5 * AES (and the gssapi conterpart, CFX) support
9 Changes in release 0.6.1
11 * Fixed ARCFOUR suppport
13 * Cross realm vulnerability
15 * kdc: fix denial of service attack
17 * kdc: stop clients from renewing tickets into the future
21 Changes in release 0.6
23 * The DES3 GSS-API mechanism has been changed to inter-operate with
24 other GSSAPI implementations. See man page for gssapi(3) how to turn
25 on generation of correct MIC messages. Next major release of heimdal
26 will generate correct MIC by default.
28 * More complete GSS-API support
30 * Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
31 support in applications no longer requires Kerberos 4 libs
33 * Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
37 Changes in release 0.5.2
39 * kdc: add option for disabling v4 cross-realm (defaults to off)
43 Changes in release 0.5.1
45 * kadmind: fix remote exploit
47 * kadmind: add option to disable kerberos 4
49 * kdc: make sure kaserver token life is positive
51 * telnet: use the session key if there is no subkey
53 * fix EPSV parsing in ftp
57 Changes in release 0.5
59 * add --detach option to kdc
61 * allow setting forward and forwardable option in telnet from
62 .telnetrc, with override from command line
64 * accept addresses with or without ports in krb5_rd_cred
66 * make it work with modern openssl
68 * use our own string2key function even with openssl (that handles weak
71 * more system-specific requirements in login
73 * do not use getlogin() to determine root in su
75 * telnet: abort if telnetd does not support encryption
77 * update autoconf to 2.53
79 * update config.guess, config.sub
83 Changes in release 0.4e
85 * improve libcrypto and database autoconf tests
87 * do not care about salting of server principals when serving v4 requests
89 * some improvements to gssapi library
91 * test for existing compile_et/libcom_err
97 Changes in release 0.4d
99 * fix some problems when using libcrypto from openssl
101 * handle /dev/ptmx `unix98' ptys on Linux
103 * add some forgotten man pages
105 * rsh: clean-up and add man page
107 * fix -A and -a in builtin-ls in tpd
109 * fix building problem on Irix
111 * make `ktutil get' more efficient
115 Changes in release 0.4c
117 * fix buffer overrun in telnetd
119 * repair some of the v4 fallback code in kinit
121 * add more shared library dependencies
123 * simplify and fix hprop handling of v4 databases
125 * fix some building problems (osf's sia and osfc2 login)
129 Changes in release 0.4b
131 * update the shared library version numbers correctly
133 Changes in release 0.4a
135 * corrected key used for checksum in mk_safe, unfortunately this
136 makes it backwards incompatible
138 * update to autoconf 2.50, libtool 1.4
140 * re-write dns/config lookups (krb5_krbhst API)
142 * make order of using subkeys consistent
148 * remove rfc2052 support, now only rfc2782 is supported
150 * always build with kaserver protocol support in the KDC (assuming
151 KRB4 is enabled) and support for reading kaserver databases in
154 Changes in release 0.3f
156 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
157 the new keytab type that tries both of these in order (SRVTAB is
158 also an alias for krb4:)
160 * improve error reporting and error handling (error messages should
161 be more detailed and more useful)
163 * improve building with openssl
165 * add kadmin -K, rcp -F
167 * fix two incorrect weak DES keys
169 * fix building of kaserver compat in KDC
171 * the API is closer to what MIT krb5 is using
173 * more compatible with windows 2000
175 * removed some memory leaks
179 Changes in release 0.3e
181 * rcp program included
183 * fix buffer overrun in ftpd
185 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
186 cannot generate zero sequence numbers
188 * handle v4 /.k files better
190 * configure/portability fixes
192 * fixes in parsing of options to kadmin (sub-)commands
194 * handle errors in kadmin load better
198 Changes in release 0.3d
202 * fix a bug in 3des gss-api mechanism, making it compatible with the
203 specification and the MIT implementation
205 * make telnetd only allow a specific list of environment variables to
206 stop it from setting `sensitive' variables
208 * try to use an existing libdes
210 * lib/krb5, kdc: use correct usage type for ap-req messages. This
211 should improve compatability with MIT krb5 when using 3DES
214 * kdc: fix memory allocation problem
216 * update config.guess and config.sub
218 * lib/roken: more stuff implemented
220 * bug fixes and portability enhancements
222 Changes in release 0.3c
224 * lib/krb5: memory caches now support the resolve operation
226 * appl/login: set PATH to some sane default
228 * kadmind: handle several realms
230 * bug fixes (including memory leaks)
232 Changes in release 0.3b
234 * kdc: prefer default-salted keys on v5 requests
236 * kdc: lowercase hostnames in v4 mode
238 * hprop: handle more types of MIT salts
240 * lib/krb5: fix memory leak
244 Changes in release 0.3a:
246 * implement arcfour-hmac-md5 to interoperate with W2K
248 * modularise the handling of the master key, and allow for other
249 encryption types. This makes it easier to import a database from
250 some other source without having to re-encrypt all keys.
