diff options
Diffstat (limited to 'crypto/kerberosIV/NEWS')
-rw-r--r-- | crypto/kerberosIV/NEWS | 755 |
1 files changed, 0 insertions, 755 deletions
diff --git a/crypto/kerberosIV/NEWS b/crypto/kerberosIV/NEWS deleted file mode 100644 index ac51078..0000000 --- a/crypto/kerberosIV/NEWS +++ /dev/null @@ -1,755 +0,0 @@ -Changes in release 1.0.5: - -* Remember to update version string. - -* Build fixes - -* multiple local realm fix in krb_verify_user - -Changes in release 1.0.4: - -* Only allow a small list of environment variables in telnetd - -* Fix one buffer overflow in libkrb - -* Make su handle multiple local realms - -* Build pic-ed archives (to be used with the pam module) - -* do not handle environment variables, use krb.extra instead - -* Disable KRBCONFDIR environment variable for root - -* fix shared libraries building on solaris - -Changes in release 1.0.3: - -* Handle DoS attacks in the KDC and the admin server better. - -* updated config.guess and config.sub - -* better db/gdbm discovery - -* bug fixes - -Changes in release 1.0.2: - -* Fix syslog(LOG_FOO, bug) calls in kauthd, kipd - -* Fix bug with systems have a 64bit `time_t' - -* Port to Solaris 8 (aka SunOS 5.8), HP-UX 11 - -* Add AIX fix for shared libraries - -* Make afslog work with Arla - -* Be more paranoid about setuid for the sake of Linux 2.2.15 - -* Make rshd afslog to the cell of the home directory - -* Improved kip/kipd - -* syslog with correct level in popper - -* install libraries correctly in lib/sl - -* more paranoia when overwriting and removing ticket files - -Changes in release 1.0.1: - -* Fix bug in ftpd when accepting connections - -* Make `-d' in kauth not imply `-a' - -* Adapt sia to new TKT_ROOT - -* Define `sockaddr_storage' in a fashion that works on - alignment-restricted architectures - -* Rewrite PAM module to work better. - -* Make all files in libdes build with CFLAGS - -Changes in release 1.0: - -* A new configuration option `nat_in_use' in krb.extra to ease use - through Network Address Translators. - -* Support configuration value of KEYFILE and TKT_ROOT in krb.extra - -* Easier building on some platforms - -* built-in ls in ftpd. - -* Bug fixes. - -Changes in release 0.10: - -* Some support for Irix 6.5 capabilities - -* Improved kadmin interface; you can get more info via kadmin. - -* Some improved support for OSF C2. - -* General bug-fixes and improvements, including a large number of - potential buffer overrun fixes. A large number of portability - improvements. - -* Support for multiple local realms. - -* Support batch kadmin operation. - -* Heimdal support in push. - -* Removed `--with-shared' configure option (use `--enable-shared'.) - -* Now uses Autoconf 2.13. - -Changes in release 0.9.9: - -* New configuration file /etc/krb.extra - -* New program `push' for popping mail. - -* Add (still little tested) support for maildir spool files in popper. - -* Added `delete' to ksrvutil. - -* Support the strange X11 sockets used on HP-UX and some versions of - Solaris. - -* Arla compatibility in libkafs. - -* More compatibility with the Solaris version of libkrb. - -* New configure option `--with-mips-abi' - -* Support `/etc/securetty' in login. - -* Bug fixes and improvements to the Win32 telnet. - -* Add support for installing with DESTDIR - -* SIA module with added support for password changing, and - reauthentication. - -* Add better support for MIT `compile_et' and `mk_cmds', this should - make it easier to build things like `zephyr'. - -* Bug fixes: - - Krb: fixed dangling references to flock in libkrb - - FTP: fixed `logwtmp' name conflict - - Telnet: fix a few literal IP-number bugs - - Telnet: hopefully fixed stair-stepping bug - - Kafs: don't store expired tokens in the kernel - - Kafs: fix broken installation of afslib.so in AIX - -Changes in release 0.9.8: - -* several bug fixes; some which deserve mentioning: - - fix non-working `kauth -h' - - the sia-module should work again - - don't leave tickets in popper - -Changes in release 0.9.7: - -* new configure option --disable-otp - -* new configure option --with-afsws - -* includes rxkad implementation - -* ftp client is more careful with suspicious filenames (|, .., /) - -* fixed setuid-vulnerability of rcp, rlogin, and rsh. - -* removed use of tgetent from telnetd (thereby eliminating buffer-overflow) - -* new commands in ftp and ftpd: kdestroy, krbtkfile, and afslog. - -* implement HTTP transport in libkrb and KDC. - -* win32 terminal program much improved. also implemented ticket - management program. - -* introduce `-i' option to kerberos server for listening only on one - interface. - -* updated otp applications and man pages. - -* merged in libdes 4.01 - -* popper is more resilient to badly formatted mails. - -* minor fixes for Cray support. - -* fix popen bug i ftpd. - -* lots of bug fixes and portability fixes. - -* better compatibility with Heimdal. - -Minor changes in release 0.9.6: - -* utmp(x) works correctly on systems with utmpx. - -* A security-related bug in ftpd fixed. - -* Compiles on solaris 2.4, 2.6 and on WinNT/95 with cygwin32 beta18. - -* New option `-w' to rxtelnet, rxterm. - -Major changes in release 0.9.5: - -* We made some changes to be compatible with the other kerberised ftp - implementations and this means that an old kerberised ftp client will - not be able to talk to a new ftp server. So try to upgrade your ftp - clients and servers at the same time. The reason for this change is - described in more detail below. - -* The interpretation of /etc/ftpusers has changed slightly, see - ftpusers(5). These changes come from NetBSD. - -* The function `des_quad_cksum', which is used by `krb_rd_safe', and - `krb_mk_safe', has never been compatible with MIT's DES - library. This has now been fixed. - - This fix will however break some programs that used those functions, - for instance `ftp'. In this version `krb_rd_safe' is modified to - accept checksums of both the new and the old format; `krb_mk_safe' - will always emit checksums of the new type *unless* `krb_rd_safe' - has detected that the client is using the old checksum (this feature - may be removed in some future release). - - If you have programs that use `krb_mk_safe' and `krb_rd_safe' you - should upgrade all clients before upgrading your servers. Client is - here defined as the program that first calls `krb_rd_safe'. - - If you are using some protocol that talks to more than one client or - server in one session, the heuristics to detect which kind of - checksum to use might fail. - - The problem with `des_quad_cksum' was just a byte-order problem, so - there are no security problems with using the old versions. Thanks - to Derrick J Brashear <shadow@DEMENTIA.ORG> for pointing in the - right general direction. - -* Rewrote kx to work always open TCP connections in the same - direction. This was needed to make it work through NATs and is - generally a cleaner way of doing it. Also added `tenletxr'. - Unfortunately the new protocol is not compatible with the old one. - The new kx and kxd programs try to figure out if they are talking to - old versions. - -* Quite a bit of new functionality in otp. Changed default hash - function to `md5'. Fixed implementation of SHA and added downcasing - of seed to conform with `draft-ietf-otp-01.txt'. All verification - examples in the draft now work. - -* Fixed buffer overflows. - -* Add history/line editing in kadmin and ftp. - -* utmp/utmpx and wtmp/wtmpx might work better on strange machines. - -* Bug fixes for `rsh -n' and `rcp -x'. - -* reget now works in ftp and ftpd. Passive mode works. Other minor - bug fixes as well. - -* New option `-g umask' to ftpd for specifying the umask for anonymous users. - -* Fix for `-l' option in rxtelnet and