X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=debian%2Fchangelog;h=fea116d3ec10cd94420b4ca03e3c3ba1acc1ea3b;hb=0539c19e661f05d992fdeb6e05ec9dcf99bb691d;hp=38afa8192994b65877fd77c4bb7e9d5bdaec58dd;hpb=bb945fb1a5ba9ddeee3fc90a477cfc49e9b53ce5;p=mirror%2Fuserdir-ldap.git diff --git a/debian/changelog b/debian/changelog index 38afa81..fea116d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,254 @@ -userdir-ldap (0.3.21+X) Xunstable; urgency=low +userdir-ldap (0.3.46) unstable; urgency=low + + * Change the hmac that protect sudopassword entries to also + hash the purpose ("sudo") and the owning user's uid into + the mac. + + -- Peter Palfrader Fri, 14 Nov 2008 20:27:38 +0100 + +userdir-ldap (0.3.45) unstable; urgency=low + + * ud-generate: Declare [UNTRSUTED] flag as obsolete. + * ud-generate: Add [NOMARKERS] flag to not push markers (gps coordinates) to host. + * ud-replicate: Use --delete-after with rsync. Previously we didn't delete + stuff ever. + * ud-replicate: Sync only ssh_known_hosts into chroots, not ssh*. + * ud-replicate: Clean up better, correcting some mistakes done by earlier + versions. + + -- Peter Palfrader Sun, 26 Oct 2008 22:31:46 +0100 + +userdir-ldap (0.3.44) unstable; urgency=low + + * ud-mailgate: Do not support del requests for sshDSAAuthKey - there is no + such attribute. + * ud-generate: do not export sudopassword to untrusted or nopasswd hosts, + unless the password is explicitly added for this host and not just for '*'. + + -- Peter Palfrader Fri, 03 Oct 2008 13:23:22 +0200 + +userdir-ldap (0.3.43) unstable; urgency=low + + * FQHNs sometimes, well always, include dots. + + -- Peter Palfrader Tue, 16 Sep 2008 15:07:21 +0200 + +userdir-ldap (0.3.42) unstable; urgency=low + + * Export all accounts into sudo-passwd, even if they + do not have a sudo password set. Set their password to '*' then. + etc/pam.d/sudo should look like this then: + auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd + auth required pam_unix.so nullok_secure try_first_pass + @include common-account + + -- Peter Palfrader Tue, 16 Sep 2008 14:30:41 +0200 + +userdir-ldap (0.3.41) unstable; urgency=low + + * ud-generate: lower casing the sudopasswd ldap entry prior to parsing + and verifying it was a bad idea. + + -- Peter Palfrader Mon, 15 Sep 2008 19:26:14 +0200 + +userdir-ldap (0.3.40) unstable; urgency=low + + * Reading the hmac key only once is too troublesome. + + -- Peter Palfrader Mon, 15 Sep 2008 01:12:23 +0200 + +userdir-ldap (0.3.39) unstable; urgency=low + + * Lowercasing hashed sudo passwords in ud-mailgate not considered smart. + + -- Peter Palfrader Mon, 15 Sep 2008 00:40:13 +0200 + +userdir-ldap (0.3.38) unstable; urgency=low + + * Fix order of some calls so stuff works again. + * And import pwd and os and the hmac crowed in userdir_ldap.py. + * Using the right variable name will also help. + + -- Peter Palfrader Mon, 15 Sep 2008 00:18:37 +0200 + +userdir-ldap (0.3.37) unstable; urgency=low + + * ud-mailgate: Do not commit any changes if one of the requests is invalid + or could not be parsed or caused an error or anything. + * Add sudoPassword to schema, and the slapd.conf/ACL snippet + A sudoPassword entry in LDAP has the form of + " unconfirmed ", or + " confirmed:::")> " + * ud-mailgate: Implement confirmation of sudoPassword field: + A confirmationation is of the form + "confirm sudopassword ::")>" + * ud-generate: generate a sudo passwd file + + -- Peter Palfrader Sun, 14 Sep 2008 23:45:36 +0200 + +userdir-ldap (0.3.36) unstable; urgency=low + + * Aha. Error is not some magic variable or exception, it's a + normal string that needs defining when we use it. + + -- Peter Palfrader Sat, 19 Jul 2008 21:35:39 +0200 + +userdir-ldap (0.3.35) unstable; urgency=low + + * Check if a key has encryption capabilities and fail saying so when + trying to encrypt stuff (like passwords) to users. All this does is + give nicer error messages, it previously failed with just "gpg failed". + + -- Peter Palfrader Sat, 19 Jul 2008 16:17:13 +0200 + +userdir-ldap (0.3.34) unstable; urgency=low + + * ud-info: fix changing of DD status/DD status comment - + we were missing prompt information so we got a backtrace. + * ud-info: Warn when we don't have a prompt string for + attributes on startup. + * ud-info: Change the "retired" status to "inactive". + inactive covers memorial, removed, expelled more clearly. + * userdir_gpg.py + - do not use SIGEXPIRED, it's deprecated + - use EXPKEYSIG to tell if a signature is made by an expired key. + - Check that the primary key is not expired, even if we get a + GOODSIG status from gnupg. Based on patch by Jeremy T. Bouse. + + -- Peter Palfrader Tue, 08 Jul 2008 14:33:08 +0200 + +userdir-ldap (0.3.33) unstable; urgency=low + + * add "security simple_bind=128" to sample slapd.conf. + * ud-info: Only show "Lock account" in root mode. + * ud-info: Add "retire developer" option that sets + accountStatus properly to either retiring, retired, memorial + or active. Active