252 * allow for better control over which encryption types are created
254 * make kinit fallback to v4 if given a v4 KDC
256 * make klist work better with v4 and v5, and add some more MIT
257 compatibility options
259 * make the kdc listen on the krb524 (4444) port for compatibility
260 with MIT krb5 clients
262 * implement more DCE/DFS support, enabled with --enable-dce, see
263 lib/kdfs and appl/dceutils
265 * make the sequence numbers work correctly
269 Changes in release 0.2t:
273 Changes in release 0.2s:
275 * add OpenLDAP support in hdb
277 * login will get v4 tickets when it receives forwarded tickets
279 * xnlock supports both v5 and v4
281 * repair source routing for telnet
283 * fix building problems with krb4 (krb_mk_req)
287 Changes in release 0.2r:
289 * fix realloc memory corruption bug in kdc
291 * `add --key' and `cpw --key' in kadmin
293 * klist supports listing v4 tickets
295 * update config.guess and config.sub
297 * make v4 -> v5 principal name conversion more robust
299 * support for anonymous tickets
303 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
305 * use and set expiration and not password expiration when dumping
306 to/from ka server databases / krb4 databases
308 * make the code happier with 64-bit time_t
310 * follow RFC2782 and by default do not look for non-underscore SRV names
312 Changes in release 0.2q:
314 * bug fix in tcp-handling in kdc
316 * bug fix in expand_hostname
318 Changes in release 0.2p:
320 * bug fix in `kadmin load/merge'
322 * bug fix in krb5_parse_address
324 Changes in release 0.2o:
326 * gss_{import,export}_sec_context added to libgssapi
328 * new option --addresses to kdc (for listening on an explicit set of
331 * bug fixes in the krb4 and kaserver emulation part of the kdc
335 Changes in release 0.2n:
337 * more robust parsing of dump files in kadmin
338 * changed default timestamp format for log messages to extended ISO
339 8601 format (Y-M-DTH:M:S)
340 * changed md4/md5/sha1 APIes to be de-facto `standard'
341 * always make hostname into lower-case before creating principal
342 * small bits of more MIT-compatability
345 Changes in release 0.2m:
347 * handle glibc's getaddrinfo() that returns several ai_canonname
353 Changes in release 0.2l:
357 Changes in release 0.2k:
361 * make struct sockaddr_storage in roken work better on alphas
363 * some missing [hn]to[hn]s fixed.
365 * allow users to change their own passwords with kadmin (with initial
368 * fix stupid bug in parsing KDC specification
370 * add `ktutil change' and `ktutil purge'
372 Changes in release 0.2j:
376 * ftpd works in passive mode
378 * should build on cygwin
380 * work around broken IPv6-code on OpenBSD 2.6, also add configure
381 option --disable-ipv6
383 Changes in release 0.2i:
385 * use getaddrinfo in the missing places.
387 * fix SRV lookup for admin server
389 * use get{addr,name}info everywhere. and implement it in terms of
390 getipnodeby{name,addr} (which uses gethostbyname{,2} and
393 Changes in release 0.2h:
395 * fix typo in kx (now compiles)
397 Changes in release 0.2g:
401 * repair appl/test programs
402 * sockaddr_storage works on solaris (alignment issues)
403 * works better with non-roken getaddrinfo
405 * some non standard C constructs removed
407 Changes in release 0.2f:
409 * support SRV records for kpasswd
410 * look for both _kerberos and krb5-realm when doing host -> realm mapping
412 Changes in release 0.2e:
414 * changed copyright notices to remove `advertising'-clause.
415 * get{addr,name}info added to roken and used in the other code
416 (this makes things work much better with hosts with both v4 and v6
417 addresses, among other things)
418 * do pre-auth for both password and key-based get_in_tkt
419 * support for having several databases
420 * new command `del_enctype' in kadmin
421 * strptime (and new strftime) add to roken
422 * more paranoia about finding libdb
425 Changes in release 0.2d:
427 * new configuration option [libdefaults]default_etypes_des
428 * internal ls in ftpd builds without KRB4
429 * kx/rsh/push/pop_debug tries v5 and v4 consistenly
433 Changes in release 0.2c:
435 * bug fixes (see ChangeLog's for details)
437 Changes in release 0.2b:
440 * actually bump shared library versions
442 Changes in release 0.2a:
444 * a new program verify_krb5_conf for checking your /etc/krb5.conf
445 * add 3DES keys when changing password
446 * support null keys in database
447 * support multiple local realms
448 * implement a keytab backend for AFS KeyFile's
449 * implement a keytab backend for v4 srvtabs
450 * implement `ktutil copy'
451 * support password quality control in v4 kadmind
452 * improvements in v4 compat kadmind
453 * handle the case of having the correct cred in the ccache but with
454 the wrong encryption type better
455 * v6-ify the remaining programs.
