forked from Yubico/yubico-pam-dpkg
pam_yubico NEWS -- History of user-visible changes. -*- outline -*-
* Version 2.14 (released 2013-09-27)
** Don't install internal header files.
** Don't print debug info when the "debug" parameter is not given.
** Use PBKDF2 to process expected reply for challenge-response mode.
** Fixup memory leaks and leaks of privilege.
** Let return values reflect whether the user wasn't found or other error.
* Version 2.13 (released 2013-03-01)
** Fix a bug in the version check to support major version > 2 (neo).
Patch from https://github.com/wwest4
** Give ykpamcfg an option for specifying path.
* Version 2.12 (released 2012-06-15)
** Only use libyubikey when --with-cr is used.
** Set correct permissions on tempfile.
** YubiKey 2.2 contains a bug in challenge-response that makes it output the
same response to all challenges unless HMAC_LT64 is set. Add warnings to
ykpamcfg and a warning through conversate in the pam module. Keys programmed
like this should be reprogrammed with the HMAC_LT64 flag set.
* Version 2.11 (released 2012-02-10)
** Fix crash-bug with challenge-response mode when button press is required,
but button is never pressed. Reported and fixed by
Lingzhu Xiang <[email protected]>.
** Fix a memset() with wrong size as reported by clang, as well as some
other problems/warnings when building on Mac OS X, thanks to
Clemens Lang <[email protected]>.
** Add prefix-matching of LDAP fetched values, so you can store the
token-to-user mapping in a multi-value attribute with values like
"yubikey:publicid", "other-token:something" etc. Patch by
Remi Mollon <[email protected]>.
* Version 2.10 (released 2011-12-14)
** Drop permissions (to the user that is trying to authenticate) before
accessing files in the users home directory. Largely based on a patch by
Ricky Zhou <[email protected]>. Thanks!
** Restore challenge-response support - version 2.7 was supposed to make
the dependency on libykpers optional, but in reality accidentally
disabled challenge-response for all configurations. As before, use
--without-cr to compile pam_yubico without the ykpers dependency.
* Version 2.9 (released 2011-11-17)
** Security: Explicitly request ykclient to verify server signature.
ykclient <= 2.5 strangely enough defaults to signing requests, but not
verifying signatures in responses when it is supplied with a client key.
Reported and patched by Dominic Rutherford <[email protected]>.
* Version 2.8 (released 2011-08-26)
** Fix big security hole: Authentication succeeded when no password
was given, unless use_first_pass was being used.
This is fatal if pam_yubico is considered 'sufficient' in the PAM
configuration.
Reported and patched by Nanakos Chrysostomos <[email protected]>.
* Version 2.7 (released 2011-06-07)
** Make dependency on libykpers optional.
Use --without-cr to force it. Reported by Jussi Sallinen <[email protected]>.
* Version 2.6 (released 2011-04-11)
** This release includes lots of patches by members of our open
source community. Thank you all!
** Add Challenge-Response mode for offline validation (requires
YubiKey 2.2). Patch by Tollef Fog Heen.
** Eliminate all problems with pam_get_data by simply getting rid
of that code completely. This seems to have caused problems for a lot
of people.
** Numerous LDAP bug fixes and improvements, including community
patches by judas.iscariote and [email protected]. Change to
LDAPv3, since v2 has been declared historic for a looong time.
** Support passing capath parameter to Yubico validation client.
Patch by Remi Mollon.
** Support public id's longer/shorter than 6 bytes. Patch by
** Convert documentation to Asciidoc format used in Github wiki.
** Try to never log passwords in debug logs.
* Version 2.5 (released 2010-09-10)
** Wiki articles are now included in the archive. Same license as code.
Reported by dmitrij.ledkov in Issue #30:
<http://code.google.com/p/yubico-pam/issues/detail?id=30>.
