3 * KDC will return the "response too big" error to force TCP retries
4 for large (default 1400 bytes) UDP replies. This is common for
7 * GSS-API mechglue from FreebSD
9 * Updated SPNEGO supporting RFC4178
11 * Support for Cryptosystem Negotiation Extension (RFC 4537)
15 * HDB extensions support, used by PK-INIT
19 * Libkafs defaults to use 2b tokens
21 * Default to use the API cache on Mac OS X
23 * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
24 see manpage for krb5_kuserok for description.
28 Changes in release 0.7.2
30 * Fix security problem in rshd that enable an attacker to overwrite
31 and change ownership of any file that root could write.
33 * Fix a DOS in telnetd. The attacker could force the server to crash
34 in a NULL de-reference before the user logged in, resulting in inetd
35 turning telnetd off because it forked too fast.
37 * Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
38 exists in the keytab before returning success. This allows servers
39 to check if its even possible to use GSSAPI.
41 * Fix receiving end of token delegation for GSS-API. It still wrongly
42 uses subkey for sending for compatibility reasons, this will change
45 * telnetd, login and rshd are now more verbose in logging failed and
50 Changes in release 0.7.1
54 Changes in release 0.7
56 * Support for KCM, a process based credential cache
58 * Support CCAPI credential cache
62 * AES (and the gssapi conterpart, CFX) support
64 * Adding new and improve old documentation
68 Changes in release 0.6.6
70 * Fix security problem in rshd that enable an attacker to overwrite
71 and change ownership of any file that root could write.
73 * Fix a DOS in telnetd. The attacker could force the server to crash
74 in a NULL de-reference before the user logged in, resulting in inetd
75 turning telnetd off because it forked too fast.
77 Changes in release 0.6.5
79 * fix vulnerabilities in telnetd
81 * unbreak Kerberos 4 and kaserver
83 Changes in release 0.6.4
85 * fix vulnerabilities in telnet
87 * rshd: encryption without a separate error socket should now work
89 * telnet now uses appdefaults for the encrypt and forward/forwardable
94 Changes in release 0.6.3
96 * fix vulnerabilities in ftpd
98 * support for linux AFS /proc "syscalls"
100 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
103 * fix possible KDC denial of service
107 Changes in release 0.6.2
109 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
111 Changes in release 0.6.1
113 * Fixed ARCFOUR suppport
115 * Cross realm vulnerability
117 * kdc: fix denial of service attack
119 * kdc: stop clients from renewing tickets into the future
123 Changes in release 0.6
125 * The DES3 GSS-API mechanism has been changed to inter-operate with
126 other GSSAPI implementations. See man page for gssapi(3) how to turn
127 on generation of correct MIC messages. Next major release of heimdal
128 will generate correct MIC by default.
130 * More complete GSS-API support
132 * Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
133 support in applications no longer requires Kerberos 4 libs
135 * Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
139 Changes in release 0.5.2
141 * kdc: add option for disabling v4 cross-realm (defaults to off)
145 Changes in release 0.5.1
147 * kadmind: fix remote exploit
149 * kadmind: add option to disable kerberos 4
151 * kdc: make sure kaserver token life is positive
153 * telnet: use the session key if there is no subkey
155 * fix EPSV parsing in ftp
159 Changes in release 0.5
161 * add --detach option to kdc
163 * allow setting forward and forwardable option in telnet from
164 .telnetrc, with override from command line
166 * accept addresses with or without ports in krb5_rd_cred
168 * make it work with modern openssl
170 * use our own string2key function even with openssl (that handles weak
