1Release Notes - Heimdal - Version Heimdal 1.5 2 3New features 4 5 - SHA512 support 6 - No Kerberos 4 support 7 8Release Notes - Heimdal - Version Heimdal 1.4 9 10 New features 11 12 - Support for reading MIT database file directly 13 - KCM is polished up and now used in production 14 - NTLM first class citizen, credentials stored in KCM 15 - Table driven ASN.1 compiler, smaller!, not enabled by default 16 - Native Windows client support 17 18Notes 19 20 - Disabled write support NDBM hdb backend (read still in there) since 21 it can't handle large records, please migrate to a diffrent backend 22 (like BDB4) 23 24Release Notes - Heimdal - Version Heimdal 1.3.3 25 26 Bug fixes 27 - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321] 28 - Check NULL pointers before dereference them [kdc] 29 30Release Notes - Heimdal - Version Heimdal 1.3.2 31 32 Bug fixes 33 34 - Don't mix length when clearing hmac (could memset too much) 35 - More paranoid underrun checking when decrypting packets 36 - Check the password change requests and refuse to answer empty packets 37 - Build on OpenSolaris 38 - Renumber AD-SIGNED-TICKET since it was stolen from US 39 - Don't cache /dev/*random file descriptor, it doesn't get unloaded 40 - Make C++ safe 41 - Misc warnings 42 43Release Notes - Heimdal - Version Heimdal 1.3.1 44 45 Bug fixes 46 47 - Store KDC offset in credentials 48 - Many many more bug fixes 49 50Release Notes - Heimdal - Version Heimdal 1.3.1 51 52 New features 53 54 - Make work with OpenLDAPs krb5 overlay 55 56Release Notes - Heimdal - Version Heimdal 1.3 57 58 New features 59 60 - Partial support for MIT kadmind rpc protocol in kadmind 61 - Better support for finding keytab entries when using SPN aliases in the KDC 62 - Support BER in ASN.1 library (needed for CMS) 63 - Support decryption in Keychain private keys 64 - Support for new sqlite based credential cache 65 - Try both KDC referals and the common DNS reverse lookup in GSS-API 66 - Fix the KCM to not leak resources on failure 67 - Add IPv6 support to iprop 68 - Support localization of error strings in 69 kinit/klist/kdestroy and Kerberos library 70 - Remove Kerberos 4 support in application (still in KDC) 71 - Deprecate DES 72 - Support i18n password in windows domains (using UTF-8) 73 - More complete API emulation of OpenSSL in hcrypto 74 - Support for ECDSA and ECDH when linking with OpenSSL 75 76 API changes 77 78 - Support for settin friendly name on credential caches 79 - Move to using doxygen to generate documentation. 80 - Sprinkling __attribute__((depricated)) for old function to be removed 81 - Support to export LAST-REQUST information in AS-REQ 82 - Support for client deferrals in in AS-REQ 83 - Add seek support for krb5_storage. 84 - Support for split AS-REQ, first step for IA-KERB 85 - Fix many memory leaks and bugs 86 - Improved regression test 87 - Support krb5_cccol 88 - Switch to krb5_set_error_message 89 - Support krb5_crypto_*_iov 90 - Switch to use EVP for most function 91 - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec) 92 - Add support for GSS_C_DELEG_POLICY_FLAG 93 - Add krb5_cc_[gs]et_config to store data in the credential caches 94 - PTY testing application 95 96Bugfixes 97 - Make building on AIX6 possible. 98 - Bugfixes in LDAP KDC code to make it more stable 99 - Make ipropd-slave reconnect when master down gown 100 101 102Release Notes - Heimdal - Version Heimdal 1.2.1 103 104* Bug 105 106 [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris 107 [HEIMDAL-151] - Make canned tests work again after cert expired 108 [HEIMDAL-152] - iprop test: use full hostname to avoid realm 109 resolving errors 110 [HEIMDAL-153] - ftp: Use the correct length for unmap, msync 111 112Release Notes - Heimdal - Version Heimdal 1.2 113 114* Bug 115 116 [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in 117 gss_display_name/gss_export_name