Release Notes - Heimdal - Version Heimdal 7.1

 Security

 - kx509 realm-chopping security bug
 - non-authorization of alias additions/removals in kadmind
   (CVE-2016-2400)

 Feature

 - iprop has been revamped to fix a number of race conditions that could
   lead to inconsistent replication
 - Hierarchical capath support
 - AES Encryption with HMAC-SHA2 for Kerberos 5
   draft-ietf-kitten-aes-cts-hmac-sha2-11
 - hcrypto is now thread safe on all platforms
 - libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for
   Solaris), and OpenSSL.  OpenSSL is now a first-class libhcrypto backend.
   OpenSSL 1.0.x and 1.1 are both supported.  AES-NI is used when the
   backend supports it
 - HDB now supports LMDB
 - Thread support on Windows
 - RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST)
 - New GSS APIs:
   . gss_localname
 - Allow setting what encryption types a principal should have with
   [kadmin] default_key_rules, see the krb5.conf manpage for more info
 - Unify libhcrypto with LTC (libtomcrypt)
 - asn1_compile 64-bit INTEGER functionality
 - HDB key history support, including the --keepold kadmin password option
 - Improved cross-realm key rollover safety
 - New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces
 - Improved MIT compatibility
   . kadm5 API
   . Migration from MIT KDB via "mitdb" HDB backend
   . Capable of writing the HDB in MIT dump format
 - Improved Active Directory interoperability
   . Enctype selection issues for PAC and other authz-data signatures
   . Cross realm key rollover (kvno 0)
 - New [kdc] enctype negotiation configuration:
   . tgt-use-strongest-session-key
   . svc-use-strongest-session-key
   . preauth-use-strongest-session-key
   . use-strongest-server-key
 - The KDC process now uses a multi-process model improving
   resiliency and performance
 - Allow batch-mode kinit with password file
 - SIGINFO support added to kinit cmd
 - New kx509 configuration options:
   . kx509_ca
   . kca_service
   . kx509_include_pkinit_san
   . kx509_template
 - Improved Heimdal library/plugin version safety
 - Name canonicalization
   . DNS resolver searchlist
   . Improved referral support
   . Support host:port host-based services
 - Pluggable libheimbase interface for DBs
 - Improved IPv6 support
 - LDAP
   . Bind DN and password
   . Start TLS
 - klist --json
 - DIR credential cache type
 - Updated upstream SQLite and libedit
 - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
   telnet, xnlock
 - Completely remove RAND_egd support
 - Moved kadmin and ktutil to /usr/bin
 - Stricter fcache checks (see the fcache_strict_checking krb5.conf setting)
   . use O_NOFOLLOW
   . don't follow symlinks
   . require cache files to be owned by the user
   . require sensible permissions (not group/other readable)
 - Implemented gss_store_cred()
 - Many more

 Bug fixes

 - iprop has been revamped to fix a number of race conditions that could
   lead to data loss
 - Include non-loopback addresses assigned to loopback interfaces
   when requesting tickets with addresses
 - KDC 1DES session key selection (for AFS rxkad-k5 compatibility)
 - Keytab file descriptor and lock leak
 - Credential cache corruption bugs
   (NOTE: The FILE ccache is still not entirely safe due to the
   fundamentally unsafe design of POSIX file locking)
 - gss_pseudo_random() interop bug
 - Plugins are now preferentially loaded from the run-time install tree
 - Reauthentication after password change in init_creds_password
 - Memory leak in the client kadmin library
 - TGS client requests renewable/forwardable/proxiable when possible
 - Locking issues in DB1 and DB3 HDB backends
 - Master HDB could remain locked while waiting for network I/O
 - Renewal/refresh logic when kinit is provided with a command
 - KDC handling of enterprise principals
 - Use correct bit for anon-pkinit
 - Many more

 Acknowledgements

 This release of Heimdal includes contributions from:

 Abhinav Upadhyay        Heath Kehoe               Nico Williams
 Andreas Schneider       Henry Jacques             Patrik Lundin
 Andrew Bartlett         Howard Chu                Philip Boulain
 Andrew Tridgell         Igor Sobrado              Ragnar Sundblad
 Antoine Jacoutot        Ingo Schwarze             Remi Ferrand
 Arran Cudbard-Bell      Jakub Čajka               Rod Widdowson
 Arvid Requate           James Le Cuirot           Rok Papež
 Asanka Herath           James Lee                 Roland C. Dowdeswell
 Ben Kaduk               Jeffrey Altman            Ross L Richardson
 Benjamin Kaduk          Jeffrey Clark             Russ Allbery
 Bernard Spil            Jeffrey Hutzelman         Samuel Cabrero
 Brian May               Jelmer Vernooij           Samuel Thibault
 Chas Williams           Ken Dreyer                Santosh Kumar Pradhan
 Chaskiel Grundman       Kiran S J                 Sean Davis
 Dana Koch               Kumar Thangavelu          Sergio Gelato
 Daniel Schepler         Landon Fuller             Simon Wilkinson
 David Mulder            Linus Nordberg            Stef Walter
 Douglas Bagnall         Love Hörnquist Åstrand    Stefan Metzmacher
 Ed Maste                Luke Howard               Steffen Jaeckel
 Eray Aslan              Magnus Ahltorp            Timothy Pearson
 Florian Best            Marc Balmer               Tollef Fog Heen
 Fredrik Pettai          Marcin Cieślak            Tony Acero
 Greg Hudson             Marco Molteni             Uri Simchoni
 Gustavo Zacarias        Matthieu Hautreux         Viktor Dukhovni
 Günther Deschner        Michael Meffie            Volker Lendecke
 Harald Barth            Moritz Lenz

Release Notes - Heimdal - Version Heimdal 1.5.3

 Bug fixes
 - Fix leaking file descriptors in KDC
 - Better socket/timeout handling in libkrb5
 - General bug fixes
 - Build fixes

Release Notes - Heimdal - Version Heimdal 1.5.2

 Security fixes
 - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
 - Check that key types strictly match - denial of service

Release Notes - Heimdal - Version Heimdal 1.5.1

 Bug fixes
 - Fix building on Solaris, requires c99
 - Fix building on Windows
 - Build system updates

Release Notes - Heimdal - Version Heimdal 1.5

New features

 - Support GSS name extensions/attributes
 - SHA512 support
 - No Kerberos 4 support
 - Basic support for MIT Admin protocol (SECGSS flavor)
   in kadmind (extract keytab)
 - Replace editline with libedit

Release Notes - Heimdal - Version Heimdal 1.4

 New features

 - Support for reading MIT database file directly
 - KCM is polished up and now used in production
 - NTLM first class citizen, credentials stored in
KCM
 - Table driven ASN.1 compiler, smaller!, not enabled by default
 - Native Windows client support

Notes

 - Disabled write support in the NDBM hdb backend (read support is still
   there) since it can't handle large records, please migrate to a
   different backend (like BDB4)

Release Notes - Heimdal - Version Heimdal 1.3.3

 Bug fixes
 - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
 - Check NULL pointers before dereferencing them [kdc]

Release Notes - Heimdal - Version Heimdal 1.3.2

 Bug fixes

 - Don't mix up lengths when clearing hmac (could memset too much)
 - More paranoid underrun checking when decrypting packets
 - Check the password change requests and refuse to answer empty packets
 - Build on OpenSolaris
 - Renumber AD-SIGNED-TICKET since it was stolen from us
 - Don't cache /dev/*random file descriptor, it doesn't get unloaded
 - Make C++ safe
 - Misc warnings

Release Notes - Heimdal - Version Heimdal 1.3.1

 Bug fixes

 - Store KDC offset in credentials
 - Many many more bug fixes

Release Notes - Heimdal - Version Heimdal 1.3.1

 New features

 - Make work with OpenLDAP's krb5 overlay

Release Notes - Heimdal - Version Heimdal 1.3

 New features

 - Partial support for MIT kadmind rpc protocol in kadmind
 - Better support for finding keytab entries when using SPN aliases in the KDC
 - Support BER in ASN.1 library (needed for CMS)
 - Support decryption in Keychain private keys
 - Support for new sqlite based credential cache
 - Try both KDC referrals and the common DNS reverse lookup in GSS-API
 - Fix the KCM to not leak resources on failure
 - Add IPv6 support to iprop
 - Support localization of error strings in
   kinit/klist/kdestroy and Kerberos library
 - Remove Kerberos 4 support in applications (still in KDC)
 - Deprecate DES
 - Support i18n passwords in windows domains (using UTF-8)
 - More complete API emulation of OpenSSL in hcrypto
 - Support for ECDSA and ECDH when linking with OpenSSL

 API changes

 - Support for setting friendly name on credential caches
 - Move to using doxygen to generate documentation.
 - Sprinkling __attribute__((__deprecated__)) on old functions to be removed
 - Support to export LAST-REQ information in AS-REQ
 - Support for client deferrals in AS-REQ
 - Add seek support for krb5_storage.
 - Support for split AS-REQ, first step for IA-KERB
 - Fix many memory leaks and bugs
 - Improved regression tests
 - Support krb5_cccol
 - Switch to krb5_set_error_message
 - Support krb5_crypto_*_iov
 - Switch to use EVP for most functions
 - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
 - Add support for GSS_C_DELEG_POLICY_FLAG
 - Add krb5_cc_[gs]et_config to store data in the credential caches
 - PTY testing application

Bugfixes
 - Make building on AIX6 possible.
 - Bugfixes in LDAP KDC code to make it more stable
 - Make ipropd-slave reconnect when the master goes down


Release Notes - Heimdal - Version Heimdal 1.2.1

* Bug

  [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
  [HEIMDAL-151] - Make canned tests work again after cert expired
  [HEIMDAL-152] - iprop test: use full hostname to avoid realm
                  resolving errors
  [HEIMDAL-153] - ftp: Use the correct length for unmap, msync

Release Notes - Heimdal - Version Heimdal 1.2

* Bug

  [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
                 gss_display_name/gss_export_name when using SPNEGO
  [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
  [HEIMDAL-17] - Remove support for deprecated [libdefaults]capath
  [HEIMDAL-52] - hdb overwrite aliases for db databases
  [HEIMDAL-54] - Two issues which affect credentials delegation
  [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
  [HEIMDAL-62] - Fix printing of sig_atomic_t
  [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
  [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
  [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)

* Improvement
  [HEIMDAL-67] - Fix locking and store credentials with atomic writes
                 in the FILE credential cache
  [HEIMDAL-106] - make compile on cygwin again
  [HEIMDAL-107] - Replace old random key generation in des module
                  and use the RAND_ functions instead
  [HEIMDAL-115] - Better documentation and compatibility in hcrypto
                  in regards to OpenSSL

* New Feature
  [HEIMDAL-3] - pkinit alg agility PRF test vectors
  [HEIMDAL-14] - Add libwind to Heimdal
  [HEIMDAL-16] - Use libwind in hx509
  [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
                 the negotiation
  [HEIMDAL-74] - Add support to report extended error message back
                 in AS-REQ to support windows clients
  [HEIMDAL-116] - test pty based application (using rkpty)
  [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)

* Task
  [HEIMDAL-63] - Don't try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
                 This drops compatibility with pre 0.3d KDCs.
  [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
  [HEIMDAL-65] - Failed to compile with --disable-pk-init
  [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
                 wraparound checks doesn't apply to Heimdal

Changes in release 1.1

 * Read-only PKCS11 provider built-in to hx509.

 * Documentation for hx509, hcrypto and ntlm libraries improved.

 * Better compatibility with Windows 2008 Server pre-releases and Vista.

 * Mac OS X 10.5 support for native credential cache.

 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).

 * Bug fixes.

Changes in release 1.0.2

* Ubuntu packages.

* Bug fixes.

Changes in release 1.0.1

 * Several bug fixes to iprop.

 * Make work on platforms without dlopen.

 * Add RFC3526 modp group14 as default.

 * Handle [kdc] database = { } entries without realm = stanzas.

 * Make krb5_get_renewed_creds work.

 * Make kaserver preauth work again.

 * Bug fixes.

Changes in release 1.0

 * Add gss_pseudo_random() for mechglue and krb5.

 * Make session key for the krbtgt be selected by the best encryption
   type of the client.

 * Better interoperability with other PK-INIT implementations.

 * Initial support for Mac OS X Keychain for hx509.

 * Alias support for initial ticket requests.

 * Add symbol versioning to selected libraries on platforms that use the
   GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.

 * New version of imath included in hcrypto.

 * Fix memory leaks.

 * Bug fixes.
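
Two entries above describe concrete FILE credential-cache hardening: the stricter fcache checks listed under the 7.1 features (O_NOFOLLOW, no symlinks, cache owned by the user, no group/other access, selected by fcache_strict_checking) and the atomic-write fix for the FILE ccache in 1.2 ([HEIMDAL-67]). The C below is an added example written for these notes, not Heimdal's own code; the function names ccache_open_strict, ccache_write_atomic and ccache_selftest, the temp-file naming and the result codes are this example's assumptions. It opens a cache with the same class of checks, replaces cache contents with a temp-file-plus-rename, and exercises both against constructed files (a 0600 cache, a 0644 cache, and a symlink pointing at the cache).

```c
/* Added example, not Heimdal code.  The names below are this example's
 * own; they mirror the 7.1 fcache checks and the HEIMDAL-67 atomic write. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes; each non-zero value names the check that rejected the cache. */
enum { CC_OK = 0, CC_ERR_OPEN, CC_ERR_NOT_REGULAR, CC_ERR_OWNER, CC_ERR_MODE };

/* Open an existing FILE ccache the strict way.  O_NOFOLLOW makes the kernel
 * refuse a symlink at the final path component (ELOOP); O_CLOEXEC keeps the
 * descriptor out of child processes.  Ownership and mode are checked with
 * fstat() on the open descriptor rather than stat() on the path, so the file
 * that was checked is the file that was opened (no check-then-open race). */
int ccache_open_strict(const char *path, int *fd_out)
{
    struct stat st;
    int rc, fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0)
        return CC_ERR_OPEN;                         /* ELOOP if it was a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        rc = CC_ERR_NOT_REGULAR;                    /* directory, FIFO, device ... */
    else if (st.st_uid != geteuid())
        rc = CC_ERR_OWNER;                          /* planted by another user */
    else if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        rc = CC_ERR_MODE;                           /* group/other could read tickets */
    else {
        *fd_out = fd;
        return CC_OK;
    }
    close(fd);
    return rc;
}

/* Replace the cache contents atomically: write a sibling temp file that
 * mkstemp() creates with mode 0600, fsync() it, then rename() it over the
 * target.  A concurrent reader sees either the old or the new cache, never a
 * truncated one.  Returns 0 on success, -1 on error. */
int ccache_write_atomic(const char *path, const void *data, size_t len)
{
    char tmp[4096];
    const char *p = data;
    int fd;

    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        return -1;
    if ((fd = mkstemp(tmp)) < 0)
        return -1;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n <= 0)
            goto fail;
        p += n;
        len -= (size_t)n;
    }
    if (fsync(fd) != 0)
        goto fail;
    if (close(fd) == 0 && rename(tmp, path) == 0)
        return 0;
    fd = -1;                        /* already closed; only the temp file is left */
fail:
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    return -1;
}

/* Exercise the checks on constructed files in a private temporary directory.
 * Returns 1 when every expectation holds, 0 otherwise. */
int ccache_selftest(void)
{
    char dir[] = "/tmp/ccache-example-XXXXXX";
    char cache[128], lnk[128], buf[64];
    static const char creds[] = "constructed ccache bytes";   /* stand-in for ticket data */
    int fd = -1, ok = 1;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(cache, sizeof cache, "%s/krb5cc", dir);
    snprintf(lnk, sizeof lnk, "%s/krb5cc_link", dir);

    /* a freshly written cache is a 0600 regular file owned by us: accepted and intact */
    ok &= ccache_write_atomic(cache, creds, sizeof creds - 1) == 0;
    ok &= ccache_open_strict(cache, &fd) == CC_OK;
    if (fd >= 0) {
        ok &= read(fd, buf, sizeof buf) == (ssize_t)(sizeof creds - 1) &&
              memcmp(buf, creds, sizeof creds - 1) == 0;
        close(fd);
    }
    /* group/other readable: the mode check rejects it */
    ok &= chmod(cache, 0644) == 0 && ccache_open_strict(cache, &fd) == CC_ERR_MODE;
    /* a symlink to the cache (the classic /tmp planting trick): refused by O_NOFOLLOW */
    ok &= symlink(cache, lnk) == 0 && ccache_open_strict(lnk, &fd) == CC_ERR_OPEN;

    unlink(lnk);
    unlink(cache);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("strict ccache checks: %s\n", ccache_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The rename step protects readers from a half-written cache, but it does not address the locking caveat noted under the 7.1 bug fixes: two writers still have to coordinate, and a POSIX fcntl() record lock is released as soon as the process closes any descriptor for that file, which is the design weakness the note refers to.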
Changes in release 0.8.1

 * Make ASN.1 library less paranoid with regard to NUL in strings to
   make it inter-operate with MIT Kerberos again.

 * Make GSS-API library work again when using gss_acquire_cred

 * Add symbol versioning to libgssapi when using GNU ld.

 * Fix memory leaks

 * Bug fixes

Changes in release 0.8

 * PK-INIT support.

 * HDB extensions support, used by PK-INIT.

 * New ASN.1 compiler.

 * GSS-API mechglue from FreeBSD.

 * Updated SPNEGO to support RFC4178.

 * Support for Cryptosystem Negotiation Extension (RFC 4537).

 * A new X.509 library (hx509) and related crypto functions.

 * A new ntlm library (heimntlm) and related crypto functions.

 * Updated the built-in crypto library with bignum support using
   imath, support for RSA and DH and renamed it to libhcrypto.

 * Subsystem in the KDC, digest, that will perform the digest
   operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
   DIGEST-MD5 NTLMv1 and NTLMv2.

 * KDC will return the "response too big" error to force TCP retries
   for large (default 1400 bytes) UDP replies. This is common for
   PK-INIT requests.

 * Libkafs defaults to use 2b tokens.

 * Default to use the API cache on Mac OS X.

 * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
   see manpage for krb5_kuserok for description.

 * Many, many, other updates to code and info manual and manual pages.

 * Bug fixes

Changes in release 0.7.2

* Fix security problem in rshd that enables an attacker to overwrite
  and change ownership of any file that root could write.

* Fix a DoS in telnetd. The attacker could force the server to crash
  in a NULL de-reference before the user logged in, resulting in inetd
  turning telnetd off because it forked too fast.

* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
  exists in the keytab before returning success. This allows servers
  to check if it's even possible to use GSSAPI.

* Fix receiving end of token delegation for GSS-API. It still wrongly
  uses subkey for sending for compatibility reasons, this will change
  in 0.8.

* telnetd, login and rshd are now more verbose in logging failed and
  successful logins.

* Bug fixes

Changes in release 0.7.1

* Bug fixes

Changes in release 0.7

 * Support for KCM, a process based credential cache

 * Support CCAPI credential cache

 * SPNEGO support

 * AES (and the gssapi counterpart, CFX) support

 * Add new and improve old documentation

 * Bug fixes

Changes in release 0.6.6

* Fix security problem in rshd that enables an attacker to overwrite
  and change ownership of any file that root could write.

* Fix a DoS in telnetd. The attacker could force the server to crash
  in a NULL de-reference before the user logged in, resulting in inetd
  turning telnetd off because it forked too fast.

Changes in release 0.6.5

 * fix vulnerabilities in telnetd

 * unbreak Kerberos 4 and kaserver

Changes in release 0.6.4

 * fix vulnerabilities in telnet

 * rshd: encryption without a separate error socket should now work

 * telnet now uses appdefaults for the encrypt and forward/forwardable
   settings

 * bug fixes

Changes in release 0.6.3

 * fix vulnerabilities in ftpd

 * support for linux AFS /proc "syscalls"

 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
   kpasswdd

 * fix possible KDC denial of service

 * bug fixes

Changes in release 0.6.2

 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)

Changes in release 0.6.1

 * Fixed ARCFOUR support

 * Cross realm vulnerability

 * kdc: fix denial of service attack

 * kdc: stop clients from renewing tickets into the future

 * bug fixes

Changes in release 0.6

* The DES3 GSS-API mechanism has been changed to inter-operate with
  other GSSAPI implementations. See the gssapi(3) man page for how to
  turn on generation of correct MIC messages. The next major release of
  heimdal will generate correct MICs by default.

* More complete GSS-API support

* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
  support in applications no longer require Kerberos 4 libs

* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)

* other bug fixes

Changes in release 0.5.2

 * kdc: add option for disabling v4 cross-realm (defaults to off)

 * bug fixes

Changes in release 0.5.1

 * kadmind: fix remote exploit

 * kadmind: add option to disable kerberos 4

 * kdc: make sure kaserver token life is positive

 * telnet: use the session key if there is no subkey

 * fix EPSV parsing in ftp

 * other bug fixes

Changes in release 0.5

 * add --detach option to kdc

 * allow setting forward and forwardable option in telnet from
   .telnetrc, with override from command line

 * accept addresses with or without ports in krb5_rd_cred

 * make it work with modern openssl

 * use our own string2key function even with openssl (which handles weak
   keys incorrectly)

 * more system-specific requirements in login

 * do not use getlogin() to determine root in su

 * telnet: abort if telnetd does not support encryption

 * update autoconf to 2.53

 * update config.guess, config.sub

 * other bug fixes

Changes in release 0.4e

 * improve libcrypto and database autoconf tests

 * do not care about salting of server principals when serving v4 requests

 * some improvements to gssapi library

 * test for existing compile_et/libcom_err

 * portability fixes

 * bug fixes

Changes in release 0.4d

 * fix some problems when using libcrypto from openssl

 * handle /dev/ptmx `unix98' ptys on Linux

 * add some forgotten man pages

 * rsh: clean-up and add man page

 * fix -A and -a in builtin-ls in ftpd

 * fix building problem on Irix

 * make `ktutil get' more efficient

 * bug fixes

Changes in release 0.4c

 * fix buffer overrun in telnetd

 * repair some of the v4 fallback code in kinit

 * add more shared library dependencies

 * simplify and fix hprop handling of v4 databases

 * fix some building problems (osf's sia and osfc2 login)

 * bug fixes

Changes in release 0.4b

 * update the shared library version numbers correctly

Changes in release 0.4a

 * corrected key used for checksum in mk_safe, unfortunately this
   makes it backwards incompatible

 * update to autoconf 2.50, libtool 1.4

 * re-write dns/config lookups (krb5_krbhst API)

 * make order of using subkeys consistent

 * add man page links

 * add more man pages

 * remove rfc2052 support, now only rfc2782 is supported

 * always build with kaserver protocol support in the KDC (assuming
   KRB4 is enabled) and support for reading kaserver databases in
   hprop

Changes in release 0.3f

 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
   the new keytab type that tries both of these in order (SRVTAB is
   also an alias for krb4:)

 * improve error reporting and error handling (error messages should
   be more detailed and more useful)

 * improve building with openssl

 * add kadmin -K, rcp -F

 * fix two incorrect weak DES keys

 * fix building of kaserver compat in KDC

 * the API is closer to what MIT krb5 is using

 * more compatible with windows 2000

 * removed some memory leaks

 * bug fixes

Changes in release 0.3e

 * rcp program included

 * fix buffer overrun in ftpd

 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
   cannot generate zero sequence numbers

 * handle v4 /.k files better

 * configure/portability fixes

 * fixes in parsing of options to
kadmin (sub-)commands

 * handle errors in kadmin load better

 * bug fixes

Changes in release 0.3d

 * add krb5-config

 * fix a bug in 3des gss-api mechanism, making it compatible with the
   specification and the MIT implementation

 * make telnetd only allow a specific list of environment variables to
   stop it from setting `sensitive' variables

 * try to use an existing libdes

 * lib/krb5, kdc: use correct usage type for ap-req messages. This
   should improve compatibility with MIT krb5 when using 3DES
   encryption types

 * kdc: fix memory allocation problem

 * update config.guess and config.sub

 * lib/roken: more stuff implemented

 * bug fixes and portability enhancements

Changes in release 0.3c

 * lib/krb5: memory caches now support the resolve operation

 * appl/login: set PATH to some sane default

 * kadmind: handle several realms

 * bug fixes (including memory leaks)

Changes in release 0.3b

 * kdc: prefer default-salted keys on v5 requests

 * kdc: lowercase hostnames in v4 mode

 * hprop: handle more types of MIT salts

 * lib/krb5: fix memory leak

 * bug fixes

Changes in release 0.3a:

 * implement arcfour-hmac-md5 to interoperate with W2K

 * modularise the handling of the master key, and allow for other
   encryption types. This makes it easier to import a database from
   some other source without having to re-encrypt all keys.

 * allow for better control over which encryption types are created

 * make kinit fall back to v4 if given a v4 KDC

 * make klist work better with v4 and v5, and add some more MIT
   compatibility options

 * make the kdc listen on the krb524 (4444) port for compatibility
   with MIT krb5 clients

 * implement more DCE/DFS support, enabled with --enable-dce, see
   lib/kdfs and appl/dceutils

 * make the sequence numbers work correctly

 * bug fixes

Changes in release 0.2t:

 * bug fixes

Changes in release 0.2s:

 * add OpenLDAP support in hdb

 * login will get v4 tickets when it receives forwarded tickets

 * xnlock supports both v5 and v4

 * repair source routing for telnet

 * fix building problems with krb4 (krb_mk_req)

 * bug fixes

Changes in release 0.2r:

 * fix realloc memory corruption bug in kdc

 * `add --key' and `cpw --key' in kadmin

 * klist supports listing v4 tickets

 * update config.guess and config.sub

 * make v4 -> v5 principal name conversion more robust

 * support for anonymous tickets

 * new man-pages

 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

 * use and set expiration and not password expiration when dumping
   to/from ka server databases / krb4 databases

 * make the code happier with 64-bit time_t

 * follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

 * bug fix in tcp-handling in kdc

 * bug fix in expand_hostname

Changes in release 0.2p:

 * bug fix in `kadmin load/merge'

 * bug fix in krb5_parse_address

Changes in release 0.2o:

 * gss_{import,export}_sec_context added to libgssapi

 * new option --addresses to kdc (for listening on an explicit set of
   addresses)

 * bug fixes in the krb4 and kaserver emulation part of the kdc

 * other bug fixes

Changes in release 0.2n:

 * more robust parsing of dump files in kadmin
 * changed default timestamp format for log messages to extended ISO
   8601 format (Y-M-DTH:M:S)
 * changed md4/md5/sha1 APIs to be de-facto `standard'
 * always make hostname into lower-case before creating principal
 * small bits of more MIT-compatibility
 * bug fixes

Changes in release 0.2m:

 * handle glibc's getaddrinfo() that returns several ai_canonname

 * new endian test

 * man pages fixes

Changes in release 0.2l:

 * bug fixes

Changes in release 0.2k:

 * better IPv6 test

 * make struct sockaddr_storage in roken work better on alphas

 * some missing [hn]to[hn]s fixed.
 * allow users to change their own passwords with kadmin (with initial
   tickets)

 * fix stupid bug in parsing KDC specification

 * add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

 * builds on Irix

 * ftpd works in passive mode

 * should build on cygwin

 * work around broken IPv6-code on OpenBSD 2.6, also add configure
   option --disable-ipv6

Changes in release 0.2i:

 * use getaddrinfo in the missing places.

 * fix SRV lookup for admin server

 * use get{addr,name}info everywhere, and implement it in terms of
   getipnodeby{name,addr} (which uses gethostbyname{,2} and
   gethostbyaddr)

Changes in release 0.2h:

 * fix typo in kx (now compiles)

Changes in release 0.2g:

 * lots of bug fixes:
 * push works
 * repair appl/test programs
 * sockaddr_storage works on solaris (alignment issues)
 * works better with non-roken getaddrinfo
 * rsh works
 * some non standard C constructs removed

Changes in release 0.2f:

 * support SRV records for kpasswd
 * look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

 * changed copyright notices to remove `advertising'-clause.
 * get{addr,name}info added to roken and used in the other code
   (this makes things work much better with hosts with both v4 and v6
   addresses, among other things)
 * do pre-auth for both password and key-based get_in_tkt
 * support for having several databases
 * new command `del_enctype' in kadmin
 * strptime (and new strftime) added to roken
 * more paranoia about finding libdb
 * bug fixes

Changes in release 0.2d:

 * new configuration option [libdefaults]default_etypes_des
 * internal ls in ftpd builds without KRB4
 * kx/rsh/push/pop_debug try v5 and v4 consistently
 * build bug fixes
 * other bug fixes

Changes in release 0.2c:

 * bug fixes (see ChangeLog's for details)

Changes in release 0.2b:

 * bug fixes
 * actually bump shared library versions

Changes in release 0.2a:

 * a new program verify_krb5_conf for checking your /etc/krb5.conf
 * add 3DES keys when changing password
 * support null keys in database
 * support multiple local realms
 * implement a keytab backend for AFS KeyFile's
 * implement a keytab backend for v4 srvtabs
 * implement `ktutil copy'
 * support password quality control in v4 kadmind
 * improvements in v4 compat kadmind
 * handle the case of having the correct cred in the ccache but with
   the wrong encryption type better
 * v6-ify the remaining programs.
 * internal ls in ftpd
 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
 * add `ank --random-password' and `cpw --random-password' in kadmin
 * some programs and documentation for trying to talk to a W2K KDC
 * bug fixes

Changes in release 0.1m:

 * support for getting defaults from krb5.conf for kinit/kf/rsh/telnet.
   From Miroslav Ruda <ruda@ics.muni.cz>
 * v6-ify hprop and hpropd
 * support numeric addresses in krb5_mk_req
 * shadow support in login and su.
   From Miroslav Ruda <ruda@ics.muni.cz>
 * make rsh/rshd IPv6-aware
 * make the gssapi sample applications better at reporting errors
 * lots of bug fixes
 * handle systems with v6-aware libc and non-v6 kernels (like Linux
   with glibc 2.1) better
 * hide failure of ERPT in ftp
 * lots of bug fixes

Changes in release 0.1l:

 * make ftp and ftpd IPv6-aware
 * add inet_pton to roken
 * more IPv6-awareness
 * make mini_inetd v6 aware

Changes in release 0.1k:

 * bump shared libraries versions
 * add roken version of inet_ntop
 * merge more changes to rshd

Changes in release 0.1j:

 * restore back to the `old' 3DES code. This was supposed to be done
   in 0.1h and 0.1i but I did a CVS screw-up.
 * make telnetd handle v6 connections

Changes in release 0.1i:

 * start using `struct sockaddr_storage' which simplifies the code
   (with a fallback definition if it's not defined)
 * bug fixes (including in hprop and kf)
 * don't use mawk which seems to mishandle roken.awk
 * get_addrs should be able to handle v6 addresses on Linux (with the
   required patch to the Linux kernel -- ask within)
 * rshd builds with shadow passwords

Changes in release 0.1h:

 * kf: new program for forwarding credentials
 * portability fixes
 * make forwarding credentials work with MIT code
 * better conversion of ka database
 * add etc/services.append
 * correct `modified by' from kpasswdd
 * lots of bug fixes

Changes in release 0.1g:

 * kgetcred: new program for explicitly obtaining tickets
 * configure fixes
 * krb5-aware kx
 * bug fixes

Changes in release 0.1f:

 * experimental support for v4 kadmin protocol in kadmind
 * bug fixes

Changes in release 0.1e:

 * try to handle old DCE and MIT kdcs
 * support for older versions of credential cache files and keytabs
 * postdated tickets work
 * support for password quality checks in kpasswdd
 * new flag --enable-kaserver for kdc
 * renew fixes
 * prototype su program
 * updated (some) manpages
 * support for KDC resource records
 * should build with --without-krb4
 * bug fixes

Changes in release 0.1d:

 * Support building with DB2 (uses 1.85-compat API)
 * Support krb5-realm.DOMAIN in DNS
 * new `ktutil srvcreate'
 * v4/kafs support in klist/kdestroy
 * bug fixes

Changes in release 0.1c:

 * fix ASN.1 encoding of signed integers
 * somewhat working `ktutil get'
 * some documentation updates
 * update to Autoconf 2.13 and Automake 1.4
 * the usual bug fixes

Changes in release 0.1b:

 * some old -> new crypto conversion utils
 * bug fixes

Changes in release 0.1a:

 * new crypto code
 * more bug fixes
 * make sure we ask for DES keys in gssapi
 * support signed ints in ASN1
 * IPv6-bug fixes

Changes in release 0.0u:

 * lots of bug fixes

Changes in release 0.0t:

 * more robust parsing of krb5.conf
 * include net{read,write} in lib/roken
 * bug fixes

Changes in release 0.0s:

 * kludges for parsing options to rsh
 * more robust parsing of krb5.conf
 * removed some arbitrary limits
 * bug fixes

Changes in release 0.0r:

 * default options for some programs
 * bug fixes

Changes in release 0.0q:

 * support for building shared libraries with libtool
 * bug fixes

Changes in release 0.0p:

 * keytab moved to /etc/krb5.keytab
 * avoid false detection of IPv6 on Linux
 * Lots of more functionality in the gssapi-library
 * hprop can now read ka-server databases
 * bug fixes

Changes in release 0.0o:

 * FTP with GSSAPI support.
 * Bug fixes.

Changes in release 0.0n:

 * Incremental database propagation.
 * Somewhat improved kadmin ui; the stuff in admin is now removed.
 * Some support for using enctypes instead of keytypes.
 * Lots of other improvements and bug fixes, see ChangeLog for details.