2005-03-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cftoken.l|localconf.h|privsep.c|racoon.conf.5}
src/racoon/remoteconf.c: When running in privsep mode, check that
private key and script paths match those given in the path section.
2005-03-15 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_cfg|isakmp_cfg.h|isakmp_xauth.c}: initialize
RADIUS accounting at startup
* src/racoon/privsep.c: fix minor bug in PAM cleanup
* src/racoon/isakmp_cfg.c: only call cleanup_pam if PAM is used
2005-03-14 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac: handle correctly dynamic libradius
* src/racoon/cfparse.y: correctly initialize address pool
2005-03-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cftoken.l|localconf.h|privsep.c|racoon.conf.5}
src/racoon/remoteconf.c: When running in privsep mode, check that
private key and script paths match those given in the path section.
2005-03-15 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_cfg|isakmp_cfg.h|isakmp_xauth.c}: initialize
RADIUS accounting at startup
* src/racoon/privsep.c: fix minor bug in PAM cleanup
* src/racoon/isakmp_cfg.c: only call cleanup_pam if PAM is used
2005-03-14 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac: handle correctly dynamic libradius
* src/racoon/cfparse.y: correctly initialize address pool
2005-03-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cftoken.l|localconf.h|privsep.c|racoon.conf.5}
src/racoon/remoteconf.c: When running in privsep mode, check that
private key and script paths match those given in the path section.
2005-03-15 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_cfg|isakmp_cfg.h|isakmp_xauth.c}: initialize
RADIUS accounting at startup
* src/racoon/privsep.c: fix minor bug in PAM cleanup
* src/racoon/isakmp_cfg.c: only call cleanup_pam if PAM is used
2005-03-14 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac: handle correctly dynamic libradius
* src/racoon/cfparse.y: correctly initialize address pool
according to ipsec-tools' ChangeLog:
2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
support for patented algorithms: IDEA and RC5.
* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
is not required in the configuration
* src/racoon/isakmp.c: do not reject addresses for which kernel
refused UDP encapsulation, they can still be used for non NAT-T
traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
src/setkey/setkey.c: don't use fuzzy paths for package_version.h
2005-02-18 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
related DELETE_SA
* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred.letter@lacave.net>
* src/racoon/remoteconf.c: Fix a bug in script init
2005-02-17 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
2005-02-15 Michal Ludvig <michal@logix.cz>
* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
http://mail-index.netbsd.org/tech-net/2004/11/05/0004.html
Slightly modified to differentiate the version string from a stock racoon.
* auth_gssapi.h (GSSAPI_DEF_NAME): Change from "ike" to "host".
(gssapi_get_default_id): Rename to gssapi_get_id.
(gssapi_get_default_gss_id): New prototype.
* cfparse.y (GSSAPI_ID): Rename to GSS_ID.
(GSS_ID_ENC, GSS_ID_ENCTYPE): New tokens.
(gssenc_statement): New statement.
(isakmpproposal_spec): Use GSS_ID token.
(expand_isakmpspec): Fill in gssid in the new proposal only
if authmethod is OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB. If the
GSS ID is not provided, call gssapi_get_default_gss_id() to
place the default ID in the proposal.
* cftoken.l (S_GSSENC): New start condition.
(<S_RMTP>gss_id): New, return the GSS_ID token.
(<S_RMTP>gssapi_id): Return the GSS_ID token.
(<S_INI>gss_id_enc, <S_GSSENC>latin1, <S_GSSENC>utf-16le)
(<S_GSSENC>{semi}): New, tokenize the "gss_id_enc enctype;"
statement.
* gssapi.c: Include <unistd.h>.
(gssapi_get_default_gss_id): New function.
(gssapi_init): Disable a broken debugging message. Make
printf formats consistent in their handling of non-NUL-terminated
strings.
(gssapi_get_default_id): Rename to...
(gssapi_get_id): ...this. If the proposal has a gssid, vdup()
that and return it. Disable a broken debugging message. Make
printf formats consistent in their handling of non-NUL-terminated
strings.
* ipsec_doi.c: Include <iconv.h>.
(get_ph1approval): Make printf formats consistent in their handling
of non-NUL-terminated strings. Call gssapi_get_id() instead of
gssapi_get_default_id(), and remove some complexity that has been
pushed into that function.
(t2isakmpsa): When parsing the OAKLEY_ATTR_GSS_ID attribute,
check convert the attribute from UTF-16LE to ISO-Latin-1, unless
we are configured to assume the attribute is already ISO-Latin-1
encoded.
(setph1attr): When setting the OAKLEY_ATTR_GSS_ID attribute,
convert the attribute from ISO-Latin-1 to UTF-16LE, unless we
are configured to encode the attribute in ISO-Latin-1.
* localconf.c (setdefault): Set the default GSS ID encoding type
to UTF-16LE.
* localconf.h (LC_GSSENC_UTF16LE, LC_GSSENC_LATIN1)
(LC_GSSENC_MAX): New constants.
(struct localconf): Add gss_id_enc member.
* main.c (RACOON_VERSION): Append " - NetBSD 20041110" to the
version string.
* racoon.conf.5: Document changes to GSS ID encoding and default
GSS ID computation. Document "gss_id_enc enctype;" statement.
* samples/racoon.conf.sample-gssapi: Update and add comments to
provide more information.