is for all currently active developers, + memorial is for those who have passed away and whose accounts + will never be reused, retiring is a developer who is retired + but still receives mail at their @debian.org address. After + a few months they should move on to retired, with their mail + also disabled. accountStatus is just a freeform text, but + these 4 options should be the only ones that exist. + * Allow setting of gender in ud-mailgate. Based on patch by Bernhard + R. Link. + * Add userdir-ldap-slapd.conf, a snipped to be included in slapd.conf + to the package. + + -- Peter Palfrader Mon, 23 Jun 2008 22:59:02 +0200 + +userdir-ldap (0.3.32) unstable; urgency=low + + * Do SSL when connecting to the ldap server. + + -- Peter Palfrader Fri, 23 May 2008 23:50:03 +0200 + +userdir-ldap (0.3.31) unstable; urgency=low + + [ Joerg Jaspert ] + * Use sync_keyrings from config file in ud-generate instead of a + hardcoded list + * Use add_keyrings from config file in ud-useradd instead of a + hardcoded list + * Use ud-config to get the emailappend value in ud-replicate, no longer + hardcoding @debian.org + + [ Stephen Gran ] + * Document how to use unique overlay for uid and keyFingerPrint + + -- Peter Palfrader Fri, 23 May 2008 10:01:51 +0200 + +userdir-ldap (0.3.30) unstable; urgency=low + + * When we touch usePassword in ud-info or ud-mailgate we now also + update shadowLastChange. + * When we lock accounts, set shadowExpire to 1. shadowExpire + is "days since Jan 1, 1970 that account is disabled". + * Properly capitalize shadowInactive and shadowExpire attributes in + ud-info and ud-generate. + * Add copyright statements to ud-info from bzr log. + + -- Peter Palfrader Thu, 22 May 2008 22:39:10 +0200 + +userdir-ldap (0.3.29) unstable; urgency=low + + * ud-info: Add an option "L" to lock accounts in the interactive + interface. Locking an account sets a user's password to "{crypt}*LK*" + and sets a mailDisableMessage of "account locked". + + -- Peter Palfrader Thu, 22 May 2008 21:49:19 +0200 + +userdir-ldap (0.3.28) unstable; urgency=low + + * ud-generate: Do not disable mail just because the account is locked. + + -- Peter Palfrader Thu, 22 May 2008 21:38:56 +0200 + +userdir-ldap (0.3.27) unstable; urgency=low + + * Export ssh-keys.tar.gz to [UNTRUSTED] hosts. Since we already export + ssh-rsa-shadow this is probably the right thing. + * Make keys in the ssh-keys tarball mode 0400 instead of mode 0600. + + -- Peter Palfrader Mon, 19 May 2008 08:55:28 +0200 + +userdir-ldap (0.3.26) unstable; urgency=low + + * ud-replicate: sgran pointed out that if all we care about ignoring is + EEXIST then we should use mkdir -p instead of [ -d userkeys ] || mkdir + userkeys. + * ud-mailgate: a bug in DoSSH caused all changes to fail that came after + DoSSH in HandleChange. Now DoSSH properly returns without raising an + exception if the line to handle is not an ssh public key. + * Fix userdir-ldap.schema (objectClass now contains MAY: VoIP). [zobel] + + -- Peter Palfrader Sun, 18 May 2008 14:27:50 +0200 + +userdir-ldap (0.3.25) unstable; urgency=low + + * Make ssh-keys.tar.gz readable only by the user. + + -- Peter Palfrader Sat, 17 May 2008 16:14:56 +0200 + +userdir-ldap (0.3.24) unstable; urgency=low + + * ud-mailgate: better regex for ssh1 keys, which we reject. [joerg, weasel] + * ud-replicate: Also support the imposter dchroot-dsa from the debian + archive. [aba, weasel] + * ud-generate: Add support for generation of authorized_keys file on + the db host for the sshdist user. This is now possible since + ud-replicate clients use their ssh host key to authenticate to the + db server. The code now supports this but the feature is still + disabled. [aba] + * ud-generate: Add performance optimization by resolving IP adresses + for hosts only once and caching the result. [aba] + * ud-replicate, ud-generate: In addition to one big ssh-rsa-shadow file + ud-generate now produces per-user authorized_keys files and tars + them up. On the receiving end ud-replicate takes the tar and + syncs it to userkeys/. The goal here is to no longer require + a patched sshd. Setting AuthorizedKeysFile2 to + /var/lib/misc/userkeys/%u is sufficient. For homedir creation + we can use pam_mkhomedir. [mhy, sgran] + + -- Peter Palfrader Sat, 17 May 2008 14:49:28 +0200 + +userdir-ldap (0.3.23) unstable; urgency=low + + * Fix generation of known_hosts file. + + -- Peter Palfrader Wed, 14 May 2008 17:55:45 +0200 + +userdir-ldap (0.3.22) unstable; urgency=low * Add VoIP fiels to the LDAP shema and teach ud-info and ud-mailgate about it. [zobel] + * Add IPv6-Adresses (and IPv4 in v6 notation - ::ffff:192.0.2.1) to + ssh_known_hosts. [aba] + * ud-mailgate no longer accepts ssh dss keys, keys with a size smaller + than 1024. Additionally it checks new keys against a blacklist of + ssh key fingerprints. [joerg] - -- Peter Palfrader Wed, 14 May 2008 17:31:22 +0200 + -- Peter Palfrader Wed, 14 May 2008 17:47:45 +0200 userdir-ldap (0.3.21) unstable; urgency=low