3 * Support for KCM, a process based credential cache
5 * Support CCAPI credential cache
9 * AES (and the gssapi conterpart, CFX) support
13 Changes in release 0.6.4
15 * fix vulnerabilities in telnet
17 * rshd: encryption without a separate error socket should now work
19 * telnet now uses appdefaults for the encrypt and forward/forwardable
24 Changes in release 0.6.3
26 * fix vulnerabilities in ftpd
28 * support for linux AFS /proc "syscalls"
30 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
33 * fix possible KDC denial of service
37 Changes in release 0.6.2
39 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
41 Changes in release 0.6.1
43 * Fixed ARCFOUR suppport
45 * Cross realm vulnerability
47 * kdc: fix denial of service attack
49 * kdc: stop clients from renewing tickets into the future
53 Changes in release 0.6
55 * The DES3 GSS-API mechanism has been changed to inter-operate with
56 other GSSAPI implementations. See man page for gssapi(3) how to turn
57 on generation of correct MIC messages. Next major release of heimdal
58 will generate correct MIC by default.
60 * More complete GSS-API support
62 * Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
63 support in applications no longer requires Kerberos 4 libs
65 * Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
69 Changes in release 0.5.2
71 * kdc: add option for disabling v4 cross-realm (defaults to off)
75 Changes in release 0.5.1
77 * kadmind: fix remote exploit
79 * kadmind: add option to disable kerberos 4
81 * kdc: make sure kaserver token life is positive
83 * telnet: use the session key if there is no subkey
85 * fix EPSV parsing in ftp
89 Changes in release 0.5
91 * add --detach option to kdc
93 * allow setting forward and forwardable option in telnet from
94 .telnetrc, with override from command line
96 * accept addresses with or without ports in krb5_rd_cred
98 * make it work with modern openssl
100 * use our own string2key function even with openssl (that handles weak
103 * more system-specific requirements in login
105 * do not use getlogin() to determine root in su
107 * telnet: abort if telnetd does not support encryption
109 * update autoconf to 2.53
111 * update config.guess, config.sub
115 Changes in release 0.4e
117 * improve libcrypto and database autoconf tests
119 * do not care about salting of server principals when serving v4 requests
121 * some improvements to gssapi library
123 * test for existing compile_et/libcom_err
129 Changes in release 0.4d
131 * fix some problems when using libcrypto from openssl
133 * handle /dev/ptmx `unix98' ptys on Linux
135 * add some forgotten man pages
137 * rsh: clean-up and add man page
139 * fix -A and -a in builtin-ls in tpd
141 * fix building problem on Irix
143 * make `ktutil get' more efficient
147 Changes in release 0.4c
149 * fix buffer overrun in telnetd
151 * repair some of the v4 fallback code in kinit
153 * add more shared library dependencies
155 * simplify and fix hprop handling of v4 databases
157 * fix some building problems (osf's sia and osfc2 login)
161 Changes in release 0.4b
163 * update the shared library version numbers correctly
165 Changes in release 0.4a
167 * corrected key used for checksum in mk_safe, unfortunately this
168 makes it backwards incompatible
170 * update to autoconf 2.50, libtool 1.4
172 * re-write dns/config lookups (krb5_krbhst API)
174 * make order of using subkeys consistent
180 * remove rfc2052 support, now only rfc2782 is supported
182 * always build with kaserver protocol support in the KDC (assuming
183 KRB4 is enabled) and support for reading kaserver databases in
186 Changes in release 0.3f
188 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
189 the new keytab type that tries both of these in order (SRVTAB is
190 also an alias for krb4:)
192 * improve error reporting and error handling (error messages should
193 be more detailed and more useful)
195 * improve building with openssl
197 * add kadmin -K, rcp -F
199 * fix two incorrect weak DES keys
201 * fix building of kaserver compat in KDC
203 * the API is closer to what MIT krb5 is using
205 * more compatible with windows 2000
207 * removed some memory leaks
211 Changes in release 0.3e
213 * rcp program included
215 * fix buffer overrun in ftpd
217 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
218 cannot generate zero sequence numbers
220 * handle v4 /.k files better
222 * configure/portability fixes
224 * fixes in parsing of options to kadmin (sub-)commands
226 * handle errors in kadmin load better
230 Changes in release 0.3d
234 * fix a bug in 3des gss-api mechanism, making it compatible with the
235 specification and the MIT implementation
237 * make telnetd only allow a specific list of environment variables to
238 stop it from setting `sensitive' variables
240 * try to use an existing libdes
242 * lib/krb5, kdc: use correct usage type for ap-req messages. This
243 should improve compatability with MIT krb5 when using 3DES
246 * kdc: fix memory allocation problem
248 * update config.guess and config.sub
250 * lib/roken: more stuff implemented
252 * bug fixes and portability enhancements
254 Changes in release 0.3c
256 * lib/krb5: memory caches now support the resolve operation
258 * appl/login: set PATH to some sane default
260 * kadmind: handle several realms
262 * bug fixes (including memory leaks)
264 Changes in release 0.3b
266 * kdc: prefer default-salted keys on v5 requests
268 * kdc: lowercase hostnames in v4 mode
270 * hprop: handle more types of MIT salts
272 * lib/krb5: fix memory leak
276 Changes in release 0.3a:
278 * implement arcfour-hmac-md5 to interoperate with W2K
280 * modularise the handling of the master key, and allow for other
281 encryption types. This makes it easier to import a database from
282 some other source without having to re-encrypt all keys.
