-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathNEWS
429 lines (314 loc) · 18.4 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
User-Visible kadmin-remctl Changes
kadmin-remctl 3.6 (2014-01-15)
Add a new per-instance configuration option to set the password
expiration time for newly-created principals. Be aware that this only
controls the initial expiration period. After the first password
change, further expiration periods are normally controlled by the KDC
configuration or policy.
In the Heimdal backend, map password quality errors on account
creation or password reset to a generic error. The kadmin protocol
doesn't have a mechanism for passing back the rich error message from
the password quality check, so all failures use the same error string.
Remap it here, since the error message from Heimdal is of dubious
accuracy. This will only apply to sites that have patched Heimdal to
do password quality checks on administrative operations.
Update to rra-c-util 5.1:
* Don't attempt to use Kerberos if no Kerberos error APIs were found.
* Improve error handling in xasprintf and xvasprintf.
* Check the return status of snprintf and vsnprintf properly.
* Preserve errno if snprintf fails in vasprintf replacement.
kadmin-remctl 3.5 (2013-10-10)
Increase the timeout for initial authentication during a kpasswd
password change to ten seconds, and the timeout for a successful
password change to sixty seconds. The previous timeouts of two
seconds and thirty seconds was occasionally too short in production.
Also fix Perl warnings if the initial authentication or password
change time out.
In the Heimdal backend, use get instead of list to check whether a
given principal already exists. list requires a complete database
traversal and is much more resource-intensive.
In the Heimdal backend, recognize the new form of the Heimdal kpasswd
prompt to repeat the new password.
Stop mapping password quality errors in the Heimdal kpasswd backend.
Instead, remove any prefix about an external password quality program
and pass the rest of the error message back to the user.
Check the existence of the principal before enabling or disabling it
in the Heimdal backend so that nonexistent principals report a clearer
error message instead of an internal error about getAttributes
failure.
Update to rra-c-util 4.10:
* Remove some unnecessary includes.
kadmin-remctl 3.4 (2013-07-09)
Set the disallow-svr flag on all newly-created principals. This
prohibits obtaining service tickets for the principal, which provides
some hardening against brute force attacks. Since the create command
is designed for creation of user principals, not service principals,
and use of service tickets for user principals is quite obscure and
rare in Kerberos, this seems like a better default.
Change the default allowed principal regex to allow two-character user
principals. This is just a default and can be overridden by setting
the allowed key in the configuration.
kadmin-remctl 3.3 (2013-03-25)
In the Heimdal version of kadmin-backend, retry the kadmin connection
once if the first connection fails. This is a workaround for a
transient networking error that we're seeing at Stanford and therefore
may not be fully appropriate for other sites, but should hopefully be
harmless. Also suppress the standard error output from the Heimdal
library during connect since Heimdal::Kadm5 does not.
Clean up error reporting in the Heimdal version of kadmin-backend.
Use the correct (rather than the documented) way to tell
Heimdal::Kadm5 to throw exceptions, and ensure that all kadmin
functions uniformly use the same standard error formatting and exit
status for kadmin failures.
Exit with a non-zero status if the check_passwd command rejects the
password. Previously, an error would be reported but the backend
would always report a successful zero status if the password could be
checked, even if it was rejected.
The Heimdal version of kadmin-backend now requires the IPC::Run Perl
module (available from CPAN).
Produce a better error message when trying to change the password of a
disabled account with the Heimdal backend.
When prompting for a username in passwd_change, strip any surrounding
whitespace from that username before proceeding.
Update to rra-c-util 4.8:
* Fix Heimdal libroken probes for old versions of Heimdal.
* Fix Kerberos header probing with non-standard include paths.
* Pass --deps to krb5-config if it is supported.
* Properly find krb5.h on NetBSD systems.
* Fix stripping of -I/usr/include from krb5-config output.
* Avoid using krb5-config if specific Kerberos paths are configured.
* Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config.
* Replace concat with xasprintf.
* xasprintf is now void and always calls the failure handler on error.
* Improve __attribute__ portability to old GCC or non-GCC compilers.
* Add -D_FORTIFY_SOURCE=2 to make warnings flags.
* Probe for ssize_t and replace it in portable/system.h if not found.
* Include strings.h in portable/system.h if it exists.
* Add a pointer to rra-c-util in all files.
kadmin-remctl 3.2 (2011-06-09)
Add support for a separate blacklist of principals whose passwords
cannot be changed with reset_passwd but who do not themselves have the
ability to reset passwords.
Properly handle incorrect password errors from Heimdal's kpasswd.
Previously, if change_passwd failed because the original password was
incorrect, kadmin-remctl-heim would output a confusing Expect error.
When creating principals for Heimdal, set a default set of attributes
before making the principal. Heimdal::Kadm5 doesn't seem to be
working properly with the default attributes from the default
principal. This currently hard-codes enabling pre-auth for new
principals and needs to be revisited.
Update to rra-c-util 3.6:
* Check for krb5-config in /usr/kerberos/bin as well as user's PATH.
* Add replacement for krb5_appdefault_* functions for AIX Kerberos.
* Fix broken GCC attribute markers.
