author | Mark Murray <markm@FreeBSD.org> | 1997-09-04 06:04:33 +0000
committer | Mark Murray <markm@FreeBSD.org> | 1997-09-04 06:04:33 +0000
commit | 03656ac1b015e707cea8379d6dab400f41a2dd86 (patch)
tree | 0b84977f19022a965f8c6145f067f951173f6290 /crypto/kerberosIV/NEWS
Diffstat (limited to 'crypto/kerberosIV/NEWS')
-rw-r--r-- | crypto/kerberosIV/NEWS | 563
1 files changed, 563 insertions, 0 deletions
diff --git a/crypto/kerberosIV/NEWS b/crypto/kerberosIV/NEWS new file mode 100644 index 000000000000..cddbb2291699 --- /dev/null +++ b/crypto/kerberosIV/NEWS 
@@ -0,0 +1,563 @@ +Minor changes in release 0.9.6: + +* utmp(x) works correctly on systems with utmpx. + +* A security-related bug in ftpd fixed. + +* Compiles on solaris 2.4, 2.6 and on WinNT/95 with cygwin32 beta18. + +* New option `-w' to rxtelnet, rxterm. + +Major changes in release 0.9.5: + +* We made some changes to be compatible with the other kerberised ftp + implementations and this means that an old kerberised ftp client will + not be able to talk to a new ftp server. So try to upgrade your ftp + clients and servers at the same time. The reason for this change is + described in more detail below. + +* The interpretation of /etc/ftpusers has changed slightly, see + ftpusers(5). These changes come from NetBSD. + +* The function `des_quad_cksum', which is used by `krb_rd_safe', and + `krb_mk_safe', has never been compatible with MIT's DES + library. This has now been fixed. + + This fix will however break some programs that used those functions, + for instance `ftp'. In this version `krb_rd_safe' is modified to + accept checksums of both the new and the old format; `krb_mk_safe' + will always emit checksums of the new type *unless* `krb_rd_safe' + has detected that the client is using the old checksum (this feature + may be removed in some future release). + + If you have programs that use `krb_mk_safe' and `krb_rd_safe' you + should upgrade all clients before upgrading your servers. Client is + here defined as the program that first calls `krb_rd_safe'. + + If you are using some protocol that talks to more than one client or + server in one session, the heuristics to detect which kind of + checksum to use might fail. + + The problem with `des_quad_cksum' was just a byte-order problem, so + there are no security problems with using the old versions. Thanks + to Derrick J Brashear <shadow@DEMENTIA.ORG> for pointing in the + right general direction. + +* Rewrote kx to work always open TCP connections in the same + direction. 
This was needed to make it work through NATs and is + generally a cleaner way of doing it. Also added `tenletxr'. + Unfortunately the new protocol is not compatible with the old one. + The new kx and kxd programs try to figure out if they are talking to + old versions. + +* Quite a bit of new functionality in otp. Changed default hash + function to `md5'. Fixed implementation of SHA and added downcasing + of seed to conform with `draft-ietf-otp-01.txt'. All verification + examples in the draft now work. + +* Fixed buffer overflows. + +* Add history/line editing in kadmin and ftp. + +* utmp/utmpx and wtmp/wtmpx might work better on strange machines. + +* Bug fixes for `rsh -n' and `rcp -x'. + +* reget now works in ftp and ftpd. Passive mode works. Other minor + bug fixes as well. + +* New option `-g umask' to ftpd for specifying the umask for anonymous users. + +* Fix for `-l' option in rxtelnet and rxterm. + +* XOVER support in popper. + +* Better support for building shared libraries. + +* Better support for talking to the KDC over TCP. This could make it + easier to use brain-damaged firewalls. + +* Support FreeBSD-style MD5 /etc/passwd. + +* New option `-createuser' to afslog. + +* Upgraded to work with socks5-v1.0r1. + +* Almost compiles and works on OS/2 with EMX, and Win95/NT with gnu-win32. + +* Merged in win32-telnet, see README-WIN32 for more details. + +* Possibly fixed telnet bug on HP-UX 10. + +* Updated man-pages. + +* Support for NetBSD/OpenBSD manual page circus. + +* Bug fixes. + +Major changes in release 0.9.3: + +* kx has been rewritten and is now a lot easier to use. Two new + scripts: rxtelnet and rxterm. It also works on machines such as + Cray where the X-libraries cannot talk unix sockets. + +* experimental OTP (RFC1938). Included in login, ftpd, and popper. + +* authentication modules: PAM for linux, SIA for OSF/1, and + afskauthlib for Irix. + +* popper now has the UIDL command. 
+ +* ftpd can now tar and compress files and directories on the fly, also + added a find site command. + +* updated documentation and man pages. + +* Change kuserok so that it acts as if luser@LOCALREALM is always an + entry of .klogin, even when it's not possible to verify that there + is no such file or the file is unreadable. + +* Support for SRV-records. + +* Socks v5 support. + +* rcp is AFS-aware. + +* allow for other transport mechanisms than udp (useful for firewall + tormented souls); as a side effect the format of krb.conf had to + become more flexible + +* sample programs included. + +* work arounds for Linux networking bugs in rlogind and rlogin. + +* more portable + +* quite a number of improvments/bugfixes + +* New platforms: HP-UX 10, Irix 6.2 + +Major changes in release 0.9.2a: + +* fix annoying bug with kauth (et al) returning incorrect error + +Major changes in release 0.9.2: + +* service `kerberos-iv' and port 750 has been registered with IANA. + +* Bugfixes. + + - Compiles with gcc on AIX. + + - Compiles with really old resolvers. + + - ftp works with afs string-to-key. + + - shared libraries should work on Linux/ELF. + + - some potential buffer overruns. + + - general code clean-up. + +* Better Cray/UNICOS support. + +* New platforms: AIX 4.2, IRIX 6.1, and Linux 2.0 + +Major changes in release 0.9.1: + +* Mostly bugfixes. + + - No hardcoded references to /usr/athena + + - Better Linux support with rlogin + + - Fix for broken handling of NULL password in kadmind (such as with + `ksrvutil change') + + - AFS-aware programs should work on AIX systems without AFS + +* New platforms: Digital UNIX 4.0 and Fujitsu UXP/V + +* New mechanism to determine realm from hostname based on DNS. To find + the realm of a.b.c.d it tries to find krb4-realm.a.b.c.d and then + krb4-realm.b.c.d and so on. The entry in DNS should be a TXT record + with the realm name. + + krb4-realm.pdc.kth.se. 
7200 TXT "NADA.KTH.SE" + +Major changes in release 0.9: + +* Tested platforms: + +Dec Alpha OSF/1 3.2 with cc -std1 +HP 9000/735 HP/UX 9.05 with gcc +DEC Pmax Ultrix 4.4 with gcc (cc does not work) +IBM RS/6000 AIX 4.1 with xlc (gcc works, cc does not) +SGI IRIX 5.3 with cc +Sun SunOS 4.1.4 with gcc (cc is not ANSI and does not work) +Sun SunOS 5.5 with gcc +Intel i386 NetBSD 1.2 with gcc +Intel i386 Linux 1.3.95 with gcc +Cray J90 Unicos 9 with cc + +* Mostly ported to Crays running Unicos 9. + +* S/Key-support in ftpd. + +* Delete operation supported in kerberos database. + +* Cleaner and more portable code. + +* Even less bugs than before. + +* kpopper now supports the old pop3 protocol and has been renamed to popper. + +* rsh can be renamed remsh. + +* Experimental program for forwarding IP over a kerberos tunnel. + +* Updated to libdes 3.23. + +Major changes in release 0.8: + +* New programs: ftp & ftpd. + +* New programs: kx & kxd. These programs forward X connections over + kerberos-encrypted connections. + +* Incorporated version 3.21 of libdes. + +* login: No double utmp-entries on Solaris. + +* kafs + + * Better guessing of what realm a cell belongs to. + + * Support for authenticating to several cells. Reads + /usr/vice/etc/TheseCells, if present. + +* ksrvutil: Support for generating AFS keys. + +* login, su, rshd, rlogind: tries to counter possible NIS-attack. + +* xnlock: several bug fixes and support for more than one screen. + +* Default port number for ekshell changed from 2106 to 545. kauth + port changed from 4711 to 2120. + +* Rumored to work on Fujitsu UXP/V and Cray UNICOS. + +Major changes in release 0.7: + +* New experimental masterkey generation. Enable with + --enable-random-mkey. Also the default place for the master key has + moved from /.k to /var/kerberos/master-key. This is customizable + with --with-mkey=file. If you don't want you master key to be on the + same backup medium as your database, remember to use this flag. 
All + relevant programs still checks for /.k. + +* `-t' option to kadmin. + +* Kpopper uses kuserok to verify if user is allowed to pop mail. + +* Kpopper tries to locate the mail spool directory: /var/mail or + /var/spool/mail. + +* kauth has ability to get ticket on a remove host with the `-h' option. + +* afslog (aklog clone) and pagsh included. + +* New format for /etc/krb.equiv. + +* Better multi-homed hosts support in kauth, rcp, rlogin, rlogind, + rshd, telnet, telnetd. + +* rlogind works on ultrix and aix 3.2. + +* lots of bug fixes. + +Major changes in release 0.6: + +* Tested platforms: + +DEC/Alpha OSF3.2 +HP700 HPux 9.x +Dec/Pmax Ultrix 4.4 (rlogind not working) +IBM RS/6000 AIX 3.2 (rlogind not working) +IBM RS/6000 AIX 4.1 +SGI Irix 5.3 +Sun Sunos 4.1.x +Sun Sunos 5.4 +386 BSD/OS 2.0.1 +386 NetBSD 1.1 +386 Linux 1.2.13 + +It is rumored to work to some extent on NextStep 3.3. + +* ksrvutil get to create new keys and put them in the database at the +same time. + +* Support for S/Key in login. + +* kstring2key: new program to show string to key conversion. + +* Kerberos server should now listen on all available network +interfaces and on both port 88 and 750. + +* Timeout in kpopper. + +* Support password quality checks in kadmind. Use --with-crack-lib to +link kadmind with cracklib. The patches in cracklib.patch are needed. + +* Movemail from emacs 19.30. + +* Logging format uses four digits for years. + +* Fallback if port numbers are not listed in /etc/services. + + + * Relesed version 0.5 + + * lib/des/read_pwd.c: Redifine TIOCGETP and TIOCSETP so that the + same code is used both for posix termios and others. + + * rsh, rlogin: Add environment variable RSTAR_NO_WARN which when + set to "yes" make warnings about "rlogin: warning, using standard + rlogin: remote host doesn't support Kerberos." go away. 
+ + * admin/kdb_util.c (load_db) lib/kdb/krb_dbm.c (kerb_db_update): + Optimized so that it can handle large databases, previously a + 10000 entry DB would take *many* minutes, this can now be done in + under a minute. + + * Changes in server/kerberos.c, kadmin/*.c slave/*.c to support 64 + bit machines. Source should now be free of 64 bit assumptions. + + * admin/copykey.c (copy_from_key): New functions for copying to + and from keys. Neccessary to solve som problems with longs on 64 + bit machines in kdb_init, kdb_edit, kdb_util and ext_srvtab. + + * lib/kdb/krb_kdb_utils.c (kdb_verify_master_key): More problems + with longs on 64 bit machines. + + * appl/bsd/login.c (main): Lots of stuff to support Psoriasis + login. Courtesy of gertz@lysator.liu.se. + + * configure.in, all Makefile.in's: Support for Linux shared + libraries. Courtesy of svedja@lysator.liu.se. + + * lib/krb/cr_err_reply.c server/kerberos.c: Moved int req_act_vno + = KRB_PROT_VERSION; from server kode to libkrb where it really + belongs. + + * appl/bsd/forkpty.c (forkpty): New function that allocates master + and slave ptys in a portable way. Used by rlogind. + + * appl/telnet/telnetd/sys_term.c (start_login): Under SunOS5 the + same utmpx slot got used by sevral sessions. Courtesy of + gertz@lysator.liu.se. + + * util/{ss, et}/Makefile.in (LEX): Use flex or lex. Courtesy of + svedja@lysator.liu.se. + + * Fix the above Makefiles to work around bugs in Solaris and OSF/1 + make rules that was triggered by VPATH functionality in the yacc + and lex rules. + + * appl/kpopper/pop_log.c (pop_log) appl/kpopper/pop_msg.c (pop_msg): + Use stdarg instead of varargs. The code is still broken though, + you'll realize that on a machine with 64 bit pointers and 32 bit + int:s and no vsprintf, let's hope there will be no such beasts ;-). + + * appl/telnet/telnetd/sys_term.c (getptyslave): Not all systems + have (or need) modules ttcompat and pckt so don't flag it as a + fatal error if they don't exist. 
+ + * kadmin/admin_server.c (kadm_listen) kadmind/kadm_ser_wrap.c + (kadm_listen): Add kludge for kadmind running on a multihomed + server. #ifdef:ed under MULTIHOMED_KADMIN. Change in acconfig.h + if you need this feature. + + * appl/Makefile.in (SUBDIRS): Add applications movemail kpopper + and xnlock. + + * appl/bsd/rlogin.c (main): New rlogind.c, forkpty() is not + implemented yet though. + + * appl/xnlock/Makefile.in: Some stubs for X11 programs in + configure.in as well as a kerberized version of xnlock. + + * appl/bsd/{rlogin.c, rsh.c, rcp.c}: Add code to support fallback + port numbers if they can not be found using getservbyname. + + * appl/bsd/klogin.c (klogin): Use differnet ticket files for each + login so that a malicous user won't be able to destroy our tickets + with a failed login attempt. + + * lib/kafs/afssys.c (k_afsklog): First we try afs.cell@REALM, if + there is no such thing try afs@CELL instead. There is now two + arguments to k_afslog(char *cell, char *realm). + + * kadmin/admin_server.c (kadm_listen): If we are multihomed we + need to figure out which local address that is used this time + since it is used in "direction" comparison. + + * kadmin/kadm_ser_wrap.c (kadm_ser_init): Fallback to use default + port number. + + * lib/krb/send_to_kdc.c (send_to_kdc): Default port number + (KRB_PORT) was not in network byte order. + + * lib/krb/send_to_kdc.c (send_recv): Linux clears timeout struct + when selecting. + + * appl/bsd/rcp.c, appl/bsd/rlogin.c, appl/bsd/rsh.c: + Now does fallback if there isn't any entries in /etc/services for + klogin/kshell. This also made the code a bit more pretty. + + * appl/bsd/login.c: Added support for lots of more struct utmp fields. + If there is no ttyslot() use setutent and friends. + + * appl/bsd/Makefile.in, appl/bsd/rlogind.c, appl/bsd/rshd.c: + Added extern iruserok(). + + * appl/bsd/iruserok.c: Initial revision + + * appl/bsd/bsd_locl.h: Must include sys/filio.h on Psoriasis. 
+ + * appl/bsd/Makefile.in: New install + + * appl/bsd/pathnames.h: Fix default path, rsh and rlogin. + + * appl/bsd/rshd.c: Extend default PATH with bindir to find rcp. + + * appl/bsd/login.c (login): If there is no ttyslot use setutent + and friends. Added support for lots of more struct utmp fields. + + * server/kerberos.c (main) lib/kafs/afssys.c appl/bsd/bsd_locl.h: + Must include sys/filio.h on Psoriasis to find _IOW and FIO* macros. + + * appl/bsd/rlogind.c (doit): Use _PATH_DEFPATH rather than + _PATH_DEF. + + * appl/bsd/login.c, su.c (main): Use fallback to bourne shell if + running as root. + + * appl/bsd/su.c (main): Update usage message to reflect that '-' + option must come after the ordinary options and before login-id. + + * appl/telnet/telnetd/telnetd.c (doit): If remote host name is to + long to fit into utmp try to remove domain part if it does match + our local domain. + + (main): Add new option -L /bin/login so that it is possible to + specify an alternate login program. + + * appl/telnet/telnet/commands.c (env_init): When exporting + variable DISPLAY and if hostname is not the full name, try to get + the full name from DNS. + + * appl/telnet/telnet/main.c (main): Option -k realm was broken due + to a bogous external declaration. + + * kadmin/kadmin.c (add_new_key): Kadmin now properly sets + lifetime, expiration date and attributes in add_new_key command. + + * appl/bsd/su.c (main): Don't handle '-' option with getopt. + + * appl/telnet/telnet/externs.h: Removed protection for multiple + inclusions of termio(s).h since it broke definition of termio + macro on POSIX systems. + + * lib/krb/lifetime.c (krb_life_to_time): If you want to disable + AFS compatible long lifetimes set krb_no_long_lifetimes = 1. + + Please note that the long lifetimes are 100% compatible up to + 10h so this should rarely be necessary. + + * lib/krb/krb_equiv.c (krb_equiv): If you don't want to use + ipaddress protection of tickets set krb_ignore_ip_address. 
This + makes it possible for an intruder to steal a ticket and then use + it from som other machine anywhere on the net. + + * kadmin/kadm_ser_wrap.c (kadm_ser_init): Don't bind to only one + local address. Accept request on all interfaces. + + * admin/kdb_edit.c (change_principal): Don't accept illegal + dates. Courtesy of gertz@lysator.liu.se. + + * configure.in: AIX specific libraries needed when using standard + libc routine getttyent, IBM should be ashamed! + + * lib/krb/recvauth.c (krb_recvauth): Long that should be int32_t + problem. + + * Added strdup for su and rlogin. + + * Fix for old syslog macros in appl/bsd/bsd_locl. + + * lib/kdb/krb_dbm.c (kerb_db_rename) admin/kdb_destroy.c: New + ifdef HAVE_NEW_DB for new databases residing in one file only. + + * appl/bsd/rlogin.c (oob): Add workaround for Linux. + + * appl/bsd/getpass.c: New routine that reads up to 127 char + passwords. Used in su.c and login.c. + + * appl/telnet/telnetd/sys_term.c (login_tty): Ioctl TIOCSCTTY + should not be used on HP-UX. + +==========================*** Released 0.2? ***============================= + +ksrvutil + If there is a dot in the about to be added principals name there is + no need to ask for instance name. + +kerberos & kadmind + Logfiles are created with small permissions (600). + +krb.conf and krb.realms + Use domain part as realm name if there is no match in krb.realms. + Use kerberos.REALMNAME if there is no match in krb.realms. + +rlogin + The rlogin client is supported both with and without encryption, + there is no rlogind yet though. + +login + There is login program that supports the -f option. Both kerberos + and /etc/passwd authentication is enabled. + + Vendors login programs typically have no -f option (needed by + telnetd) and also does not know how to verify passwords againts + kerberos. + +appl/bsd/* + Now uses POSIX signals. + +kdb_edit, kadmin + Generate random passwords if administrator enters empty password. 
+ +lib/kafs + New library to support AFS. Routines: + int k_hasafs(void); + int k_afsklog(...); or some other name + int k_setpag(void); + int k_unlog(void); + int k_pioctl(char *, int, struct ViceIoctl *, int); + + Library supports more than one single entry point AFS syscalls + (needed be HP/UX and OSF/1 when running DFS). Doesn't rely on + transarc headers or library code. Same binaries can be used both on + machines running AFS and others. + + This library is used in telnetd, login and the r* programs. + +telnet & telnetd + Based on telnet.95.05.31.NE but with the encryption hacks from + ftp.funet.fi:/pub/unix/security/esrasrc-1.0 added. This encryption + stuff needed some more modifications (done by joda@nada.kth.se) + before it was usable. Telnet has also been modified to use GNU + autoconf. + +Numerous other changes that are long since forgotten. |
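Review bot: this vendor import of crypto/kerberosIV/NEWS carries no commit message on the page, yet the file's first entry is "Minor changes in release 0.9.6"; the import should name that upstream release so later diffs against the vendor branch can be matched to a NEWS entry. Two entries in the hunk deserve a pointer in the local release notes rather than living only in the imported file: the 0.9.5 note that `des_quad_cksum' was fixed and that `krb_mk_safe'/`krb_rd_safe' now emit and detect two checksum formats, with the instruction to upgrade all clients before servers (the heuristic is documented to fail for protocols that talk to more than one peer in a session), and the older lib/krb/krb_equiv.c note that setting krb_ignore_ip_address removes the ip-address binding of tickets and, as the file itself says, lets a stolen ticket be used from another machine. Minor style point: the file carries several upstream typos (`Relesed', `Redifine', `Neccessary', `malicous', `improvments', `againts'); since this is a verbatim vendor import they belong upstream, not in this commit.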