* Version 2.4 (released 2010-09-10)
** New keyword "verbose_otp" to allow displaying OTP characters.
Contributed by qistoph reported in Issue #22:
<http://code.google.com/p/yubico-pam/issues/detail?id=22>.
** Build with -DPAM_DEBUG so that debug file writing works.
Reported by qistoph in Issue #20:
<http://code.google.com/p/yubico-pam/issues/detail?id=20>.
** Make deprecated "ldapserver" work again.
Reported by giovannibajo in Issue #27:
<http://code.google.com/p/yubico-pam/issues/detail?id=27>.
** Fix segmentation fault on 64-bit systems.
Reported by multiple people in Issue #11:
<http://code.google.com/p/yubico-pam/issues/detail?id=11>.
** Don't crash on ^D at su prompt, or generally, on a NULL password value.
* Version 2.3 (released 2010-04-14)
** New keyword "ldap_uri" added.
This keyword is preferred over the old "ldapserver" keyword, and
allows you to specify a complete LDAP URI instead of only the hostname
of your LDAP server. Contributed by Zubrick.
** Improved README.
Contributed by Erinn Looney-Triggs <[email protected]>.
* Version 2.2 (released 2009-05-11)
** Added new PAM configuration variable "key" for base64 client key.
* Version 2.1 (released 2009-03-31)
** Fix documentation.
** Fix warning.
* Version 2.0 (released 2009-03-25)
** Requires libykclient v2.0 or later.
See <http://code.google.com/p/yubico-c-client/>.
* Version 1.14 (released 2009-03-24)
** Quick release to sync release archive with svn code.
* Version 1.13 (released 2009-03-24)
** Fix parsing of password into OTP/ID/password.
Earlier string handling may have been incorrect for short strings.
** Don't pass integers via pam_set_data/pam_get_data.
May solve problems on 64-bit platforms. Based on patch from
forum.yubico.com.
* Version 1.12 (released 2009-03-24)
** Add support for "use_first_pass" and "try_first_pass".
They work similarly to other PAM modules; see README for more
documentation.
Upgrade notice: If you are relying on getting the Yubikey OTP from an
earlier PAM module, and no prompting by the pam_yubico module, you
need to add "try_first_pass" to preserve the same behaviour.
* Version 1.11 (released 2009-02-11)
** Added support to store user:keyid mapping in LDAP.
Contributed by Gregory Brusick <[email protected]>.
* Version 1.10 (released 2009-01-13)
** Change license to 2-clause BSD.
The Linux-PAM license is unclear, and in any case, the 2-clause BSD
license is compatible with 3-clause BSD and GPL.
* Version 1.9 (released 2009-01-13)
** Solaris portability improvements.
Suggested by Martin Englund <[email protected]>.
* Version 1.8 (released 2008-09-15)
** Add new parameter 'url' to specify the server template URL.
* Version 1.7 (released 2008-09-01)
** Support two-factor mode to provide a password.
** Support a user-specific configuration file to allow yubikeys per user.
** Use libyubikey-client instead of direct use of libcurl.
** Move *.m4's to m4/.
* Version 1.6 (released 2008-01-11)
** First release from code.google.com repository.
** Clarify documentation with regard to license and development info.
* Version 1.5 (internal release)
** Clarify that license is the same as Linux-PAM (GPLv2 or modified BSD).
This is likely the last internal release, source moving to code.google.com.
* Version 1.4 (internal release)
** Don't free CURL's user agent string before we're done.
* Version 1.3 (internal release)
** Disable echo'ing of password, for FreeRadius.
* Version 1.2 (internal release)
** Added PDF/HTML manual, see yubico-pam.pdf and yubico-pam.html.
** Fixes to use new web service API.
** Add "url" parameter.
** Fix "alwaysok" parameter.
** Fix crash on empty server responses.
** Parse "status" properly.
** Better debug info.
* Version 1.1 (internal release)
** Fix ws-api usage.
** Support "alwaysok".
* Version 1.0 (internal release)
** Initial release.