* Fix Kerberos library probing without transitive shared libraries.
* Suppress warnings when probing for AIX-only Kerberos headers.
* Support Heimdal GSS-API on OpenBSD without a separate libroken.
* Update GCC warning flags for GCC 4.6.1.
kadmin-remctl 3.1 (2010-07-21)
In the Heimdal backend, don't set KADM5_POLICY_NORMAL_MASK or
KADM5_POLICY_CLR as attributes when creating a new principal. These
are not valid attribute values and end up setting or clearing large
numbers of other attributes.
In the Heimdal backend, don't unconditionally set the preauth required
attribute on newly created principals. This should be handled using
the "default" principal in Heimdal to configure the desired default
principal lifetime and attributes.
kadmin-backend for an MIT Kerberos server no longer has the boolean
checking configuration parameter, which said whether to do password
checking. Instead, there is a new policy configuration parameter
which, if set, sets that password policy for newly created accounts.
To duplicate the previous behavior when checking was true, set policy
to "standard".
Add an expiration command, which sets the expiration date of a
principal. Based on a patch from Garrett Wollman.
Add a pwexpiration command, which sets the expiration date of the
password of a principal.
Add a check_expire command, which returns the expiration date of
either a principal or a password.
kadmin backend for an MIT Kerberos server now supports the create_opts
configuration parameter, which adds additional options that are passed
to kadmin addprinc when a principal is created. Based on a patch by
Garrett Wollman.
Allow underscores in principal names by default in the examine
function.
Update to rra-c-util 2.5:
* Restore default settings after probing for GSS-API libraries.
* Support the *BSD build of Heimdal in the Kerberos probes.
* Fix krb5_free_error_message replacement for older Kerberos libraries.
kadmin-remctl 3.0 (2010-02-17)
Add kadmin-backend-heim, which duplicates the kadmin-backend
functionality for Heimdal. The examine function of this backend
duplicates the output of the MIT getprinc function so that the output
is compatible with the output of kadmin-backend. This separate script
is a temporary measure until both scripts can be refactored as Perl
modules and use a better method to avoid code duplication.
Use the Heimdal external program API for password strength checking in
kadmin-backend-heim and check password strength on create if strength
checking is enabled for that instance, since the Heimdal kadmin API
doesn't enforce password strength on passwords changed by
administrators.
Allow - in principal names for the examine function.
Add new config item for each instance, locked. This optional value
contains an array of a command and any arguments to it, which is
called to determine if the instance is locked for some external
policy reason. If so, the enable command will fail for this instance.
Significantly improve the error reporting in ksetpass and
passwd_change by using modern Kerberos error functions where
available, and avoid Kerberos API calls that are deprecated on
Heimdal.
kadmin-remctl 2.4 (2009-10-05)
When enabling or disabling accounts in Active Directory via LDAP, send
the required "replace: userAccountControl" portion of the LDIF.
Enable Automake silent rules. For a quieter build, pass the
--enable-silent-rules option to configure or build with make V=0.
Update to rra-c-util 2.0:
* Sanity-check the results of krb5-config before proceeding.
* Fall back on manual probing if krb5-config results don't work.
* Don't break if the user clobbers CPPFLAGS or LDFLAGS at build time.
* Support Solaris 10's native generic GSS-API libraries.
* Require Autoconf 2.64 and Automake 1.11.
kadmin-remctl 2.3 (2009-01-07)
Properly add support for examining principals with instances we don't
manage. Previous versions were supposed to support this but didn't
due to a bug in argument passing.
Improve the conversion of Kerberos v5 principal names to Kerberos v4
principal names for examine against an AFS kaserver, although it's
still not as good as calling the Kerberos library routine would be.
Attempt to determine if the library directory for remctl (and the
directory for Kerberos and GSS-API libraries if krb5-config isn't
found) is lib32 or lib64 instead of lib and set LDFLAGS accordingly.
Based on an idea from the CMU Autoconf macros.
Add --with-remctl-include, --with-remctl-lib, --with-gssapi-include,
--with-gssapi-lib, --with-krb5-include, and --with-krb5-lib configure
options to allow more specific setting of paths if necessary.
Check at configure time that we can link with the remctl library we
found.
kadmin-remctl 2.2 (2008-07-31)
As of this release, AFS kaserver support is frozen and no longer
tested. It may be removed in a future release if there is significant
code restructuring.
Close the kasetkey output file descriptor before checking its exit
status so that we get accurate results.
Produce better error messages if REMOTE_USER isn't set in the
environment when checking authorization for instance management and
document the use of REMOTE_USER in the man page.
kadmin-remctl 2.1 (2008-04-25)
kasetkey now supports examine, enable, and disable, so drop all
remaining calls to a Kerberos v4 kadmin client and use kasetkey for
all AFS kaserver integration.
Honor allowed regex configuration for valid principal names in examine
as well.
Improve the library probing and allow for systems where shared library
dependencies don't work properly.
If KRB5_CONFIG was explicitly set in the environment, don't use a
different krb5-config based on --with-krb4 or --with-krb5. If
krb5-config isn't executable, don't use it. This allows one to force
library probing by setting KRB5_CONFIG to point to a nonexistent file.
