Release Notes - Heimdal - Version Heimdal 1.4

 New features
 - Support for reading MIT database file directly
 - KCM is polished up and now used in production
 - NTLM first class citizen, credentials stored in KCM
 - Table driven ASN.1 compiler, smaller!, not enabled by default
 - Native Windows client support


 - Disabled write support in the NDBM hdb backend (read support is still
   there) since it can't handle large records; please migrate to a
   different backend (like BDB4)

Release Notes - Heimdal - Version Heimdal 1.3.3

 Bug fixes
 - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
 - Check NULL pointers before dereferencing them [kdc]

Release Notes - Heimdal - Version Heimdal 1.3.2

 Bug fixes

 - Don't mix length when clearing hmac (could memset too much)
 - More paranoid underrun checking when decrypting packets
 - Check the password change requests and refuse to answer empty packets
 - Build on OpenSolaris 
 - Renumber AD-SIGNED-TICKET since it was stolen from US
 - Don't cache /dev/*random file descriptor, it doesn't get unloaded
 - Make C++ safe
 - Misc warnings

Release Notes - Heimdal - Version Heimdal 1.3.1

 Bug fixes

 - Store KDC offset in credentials
 - Many many more bug fixes

Release Notes - Heimdal - Version Heimdal 1.3.1

 New features

 - Make work with OpenLDAP's krb5 overlay

Release Notes - Heimdal - Version Heimdal 1.3

 New features

 - Partial support for MIT kadmind rpc protocol in kadmind
 - Better support for finding keytab entries when using SPN aliases in the KDC
 - Support BER in ASN.1 library (needed for CMS)
 - Support decryption in Keychain private keys
 - Support for new sqlite based credential cache
 - Try both KDC referrals and the common DNS reverse lookup in GSS-API
 - Fix the KCM to not leak resources on failure
 - Add IPv6 support to iprop
 - Support localization of error strings in
   kinit/klist/kdestroy and Kerberos library
 - Remove Kerberos 4 support in application (still in KDC)
 - Deprecate DES
 - Support i18n password in windows domains (using UTF-8)
 - More complete API emulation of OpenSSL in hcrypto
 - Support for ECDSA and ECDH when linking with OpenSSL

 API changes

 - Support for setting friendly name on credential caches
 - Move to using doxygen to generate documentation.
 - Sprinkling __attribute__((deprecated)) on old functions to be removed
 - Support to export LAST-REQUEST information in AS-REQ
 - Support for client deferrals in AS-REQ
 - Add seek support for krb5_storage.
 - Support for split AS-REQ, first step for IA-KERB
 - Fix many memory leaks and bugs
 - Improved regression test
 - Support krb5_cccol
 - Switch to krb5_set_error_message
 - Support krb5_crypto_*_iov
 - Switch to use EVP for most functions
 - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
 - Add support for GSS_C_DELEG_POLICY_FLAG
 - Add krb5_cc_[gs]et_config to store data in the credential caches
 - PTY testing application

 - Make building on AIX6 possible.
 - Bugfixes in LDAP KDC code to make it more stable
 - Make ipropd-slave reconnect when the master goes down

Release Notes - Heimdal - Version Heimdal 1.2.1

* Bug

  [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
  [HEIMDAL-151] - Make canned tests work again after cert expired
  [HEIMDAL-152] - iprop test: use full hostname to avoid realm
                  resolving errors
  [HEIMDAL-153] - ftp: Use the correct length for unmap, msync

Release Notes - Heimdal - Version Heimdal 1.2

* Bug

  [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
                 gss_display_name/gss_export_name when using SPNEGO
  [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
  [HEIMDAL-17] - Remove support for deprecated [libdefaults]capath
  [HEIMDAL-52] - hdb overwrite aliases for db databases
  [HEIMDAL-54] - Two issues which affect credentials delegation
  [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
  [HEIMDAL-62] - Fix printing of sig_atomic_t
  [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
  [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
  [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)