when using SPNEGO 118 [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1 119 [HEIMDAL-17] - Remove support for depricated [libdefaults]capath 120 [HEIMDAL-52] - hdb overwrite aliases for db databases 121 [HEIMDAL-54] - Two issues which affect credentials delegation 122 [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args 123 [HEIMDAL-62] - Fix printing of sig_atomic_t 124 [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto 125 [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase 126 [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241) 127 128* Improvement 129 [HEIMDAL-67] - Fix locking and store credential in atomic writes 130 in the FILE credential cache 131 [HEIMDAL-106] - make compile on cygwin again 132 [HEIMDAL-107] - Replace old random key generation in des module 133 and use it with RAND_ function instead 134 [HEIMDAL-115] - Better documentation and compatibility in hcrypto 135 in regards to OpenSSL 136 137* New Feature 138 [HEIMDAL-3] - pkinit alg agility PRF test vectors 139 [HEIMDAL-14] - Add libwind to Heimdal 140 [HEIMDAL-16] - Use libwind in hx509 141 [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to 142 the negotiation 143 [HEIMDAL-74] - Add support to report extended error message back 144 in AS-REQ to support windows clients 145 [HEIMDAL-116] - test pty based application (using rkpty) 146 [HEIMDAL-120] - Use new OpenLDAP API (older deprecated) 147 148* Task 149 [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ. 150 This drop compatibility with pre 0.3d KDCs. 151 [HEIMDAL-64] - kcm: first implementation of kcm-move-cache 152 [HEIMDAL-65] - Failed to compile with --disable-pk-init 153 [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some 154 wraparound checks doesn't apply to Heimdal 155 156Changes in release 1.1 157 158 * Read-only PKCS11 provider built-in to hx509. 159 160 * Documentation for hx509, hcrypto and ntlm libraries improved. 161 162 * Better compatibilty with Windows 2008 Server pre-releases and Vista. 163 164 * Mac OS X 10.5 support for native credential cache. 165 166 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc). 167 168 * Bug fixes. 169 170Changes in release 1.0.2 171 172* Ubuntu packages. 173 174* Bug fixes. 175 176Changes in release 1.0.1 177 178 * Serveral bug fixes to iprop. 179 180 * Make work on platforms without dlopen. 181 182 * Add RFC3526 modp group14 as default. 183 184 * Handle [kdc] database = { } entries without realm = stanzas. 185 186 * Make krb5_get_renewed_creds work. 187 188 * Make kaserver preauth work again. 189 190 * Bug fixes. 191 192Changes in release 1.0 193 194 * Add gss_pseudo_random() for mechglue and krb5. 195 196 * Make session key for the krbtgt be selected by the best encryption 197 type of the client. 198 199 * Better interoperability with other PK-INIT implementations. 200 201 * Inital support for Mac OS X Keychain for hx509. 202 203 * Alias support for inital ticket requests. 204 205 * Add symbol versioning to selected libraries on platforms that uses 206 GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc. 207 208 * New version of imath included in hcrypto. 209 210 * Fix memory leaks. 211 212 * Bugs fixes. 213 214Changes in release 0.8.1 215 216 * Make ASN.1 library less paranoid to with regard to NUL in string to 217 make it inter-operate with MIT Kerberos again. 218 219 * Make GSS-API library work again when using gss_acquire_cred 220 221 * Add symbol versioning to libgssapi when using GNU ld. 222 223 * Fix memory leaks 224 225 * Bugs fixes 226 227Changes in release 0.8 228 229 * PK-INIT support. 230 231 * HDB extensions support, used by PK-INIT. 232 233 * New ASN.1 compiler. 234 235 * GSS-API mechglue from FreeBSD. 236 237 * Updated SPNEGO to support RFC4178. 238 239 * Support for Cryptosystem Negotiation Extension (RFC 4537). 