173 * more system-specific requirements in login
175 * do not use getlogin() to determine root in su
177 * telnet: abort if telnetd does not support encryption
179 * update autoconf to 2.53
181 * update config.guess, config.sub
185 Changes in release 0.4e
187 * improve libcrypto and database autoconf tests
189 * do not care about salting of server principals when serving v4 requests
191 * some improvements to gssapi library
193 * test for existing compile_et/libcom_err
199 Changes in release 0.4d
201 * fix some problems when using libcrypto from openssl
203 * handle /dev/ptmx `unix98' ptys on Linux
205 * add some forgotten man pages
207 * rsh: clean-up and add man page
209 * fix -A and -a in builtin-ls in tpd
211 * fix building problem on Irix
213 * make `ktutil get' more efficient
217 Changes in release 0.4c
219 * fix buffer overrun in telnetd
221 * repair some of the v4 fallback code in kinit
223 * add more shared library dependencies
225 * simplify and fix hprop handling of v4 databases
227 * fix some building problems (osf's sia and osfc2 login)
231 Changes in release 0.4b
233 * update the shared library version numbers correctly
235 Changes in release 0.4a
237 * corrected key used for checksum in mk_safe, unfortunately this
238 makes it backwards incompatible
240 * update to autoconf 2.50, libtool 1.4
242 * re-write dns/config lookups (krb5_krbhst API)
244 * make order of using subkeys consistent
250 * remove rfc2052 support, now only rfc2782 is supported
252 * always build with kaserver protocol support in the KDC (assuming
253 KRB4 is enabled) and support for reading kaserver databases in
256 Changes in release 0.3f
258 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
259 the new keytab type that tries both of these in order (SRVTAB is
260 also an alias for krb4:)
262 * improve error reporting and error handling (error messages should
263 be more detailed and more useful)
265 * improve building with openssl
267 * add kadmin -K, rcp -F
269 * fix two incorrect weak DES keys
271 * fix building of kaserver compat in KDC
273 * the API is closer to what MIT krb5 is using
275 * more compatible with windows 2000
277 * removed some memory leaks
281 Changes in release 0.3e
283 * rcp program included
285 * fix buffer overrun in ftpd
287 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
288 cannot generate zero sequence numbers
290 * handle v4 /.k files better
292 * configure/portability fixes
294 * fixes in parsing of options to kadmin (sub-)commands
296 * handle errors in kadmin load better
300 Changes in release 0.3d
304 * fix a bug in 3des gss-api mechanism, making it compatible with the
305 specification and the MIT implementation
307 * make telnetd only allow a specific list of environment variables to
308 stop it from setting `sensitive' variables
310 * try to use an existing libdes
312 * lib/krb5, kdc: use correct usage type for ap-req messages. This
313 should improve compatability with MIT krb5 when using 3DES
316 * kdc: fix memory allocation problem
318 * update config.guess and config.sub
320 * lib/roken: more stuff implemented
322 * bug fixes and portability enhancements
324 Changes in release 0.3c
326 * lib/krb5: memory caches now support the resolve operation
328 * appl/login: set PATH to some sane default
330 * kadmind: handle several realms
332 * bug fixes (including memory leaks)
334 Changes in release 0.3b
336 * kdc: prefer default-salted keys on v5 requests
338 * kdc: lowercase hostnames in v4 mode
340 * hprop: handle more types of MIT salts
342 * lib/krb5: fix memory leak
346 Changes in release 0.3a:
348 * implement arcfour-hmac-md5 to interoperate with W2K
350 * modularise the handling of the master key, and allow for other
351 encryption types. This makes it easier to import a database from
352 some other source without having to re-encrypt all keys.