rxterm. - -* XOVER support in popper. - -* Better support for building shared libraries. - -* Better support for talking to the KDC over TCP. This could make it - easier to use brain-damaged firewalls. - -* Support FreeBSD-style MD5 /etc/passwd. - -* New option `-createuser' to afslog. - -* Upgraded to work with socks5-v1.0r1. - -* Almost compiles and works on OS/2 with EMX, and Win95/NT with gnu-win32. - -* Merged in win32-telnet, see README-WIN32 for more details. - -* Possibly fixed telnet bug on HP-UX 10. - -* Updated man-pages. - -* Support for NetBSD/OpenBSD manual page circus. - -* Bug fixes. - -Major changes in release 0.9.3: - -* kx has been rewritten and is now a lot easier to use. Two new - scripts: rxtelnet and rxterm. It also works on machines such as - Cray where the X-libraries cannot talk unix sockets. - -* experimental OTP (RFC1938). Included in login, ftpd, and popper. - -* authentication modules: PAM for linux, SIA for OSF/1, and - afskauthlib for Irix. - -* popper now has the UIDL command. - -* ftpd can now tar and compress files and directories on the fly, also - added a find site command. - -* updated documentation and man pages. - -* Change kuserok so that it acts as if luser@LOCALREALM is always an - entry of .klogin, even when it's not possible to verify that there - is no such file or the file is unreadable. - -* Support for SRV-records. - -* Socks v5 support. - -* rcp is AFS-aware. - -* allow for other transport mechanisms than udp (useful for firewall - tormented souls); as a side effect the format of krb.conf had to - become more flexible - -* sample programs included. - -* work arounds for Linux networking bugs in rlogind and rlogin. - -* more portable - -* quite a number of improvments/bugfixes - -* New platforms: HP-UX 10, Irix 6.2 - -Major changes in release 0.9.2a: - -* fix annoying bug with kauth (et al) returning incorrect error - -Major changes in release 0.9.2: - -* service `kerberos-iv' and port 750 has been registered with IANA. - -* Bugfixes. - - - Compiles with gcc on AIX. - - - Compiles with really old resolvers. - - - ftp works with afs string-to-key. - - - shared libraries should work on Linux/ELF. - - - some potential buffer overruns. - - - general code clean-up. - -* Better Cray/UNICOS support. - -* New platforms: AIX 4.2, IRIX 6.1, and Linux 2.0 - -Major changes in release 0.9.1: - -* Mostly bugfixes. - - - No hardcoded references to /usr/athena - - - Better Linux support with rlogin - - - Fix for broken handling of NULL password in kadmind (such as with - `ksrvutil change') - - - AFS-aware programs should work on AIX systems without AFS - -* New platforms: Digital UNIX 4.0 and Fujitsu UXP/V - -* New mechanism to determine realm from hostname based on DNS. To find - the realm of a.b.c.d it tries to find krb4-realm.a.b.c.d and then - krb4-realm.b.c.d and so on. The entry in DNS should be a TXT record - with the realm name. - - krb4-realm.pdc.kth.se. 7200 TXT "NADA.KTH.SE" - -Major changes in release 0.9: - -* Tested platforms: - -Dec Alpha OSF/1 3.2 with cc -std1 -HP 9000/735 HP/UX 9.05 with gcc -DEC Pmax Ultrix 4.4 with gcc (cc does not work) -IBM RS/6000 AIX 4.1 with xlc (gcc works, cc does not) -SGI IRIX 5.3 with cc -Sun SunOS 4.1.4 with gcc (cc is not ANSI and does not work) -Sun SunOS 5.5 with gcc -Intel i386 NetBSD 1.2 with gcc -Intel i386 Linux 1.3.95 with gcc -Cray J90 Unicos 9 with cc - -* Mostly ported to Crays running Unicos 9. - -* S/Key-support in ftpd. - -* Delete operation supported in kerberos database. - -* Cleaner and more portable code. - -* Even less bugs than before. - -* kpopper now supports the old pop3 protocol and has been renamed to popper. - -* rsh can be renamed remsh. - -* Experimental program for forwarding IP over a kerberos tunnel. - -* Updated to libdes 3.23. - -Major changes in release 0.8: - -* New programs: ftp & ftpd. - -* New programs: kx & kxd. These programs forward X connections over - kerberos-encrypted connections. - -* Incorporated version 3.21 of libdes. - -* login: No double utmp-entries on Solaris. - -* kafs - - * Better guessing of what realm a cell belongs to. - - * Support for authenticating to several cells. Reads - /usr/vice/etc/TheseCells, if present. - -* ksrvutil: Support for generating AFS keys. - -* login, su, rshd, rlogind: tries to counter possible NIS-attack. - -* xnlock: several bug fixes and support for more than one screen. - -* Default port number for ekshell changed from 2106 to 545. kauth - port changed from 4711 to 2120. - -* Rumored to work on Fujitsu UXP/V and Cray UNICOS. - -Major changes in release 0.7: - -* New experimental masterkey generation. Enable with - --enable-random-mkey. Also the default place for the master key has - moved from /.k to /var/kerberos/master-key. This is customizable - with --with-mkey=file. If you don't want you master key to be on the - same backup medium as your database, remember to use this flag. All - relevant programs still checks for /.k. - -* `-t' option to kadmin. - -* Kpopper uses kuserok to verify if user is allowed to pop mail. - -* Kpopper tries to locate the mail spool directory: /var/mail or - /var/spool/mail. - -* kauth has ability to get ticket on a remove host with the `-h' option. - -* afslog (aklog clone) and pagsh included. - -* New format for /etc/krb.equiv. - -* Better multi-homed hosts support in kauth, rcp, rlogin, rlogind, - rshd, telnet, telnetd. - -* rlogind works on ultrix and aix 3.2. - -* lots of bug fixes. - -Major changes in release 0.6: - -* Tested platforms: - -DEC/Alpha OSF3.2 -HP700 HPux 9.x -Dec/Pmax Ultrix 4.4 (rlogind not working) -IBM RS/6000 AIX 3.2 (rlogind not working) -IBM RS/6000 AIX 4.1 -SGI Irix 5.3 -Sun Sunos 4.1.x -Sun Sunos 5.4 -386 BSD/OS 2.0.1 -386 NetBSD 1.1 -386 Linux 1.2.13 - -It is rumored to work to some extent on NextStep 3.3. - -* ksrvutil get to create new keys and put them in the database at the -same time. - -* Support for S/Key in login. - -* kstring2key: new program to show string to key conversion. - -* Kerberos server should now listen on all available network -interfaces and on both port 88 and 750. - -* Timeout in kpopper. - -* Support password quality checks in kadmind. Use --with-crack-lib to -link kadmind with cracklib. The patches in cracklib.patch are needed. - -* Movemail from emacs 19.30. - -* Logging format uses four digits for years. - -* Fallback if port numbers are not listed in /etc/services. - - - * Relesed version 0.5 - - * lib/des/read_pwd.c: Redifine TIOCGETP and TIOCSETP so that the - same code is used both for posix termios and others. - - * rsh, rlogin: Add environment variable RSTAR_NO_WARN which when - set to "yes" make warnings about "rlogin: warning, using standard - rlogin: remote host doesn't support Kerberos." go away. - - * admin/kdb_util.c (load_db) lib/kdb/krb_dbm.c (kerb_db_update): - Optimized so that it can handle large databases, previously a - 10000 entry DB would take *many* minutes, this can now be done in - under a minute. - - * Changes in server/kerberos.c, kadmin/*.c slave/*.c to support 64 - bit machines. Source should now be free of 64 bit assumptions. - - * admin/copykey.c (copy_from_key): New functions for copying to - and from keys. Neccessary to solve som problems with longs on 64 - bit machines in kdb_init, kdb_edit, kdb_util and ext_srvtab. - - * lib/kdb/krb_kdb_utils.c (kdb_verify_master_key): More problems - with longs on 64 bit machines. - - * appl/bsd/login.c (main): Lots of stuff to support Psoriasis - login. Courtesy of gertz@lysator.liu.se. - - * configure.in, all Makefile.in's: Support for Linux shared - libraries. Courtesy of svedja@lysator.liu.se. - - * lib/krb/cr_err_reply.c server/kerberos.c: Moved int req_act_vno - = KRB_PROT_VERSION; from server kode to libkrb where