240 241 * A new X.509 library (hx509) and related crypto functions. 242 243 * A new ntlm library (heimntlm) and related crypto functions. 244 245 * Updated the built-in crypto library with bignum support using 246 imath, support for RSA and DH and renamed it to libhcrypto. 247 248 * Subsystem in the KDC, digest, that will perform the digest 249 operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL 250 DIGEST-MD5 NTLMv1 and NTLMv2. 251 252 * KDC will return the "response too big" error to force TCP retries 253 for large (default 1400 bytes) UDP replies. This is common for 254 PK-INIT requests. 255 256 * Libkafs defaults to use 2b tokens. 257 258 * Default to use the API cache on Mac OS X. 259 260 * krb5_kuserok() also checks ~/.k5login.d directory for acl files, 261 see manpage for krb5_kuserok for description. 262 263 * Many, many, other updates to code and info manual and manual pages. 264 265 * Bug fixes 266 267Changes in release 0.7.2 268 269* Fix security problem in rshd that enable an attacker to overwrite 270 and change ownership of any file that root could write. 271 272* Fix a DOS in telnetd. The attacker could force the server to crash 273 in a NULL de-reference before the user logged in, resulting in inetd 274 turning telnetd off because it forked too fast. 275 276* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name 277 exists in the keytab before returning success. This allows servers 278 to check if its even possible to use GSSAPI. 279 280* Fix receiving end of token delegation for GSS-API. It still wrongly 281 uses subkey for sending for compatibility reasons, this will change 282 in 0.8. 283 284* telnetd, login and rshd are now more verbose in logging failed and 285 successful logins. 286 287* Bug fixes 288 289Changes in release 0.7.1 290 291* Bug fixes 292 293Changes in release 0.7 294 295 * Support for KCM, a process based credential cache 296 297 * Support CCAPI credential cache 298 299 * SPNEGO support 300 301 * AES (and the gssapi conterpart, CFX) support 302 303 * Adding new and improve old documentation 304 305 * Bug fixes 306 307Changes in release 0.6.6 308 309* Fix security problem in rshd that enable an attacker to overwrite 310 and change ownership of any file that root could write. 311 312* Fix a DOS in telnetd. The attacker could force the server to crash 313 in a NULL de-reference before the user logged in, resulting in inetd 314 turning telnetd off because it forked too fast. 315 316Changes in release 0.6.5 317 318 * fix vulnerabilities in telnetd 319 320 * unbreak Kerberos 4 and kaserver 321 322Changes in release 0.6.4 323 324 * fix vulnerabilities in telnet 325 326 * rshd: encryption without a separate error socket should now work 327 328 * telnet now uses appdefaults for the encrypt and forward/forwardable 329 settings 330 331 * bug fixes 332 333Changes in release 0.6.3 334 335 * fix vulnerabilities in ftpd 336 337 * support for linux AFS /proc "syscalls" 338 339 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in 340 kpasswdd 341 342 * fix possible KDC denial of service 343 344 * bug fixes 345 346Changes in release 0.6.2 347 348 * Fix possible buffer overrun in v4 kadmin (which now defaults to off) 349 350Changes in release 0.6.1 351 352 * Fixed ARCFOUR suppport 353 354 * Cross realm vulnerability 355 356 * kdc: fix denial of service attack 357 358 * kdc: stop clients from renewing tickets into the future 359 360 * bug fixes 361 362Changes in release 0.6 363 364* The DES3 GSS-API mechanism has been changed to inter-operate with 365 other GSSAPI implementations. See man page for gssapi(3) how to turn 366 on generation of correct MIC messages. Next major release of heimdal 367 will generate correct MIC by default. 