Sanity-check the results of krb5-config before proceeding and error
out in configure if they don't work.
kadmin-remctl 2.0 (2008-03-25)
Significantly rework kadmin-backend. The configuration variable for
instance management has been renamed to %CONFIG and now must be set.
It controls both instances and principals without instances. Many of
the global settings have been moved into that hash and can be set
per-instance. Particular instances may now be configured to only
exist in Active Directory and bypass Kerberos v5 entirely.
Add the ksetpass client, which sets a Kerberos password via the
password change protocol using an existing Kerberos ticket cache.
Support using it for password resets in Active Directory and to work
around a Windows Server 2008 bug that prevents setting passwords at
the time of account creation when using GSS-API authentication. Based
on work by Dmitri Priimak.
Support enable and disable commands for instance management as well.
Recognize instance list errors from kadmin correctly. kadmin returns
errors prefixed by get_principals, not list_principals.
Allow for kadmin binaries that print error messages in two parts by
waiting for the end of the line before extracting the error message.
When checking against ACLs, support include commands with the same
syntax as remctld.
Change some kadmin-backend defaults to be less Stanford-specific.
kadmin-remctl 1.9 (2007-09-11)
Add support for optionally adding principals with instances created in
Active Directory to an Active Directory authorization group at the
time of creation.
kadmin-remctl 1.8 (2007-08-08)
Increase the timeouts in the Expect calls while performing the actual
operation, since the propagation to Active Directory can take some
time.
When stripping error messages for reporting to the user, don't stop
stripping at newlines.
Add a newline after a remctl library error when reporting such errors
to the user in passwd_change.
kadmin-remctl 1.7 (2007-08-06)
Add the $K5_HOST configuration variable to kadmin-backend which, if
set, tells kadmin-backend to contact the given kadmin server instead
of the default for the local realm.
Tweak kadmin-backend slightly so that it runs properly with Perl
5.6.1 without warnings.
kadmin-remctl 1.6 (2007-07-13)
Use the correct configuration key when reading the LDIF file to find
the DN for deleting instances and extract just the DN rather than
keeping the "dn: " prefix.
Active Directory expects passwords to be encoded in UCS-2LE. Change
the password provided to the LDIF template to match those expectations
and move the modules needed for talking to Active Directory to
require statements from use statements so that those Perl modules
aren't required unless Active Directory integration is desired.
When listing instances, add a wildcard after the instance pattern
rather than letting kadmin append the local realm so that we can use
the same code on development servers that may be serving different
realms than the local realm.
Correctly handle errors on account creation in kadmin-backend. It was
treating all Kerberos errors as success.
Kerberos v4 examine output faking was prepending "retstr: " even to
error messages. Drop "retstr: " when there is an error.
Standardize across the non-instance functions of kadmin-backend the
ordering of error and retstr messages and return retstr for the case
of creating an account that already exists instead of just error.
kadmin-remctl 1.5 (2007-07-11)
Add support for propagation of instance creation and deletion into
Active Directory.
When faking Kerberos v4 examine output in kadmin-backend, strip the
time zone information from the Kerberos v5 timestamps. Kerberos v4
kadmin examine didn't include time zone information.
Fix the passwd_change configuration documentation to use the correct
krb5.conf parameters.
kadmin-remctl 1.4 (2007-06-28)
Add support in passwd_change for reading configuration from the system
krb5.conf and only use the compiled-in values as defaults.
Properly handle K4 output faking when the principal doesn't exist.
kadmin-remctl 1.3 (2007-06-11)
MIT Kerberos kadmin doesn't return a useful exit status in conjunction
with -q. It always exits 0, even if the operation failed. Adjust for
this by inspecting its output instead.
Add support for faking K4 kadmin examine output based on the K5
getprinc output, for backwards compatibility for Stanford Registry
integration.
kadmin-remctl 1.2 (2007-06-05)
Support disabling all Kerberos v4 actions in kadmin-backend by setting
one of the Kerberos v4 configuration variables to undef.
Handle CRs in the output of commands run via Expect in kadmin-backend.
kadmin-remctl 1.1 (2007-05-31)
Add support for creating and manipulating account instances to
kadmin-backend using a separate set of commands.
Add support in kadmin-backend for loading configuration from an
external configuration file, which can override the defaults set at
the top of the script.
Add support for reserved principals in kadmin-backend (principals that
the script will refuse to act on).
For password change and reset, always return both an error: and a
retstr: line to match the behavior of the old Kerberos v4 interface.
Strip out the kpasswd advice to see its man page, since that text will
mostly not be useful to our users.
On password reset, have kadmin-backend exit with a different exit
status if the user does not have permission to change passwords for
that account and use that exit status as a trigger in passwd_change to
break out of the loop and not keep prompting for a new password.
Truncate error messages from kpasswd after the first sentence and
replace newlines with spaces to put them on a single line. kpasswd is
more verbose about its errors than kadmin.
kadmin-remctl 1.0 (2007-03-21)
First public release. Many defaults are hard-coded into source code
and synchronization with an AFS kaserver realm is done using
Stanford-specific external programs.