forked from Yubico/yubico-pam
pam_yubico NEWS -- History of user-visible changes. -*- outline -*-
* Version 2.28 (unreleased)
* Version 2.27 (released 2021-04-09)
** Add always_prompt configuration option.
** Add client certificate support for ldap.
** Add starttls support for ldap.
** Add ldap_bind_as_user support.
** Parsing, cleanliness and string fixes.
** Documentation and spelling fixes.
* Version 2.26 (released 2018-04-20)
** Make sure to close authfile (CVE-2018-9275).
** Fix compiler warnings.
** Open file descriptors with O_CLOEXEC.
** Use mkostemp() instead of mkstemp().
* Version 2.25 (released 2018-03-27)
** Documentation updates.
** Only do OTP validation if it's a token that might be valid.
** Return early in case user has no valid tokens.
** Ldap, compare values only with yubi_attr attributes.
** Add nullok parameter.
* Version 2.24 (released 2016-11-25)
** Debug mode changed, allows file output with debug_file.
** Fixup returning user-unknown correctly.
* Version 2.23 (released 2016-06-15)
** Fix an issue where a failure to set permissions was wrongly outputted.
* Version 2.22 (released 2016-05-23)
** Documentation improvements.
** Retain ownership and permission of challenge files (issue #92).
** Make dependency on yubico-c-client 2.15 clearer.
* Version 2.21 (released 2016-02-19)
** Add proxy support for yubico-c-client.
** Check that conv is set before trying to use it.
Fixes a crash bug with the osx loginwindow.
** Add building of a mac installer.
* Version 2.20 (released 2015-09-22)
** Add cainfo option to allow usage of a cabundle instead of path.
** Support comments in authfile.
** For challenge response with system-wide directory, write the files as root
instead of the user.
* Version 2.19 (released 2015-03-23)
** Add new ldap functionality
ldap_bind_user and ldap_bind_password for authenticated binds
ldap_filter for using subtree search and a filter
ldap_cacertfile to use a specific cacert for ldaps
* Version 2.18 (released 2015-02-12)
** Fix a memory leak of the pam response data.
** Add more tests.
** Add version flag to ykpamcfg.
* Version 2.17 (released 2014-08-26)
** Fix a bug with the 'urllist' parameter where urls would be forgotten.
** Manpages converted to asciidoc.
* Version 2.16 (released 2014-06-10)
** Fix a crashbug with the new parameter 'urllist'
* Version 2.15 (released 2014-04-30)
** Added new parameter 'urllist'
** Added pam_yubico(8) man page.
** Fix memory leak.
** Bump yubico-c-client version requirement to 2.12.
* Version 2.14 (released 2013-09-27)
** Don't install internal header files.
** Don't print debug info when the "debug" parameter is not given.
** Use PBKDF2 to process expected reply for challenge-response mode.
** Fixup memory leaks and leaks of privilege.
** Let return values reflect whether the user wasn't found or other error.
* Version 2.13 (released 2013-03-01)
** Fix a bug in the version check to support major version > 2 (neo).
Patch from https://github.com/wwest4
** Give ykpamcfg an option for specifying path.
* Version 2.12 (released 2012-06-15)
** Only use libyubikey when --with-cr is used.
** Set correct permissions on tempfile.
** YubiKey 2.2 contains a bug in challenge-response that makes it output the
same response to all challenges unless HMAC_LT64 is set. Add warnings to
ykpamcfg and a warning through conversate in the pam module. Keys programmed
like this should be reprogrammed with the HMAC_LT64 flag set.
* Version 2.11 (released 2012-02-10)
** Fix crash-bug with challenge-response mode when button press is required,
but button is never pressed. Reported and fixed by
Lingzhu Xiang <[email protected]>.
** Fix a memset() with wrong size as reported by clang, as well as some
other problems/warnings when building on Mac OS X, thanks to
Clemens Lang <[email protected]>.
** Add prefix-matching of LDAP fetched values, so you can store the
token-to-user mapping in a multi-value attribute with values like
"yubikey:publicid", "other-token:something" etc. Patch by
Remi Mollon <[email protected]>.
* Version 2.10 (released 2011-12-14)
** Drop permissions (to the user that is trying to authenticate) before
accessing files in the users home directory. Largely based on a patch by
Ricky Zhou <[email protected]>. Thanks!
** Restore challenge-response support - version 2.7 was supposed to make
the dependency on libykpers optional, but in reality accidentally
disabled challenge-response for all configurations. As before, use
--without-cr to compile pam_yubico without the ykpers dependency.
* Version 2.9 (released 2011-11-17)
** Security: Explicitly request ykclient to verify server signature.
ykclient <= 2.5 strangely enough defaults to signing requests, but not
verifying signatures in responses when it is supplied with a client key.
Reported and patched by Dominic Rutherford <[email protected]>.
* Version 2.8 (released 2011-08-26)
** Fix big security hole: Authentication succeeded when no password
was given, unless use_first_pass was being used.
This is fatal if pam_yubico is considered 'sufficient' in the PAM
configuration.
Reported and patched by Nanakos Chrysostomos <[email protected]>.