Changes in release 0.6.3
* fix vulnerabilities in ftpd
* support for linux AFS /proc "syscalls"
* support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
kpasswdd
* fix possible KDC denial of service
* bug fixes
1) It's not documented anywhere.
2) The problem it's attempting to warn about is not documented anywhere.
3) There are no example configs (or any I found with Google) that use the
"listen" directive.
4) In any event, it's poorly worded and unclear what it's talking about.
(lha@NetBSD.ORG), to incorporate contemporary (last-year-ish)
set-password and change-password extensions derived RFC-3244
(Microsoft set-password/change-password extensions), and the
subsequent MIT-KRB5 APIs for changing and setting passwords.
Required for compatibility with recent (2002/2003-ish) open-source
code which uses the MIT KRB5 APIs for setting passwords, or for
joining Microsoft domains as a "computer account".
Modified files (for pullup tracking purposes):
lib/libasn1/Makefile
crypto/dist/heimdal/lib/asn1/k5.asn1
crypto/dist/heimdal/lib/krb5/changepw.c
crypto/dist/heimdal/lib/krb5/krb5-protos.h
crypto/dist/heimdal/lib/krb5/krb5.h
and without Kerberos 4 & 5 (MKKERBEROS=no). Previously checkflist
complained of missing files.
* move kerberos- and kerberos 4-only files into new flists,
distrib/sets/lists/*/krb.*
* make the flist generators grok MKKERBEROS{,4} variables
* fix Makefiles which treat MKKERBEROS=no as MKKERBEROS5=no.
9 out of 10 experts agree that it is ludicrous to build w/
KERBEROS4 and w/o KERBEROS5.
* fix header files, also, which treat MKKERBEROS=no as MKKERBEROS5=no.
* omit some Kerberos-only subdirectories from the build as
MKKERBEROS{,4} indicate
(I acknowledge the sentiment that flists are the wrong way to go,
and that the makefiles should produce the metalog directly. That
sounds to me like the right way to go, but I am not prepared to do
revamp all the makefiles. While my approach is expedient, it fits
painlessly within the current build architecture until we are
delivered from flist purgatory, and it does not postpone our
delivery. Fair enough?)
(per kernel policy) for crypto transforms for which hardware
acceleration is available. Affects:
crypto/dist/openssl/crypto/engine/eng_all.c
crypto/dist/openssl/crypto/engine/hw_cryptodev.c
crypto/dist/openssl/crypto/evp/c_all.c
as posted to tech-crypto for review/comment on 2003-08-21.
mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
otherwise the kerberos credentinal is stored in a memory cache
in the privileged sshd.
Presumably, this will also come in as part of a later OpenSSH release via
`cvs import', but this is worth having now.
note that official openssh distribution have already dropped kerberosIV support,
therefore maintenance cost needs to be paid by us. and have no intent to help.
alter des.h to be friendly with openssl/des.h (you can include both in the
same file)
make libkrb to depend on libdes. bump major.
massage various portioin of heimdal to be friendly with openssl 0.9.7b.
>change key_load_public to try to read a public from:
>rsa1 private or rsa1 public and ssh2 keys.
>this makes ssh-keygen -e fail for ssh1 keys more gracefully
>for example; report from itojun (netbsd pr 20550).
* The 'kex guesses' bugfix from OpenSSH 3.6 triggers a bug
in a few other SSH v2 implementations and causes connections to
stall. OpenSSH 3.6.1 disables this bugfix when interoperating
with these implementations.
* RSA blinding is now used by ssh(1), sshd(8) and ssh-agent(1).
in order to avoid potential timing attacks against the RSA keys.
Older versions of OpenSSH have been using RSA blinding in
ssh-keysign(1) only.
* ssh-agent(1) optionally requires user confirmation if a key gets
used, see '-c' in ssh-add(1).
* sshd(8) now handles PermitRootLogin correctly when UsePrivilegeSeparation
is enabled.
* sshd(8) now removes X11 cookies when a session gets closed.
* ssh-keysign(8) is disabled by default and only enabled if the
new EnableSSHKeysign option is set in the global ssh_config(5)
file.
* ssh(1) and sshd(8) now handle 'kex guesses' correctly (key exchange
guesses).
* ssh(1) no longer overwrites SIG_IGN. This matches behaviour from
rsh(1) and is used by backup tools.
* setting ProxyCommand to 'none' disables the proxy feature, see
ssh_config(5).
* scp(1) supports add -1 and -2.
* scp(1) supports bandwidth limiting.
* sftp(1) displays a progressmeter.
* sftp(1) has improved error handling for scripting.
hp = strtok(NULL, ",");
to end of while loop which parses "host.allow" from login.conf(5).
Otherwise, sshd(8) would just infinite loop unless there was a
(positive or negative) match in the first word of the "host.allow" list...
to debug (on the server) why a login failed with this information.
* If _PASSWORD_CHGNOW is defined (it's -1 in NetBSD), check that pw_change
is not set to that before testing if the password has expired.
Still prevent the login, but log a different failure message in this case.
XXX: we need to decide if we let interactive logins occur in this case,
but force a password change, a la login(1).
via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CAN-2003-0078)
two macros GSSAPI_KRB5_INIT() or GSSAPI_KRB5_INIT_MS() which call
the former, check its return code and bail on error.
Addresses PR lib/19191
Given a quick look by joda@.