* Improvement
  [HEIMDAL-67] - Fix locking and store credential in atomic writes
                 in the FILE credential cache
  [HEIMDAL-106] - make compile on cygwin again
  [HEIMDAL-107] - Replace old random key generation in des module
                  and use it with RAND_ function instead
  [HEIMDAL-115] - Better documentation and compatibility in hcrypto
                  in regards to OpenSSL

* New Feature
  [HEIMDAL-3] - pkinit alg agility PRF test vectors
  [HEIMDAL-14] - Add libwind to Heimdal
  [HEIMDAL-16] - Use libwind in hx509
  [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
                 the negotiation
  [HEIMDAL-74] - Add support to report extended error message back
                 in AS-REQ to support windows clients
  [HEIMDAL-116] - test pty based application (using rkpty)
  [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)

* Task
  [HEIMDAL-63] - Don't try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
                 This drops compatibility with pre 0.3d KDCs.
  [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
  [HEIMDAL-65] - Failed to compile with --disable-pk-init
  [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
                 wraparound checks doesn't apply to Heimdal

Changes in release 1.1

 * Read-only PKCS11 provider built-in to hx509.

 * Documentation for hx509, hcrypto and ntlm libraries improved.

 * Better compatibility with Windows 2008 Server pre-releases and Vista.

 * Mac OS X 10.5 support for native credential cache.

 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).

 * Bug fixes.

Changes in release 1.0.2

* Ubuntu packages.

* Bug fixes.

Changes in release 1.0.1

 * Several bug fixes to iprop.

 * Make work on platforms without dlopen.

 * Add RFC3526 modp group14 as default.

 * Handle [kdc] database = { } entries without realm = stanzas.

 * Make krb5_get_renewed_creds work.

 * Make kaserver preauth work again.

 * Bug fixes.

Changes in release 1.0

 * Add gss_pseudo_random() for mechglue and krb5.

 * Make session key for the krbtgt be selected by the best encryption
   type of the client.

 * Better interoperability with other PK-INIT implementations.

 * Initial support for Mac OS X Keychain for hx509.

 * Alias support for initial ticket requests.

 * Add symbol versioning to selected libraries on platforms that use the
   GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.

 * New version of imath included in hcrypto.

 * Fix memory leaks.

 * Bug fixes.

Changes in release 0.8.1

 * Make ASN.1 library less paranoid with regard to NUL in strings to
   make it inter-operate with MIT Kerberos again.

 * Make GSS-API library work again when using gss_acquire_cred

 * Add symbol versioning to libgssapi when using GNU ld.

 * Fix memory leaks

 * Bug fixes

Changes in release 0.8

 * PK-INIT support.

 * HDB extensions support, used by PK-INIT.

 * New ASN.1 compiler.

 * GSS-API mechglue from FreeBSD.

 * Updated SPNEGO to support RFC4178.

 * Support for Cryptosystem Negotiation Extension (RFC 4537).

 * A new X.509 library (hx509) and related crypto functions.

 * A new ntlm library (heimntlm) and related crypto functions.

 * Updated the built-in crypto library with bignum support using
   imath, support for RSA and DH and renamed it to libhcrypto.

 * Subsystem in the KDC, digest, that will perform the digest
   operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
   DIGEST-MD5 NTLMv1 and NTLMv2.

 * KDC will return the "response too big" error to force TCP retries
   for large (default 1400 bytes) UDP replies.  This is common for
   PK-INIT requests.

 * Libkafs defaults to use 2b tokens.

 * Default to use the API cache on Mac OS X.

 * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
   see manpage for krb5_kuserok for description.

 * Many, many, other updates to code and info manual and manual pages.

 * Bug fixes

Changes in release 0.7.2

* Fix security problem in rshd that enables an attacker to overwrite
  and change ownership of any file that root could write.

* Fix a DOS in telnetd. The attacker could force the server to crash
  in a NULL de-reference before the user logged in, resulting in inetd
  turning telnetd off because it forked too fast.

* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
  exists in the keytab before returning success. This allows servers
  to check if it's even possible to use GSSAPI.

* Fix receiving end of token delegation for GSS-API. It still wrongly
  uses subkey for sending for compatibility reasons, this will change
  in 0.8.

* telnetd, login and rshd are now more verbose in logging failed and
  successful logins.

* Bug fixes

Changes in release 0.7.1

* Bug fixes

Changes in release 0.7

 * Support for KCM, a process based credential cache

 * Support CCAPI credential cache

 * SPNEGO support

 * AES (and the gssapi counterpart, CFX) support

 * Add new and improve old documentation

 * Bug fixes

Changes in release 0.6.6

* Fix security problem in rshd that enables an attacker to overwrite
  and change ownership of any file that root could write.

* Fix a DOS in telnetd. The attacker could force the server to crash
  in a NULL de-reference before the user logged in, resulting in inetd
  turning telnetd off because it forked too fast.

Changes in release 0.6.5

 * fix vulnerabilities in telnetd

 * unbreak Kerberos 4 and kaserver

Changes in release 0.6.4

 * fix vulnerabilities in telnet

 * rshd: encryption without a separate error socket should now work

 * telnet now uses appdefaults for the encrypt and forward/forwardable

 * bug fixes

Changes in release 0.6.3

 * fix vulnerabilities in ftpd

 * support for linux AFS /proc "syscalls"

 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in

 * fix possible KDC denial of service

 * bug fixes

Changes in release 0.6.2

 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)

Changes in release 0.6.1

 * Fixed ARCFOUR support

 * Cross realm vulnerability

 * kdc: fix denial of service attack

 * kdc: stop clients from renewing tickets into the future

 * bug fixes

Changes in release 0.6

* The DES3 GSS-API mechanism has been changed to inter-operate with
  other GSSAPI implementations. See the man page for gssapi(3) for how
  to turn on generation of correct MIC messages. The next major release
  of Heimdal will generate correct MIC by default.

* More complete GSS-API support

* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
  support in applications no longer requires Kerberos 4 libs

* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)

* other bug fixes

Changes in release 0.5.2

 * kdc: add option for disabling v4 cross-realm (defaults to off)

 * bug fixes

Changes in release 0.5.1

 * kadmind: fix remote exploit

 * kadmind: add option to disable kerberos 4

 * kdc: make sure kaserver token life is positive

 * telnet: use the session key if there is no subkey

 * fix EPSV parsing in ftp

 * other bug fixes

Changes in release 0.5

 * add --detach option to kdc

 * allow setting forward and forwardable option in telnet from
   .telnetrc, with override from command line

 * accept addresses with or without ports in krb5_rd_cred

 * make it work with modern openssl

 * use our own string2key function even with openssl (that handles weak
   keys incorrectly)

 * more system-specific requirements in login

 * do not use getlogin() to determine root in su

 * telnet: abort if telnetd does not support encryption

 * update autoconf to 2.53

 * update config.guess, config.sub

 * other bug fixes

Changes in release 0.4e

 * improve libcrypto and database autoconf tests

 * do not care about salting of server principals when serving v4 requests

 * some improvements to gssapi library

 * test for existing compile_et/libcom_err

 * portability fixes

 * bug fixes

Changes in release 0.4d

 * fix some problems when using libcrypto from openssl

 * handle /dev/ptmx `unix98' ptys on Linux

 * add some forgotten man pages

 * rsh: clean-up and add man page

 * fix -A and -a in builtin-ls in ftpd

 * fix building problem on Irix

 * make `ktutil get' more efficient

 * bug fixes

Changes in release 0.4c

 * fix buffer overrun in telnetd

 * repair some of the v4 fallback code in kinit

 * add more shared library dependencies

 * simplify and fix hprop handling of v4 databases

 * fix some building problems (osf's sia and osfc2 login)