* Version 2.7 (released 2011-06-07)
** Make dependency on libykpers optional.
Use --without-cr to force it. Reported by Jussi Sallinen <[email protected]>.
* Version 2.6 (released 2011-04-11)
** This release includes lots of patches by members of our open
source community. Thank you all!
** Add Challenge-Response mode for offline validation (requires
YubiKey 2.2). Patch by Tollef Fog Heen.
** Eliminate all problems with pam_get_data by simply getting rid
of that code completely. This seems to have caused problems for a lot
of people.
** Numerous LDAP bug fixes and improvements, including community
patches by judas.iscariote and [email protected]. Change to
LDAPv3, since v2 has been declared historic for a looong time.
** Support passing capath parameter to Yubico validation client.
Patch by Remi Mollon.
** Support public id's longer/shorter than 6 bytes. Patch by
** Convert documentation to Asciidoc format used in Github wiki.
** Try to never log passwords in debug logs.
* Version 2.5 (released 2010-09-10)
** Wiki articles are now included in the archive. Same license as code.
Reported by dmitrij.ledkov in Issue #30:
<http://code.google.com/p/yubico-pam/issues/detail?id=30>.
* Version 2.4 (released 2010-09-10)
** New keyword "verbose_otp" to allow displaying OTP characters.
Contributed by qistoph reported in Issue #22:
<http://code.google.com/p/yubico-pam/issues/detail?id=22>.
** Build with -DPAM_DEBUG so that debug file writing works.
Reported by qistoph in Issue #20:
<http://code.google.com/p/yubico-pam/issues/detail?id=20>.
** Make deprecated "ldapserver" work again.
Reported by giovannibajo in Issue #27:
<http://code.google.com/p/yubico-pam/issues/detail?id=27>.
** Fix segmentation fault on 64-bit systems.
Reported by multiple people in Issue #11:
<http://code.google.com/p/yubico-pam/issues/detail?id=11>.
** Don't crash on ^D at su prompt, or generally, on a NULL password value.
* Version 2.3 (released 2010-04-14)
** New keyword "ldap_uri" added.
This keyword is preferred over the old "ldapserver" keyword, and
allows you to specify a complete LDAP URI instead of only the hostname
of your LDAP server. Contributed by Zubrick.
** Improved README.
Contributed by Erinn Looney-Triggs <[email protected]>.
* Version 2.2 (released 2009-05-11)
** Added new PAM configuration variable "key" for base64 client key.
* Version 2.1 (released 2009-03-31)
** Fix documentation.
** Fix warning.
* Version 2.0 (released 2009-03-25)
** Requires libykclient v2.0 or later.
See <http://code.google.com/p/yubico-c-client/>.
* Version 1.14 (released 2009-03-24)
** Quick release to sync release archive with svn code.
* Version 1.13 (released 2009-03-24)
** Fix parsing of password into OTP/ID/password.
Earlier string handling may have been incorrect for short strings.
** Don't pass integers via pam_set_data/pam_get_data.
May solve problems on 64-bit platforms. Based on patch from
forum.yubico.com.
* Version 1.12 (released 2009-03-24)
** Add support for "use_first_pass" and "try_first_pass".
They work similar to other PAM modules, see README for more
documentation.
Upgrade notice: If you are relying on getting the YubiKey OTP from an
earlier PAM module, and no prompting by the pam_yubico module, you
need to add "try_first_pass" to preserve the same behaviour.
* Version 1.11 (released 2009-02-11)
** Added support to store user:keyid mapping in LDAP.
Contributed by Gregory Brusick <[email protected]>.
* Version 1.10 (released 2009-01-13)
** Change license to 2-clause BSD.
The Linux-PAM license is unclear, and in any case, the 2-clause BSD
license is compatible with 3-clause BSD and GPL.
* Version 1.9 (released 2009-01-13)
** Solaris portability improvements.
Suggested by Martin Englund <[email protected]>.
* Version 1.8 (released 2008-09-15)
** Add new parameter 'url' to specify the server template URL.
* Version 1.7 (released 2008-09-01)
** Support two-factor mode to provide a password.
** Support a user-specific configuration file to allow yubikeys per user.
** Use libyubikey-client instead of direct use of libcurl.
** Move *.m4's to m4/.
* Version 1.6 (released 2008-01-11)
** First release from code.google.com repository.
** Clarify documentation with regard to license and development info.
* Version 1.5 (internal release)
** Clarify that license is the same as Linux-PAM (GPLv2 or modified BSD).
This is likely the last internal release, source moving to code.google.com.
* Version 1.4 (internal release)
** Don't free CURL's user agent string before we're done.
* Version 1.3 (internal release)
** Disable echo'ing of password, for FreeRadius.
* Version 1.2 (internal release)
** Added PDF/HTML manual, see yubico-pam.pdf and yubico-pam.html.
** Fixes to use new web service API.
** Add "url" parameter.
** Fix "alwaysok" parameter.
** Fix crash on empty server responses.
** Parse "status" properly.
** Better debug info.
* Version 1.1 (internal release)
** Fix ws-api usage.
** Support "alwaysok".
* Version 1.0 (internal release)
** Initial release.