284 * allow for better control over which encryption types are created
286 * make kinit fallback to v4 if given a v4 KDC
288 * make klist work better with v4 and v5, and add some more MIT
289 compatibility options
291 * make the kdc listen on the krb524 (4444) port for compatibility
292 with MIT krb5 clients
294 * implement more DCE/DFS support, enabled with --enable-dce, see
295 lib/kdfs and appl/dceutils
297 * make the sequence numbers work correctly
301 Changes in release 0.2t:
305 Changes in release 0.2s:
307 * add OpenLDAP support in hdb
309 * login will get v4 tickets when it receives forwarded tickets
311 * xnlock supports both v5 and v4
313 * repair source routing for telnet
315 * fix building problems with krb4 (krb_mk_req)
319 Changes in release 0.2r:
321 * fix realloc memory corruption bug in kdc
323 * `add --key' and `cpw --key' in kadmin
325 * klist supports listing v4 tickets
327 * update config.guess and config.sub
329 * make v4 -> v5 principal name conversion more robust
331 * support for anonymous tickets
335 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
337 * use and set expiration and not password expiration when dumping
338 to/from ka server databases / krb4 databases
340 * make the code happier with 64-bit time_t
342 * follow RFC2782 and by default do not look for non-underscore SRV names
344 Changes in release 0.2q:
346 * bug fix in tcp-handling in kdc
348 * bug fix in expand_hostname
350 Changes in release 0.2p:
352 * bug fix in `kadmin load/merge'
354 * bug fix in krb5_parse_address
356 Changes in release 0.2o:
358 * gss_{import,export}_sec_context added to libgssapi
360 * new option --addresses to kdc (for listening on an explicit set of
363 * bug fixes in the krb4 and kaserver emulation part of the kdc
367 Changes in release 0.2n:
369 * more robust parsing of dump files in kadmin
370 * changed default timestamp format for log messages to extended ISO
371 8601 format (Y-M-DTH:M:S)
372 * changed md4/md5/sha1 APIes to be de-facto `standard'
373 * always make hostname into lower-case before creating principal
374 * small bits of more MIT-compatability
377 Changes in release 0.2m:
379 * handle glibc's getaddrinfo() that returns several ai_canonname
385 Changes in release 0.2l:
389 Changes in release 0.2k:
393 * make struct sockaddr_storage in roken work better on alphas
395 * some missing [hn]to[hn]s fixed.
397 * allow users to change their own passwords with kadmin (with initial
400 * fix stupid bug in parsing KDC specification
402 * add `ktutil change' and `ktutil purge'
404 Changes in release 0.2j:
408 * ftpd works in passive mode
410 * should build on cygwin
412 * work around broken IPv6-code on OpenBSD 2.6, also add configure
413 option --disable-ipv6
415 Changes in release 0.2i:
417 * use getaddrinfo in the missing places.
419 * fix SRV lookup for admin server
421 * use get{addr,name}info everywhere. and implement it in terms of
422 getipnodeby{name,addr} (which uses gethostbyname{,2} and
425 Changes in release 0.2h:
427 * fix typo in kx (now compiles)
429 Changes in release 0.2g:
433 * repair appl/test programs
434 * sockaddr_storage works on solaris (alignment issues)
435 * works better with non-roken getaddrinfo
437 * some non standard C constructs removed
439 Changes in release 0.2f:
441 * support SRV records for kpasswd
442 * look for both _kerberos and krb5-realm when doing host -> realm mapping
444 Changes in release 0.2e:
446 * changed copyright notices to remove `advertising'-clause.