368 369* More complete GSS-API support 370 371* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS 372 support in applications no longer requires Kerberos 4 libs 373 374* Kerberos 4 support in kdc defaults to turned off (includes ka and 524) 375 376* other bug fixes 377 378Changes in release 0.5.2 379 380 * kdc: add option for disabling v4 cross-realm (defaults to off) 381 382 * bug fixes 383 384Changes in release 0.5.1 385 386 * kadmind: fix remote exploit 387 388 * kadmind: add option to disable kerberos 4 389 390 * kdc: make sure kaserver token life is positive 391 392 * telnet: use the session key if there is no subkey 393 394 * fix EPSV parsing in ftp 395 396 * other bug fixes 397 398Changes in release 0.5 399 400 * add --detach option to kdc 401 402 * allow setting forward and forwardable option in telnet from 403 .telnetrc, with override from command line 404 405 * accept addresses with or without ports in krb5_rd_cred 406 407 * make it work with modern openssl 408 409 * use our own string2key function even with openssl (that handles weak 410 keys incorrectly) 411 412 * more system-specific requirements in login 413 414 * do not use getlogin() to determine root in su 415 416 * telnet: abort if telnetd does not support encryption 417 418 * update autoconf to 2.53 419 420 * update config.guess, config.sub 421 422 * other bug fixes 423 424Changes in release 0.4e 425 426 * improve libcrypto and database autoconf tests 427 428 * do not care about salting of server principals when serving v4 requests 429 430 * some improvements to gssapi library 431 432 * test for existing compile_et/libcom_err 433 434 * portability fixes 435 436 * bug fixes 437 438Changes in release 0.4d 439 440 * fix some problems when using libcrypto from openssl 441 442 * handle /dev/ptmx `unix98' ptys on Linux 443 444 * add some forgotten man pages 445 446 * rsh: clean-up and add man page 447 448 * fix -A and -a in builtin-ls in tpd 449 450 * fix building problem on Irix 451 452 * make `ktutil get' more efficient 453 454 * bug fixes 455 456Changes in release 0.4c 457 458 * fix buffer overrun in telnetd 459 460 * repair some of the v4 fallback code in kinit 461 462 * add more shared library dependencies 463 464 * simplify and fix hprop handling of v4 databases 465 466 * fix some building problems (osf's sia and osfc2 login) 467 468 * bug fixes 469 470Changes in release 0.4b 471 472 * update the shared library version numbers correctly 473 474Changes in release 0.4a 475 476 * corrected key used for checksum in mk_safe, unfortunately this 477 makes it backwards incompatible 478 479 * update to autoconf 2.50, libtool 1.4 480 481 * re-write dns/config lookups (krb5_krbhst API) 482 483 * make order of using subkeys consistent 484 485 * add man page links 486 487 * add more man pages 488 489 * remove rfc2052 support, now only rfc2782 is supported 490 491 * always build with kaserver protocol support in the KDC (assuming 492 KRB4 is enabled) and support for reading kaserver databases in 493 hprop 494 495Changes in release 0.3f 496 497 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, 498 the new keytab type that tries both of these in order (SRVTAB is 499 also an alias for krb4:) 500 501 * improve error reporting and error handling (error messages should 502 be more detailed and more useful) 503 504 * improve building with openssl 505 506 * add kadmin -K, rcp -F 507 508 * fix two incorrect weak DES keys 509 510 * fix building of kaserver compat in KDC 511 512 * the API is closer to what MIT krb5 is using 513 514 * more compatible with windows 2000 515 516 * removed some memory leaks 517 518 * bug fixes 519 520Changes in release 0.3e 521 522 * rcp program included 523 524 * fix buffer overrun in ftpd 525 526 * handle omitted sequence numbers as zeroes to handle MIT krb5 that 527 cannot generate zero sequence numbers 528 529 * handle v4 /.k files better 530 531 * configure/portability fixes 532 533 * fixes in parsing of options to kadmin (sub-)commands 534 535 * handle errors in kadmin load better 