 * bug fixes

Changes in release 0.4b

 * update the shared library version numbers correctly

Changes in release 0.4a

 * corrected key used for checksum in mk_safe, unfortunately this
   makes it backwards incompatible

 * update to autoconf 2.50, libtool 1.4

 * re-write dns/config lookups (krb5_krbhst API)

 * make order of using subkeys consistent

 * add man page links

 * add more man pages

 * remove rfc2052 support, now only rfc2782 is supported

 * always build with kaserver protocol support in the KDC (assuming
   KRB4 is enabled) and support for reading kaserver databases in

Changes in release 0.3f

 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
   the new keytab type that tries both of these in order (SRVTAB is
   also an alias for krb4:)

 * improve error reporting and error handling (error messages should
   be more detailed and more useful)

 * improve building with openssl

 * add kadmin -K, rcp -F 

 * fix two incorrect weak DES keys

 * fix building of kaserver compat in KDC

 * the API is closer to what MIT krb5 is using

 * more compatible with windows 2000

 * removed some memory leaks

 * bug fixes

Changes in release 0.3e

 * rcp program included

 * fix buffer overrun in ftpd

 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
   cannot generate zero sequence numbers

 * handle v4 /.k files better

 * configure/portability fixes

 * fixes in parsing of options to kadmin (sub-)commands

 * handle errors in kadmin load better

 * bug fixes

Changes in release 0.3d

 * add krb5-config

 * fix a bug in 3des gss-api mechanism, making it compatible with the
   specification and the MIT implementation

 * make telnetd only allow a specific list of environment variables to
   stop it from setting `sensitive' variables

 * try to use an existing libdes

 * lib/krb5, kdc: use correct usage type for ap-req messages.  This
   should improve compatibility with MIT krb5 when using 3DES
   encryption types

 * kdc: fix memory allocation problem

 * update config.guess and config.sub

 * lib/roken: more stuff implemented

 * bug fixes and portability enhancements

Changes in release 0.3c

 * lib/krb5: memory caches now support the resolve operation

 * appl/login: set PATH to some sane default

 * kadmind: handle several realms

 * bug fixes (including memory leaks)

Changes in release 0.3b

 * kdc: prefer default-salted keys on v5 requests

 * kdc: lowercase hostnames in v4 mode

 * hprop: handle more types of MIT salts

 * lib/krb5: fix memory leak

 * bug fixes

Changes in release 0.3a:

 * implement arcfour-hmac-md5 to interoperate with W2K

 * modularise the handling of the master key, and allow for other
   encryption types. This makes it easier to import a database from
   some other source without having to re-encrypt all keys.

 * allow for better control over which encryption types are created

 * make kinit fallback to v4 if given a v4 KDC

 * make klist work better with v4 and v5, and add some more MIT
   compatibility options

 * make the kdc listen on the krb524 (4444) port for compatibility
   with MIT krb5 clients

 * implement more DCE/DFS support, enabled with --enable-dce, see
   lib/kdfs and appl/dceutils

 * make the sequence numbers work correctly

 * bug fixes

Changes in release 0.2t:

 * bug fixes

Changes in release 0.2s:

 * add OpenLDAP support in hdb

 * login will get v4 tickets when it receives forwarded tickets

 * xnlock supports both v5 and v4

 * repair source routing for telnet

 * fix building problems with krb4 (krb_mk_req)

 * bug fixes

Changes in release 0.2r:

 * fix realloc memory corruption bug in kdc

 * `add --key' and `cpw --key' in kadmin

 * klist supports listing v4 tickets

 * update config.guess and config.sub

 * make v4 -> v5 principal name conversion more robust

 * support for anonymous tickets

 * new man-pages

 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.

