path: root/crypto/kerberosIV/NEWS
Diffstat (limited to 'crypto/kerberosIV/NEWS')
-rw-r--r-- crypto/kerberosIV/NEWS 563
1 files changed, 563 insertions, 0 deletions
diff --git a/crypto/kerberosIV/NEWS b/crypto/kerberosIV/NEWS
new file mode 100644
index 0000000..cddbb22
--- /dev/null
+++ b/crypto/kerberosIV/NEWS
@@ -0,0 +1,563 @@
+Minor changes in release 0.9.6:
+
+* utmp(x) works correctly on systems with utmpx.
+
+* A security-related bug in ftpd fixed.
+
+* Compiles on solaris 2.4, 2.6 and on WinNT/95 with cygwin32 beta18.
+
+* New option `-w' to rxtelnet, rxterm.
+
+Major changes in release 0.9.5:
+
+* We made some changes to be compatible with the other kerberised ftp
+ implementations and this means that an old kerberised ftp client will
+ not be able to talk to a new ftp server. So try to upgrade your ftp
+ clients and servers at the same time. The reason for this change is
+ described in more detail below.
+
+* The interpretation of /etc/ftpusers has changed slightly, see
+ ftpusers(5). These changes come from NetBSD.
+
+* The function `des_quad_cksum', which is used by `krb_rd_safe', and
+ `krb_mk_safe', has never been compatible with MIT's DES
+ library. This has now been fixed.
+
+ This fix will however break some programs that used those functions,
+ for instance `ftp'. In this version `krb_rd_safe' is modified to
+ accept checksums of both the new and the old format; `krb_mk_safe'
+ will always emit checksums of the new type *unless* `krb_rd_safe'
+ has detected that the client is using the old checksum (this feature
+ may be removed in some future release).
+
+ If you have programs that use `krb_mk_safe' and `krb_rd_safe' you
+ should upgrade all clients before upgrading your servers. Client is
+ here defined as the program that first calls `krb_rd_safe'.
+
+ If you are using some protocol that talks to more than one client or
+ server in one session, the heuristics to detect which kind of
+ checksum to use might fail.
+
+ The problem with `des_quad_cksum' was just a byte-order problem, so
+ there are no security problems with using the old versions. Thanks
+ to Derrick J Brashear <shadow@DEMENTIA.ORG> for pointing in the
+ right general direction.
+
+* Rewrote kx to work always open TCP connections in the same
+ direction. This was needed to make it work through NATs and is
+ generally a cleaner way of doing it. Also added `tenletxr'.
+ Unfortunately the new protocol is not compatible with the old one.
+ The new kx and kxd programs try to figure out if they are talking to
+ old versions.
+
+* Quite a bit of new functionality in otp. Changed default hash
+ function to `md5'. Fixed implementation of SHA and added downcasing
+ of seed to conform with `draft-ietf-otp-01.txt'. All verification
+ examples in the draft now work.
+
+* Fixed buffer overflows.
+
+* Add history/line editing in kadmin and ftp.
+
+* utmp/utmpx and wtmp/wtmpx might work better on strange machines.
+
+* Bug fixes for `rsh -n' and `rcp -x'.
+
+* reget now works in ftp and ftpd. Passive mode works. Other minor
+ bug fixes as well.
+
+* New option `-g umask' to ftpd for specifying the umask for anonymous users.
+
+* Fix for `-l' option in rxtelnet and rxterm.
+
+* XOVER support in popper.
+
+* Better support for building shared libraries.
+
+* Better support for talking to the KDC over TCP. This could make it
+ easier to use brain-damaged firewalls.
+
+* Support FreeBSD-style MD5 /etc/passwd.
+
+* New option `-createuser' to afslog.
+
+* Upgraded to work with socks5-v1.0r1.
+
+* Almost compiles and works on OS/2 with EMX, and Win95/NT with gnu-win32.
+
+* Merged in win32-telnet, see README-WIN32 for more details.
+
+* Possibly fixed telnet bug on HP-UX 10.
+
+* Updated man-pages.
+
+* Support for NetBSD/OpenBSD manual page circus.
+
+* Bug fixes.
+
+Major changes in release 0.9.3:
+
+* kx has been rewritten and is now a lot easier to use. Two new
+ scripts: rxtelnet and rxterm. It also works on machines such as
+ Cray where the X-libraries cannot talk unix sockets.
+
+* experimental OTP (RFC1938). Included in login, ftpd, and popper.
+
+* authentication modules: PAM for linux, SIA for OSF/1, and
+ afskauthlib for Irix.
+
+* popper now has the UIDL command.
+
+* ftpd can now tar and compress files and directories on the fly, also
+ added a find site command.
+
+* updated documentation and man pages.
+
+* Change kuserok so that it acts as if luser@LOCALREALM is always an
+ entry of .klogin, even when it's not possible to verify that there
+ is no such file or the file is unreadable.
+
+* Support for SRV-records.
+
+* Socks v5 support.
+
+* rcp is AFS-aware.
+
+* allow for other transport mechanisms than udp (useful for firewall
+ tormented souls); as a side effect the format of krb.conf had to
+ become more flexible
+
+* sample programs included.
+
+* work arounds for Linux networking bugs in rlogind and rlogin.
+
+* more portable
+
+* quite a number of improvments/bugfixes
+
+* New platforms: HP-UX 10, Irix 6.2
+
+Major changes in release 0.9.2a:
+
+* fix annoying bug with kauth (et al) returning incorrect error
+
+Major changes in release 0.9.2:
+
+* service `kerberos-iv' and port 750 has been registered with IANA.
+
+* Bugfixes.
+
+ - Compiles with gcc on AIX.
+
+ - Compiles with really old resolvers.
+
+ - ftp works with afs string-to-key.
+
+ - shared libraries should work on Linux/ELF.
+
+ - some potential buffer overruns.
+
+ - general code clean-up.
+
+* Better Cray/UNICOS support.
+
+* New platforms: AIX 4.2, IRIX 6.1, and Linux 2.0
+
+Major changes in release 0.9.1:
+
+* Mostly bugfixes.
+
+ - No hardcoded references to /usr/athena
+
+ - Better Linux support with rlogin
+
+ - Fix for broken handling of NULL password in kadmind (such as with
+ `ksrvutil change')
+
+ - AFS-aware programs should work on AIX systems without AFS
+
+* New platforms: Digital UNIX 4.0 and Fujitsu UXP/V
+
+* New mechanism to determine realm from hostname based on DNS. To find
+ the realm of a.b.c.d it tries to find krb4-realm.a.b.c.d and then
+ krb4-realm.b.c.d and so on. The entry in DNS should be a TXT record
+ with the realm name.
+
+ krb4-realm.pdc.kth.se. 7200 TXT "NADA.KTH.SE"
+
+Major changes in release 0.9:
+
+* Tested platforms:
+
+Dec Alpha OSF/1 3.2 with cc -std1
+HP 9000/735 HP/UX 9.05 with gcc
+DEC Pmax Ultrix 4.4 with gcc (cc does not work)
+IBM RS/6000 AIX 4.1 with xlc (gcc works, cc does not)
+SGI IRIX 5.3 with cc
+Sun SunOS 4.1.4 with gcc (cc is not ANSI and does not work)
+Sun SunOS 5.5 with gcc
+Intel i386 NetBSD 1.2 with gcc
+Intel i386 Linux 1.3.95 with gcc
+Cray J90 Unicos 9 with cc
+
+* Mostly ported to Crays running Unicos 9.
+
+* S/Key-support in ftpd.
+
+* Delete operation supported in kerberos database.
+
+* Cleaner and more portable code.
+
+* Even less bugs than before.
+
+* kpopper now supports the old pop3 protocol and has been renamed to popper.
+
+* rsh can be renamed remsh.
+
+* Experimental program for forwarding IP over a kerberos tunnel.
+
+* Updated to libdes 3.23.
+
+Major changes in release 0.8:
+
+* New programs: ftp & ftpd.
+
+* New programs: kx & kxd. These programs forward X connections over
+ kerberos-encrypted connections.
+
+* Incorporated version 3.21 of libdes.
+
+* login: No double utmp-entries on Solaris.
+
+* kafs
+
+ * Better guessing of what realm a cell belongs to.
+
+ * Support for authenticating to several cells. Reads
+ /usr/vice/etc/TheseCells, if present.
+
+* ksrvutil: Support for generating AFS keys.
+
+* login, su, rshd, rlogind: tries to counter possible NIS-attack.
+
+* xnlock: several bug fixes and support for more than one screen.
+
+* Default port number for ekshell changed from 2106 to 545. kauth
+ port changed from 4711 to 2120.
+
+* Rumored to work on Fujitsu UXP/V and Cray UNICOS.
+
+Major changes in release 0.7:
+
+* New experimental masterkey generation. Enable with
+ --enable-random-mkey. Also the default place for the master key has
+ moved from /.k to /var/kerberos/master-key. This is customizable
+ with --with-mkey=file. If you don't want you master key to be on the
+ same backup medium as your database, remember to use this flag. All
+ relevant programs still checks for /.k.
+
+* `-t' option to kadmin.
+
+* Kpopper uses kuserok to verify if user is allowed to pop mail.
+
+* Kpopper tries to locate the mail spool directory: /var/mail or
+ /var/spool/mail.
+
+* kauth has ability to get ticket on a remove host with the `-h' option.
+
+* afslog (aklog clone) and pagsh included.
+
+* New format for /etc/krb.equiv.
+
+* Better multi-homed hosts support in kauth, rcp, rlogin, rlogind,
+ rshd, telnet, telnetd.
+
+* rlogind works on ultrix and aix 3.2.
+
+* lots of bug fixes.
+
+Major changes in release 0.6:
+
+* Tested platforms:
+
+DEC/Alpha OSF3.2
+HP700 HPux 9.x
+Dec/Pmax Ultrix 4.4 (rlogind not working)
+IBM RS/6000 AIX 3.2 (rlogind not working)
+IBM RS/6000 AIX 4.1
+SGI Irix 5.3
+Sun Sunos 4.1.x
+Sun Sunos 5.4
+386 BSD/OS 2.0.1
+386 NetBSD 1.1
+386 Linux 1.2.13
+
+It is rumored to work to some extent on NextStep 3.3.
+
+* ksrvutil get to create new keys and put them in the database at the
+same time.
+
+* Support for S/Key in login.
+
+* kstring2key: new program to show string to key conversion.
+
+* Kerberos server should now listen on all available network
+interfaces and on both port 88 and 750.
+
+* Timeout in kpopper.
+
+* Support password quality checks in kadmind. Use --with-crack-lib to
+link kadmind with cracklib. The patches in cracklib.patch are needed.
+
+* Movemail from emacs 19.30.
+
+* Logging format uses four digits for years.
+
+* Fallback if port numbers are not listed in /etc/services.
+
+
+ * Relesed version 0.5
+
+ * lib/des/read_pwd.c: Redifine TIOCGETP and TIOCSETP so that the
+ same code is used both for posix termios and others.
+
+ * rsh, rlogin: Add environment variable RSTAR_NO_WARN which when
+ set to "yes" make warnings about "rlogin: warning, using standard
+ rlogin: remote host doesn't support Kerberos." go away.
+
+ * admin/kdb_util.c (load_db) lib/kdb/krb_dbm.c (kerb_db_update):
+ Optimized so that it can handle large databases, previously a
+ 10000 entry DB would take *many* minutes, this can now be done in
+ under a minute.
+
+ * Changes in server/kerberos.c, kadmin/*.c slave/*.c to support 64
+ bit machines. Source should now be free of 64 bit assumptions.
+
+ * admin/copykey.c (copy_from_key): New functions for copying to
+ and from keys. Neccessary to solve som problems with longs on 64
+ bit machines in kdb_init, kdb_edit, kdb_util and ext_srvtab.
+
+ * lib/kdb/krb_kdb_utils.c (kdb_verify_master_key): More problems
+ with longs on 64 bit machines.
+
+ * appl/bsd/login.c (main): Lots of stuff to support Psoriasis
+ login. Courtesy of gertz@lysator.liu.se.
+
+ * configure.in, all Makefile.in's: Support for Linux shared
+ libraries. Courtesy of svedja@lysator.liu.se.
+
+ * lib/krb/cr_err_reply.c server/kerberos.c: Moved int req_act_vno
+ = KRB_PROT_VERSION; from server kode to libkrb where it really
+ belongs.
+
+ * appl/bsd/forkpty.c (forkpty): New function that allocates master
+ and slave ptys in a portable way. Used by rlogind.
+
+ * appl/telnet/telnetd/sys_term.c (start_login): Under SunOS5 the
+ same utmpx slot got used by sevral sessions. Courtesy of
+ gertz@lysator.liu.se.
+
+ * util/{ss, et}/Makefile.in (LEX): Use flex or lex. Courtesy of
+ svedja@lysator.liu.se.
+
+ * Fix the above Makefiles to work around bugs in Solaris and OSF/1
+ make rules that was triggered by VPATH functionality in the yacc
+ and lex rules.
+
+ * appl/kpopper/pop_log.c (pop_log) appl/kpopper/pop_msg.c (pop_msg):
+ Use stdarg instead of varargs. The code is still broken though,
+ you'll realize that on a machine with 64 bit pointers and 32 bit
+ int:s and no vsprintf, let's hope there will be no such beasts ;-).
+
+ * appl/telnet/telnetd/sys_term.c (getptyslave): Not all systems
+ have (or need) modules ttcompat and pckt so don't flag it as a
+ fatal error if they don't exist.
+
+ * kadmin/admin_server.c (kadm_listen) kadmind/kadm_ser_wrap.c
+ (kadm_listen): Add kludge for kadmind running on a multihomed
+ server. #ifdef:ed under MULTIHOMED_KADMIN. Change in acconfig.h
+ if you need this feature.
+
+ * appl/Makefile.in (SUBDIRS): Add applications movemail kpopper
+ and xnlock.
+
+ * appl/bsd/rlogin.c (main): New rlogind.c, forkpty() is not
+ implemented yet though.
+
+ * appl/xnlock/Makefile.in: Some stubs for X11 programs in
+ configure.in as well as a kerberized version of xnlock.
+
+ * appl/bsd/{rlogin.c, rsh.c, rcp.c}: Add code to support fallback
+ port numbers if they can not be found using getservbyname.
+
+ * appl/bsd/klogin.c (klogin): Use differnet ticket files for each
+ login so that a malicous user won't be able to destroy our tickets
+ with a failed login attempt.
+
+ * lib/kafs/afssys.c (k_afsklog): First we try afs.cell@REALM, if
+ there is no such thing try afs@CELL instead. There is now two
+ arguments to k_afslog(char *cell, char *realm).
+
+ * kadmin/admin_server.c (kadm_listen): If we are multihomed we
+ need to figure out which local address that is used this time
+ since it is used in "direction" comparison.
+
+ * kadmin/kadm_ser_wrap.c (kadm_ser_init): Fallback to use default
+ port number.
+
+ * lib/krb/send_to_kdc.c (send_to_kdc): Default port number
+ (KRB_PORT) was not in network byte order.
+
+ * lib/krb/send_to_kdc.c (send_recv): Linux clears timeout struct
+ when selecting.
+
+ * appl/bsd/rcp.c, appl/bsd/rlogin.c, appl/bsd/rsh.c:
+ Now does fallback if there isn't any entries in /etc/services for
+ klogin/kshell. This also made the code a bit more pretty.
+
+ * appl/bsd/login.c: Added support for lots of more struct utmp fields.
+ If there is no ttyslot() use setutent and friends.
+
+ * appl/bsd/Makefile.in, appl/bsd/rlogind.c, appl/bsd/rshd.c:
+ Added extern iruserok().
+
+ * appl/bsd/iruserok.c: Initial revision
+
+ * appl/bsd/bsd_locl.h: Must include sys/filio.h on Psoriasis.
+
+ * appl/bsd/Makefile.in: New install
+
+ * appl/bsd/pathnames.h: Fix default path, rsh and rlogin.
+
+ * appl/bsd/rshd.c: Extend default PATH with bindir to find rcp.
+
+ * appl/bsd/login.c (login): If there is no ttyslot use setutent
+ and friends. Added support for lots of more struct utmp fields.
+
+ * server/kerberos.c (main) lib/kafs/afssys.c appl/bsd/bsd_locl.h:
+ Must include sys/filio.h on Psoriasis to find _IOW and FIO* macros.
+
+ * appl/bsd/rlogind.c (doit): Use _PATH_DEFPATH rather than
+ _PATH_DEF.
+
+ * appl/bsd/login.c, su.c (main): Use fallback to bourne shell if
+ running as root.
+
+ * appl/bsd/su.c (main): Update usage message to reflect that '-'
+ option must come after the ordinary options and before login-id.
+
+ * appl/telnet/telnetd/telnetd.c (doit): If remote host name is to
+ long to fit into utmp try to remove domain part if it does match
+ our local domain.
+
+ (main): Add new option -L /bin/login so that it is possible to
+ specify an alternate login program.
+
+ * appl/telnet/telnet/commands.c (env_init): When exporting
+ variable DISPLAY and if hostname is not the full name, try to get
+ the full name from DNS.
+
+ * appl/telnet/telnet/main.c (main): Option -k realm was broken due
+ to a bogous external declaration.
+
+ * kadmin/kadmin.c (add_new_key): Kadmin now properly sets
+ lifetime, expiration date and attributes in add_new_key command.
+
+ * appl/bsd/su.c (main): Don't handle '-' option with getopt.
+
+ * appl/telnet/telnet/externs.h: Removed protection for multiple
+ inclusions of termio(s).h since it broke definition of termio
+ macro on POSIX systems.
+
+ * lib/krb/lifetime.c (krb_life_to_time): If you want to disable
+ AFS compatible long lifetimes set krb_no_long_lifetimes = 1.
+
+ Please note that the long lifetimes are 100% compatible up to
+ 10h so this should rarely be necessary.
+
+ * lib/krb/krb_equiv.c (krb_equiv): If you don't want to use
+ ipaddress protection of tickets set krb_ignore_ip_address. This
+ makes it possible for an intruder to steal a ticket and then use
+ it from som other machine anywhere on the net.
+
+ * kadmin/kadm_ser_wrap.c (kadm_ser_init): Don't bind to only one
+ local address. Accept request on all interfaces.
+
+ * admin/kdb_edit.c (change_principal): Don't accept illegal
+ dates. Courtesy of gertz@lysator.liu.se.
+
+ * configure.in: AIX specific libraries needed when using standard
+ libc routine getttyent, IBM should be ashamed!
+
+ * lib/krb/recvauth.c (krb_recvauth): Long that should be int32_t
+ problem.
+
+ * Added strdup for su and rlogin.
+
+ * Fix for old syslog macros in appl/bsd/bsd_locl.
+
+ * lib/kdb/krb_dbm.c (kerb_db_rename) admin/kdb_destroy.c: New
+ ifdef HAVE_NEW_DB for new databases residing in one file only.
+
+ * appl/bsd/rlogin.c (oob): Add workaround for Linux.
+
+ * appl/bsd/getpass.c: New routine that reads up to 127 char
+ passwords. Used in su.c and login.c.
+
+ * appl/telnet/telnetd/sys_term.c (login_tty): Ioctl TIOCSCTTY
+ should not be used on HP-UX.
+
+==========================*** Released 0.2? ***=============================
+
+ksrvutil
+ If there is a dot in the about to be added principals name there is
+ no need to ask for instance name.
+
+kerberos & kadmind
+ Logfiles are created with small permissions (600).
+
+krb.conf and krb.realms
+ Use domain part as realm name if there is no match in krb.realms.
+ Use kerberos.REALMNAME if there is no match in krb.realms.
+
+rlogin
+ The rlogin client is supported both with and without encryption,
+ there is no rlogind yet though.
+
+login
+ There is login program that supports the -f option. Both kerberos
+ and /etc/passwd authentication is enabled.
+
+ Vendors login programs typically have no -f option (needed by
+ telnetd) and also does not know how to verify passwords againts
+ kerberos.
+
+appl/bsd/*
+ Now uses POSIX signals.
+
+kdb_edit, kadmin
+ Generate random passwords if administrator enters empty password.
+
+lib/kafs
+ New library to support AFS. Routines:
+ int k_hasafs(void);
+ int k_afsklog(...); or some other name
+ int k_setpag(void);
+ int k_unlog(void);
+ int k_pioctl(char *, int, struct ViceIoctl *, int);
+
+ Library supports more than one single entry point AFS syscalls
+ (needed be HP/UX and OSF/1 when running DFS). Doesn't rely on
+ transarc headers or library code. Same binaries can be used both on
+ machines running AFS and others.
+
+ This library is used in telnetd, login and the r* programs.
+
+telnet & telnetd
+ Based on telnet.95.05.31.NE but with the encryption hacks from
+ ftp.funet.fi:/pub/unix/security/esrasrc-1.0 added. This encryption
+ stuff needed some more modifications (done by joda@nada.kth.se)
+ before it was usable. Telnet has also been modified to use GNU
+ autoconf.
+
+Numerous other changes that are long since forgotten.
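Review bot: The security entries near the top of the file, `* A security-related bug in ftpd fixed.` under 0.9.6 and `* Fixed buffer overflows.` under 0.9.5, do not say which programs, functions or earlier releases are affected, so a reader cannot tell from NEWS alone whether a deployed version needs the upgrade. Consider recording the affected components alongside this change, in the file-and-function style the 0.5 section already uses (for example `appl/bsd/klogin.c (klogin)`). Two smaller points in the 0.5 section: the `appl/bsd/login.c` utmp/setutent change and the `sys/filio.h` include for `appl/bsd/bsd_locl.h` are each listed twice, and the `krb_ignore_ip_address` entry describes a setting that lets a stolen ticket be used from another machine, which would be easier to find if it were flagged as a security trade-off rather than sitting among the portability fixes.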