536 537 * bug fixes 538 539Changes in release 0.3d 540 541 * add krb5-config 542 543 * fix a bug in 3des gss-api mechanism, making it compatible with the 544 specification and the MIT implementation 545 546 * make telnetd only allow a specific list of environment variables to 547 stop it from setting `sensitive' variables 548 549 * try to use an existing libdes 550 551 * lib/krb5, kdc: use correct usage type for ap-req messages. This 552 should improve compatability with MIT krb5 when using 3DES 553 encryption types 554 555 * kdc: fix memory allocation problem 556 557 * update config.guess and config.sub 558 559 * lib/roken: more stuff implemented 560 561 * bug fixes and portability enhancements 562 563Changes in release 0.3c 564 565 * lib/krb5: memory caches now support the resolve operation 566 567 * appl/login: set PATH to some sane default 568 569 * kadmind: handle several realms 570 571 * bug fixes (including memory leaks) 572 573Changes in release 0.3b 574 575 * kdc: prefer default-salted keys on v5 requests 576 577 * kdc: lowercase hostnames in v4 mode 578 579 * hprop: handle more types of MIT salts 580 581 * lib/krb5: fix memory leak 582 583 * bug fixes 584 585Changes in release 0.3a: 586 587 * implement arcfour-hmac-md5 to interoperate with W2K 588 589 * modularise the handling of the master key, and allow for other 590 encryption types. This makes it easier to import a database from 591 some other source without having to re-encrypt all keys. 592 593 * allow for better control over which encryption types are created 594 595 * make kinit fallback to v4 if given a v4 KDC 596 597 * make klist work better with v4 and v5, and add some more MIT 598 compatibility options 599 600 * make the kdc listen on the krb524 (4444) port for compatibility 601 with MIT krb5 clients 602 603 * implement more DCE/DFS support, enabled with --enable-dce, see 604 lib/kdfs and appl/dceutils 605 606 * make the sequence numbers work correctly 607 608 * bug fixes 609 610Changes in release 0.2t: 611 612 * bug fixes 613 614Changes in release 0.2s: 615 616 * add OpenLDAP support in hdb 617 618 * login will get v4 tickets when it receives forwarded tickets 619 620 * xnlock supports both v5 and v4 621 622 * repair source routing for telnet 623 624 * fix building problems with krb4 (krb_mk_req) 625 626 * bug fixes 627 628Changes in release 0.2r: 629 630 * fix realloc memory corruption bug in kdc 631 632 * `add --key' and `cpw --key' in kadmin 633 634 * klist supports listing v4 tickets 635 636 * update config.guess and config.sub 637 638 * make v4 -> v5 principal name conversion more robust 639 640 * support for anonymous tickets 641 642 * new man-pages 643 644 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab. 645 646 * use and set expiration and not password expiration when dumping 647 to/from ka server databases / krb4 databases 648 649 * make the code happier with 64-bit time_t 650 651 * follow RFC2782 and by default do not look for non-underscore SRV names 652 653Changes in release 0.2q: 654 655 * bug fix in tcp-handling in kdc 656 657 * bug fix in expand_hostname 658 659Changes in release 0.2p: 660 661 * bug fix in `kadmin load/merge' 662 663 * bug fix in krb5_parse_address 664 665Changes in release 0.2o: 666 667 * gss_{import,export}_sec_context added to libgssapi 668 669 * new option --addresses to kdc (for listening on an explicit set of 670 addresses) 671 672 * bug fixes in the krb4 and kaserver emulation part of the kdc 673 674 * other bug fixes 675 676Changes in release 0.2n: 677 678 * more robust parsing of dump files in kadmin 679 * changed default timestamp format for log messages to extended ISO 680 8601 format (Y-M-DTH:M:S) 681 * changed md4/md5/sha1 APIes to be de-facto `standard' 682 * always make hostname into lower-case before creating principal 683 * small bits of more MIT-compatability 684 * bug fixes 685 686Changes in release 0.2m: 687 688 * handle glibc's getaddrinfo() that returns several ai_canonname 689 690 * new endian test 691 692 * man pages fixes 693 694Changes in release 0.2l: 695 696 * bug fixes 697 698Changes in release 0.2k: 699 700 * better IPv6 test 701 702 * make struct sockaddr_storage in roken work better on alphas 703 704 * some missing [hn]to[hn]s fixed. 