456 * internal ls in ftpd
457 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
458 * add `ank --random-password' and `cpw --random-password' in kadmin
459 * some programs and documentation for trying to talk to a W2K KDC
462 Changes in release 0.1m:
464 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
465 From Miroslav Ruda <ruda@ics.muni.cz>
466 * v6-ify hprop and hpropd
467 * support numeric addresses in krb5_mk_req
468 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
469 * make rsh/rshd IPv6-aware
470 * make the gssapi sample applications better at reporting errors
472 * handle systems with v6-aware libc and non-v6 kernels (like Linux
473 with glibc 2.1) better
474 * hide failure of ERPT in ftp
477 Changes in release 0.1l:
479 * make ftp and ftpd IPv6-aware
480 * add inet_pton to roken
481 * more IPv6-awareness
482 * make mini_inetd v6 aware
484 Changes in release 0.1k:
486 * bump shared libraries versions
487 * add roken version of inet_ntop
488 * merge more changes to rshd
490 Changes in release 0.1j:
492 * restore back to the `old' 3DES code. This was supposed to be done
493 in 0.1h and 0.1i but I did a CVS screw-up.
494 * make telnetd handle v6 connections
496 Changes in release 0.1i:
498 * start using `struct sockaddr_storage' which simplifies the code
499 (with a fallback definition if it's not defined)
500 * bug fixes (including in hprop and kf)
501 * don't use mawk which seems to mishandle roken.awk
502 * get_addrs should be able to handle v6 addresses on Linux (with the
503 required patch to the Linux kernel -- ask within)
504 * rshd builds with shadow passwords
506 Changes in release 0.1h:
508 * kf: new program for forwarding credentials
510 * make forwarding credentials work with MIT code
511 * better conversion of ka database
512 * add etc/services.append
513 * correct `modified by' from kpasswdd
516 Changes in release 0.1g:
518 * kgetcred: new program for explicitly obtaining tickets
523 Changes in release 0.1f;
525 * experimental support for v4 kadmin protokoll in kadmind
528 Changes in release 0.1e:
530 * try to handle old DCE and MIT kdcs
531 * support for older versions of credential cache files and keytabs
532 * postdated tickets work
533 * support for password quality checks in kpasswdd
534 * new flag --enable-kaserver for kdc
536 * prototype su program
537 * updated (some) manpages
538 * support for KDC resource records
539 * should build with --without-krb4
542 Changes in release 0.1d:
544 * Support building with DB2 (uses 1.85-compat API)
545 * Support krb5-realm.DOMAIN in DNS
546 * new `ktutil srvcreate'
547 * v4/kafs support in klist/kdestroy
550 Changes in release 0.1c:
552 * fix ASN.1 encoding of signed integers
553 * somewhat working `ktutil get'
554 * some documentation updates
555 * update to Autoconf 2.13 and Automake 1.4
556 * the usual bug fixes
558 Changes in release 0.1b:
560 * some old -> new crypto conversion utils
563 Changes in release 0.1a:
567 * make sure we ask for DES keys in gssapi
568 * support signed ints in ASN1
571 Changes in release 0.0u:
575 Changes in release 0.0t:
577 * more robust parsing of krb5.conf
578 * include net{read,write} in lib/roken
581 Changes in release 0.0s:
583 * kludges for parsing options to rsh
584 * more robust parsing of krb5.conf
585 * removed some arbitrary limits
588 Changes in release 0.0r:
590 * default options for some programs
593 Changes in release 0.0q:
595 * support for building shared libraries with libtool
598 Changes in release 0.0p:
600 * keytab moved to /etc/krb5.keytab
601 * avoid false detection of IPv6 on Linux
602 * Lots of more functionality in the gssapi-library
603 * hprop can now read ka-server databases
606 Changes in release 0.0o:
608 * FTP with GSSAPI support.
611 Changes in release 0.0n:
613 * Incremental database propagation.
614 * Somewhat improved kadmin ui; the stuff in admin is now removed.
615 * Some support for using enctypes instead of keytypes.
616 * Lots of other improvement and bug fixes, see ChangeLog for details.