447 * get{addr,name}info added to roken and used in the other code
448 (this makes things work much better with hosts with both v4 and v6
449 addresses, among other things)
450 * do pre-auth for both password and key-based get_in_tkt
451 * support for having several databases
452 * new command `del_enctype' in kadmin
453 * strptime (and new strftime) add to roken
454 * more paranoia about finding libdb
457 Changes in release 0.2d:
459 * new configuration option [libdefaults]default_etypes_des
460 * internal ls in ftpd builds without KRB4
461 * kx/rsh/push/pop_debug tries v5 and v4 consistenly
465 Changes in release 0.2c:
467 * bug fixes (see ChangeLog's for details)
469 Changes in release 0.2b:
472 * actually bump shared library versions
474 Changes in release 0.2a:
476 * a new program verify_krb5_conf for checking your /etc/krb5.conf
477 * add 3DES keys when changing password
478 * support null keys in database
479 * support multiple local realms
480 * implement a keytab backend for AFS KeyFile's
481 * implement a keytab backend for v4 srvtabs
482 * implement `ktutil copy'
483 * support password quality control in v4 kadmind
484 * improvements in v4 compat kadmind
485 * handle the case of having the correct cred in the ccache but with
486 the wrong encryption type better
487 * v6-ify the remaining programs.
488 * internal ls in ftpd
489 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
490 * add `ank --random-password' and `cpw --random-password' in kadmin
491 * some programs and documentation for trying to talk to a W2K KDC
494 Changes in release 0.1m:
496 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
497 From Miroslav Ruda <ruda@ics.muni.cz>
498 * v6-ify hprop and hpropd
499 * support numeric addresses in krb5_mk_req
500 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
501 * make rsh/rshd IPv6-aware
502 * make the gssapi sample applications better at reporting errors
504 * handle systems with v6-aware libc and non-v6 kernels (like Linux
505 with glibc 2.1) better
506 * hide failure of ERPT in ftp
509 Changes in release 0.1l:
511 * make ftp and ftpd IPv6-aware
512 * add inet_pton to roken
513 * more IPv6-awareness
514 * make mini_inetd v6 aware
516 Changes in release 0.1k:
518 * bump shared libraries versions
519 * add roken version of inet_ntop
520 * merge more changes to rshd
522 Changes in release 0.1j:
524 * restore back to the `old' 3DES code. This was supposed to be done
525 in 0.1h and 0.1i but I did a CVS screw-up.
526 * make telnetd handle v6 connections
528 Changes in release 0.1i:
530 * start using `struct sockaddr_storage' which simplifies the code
531 (with a fallback definition if it's not defined)
532 * bug fixes (including in hprop and kf)
533 * don't use mawk which seems to mishandle roken.awk
534 * get_addrs should be able to handle v6 addresses on Linux (with the
535 required patch to the Linux kernel -- ask within)
536 * rshd builds with shadow passwords
538 Changes in release 0.1h:
540 * kf: new program for forwarding credentials
542 * make forwarding credentials work with MIT code
543 * better conversion of ka database
544 * add etc/services.append
545 * correct `modified by' from kpasswdd
548 Changes in release 0.1g:
550 * kgetcred: new program for explicitly obtaining tickets
555 Changes in release 0.1f;
557 * experimental support for v4 kadmin protokoll in kadmind
560 Changes in release 0.1e:
562 * try to handle old DCE and MIT kdcs
563 * support for older versions of credential cache files and keytabs
564 * postdated tickets work
565 * support for password quality checks in kpasswdd
566 * new flag --enable-kaserver for kdc
568 * prototype su program
569 * updated (some) manpages
570 * support for KDC resource records
571 * should build with --without-krb4
574 Changes in release 0.1d:
576 * Support building with DB2 (uses 1.85-compat API)
577 * Support krb5-realm.DOMAIN in DNS
578 * new `ktutil srvcreate'
579 * v4/kafs support in klist/kdestroy
582 Changes in release 0.1c:
584 * fix ASN.1 encoding of signed integers
585 * somewhat working `ktutil get'
586 * some documentation updates
587 * update to Autoconf 2.13 and Automake 1.4
588 * the usual bug fixes
590 Changes in release 0.1b:
592 * some old -> new crypto conversion utils
595 Changes in release 0.1a:
599 * make sure we ask for DES keys in gssapi
600 * support signed ints in ASN1
603 Changes in release 0.0u:
607 Changes in release 0.0t:
609 * more robust parsing of krb5.conf
610 * include net{read,write} in lib/roken
613 Changes in release 0.0s:
615 * kludges for parsing options to rsh
616 * more robust parsing of krb5.conf
617 * removed some arbitrary limits
620 Changes in release 0.0r:
622 * default options for some programs
625 Changes in release 0.0q:
627 * support for building shared libraries with libtool
630 Changes in release 0.0p:
632 * keytab moved to /etc/krb5.keytab
633 * avoid false detection of IPv6 on Linux
634 * Lots of more functionality in the gssapi-library
635 * hprop can now read ka-server databases
638 Changes in release 0.0o:
640 * FTP with GSSAPI support.
643 Changes in release 0.0n:
645 * Incremental database propagation.
646 * Somewhat improved kadmin ui; the stuff in admin is now removed.
647 * Some support for using enctypes instead of keytypes.
648 * Lots of other improvement and bug fixes, see ChangeLog for details.