it really - belongs. - - * appl/bsd/forkpty.c (forkpty): New function that allocates master - and slave ptys in a portable way. Used by rlogind. - - * appl/telnet/telnetd/sys_term.c (start_login): Under SunOS5 the - same utmpx slot got used by sevral sessions. Courtesy of - gertz@lysator.liu.se. - - * util/{ss, et}/Makefile.in (LEX): Use flex or lex. Courtesy of - svedja@lysator.liu.se. - - * Fix the above Makefiles to work around bugs in Solaris and OSF/1 - make rules that was triggered by VPATH functionality in the yacc - and lex rules. - - * appl/kpopper/pop_log.c (pop_log) appl/kpopper/pop_msg.c (pop_msg): - Use stdarg instead of varargs. The code is still broken though, - you'll realize that on a machine with 64 bit pointers and 32 bit - int:s and no vsprintf, let's hope there will be no such beasts ;-). - - * appl/telnet/telnetd/sys_term.c (getptyslave): Not all systems - have (or need) modules ttcompat and pckt so don't flag it as a - fatal error if they don't exist. - - * kadmin/admin_server.c (kadm_listen) kadmind/kadm_ser_wrap.c - (kadm_listen): Add kludge for kadmind running on a multihomed - server. #ifdef:ed under MULTIHOMED_KADMIN. Change in acconfig.h - if you need this feature. - - * appl/Makefile.in (SUBDIRS): Add applications movemail kpopper - and xnlock. - - * appl/bsd/rlogin.c (main): New rlogind.c, forkpty() is not - implemented yet though. - - * appl/xnlock/Makefile.in: Some stubs for X11 programs in - configure.in as well as a kerberized version of xnlock. - - * appl/bsd/{rlogin.c, rsh.c, rcp.c}: Add code to support fallback - port numbers if they can not be found using getservbyname. - - * appl/bsd/klogin.c (klogin): Use differnet ticket files for each - login so that a malicous user won't be able to destroy our tickets - with a failed login attempt. - - * lib/kafs/afssys.c (k_afsklog): First we try afs.cell@REALM, if - there is no such thing try afs@CELL instead. There is now two - arguments to k_afslog(char *cell, char *realm). - - * kadmin/admin_server.c (kadm_listen): If we are multihomed we - need to figure out which local address that is used this time - since it is used in "direction" comparison. - - * kadmin/kadm_ser_wrap.c (kadm_ser_init): Fallback to use default - port number. - - * lib/krb/send_to_kdc.c (send_to_kdc): Default port number - (KRB_PORT) was not in network byte order. - - * lib/krb/send_to_kdc.c (send_recv): Linux clears timeout struct - when selecting. - - * appl/bsd/rcp.c, appl/bsd/rlogin.c, appl/bsd/rsh.c: - Now does fallback if there isn't any entries in /etc/services for - klogin/kshell. This also made the code a bit more pretty. - - * appl/bsd/login.c: Added support for lots of more struct utmp fields. - If there is no ttyslot() use setutent and friends. - - * appl/bsd/Makefile.in, appl/bsd/rlogind.c, appl/bsd/rshd.c: - Added extern iruserok(). - - * appl/bsd/iruserok.c: Initial revision - - * appl/bsd/bsd_locl.h: Must include sys/filio.h on Psoriasis. - - * appl/bsd/Makefile.in: New install - - * appl/bsd/pathnames.h: Fix default path, rsh and rlogin. - - * appl/bsd/rshd.c: Extend default PATH with bindir to find rcp. - - * appl/bsd/login.c (login): If there is no ttyslot use setutent - and friends. Added support for lots of more struct utmp fields. - - * server/kerberos.c (main) lib/kafs/afssys.c appl/bsd/bsd_locl.h: - Must include sys/filio.h on Psoriasis to find _IOW and FIO* macros. - - * appl/bsd/rlogind.c (doit): Use _PATH_DEFPATH rather than - _PATH_DEF. - - * appl/bsd/login.c, su.c (main): Use fallback to bourne shell if - running as root. - - * appl/bsd/su.c (main): Update usage message to reflect that '-' - option must come after the ordinary options and before login-id. - - * appl/telnet/telnetd/telnetd.c (doit): If remote host name is to - long to fit into utmp try to remove domain part if it does match - our local domain. - - (main): Add new option -L /bin/login so that it is possible to - specify an alternate login program. - - * appl/telnet/telnet/commands.c (env_init): When exporting - variable DISPLAY and if hostname is not the full name, try to get - the full name from DNS. - - * appl/telnet/telnet/main.c (main): Option -k realm was broken due - to a bogous external declaration. - - * kadmin/kadmin.c (add_new_key): Kadmin now properly sets - lifetime, expiration date and attributes in add_new_key command. - - * appl/bsd/su.c (main): Don't handle '-' option with getopt. - - * appl/telnet/telnet/externs.h: Removed protection for multiple - inclusions of termio(s).h since it broke definition of termio - macro on POSIX systems. - - * lib/krb/lifetime.c (krb_life_to_time): If you want to disable - AFS compatible long lifetimes set krb_no_long_lifetimes = 1. - - Please note that the long lifetimes are 100% compatible up to - 10h so this should rarely be necessary. - - * lib/krb/krb_equiv.c (krb_equiv): If you don't want to use - ipaddress protection of tickets set krb_ignore_ip_address. This - makes it possible for an intruder to steal a ticket and then use - it from som other machine anywhere on the net. - - * kadmin/kadm_ser_wrap.c (kadm_ser_init): Don't bind to only one - local address. Accept request on all interfaces. - - * admin/kdb_edit.c (change_principal): Don't accept illegal - dates. Courtesy of gertz@lysator.liu.se. - - * configure.in: AIX specific libraries needed when using standard - libc routine getttyent, IBM should be ashamed! - - * lib/krb/recvauth.c (krb_recvauth): Long that should be int32_t - problem. - - * Added strdup for su and rlogin. - - * Fix for old syslog macros in appl/bsd/bsd_locl. - - * lib/kdb/krb_dbm.c (kerb_db_rename) admin/kdb_destroy.c: New - ifdef HAVE_NEW_DB for new databases residing in one file only. - - * appl/bsd/rlogin.c (oob): Add workaround for Linux. - - * appl/bsd/getpass.c: New routine that reads up to 127 char - passwords. Used in su.c and login.c. - - * appl/telnet/telnetd/sys_term.c (login_tty): Ioctl TIOCSCTTY - should not be used on HP-UX. - -==========================*** Released 0.2? ***============================= - -ksrvutil - If there is a dot in the about to be added principals name there is - no need to ask for instance name. - -kerberos & kadmind - Logfiles are created with small permissions (600). - -krb.conf and krb.realms - Use domain part as realm name if there is no match in krb.realms. - Use kerberos.REALMNAME if there is no match in krb.realms. - -rlogin - The rlogin client is supported both with and without encryption, - there is no rlogind yet though. - -login - There is login program that supports the -f option. Both kerberos - and /etc/passwd authentication is enabled. - - Vendors login programs typically have no -f option (needed by - telnetd) and also does not know how to verify passwords againts - kerberos. - -appl/bsd/* - Now uses POSIX signals. - -kdb_edit, kadmin - Generate random passwords if administrator enters empty password. - -lib/kafs - New library to support AFS. Routines: - int k_hasafs(void); - int k_afsklog(...); or some other name - int k_setpag(void); - int k_unlog(void); - int k_pioctl(char *, int, struct ViceIoctl *, int); - - Library supports more than one single entry point AFS syscalls - (needed be HP/UX and OSF/1 when running DFS). Doesn't rely on - transarc headers or library code. Same binaries can be used both on - machines running AFS and others. - - This library is used in telnetd, login and the r* programs. - -telnet & telnetd - Based on telnet.95.05.31.NE but with the encryption hacks from - ftp.funet.fi:/pub/unix/security/esrasrc-1.0 added. This encryption - stuff needed some more modifications (done by joda@nada.kth.se) - before it was usable. Telnet has also been modified to use GNU - autoconf. - -Numerous other changes that are long since forgotten. |