705 706 * allow users to change their own passwords with kadmin (with initial 707 tickets) 708 709 * fix stupid bug in parsing KDC specification 710 711 * add `ktutil change' and `ktutil purge' 712 713Changes in release 0.2j: 714 715 * builds on Irix 716 717 * ftpd works in passive mode 718 719 * should build on cygwin 720 721 * work around broken IPv6-code on OpenBSD 2.6, also add configure 722 option --disable-ipv6 723 724Changes in release 0.2i: 725 726 * use getaddrinfo in the missing places. 727 728 * fix SRV lookup for admin server 729 730 * use get{addr,name}info everywhere. and implement it in terms of 731 getipnodeby{name,addr} (which uses gethostbyname{,2} and 732 gethostbyaddr) 733 734Changes in release 0.2h: 735 736 * fix typo in kx (now compiles) 737 738Changes in release 0.2g: 739 740 * lots of bug fixes: 741 * push works 742 * repair appl/test programs 743 * sockaddr_storage works on solaris (alignment issues) 744 * works better with non-roken getaddrinfo 745 * rsh works 746 * some non standard C constructs removed 747 748Changes in release 0.2f: 749 750 * support SRV records for kpasswd 751 * look for both _kerberos and krb5-realm when doing host -> realm mapping 752 753Changes in release 0.2e: 754 755 * changed copyright notices to remove `advertising'-clause. 756 * get{addr,name}info added to roken and used in the other code 757 (this makes things work much better with hosts with both v4 and v6 758 addresses, among other things) 759 * do pre-auth for both password and key-based get_in_tkt 760 * support for having several databases 761 * new command `del_enctype' in kadmin 762 * strptime (and new strftime) add to roken 763 * more paranoia about finding libdb 764 * bug fixes 765 766Changes in release 0.2d: 767 768 * new configuration option [libdefaults]default_etypes_des 769 * internal ls in ftpd builds without KRB4 770 * kx/rsh/push/pop_debug tries v5 and v4 consistenly 771 * build bug fixes 772 * other bug fixes 773 774Changes in release 0.2c: 775 776 * bug fixes (see ChangeLog's for details) 777 778Changes in release 0.2b: 779 780 * bug fixes 781 * actually bump shared library versions 782 783Changes in release 0.2a: 784 785 * a new program verify_krb5_conf for checking your /etc/krb5.conf 786 * add 3DES keys when changing password 787 * support null keys in database 788 * support multiple local realms 789 * implement a keytab backend for AFS KeyFile's 790 * implement a keytab backend for v4 srvtabs 791 * implement `ktutil copy' 792 * support password quality control in v4 kadmind 793 * improvements in v4 compat kadmind 794 * handle the case of having the correct cred in the ccache but with 795 the wrong encryption type better 796 * v6-ify the remaining programs. 797 * internal ls in ftpd 798 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat 799 * add `ank --random-password' and `cpw --random-password' in kadmin 800 * some programs and documentation for trying to talk to a W2K KDC 801 * bug fixes 802 803Changes in release 0.1m: 804 805 * support for getting default from krb5.conf for kinit/kf/rsh/telnet. 