 * use and set expiration and not password expiration when dumping
   to/from ka server databases / krb4 databases

 * make the code happier with 64-bit time_t

 * follow RFC2782 and by default do not look for non-underscore SRV names

Changes in release 0.2q:

 * bug fix in tcp-handling in kdc

 * bug fix in expand_hostname

Changes in release 0.2p:

 * bug fix in `kadmin load/merge'

 * bug fix in krb5_parse_address

Changes in release 0.2o:

 * gss_{import,export}_sec_context added to libgssapi

 * new option --addresses to kdc (for listening on an explicit set of

 * bug fixes in the krb4 and kaserver emulation part of the kdc

 * other bug fixes

Changes in release 0.2n:

 * more robust parsing of dump files in kadmin
 * changed default timestamp format for log messages to extended ISO
   8601 format (Y-M-DTH:M:S)
 * changed md4/md5/sha1 APIs to be de-facto `standard'
 * always make hostname into lower-case before creating principal
 * small bits of more MIT-compatibility
 * bug fixes

Changes in release 0.2m:

 * handle glibc's getaddrinfo() that returns several ai_canonname

 * new endian test

 * man pages fixes

Changes in release 0.2l:

 * bug fixes

Changes in release 0.2k:

 * better IPv6 test

 * make struct sockaddr_storage in roken work better on alphas

 * some missing [hn]to[hn]s fixed.

 * allow users to change their own passwords with kadmin (with initial

 * fix stupid bug in parsing KDC specification

 * add `ktutil change' and `ktutil purge'

Changes in release 0.2j:

 * builds on Irix

 * ftpd works in passive mode

 * should build on cygwin

 * work around broken IPv6-code on OpenBSD 2.6, also add configure
   option --disable-ipv6

Changes in release 0.2i:

 * use getaddrinfo in the missing places.

 * fix SRV lookup for admin server

 * use get{addr,name}info everywhere.  and implement it in terms of
   getipnodeby{name,addr} (which uses gethostbyname{,2} and

Changes in release 0.2h:

 * fix typo in kx (now compiles)

Changes in release 0.2g:

 * lots of bug fixes:
   * push works
   * repair appl/test programs
   * sockaddr_storage works on solaris (alignment issues)
   * works better with non-roken getaddrinfo
   * rsh works
   * some non standard C constructs removed

Changes in release 0.2f:

 * support SRV records for kpasswd
 * look for both _kerberos and krb5-realm when doing host -> realm mapping

Changes in release 0.2e:

 * changed copyright notices to remove `advertising'-clause.
 * get{addr,name}info added to roken and used in the other code
   (this makes things work much better with hosts with both v4 and v6
    addresses, among other things)
 * do pre-auth for both password and key-based get_in_tkt
 * support for having several databases
 * new command `del_enctype' in kadmin
 * strptime (and new strftime) added to roken
 * more paranoia about finding libdb
 * bug fixes

Changes in release 0.2d:

 * new configuration option [libdefaults]default_etypes_des
 * internal ls in ftpd builds without KRB4
 * kx/rsh/push/pop_debug tries v5 and v4 consistently
 * build bug fixes
 * other bug fixes

Changes in release 0.2c:

 * bug fixes (see ChangeLogs for details)

Changes in release 0.2b:

 * bug fixes
 * actually bump shared library versions

Changes in release 0.2a:

 * a new program verify_krb5_conf for checking your /etc/krb5.conf
 * add 3DES keys when changing password
 * support null keys in database
 * support multiple local realms
 * implement a keytab backend for AFS KeyFile's
 * implement a keytab backend for v4 srvtabs
 * implement `ktutil copy'
 * support password quality control in v4 kadmind
 * improvements in v4 compat kadmind
 * handle the case of having the correct cred in the ccache but with
   the wrong encryption type better
 * v6-ify the remaining programs.
 * internal ls in ftpd
 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
 * add `ank --random-password' and `cpw --random-password' in kadmin
 * some programs and documentation for trying to talk to a W2K KDC
 * bug fixes

Changes in release 0.1m:

 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
   From Miroslav Ruda
 * v6-ify hprop and hpropd
 * support numeric addresses in krb5_mk_req
 * shadow support in login and su. From Miroslav Ruda
 * make rsh/rshd IPv6-aware
 * make the gssapi sample applications better at reporting errors
 * lots of bug fixes
 * handle systems with v6-aware libc and non-v6 kernels (like Linux
   with glibc 2.1) better
 * hide failure of ERPT in ftp
 * lots of bug fixes

Changes in release 0.1l:

 * make ftp and ftpd IPv6-aware
 * add inet_pton to roken
 * more IPv6-awareness
 * make mini_inetd v6 aware

Changes in release 0.1k:

 * bump shared libraries versions
 * add roken version of inet_ntop
 * merge more changes to rshd

Changes in release 0.1j:

 * restore back to the `old' 3DES code.  This was supposed to be done
   in 0.1h and 0.1i but I did a CVS screw-up.
 * make telnetd handle v6 connections

Changes in release 0.1i:

 * start using `struct sockaddr_storage' which simplifies the code
   (with a fallback definition if it's not defined)
 * bug fixes (including in hprop and kf)
 * don't use mawk which seems to mishandle roken.awk
 * get_addrs should be able to handle v6 addresses on Linux (with the
   required patch to the Linux kernel -- ask within)
 * rshd builds with shadow passwords

Changes in release 0.1h:

 * kf: new program for forwarding credentials
 * portability fixes
 * make forwarding credentials work with MIT code
 * better conversion of ka database
 * add etc/services.append
 * correct `modified by' from kpasswdd
 * lots of bug fixes

Changes in release 0.1g:

 * kgetcred: new program for explicitly obtaining tickets
 * configure fixes
 * krb5-aware kx
 * bug fixes

Changes in release 0.1f:

 * experimental support for v4 kadmin protocol in kadmind
 * bug fixes

Changes in release 0.1e:

 * try to handle old DCE and MIT kdcs
 * support for older versions of credential cache files and keytabs
 * postdated tickets work
 * support for password quality checks in kpasswdd
 * new flag --enable-kaserver for kdc
 * renew fixes
 * prototype su program
 * updated (some) manpages
 * support for KDC resource records
 * should build with --without-krb4
 * bug fixes

Changes in release 0.1d:

 * Support building with DB2 (uses 1.85-compat API)
 * Support krb5-realm.DOMAIN in DNS
 * new `ktutil srvcreate'
 * v4/kafs support in klist/kdestroy
 * bug fixes

Changes in release 0.1c:

 * fix ASN.1 encoding of signed integers
 * somewhat working `ktutil get'
 * some documentation updates
 * update to Autoconf 2.13 and Automake 1.4
 * the usual bug fixes

Changes in release 0.1b:

 * some old -> new crypto conversion utils
 * bug fixes

Changes in release 0.1a:

 * new crypto code
 * more bug fixes
 * make sure we ask for DES keys in gssapi
 * support signed ints in ASN1
 * IPv6-bug fixes

Changes in release 0.0u:

 * lots of bug fixes

Changes in release 0.0t:

 * more robust parsing of krb5.conf
 * include net{read,write} in lib/roken
 * bug fixes

Changes in release 0.0s:

 * kludges for parsing options to rsh
 * more robust parsing of krb5.conf
 * removed some arbitrary limits
 * bug fixes

Changes in release 0.0r:

 * default options for some programs
 * bug fixes

Changes in release 0.0q:

 * support for building shared libraries with libtool
 * bug fixes

Changes in release 0.0p:

 * keytab moved to /etc/krb5.keytab
 * avoid false detection of IPv6 on Linux
 * Lots more functionality in the gssapi-library
 * hprop can now read ka-server databases
 * bug fixes

Changes in release 0.0o:

 * FTP with GSSAPI support.
 * Bug fixes.

Changes in release 0.0n:

 * Incremental database propagation.
 * Somewhat improved kadmin ui; the stuff in admin is now removed.
 * Some support for using enctypes instead of keytypes.
 * Lots of other improvement and bug fixes, see ChangeLog for details.