354 * allow for better control over which encryption types are created
356 * make kinit fallback to v4 if given a v4 KDC
358 * make klist work better with v4 and v5, and add some more MIT
359 compatibility options
361 * make the kdc listen on the krb524 (4444) port for compatibility
362 with MIT krb5 clients
364 * implement more DCE/DFS support, enabled with --enable-dce, see
365 lib/kdfs and appl/dceutils
367 * make the sequence numbers work correctly
371 Changes in release 0.2t:
375 Changes in release 0.2s:
377 * add OpenLDAP support in hdb
379 * login will get v4 tickets when it receives forwarded tickets
381 * xnlock supports both v5 and v4
383 * repair source routing for telnet
385 * fix building problems with krb4 (krb_mk_req)
389 Changes in release 0.2r:
391 * fix realloc memory corruption bug in kdc
393 * `add --key' and `cpw --key' in kadmin
395 * klist supports listing v4 tickets
397 * update config.guess and config.sub
399 * make v4 -> v5 principal name conversion more robust
401 * support for anonymous tickets
405 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
407 * use and set expiration and not password expiration when dumping
408 to/from ka server databases / krb4 databases
410 * make the code happier with 64-bit time_t
412 * follow RFC2782 and by default do not look for non-underscore SRV names
414 Changes in release 0.2q:
416 * bug fix in tcp-handling in kdc
418 * bug fix in expand_hostname
420 Changes in release 0.2p:
422 * bug fix in `kadmin load/merge'
424 * bug fix in krb5_parse_address
426 Changes in release 0.2o:
428 * gss_{import,export}_sec_context added to libgssapi
430 * new option --addresses to kdc (for listening on an explicit set of
433 * bug fixes in the krb4 and kaserver emulation part of the kdc
437 Changes in release 0.2n:
439 * more robust parsing of dump files in kadmin
440 * changed default timestamp format for log messages to extended ISO
441 8601 format (Y-M-DTH:M:S)
442 * changed md4/md5/sha1 APIes to be de-facto `standard'
443 * always make hostname into lower-case before creating principal
444 * small bits of more MIT-compatability
447 Changes in release 0.2m:
449 * handle glibc's getaddrinfo() that returns several ai_canonname
455 Changes in release 0.2l:
459 Changes in release 0.2k:
463 * make struct sockaddr_storage in roken work better on alphas
465 * some missing [hn]to[hn]s fixed.
467 * allow users to change their own passwords with kadmin (with initial
470 * fix stupid bug in parsing KDC specification
472 * add `ktutil change' and `ktutil purge'
474 Changes in release 0.2j:
478 * ftpd works in passive mode
480 * should build on cygwin
482 * work around broken IPv6-code on OpenBSD 2.6, also add configure
483 option --disable-ipv6
485 Changes in release 0.2i:
487 * use getaddrinfo in the missing places.
489 * fix SRV lookup for admin server
491 * use get{addr,name}info everywhere. and implement it in terms of
492 getipnodeby{name,addr} (which uses gethostbyname{,2} and
495 Changes in release 0.2h:
497 * fix typo in kx (now compiles)
499 Changes in release 0.2g:
503 * repair appl/test programs
504 * sockaddr_storage works on solaris (alignment issues)
505 * works better with non-roken getaddrinfo
507 * some non standard C constructs removed
509 Changes in release 0.2f:
511 * support SRV records for kpasswd
512 * look for both _kerberos and krb5-realm when doing host -> realm mapping
514 Changes in release 0.2e:
516 * changed copyright notices to remove `advertising'-clause.
517 * get{addr,name}info added to roken and used in the other code
518 (this makes things work much better with hosts with both v4 and v6
519 addresses, among other things)
520 * do pre-auth for both password and key-based get_in_tkt
521 * support for having several databases
522 * new command `del_enctype' in kadmin
523 * strptime (and new strftime) add to roken
524 * more paranoia about finding libdb
527 Changes in release 0.2d:
529 * new configuration option [libdefaults]default_etypes_des
530 * internal ls in ftpd builds without KRB4
531 * kx/rsh/push/pop_debug tries v5 and v4 consistenly
535 Changes in release 0.2c:
537 * bug fixes (see ChangeLog's for details)
539 Changes in release 0.2b:
542 * actually bump shared library versions
544 Changes in release 0.2a:
546 * a new program verify_krb5_conf for checking your /etc/krb5.conf
547 * add 3DES keys when changing password
548 * support null keys in database
549 * support multiple local realms
550 * implement a keytab backend for AFS KeyFile's
551 * implement a keytab backend for v4 srvtabs
552 * implement `ktutil copy'
553 * support password quality control in v4 kadmind
554 * improvements in v4 compat kadmind
555 * handle the case of having the correct cred in the ccache but with
556 the wrong encryption type better
557 * v6-ify the remaining programs.