806 From Miroslav Ruda <ruda@ics.muni.cz> 807 * v6-ify hprop and hpropd 808 * support numeric addresses in krb5_mk_req 809 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz> 810 * make rsh/rshd IPv6-aware 811 * make the gssapi sample applications better at reporting errors 812 * lots of bug fixes 813 * handle systems with v6-aware libc and non-v6 kernels (like Linux 814 with glibc 2.1) better 815 * hide failure of ERPT in ftp 816 * lots of bug fixes 817 818Changes in release 0.1l: 819 820 * make ftp and ftpd IPv6-aware 821 * add inet_pton to roken 822 * more IPv6-awareness 823 * make mini_inetd v6 aware 824 825Changes in release 0.1k: 826 827 * bump shared libraries versions 828 * add roken version of inet_ntop 829 * merge more changes to rshd 830 831Changes in release 0.1j: 832 833 * restore back to the `old' 3DES code. This was supposed to be done 834 in 0.1h and 0.1i but I did a CVS screw-up. 835 * make telnetd handle v6 connections 836 837Changes in release 0.1i: 838 839 * start using `struct sockaddr_storage' which simplifies the code 840 (with a fallback definition if it's not defined) 841 * bug fixes (including in hprop and kf) 842 * don't use mawk which seems to mishandle roken.awk 843 * get_addrs should be able to handle v6 addresses on Linux (with the 844 required patch to the Linux kernel -- ask within) 845 * rshd builds with shadow passwords 846 847Changes in release 0.1h: 848 849 * kf: new program for forwarding credentials 850 * portability fixes 851 * make forwarding credentials work with MIT code 852 * better conversion of ka database 853 * add etc/services.append 854 * correct `modified by' from kpasswdd 855 * lots of bug fixes 856 857Changes in release 0.1g: 858 859 * kgetcred: new program for explicitly obtaining tickets 860 * configure fixes 861 * krb5-aware kx 862 * bug fixes 863 864Changes in release 0.1f; 865 866 * experimental support for v4 kadmin protokoll in kadmind 867 * bug fixes 868 869Changes in release 0.1e: 870 871 * try to handle old DCE and MIT kdcs 872 * support for older versions of credential cache files and keytabs 873 * postdated tickets work 874 * support for password quality checks in kpasswdd 875 * new flag --enable-kaserver for kdc 876 * renew fixes 877 * prototype su program 878 * updated (some) manpages 879 * support for KDC resource records 880 * should build with --without-krb4 881 * bug fixes 882 883Changes in release 0.1d: 884 885 * Support building with DB2 (uses 1.85-compat API) 886 * Support krb5-realm.DOMAIN in DNS 887 * new `ktutil srvcreate' 888 * v4/kafs support in klist/kdestroy 889 * bug fixes 890 891Changes in release 0.1c: 892 893 * fix ASN.1 encoding of signed integers 894 * somewhat working `ktutil get' 895 * some documentation updates 896 * update to Autoconf 2.13 and Automake 1.4 897 * the usual bug fixes 898 899Changes in release 0.1b: 900 901 * some old -> new crypto conversion utils 902 * bug fixes 903 904Changes in release 0.1a: 905 906 * new crypto code 907 * more bug fixes 908 * make sure we ask for DES keys in gssapi 909 * support signed ints in ASN1 910 * IPv6-bug fixes 911 912Changes in release 0.0u: 913 914 * lots of bug fixes 915 916Changes in release 0.0t: 917 918 * more robust parsing of krb5.conf 919 * include net{read,write} in lib/roken 920 * bug fixes 921 922Changes in release 0.0s: 923 924 * kludges for parsing options to rsh 925 * more robust parsing of krb5.conf 926 * removed some arbitrary limits 927 * bug fixes 928 929Changes in release 0.0r: 930 931 * default options for some programs 932 * bug fixes 933 934Changes in release 0.0q: 935 936 * support for building shared libraries with libtool 937 * bug fixes 938 939Changes in release 0.0p: 940 941 * keytab moved to /etc/krb5.keytab 942 * avoid false detection of IPv6 on Linux 943 * Lots of more functionality in the gssapi-library 944 * hprop can now read ka-server databases 945 * bug fixes 946 947Changes in release 0.0o: 948 949 * FTP with GSSAPI support. 950 * Bug fixes. 951 952Changes in release 0.0n: 953 954 * Incremental database propagation. 955 * Somewhat improved kadmin ui; the stuff in admin is now removed. 956 * Some support for using enctypes instead of keytypes. 957 * Lots of other improvement and bug fixes, see ChangeLog for details. 958