.1e:

 * try to handle old DCE and MIT kdcs
 * support for older versions of credential cache files and keytabs
 * postdated tickets work
 * support for password quality checks in kpasswdd
 * new flag --enable-kaserver for kdc
 * renew fixes
 * prototype su program
 * updated (some) manpages
 * support for KDC resource records
 * should build with --without-krb4
 * bug fixes

Changes in release 0.1d:

 * Support building with DB2 (uses 1.85-compat API)
 * Support krb5-realm.DOMAIN in DNS
 * new `ktutil srvcreate'
 * v4/kafs support in klist/kdestroy
 * bug fixes

Changes in release 0.1c:

 * fix ASN.1 encoding of signed integers
 * somewhat working `ktutil get'
 * some documentation updates
 * update to Autoconf 2.13 and Automake 1.4
 * the usual bug fixes

Changes in release 0.1b:

 * some old -> new crypto conversion utils
 * bug fixes

Changes in release 0.1a:

 * new crypto code
 * more bug fixes
 * make sure we ask for DES keys in gssapi
 * support signed ints in ASN1
 * IPv6-bug fixes

Changes in release 0.0u:

 * lots of bug fixes

Changes in release 0.0t:

 * more robust parsing of krb5.conf
 * include net{read,write} in lib/roken
 * bug fixes

Changes in release 0.0s:

 * kludges for parsing options to rsh
 * more robust parsing of krb5.conf
 * removed some arbitrary limits
 * bug fixes

Changes in release 0.0r:

 * default options for some programs
 * bug fixes

Changes in release 0.0q:

 * support for building shared libraries with libtool
 * bug fixes

Changes in release 0.0p:

 * keytab moved to /etc/krb5.keytab
 * avoid false detection of IPv6 on Linux
 * Lots of more functionality in the gssapi-library
 * hprop can now read ka-server databases
 * bug fixes

Changes in release 0.0o:

 * FTP with GSSAPI support.
 * Bug fixes.

Changes in release 0.0n:

 * Incremental database propagation.
 * Somewhat improved kadmin ui; the stuff in admin is now removed.
 * Some support for using enctypes instead of keytypes.
 * Lots of other improvement and bug fixes, see ChangeLog for details.