558 * internal ls in ftpd
559 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
560 * add `ank --random-password' and `cpw --random-password' in kadmin
561 * some programs and documentation for trying to talk to a W2K KDC
564 Changes in release 0.1m:
566 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
567 From Miroslav Ruda <ruda@ics.muni.cz>
568 * v6-ify hprop and hpropd
569 * support numeric addresses in krb5_mk_req
570 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
571 * make rsh/rshd IPv6-aware
572 * make the gssapi sample applications better at reporting errors
574 * handle systems with v6-aware libc and non-v6 kernels (like Linux
575 with glibc 2.1) better
576 * hide failure of ERPT in ftp
579 Changes in release 0.1l:
581 * make ftp and ftpd IPv6-aware
582 * add inet_pton to roken
583 * more IPv6-awareness
584 * make mini_inetd v6 aware
586 Changes in release 0.1k:
588 * bump shared libraries versions
589 * add roken version of inet_ntop
590 * merge more changes to rshd
592 Changes in release 0.1j:
594 * restore back to the `old' 3DES code. This was supposed to be done
595 in 0.1h and 0.1i but I did a CVS screw-up.
596 * make telnetd handle v6 connections
598 Changes in release 0.1i:
600 * start using `struct sockaddr_storage' which simplifies the code
601 (with a fallback definition if it's not defined)
602 * bug fixes (including in hprop and kf)
603 * don't use mawk which seems to mishandle roken.awk
604 * get_addrs should be able to handle v6 addresses on Linux (with the
605 required patch to the Linux kernel -- ask within)
606 * rshd builds with shadow passwords
608 Changes in release 0.1h:
610 * kf: new program for forwarding credentials
612 * make forwarding credentials work with MIT code
613 * better conversion of ka database
614 * add etc/services.append
615 * correct `modified by' from kpasswdd
618 Changes in release 0.1g:
620 * kgetcred: new program for explicitly obtaining tickets
625 Changes in release 0.1f;
627 * experimental support for v4 kadmin protokoll in kadmind
630 Changes in release 0.1e:
632 * try to handle old DCE and MIT kdcs
633 * support for older versions of credential cache files and keytabs
634 * postdated tickets work
635 * support for password quality checks in kpasswdd
636 * new flag --enable-kaserver for kdc
638 * prototype su program
639 * updated (some) manpages
640 * support for KDC resource records
641 * should build with --without-krb4
644 Changes in release 0.1d:
646 * Support building with DB2 (uses 1.85-compat API)
647 * Support krb5-realm.DOMAIN in DNS
648 * new `ktutil srvcreate'
649 * v4/kafs support in klist/kdestroy
652 Changes in release 0.1c:
654 * fix ASN.1 encoding of signed integers
655 * somewhat working `ktutil get'
656 * some documentation updates
657 * update to Autoconf 2.13 and Automake 1.4
658 * the usual bug fixes
660 Changes in release 0.1b:
662 * some old -> new crypto conversion utils
665 Changes in release 0.1a:
669 * make sure we ask for DES keys in gssapi
670 * support signed ints in ASN1
673 Changes in release 0.0u:
677 Changes in release 0.0t:
679 * more robust parsing of krb5.conf
680 * include net{read,write} in lib/roken
683 Changes in release 0.0s:
685 * kludges for parsing options to rsh
686 * more robust parsing of krb5.conf
687 * removed some arbitrary limits
690 Changes in release 0.0r:
692 * default options for some programs
695 Changes in release 0.0q:
697 * support for building shared libraries with libtool
700 Changes in release 0.0p:
702 * keytab moved to /etc/krb5.keytab
703 * avoid false detection of IPv6 on Linux
704 * Lots of more functionality in the gssapi-library
705 * hprop can now read ka-server databases
708 Changes in release 0.0o:
710 * FTP with GSSAPI support.
713 Changes in release 0.0n:
715 * Incremental database propagation.
716 * Somewhat improved kadmin ui; the stuff in admin is now removed.
717 * Some support for using enctypes instead of keytypes.
718 * Lots of other improvement and bug fixes, see ChangeLog for details.