]> git.proxmox.com Git - pve-access-control.git/blame - debian/changelog
projects / pve-access-control.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bump version to 8.0.0~2
[pve-access-control.git] / debian / changelog
CommitLineData
3ef602fe
TL		 1libpve-access-control (8.0.0~2) bookworm; urgency=medium
2
3 * api: user index: only include existing tfa lock flags
4
5 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
6
7 * roles: only include Permissions.Modify in Administrator built-in role.
8 As, depending on the ACL object path, this privilege might allow one to
9 change their own permissions, which was making the distinction between
10 Admin and PVEAdmin irrelevant.
11
12 * acls: restrict less-privileged ACL modifications. Through allocate
13 permissions in pools, storages and virtual guests one can do some ACL
14 modifications without having the Permissions.Modify privilege, lock those
15 better down to ensure that one can only hand out only the subset of their
16 own privileges, never more. Note that this is mostly future proofing, as
17 the ACL object paths one could give out more permissions where already
18 limiting the scope.
19
20 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
21
f63364a7
WB		 22libpve-access-control (8.0.0~1) bookworm; urgency=medium
23
24 * bump pve-rs dependency to 0.8.3
25
26 * drop old verify_tfa api call (POST /access/tfa)
27
28 * drop support for old login API:
29 - 'new-format' is now considured to be 1 and ignored by the API
30
31 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
32 address
33
34 * cli: add 'pveum tfa list'
35
36 * cli: add 'pveum tfa unlock'
37
38 * enable lockout of TFA:
39 - too many TOTP attempts will lock out of TOTP
40 - using a recovery key will unlock TOTP
41 - too many TFA attempts will lock a user's TFA auth for an hour
42
43 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
44 authentication if it was locked by too many wrong 2nd factor login attempts
45
46 * api: /access/tfa and /access/users now include the tfa lockout status
47
48 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
49
a3dc6ff4
TL		 50libpve-access-control (7.99.0) bookworm; urgency=medium
51
52 * initial re-build for Proxmox VE 8.x series
53
54 * switch to native versioning
55
56 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
57
f2762a03
WB		 58libpve-access-control (7.4-3) bullseye; urgency=medium
59
60 * use new 2nd factor verification from pve-rs
61
62 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
63
f0595d15
TL		 64libpve-access-control (7.4-2) bullseye; urgency=medium
65
66 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
67 wasn't accepted anymore
68
69 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
70
a23eaa1a
TL		 71libpve-access-control (7.4-1) bullseye; urgency=medium
72
73 * realm sync: refactor scope/remove-vanished into a standard option
74
75 * ldap: Allow quoted values for DN attribute values
76
77 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
78
df33b3b9
TL		 79libpve-access-control (7.3-2) bullseye; urgency=medium
80
81 * fix #4518: dramatically improve ACL computation performance
82
83 * userid format: clarify that this is the full name@realm in description
84
85 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
86
2da8c203
TL		 87libpve-access-control (7.3-1) bullseye; urgency=medium
88
89 * realm: sync: allow explicit 'none' for 'remove-vanished' option
90
91 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
92
b84bf623
TL		 93libpve-access-control (7.2-5) bullseye; urgency=medium
94
95 * api: realm sync: avoid separate log line for "remove-vanished" opt
96
97 * auth ldap/ad: compare group member dn case-insensitively
98
99 * two factor auth: only lock tfa config for recovery keys
100
101 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
102 migrations and storage migrations
103
104 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
105
f4e68e49
TL		 106libpve-access-control (7.2-4) bullseye; urgency=medium
107
108 * fix #4074: increase API OpenID code size limit to 2048
109
110 * auth key: protect against rare chance of a double rotation in clusters,
111 leaving the potential that some set of nodes have the earlier key cached,
112 that then got rotated out due to the race, resulting in a possible other
113 set of nodes having the newer key cached. This is a split view of the auth
114 key and may resulting in spurious failures if API requests are made to a
115 different node than the ticket was generated on.
116 In addition to that, the "keep validity of old tickets if signed in the
117 last two hours before rotation" logic was disabled too in such a case,
118 making such tickets invalid too early.
119 Note that both are cases where Proxmox VE was too strict, so while this
120 had no security implications it can be a nuisance, especially for
121 environments that use the API through an automated or scripted way
122
123 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
124
26dde491
TL		 125libpve-access-control (7.2-3) bullseye; urgency=medium
126
127 * api: token: use userid-group as API perm check to avoid being overly
128 strict through a misguided use of user id for non-root users.
129
130 * perm check: forbid undefined/empty ACL path for future proofing of against
131 above issue
132
133 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
134
1cf4389b
TL		 135libpve-access-control (7.2-2) bullseye; urgency=medium
136
137 * permissions: merge propagation flag for multiple roles on a path that
138 share privilege in a deterministic way, to avoid that it gets lost
139 depending on perl's random sort, which would result in returing less
140 privileges than an auth-id actually had.
141
142 * permissions: avoid that token and user privilege intersection is to strict
143 for user permissions that have propagation disabled.
144
145 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
146
e3604d48
TL		 147libpve-access-control (7.2-1) bullseye; urgency=medium
148
149 * user check: fix expiration/enable order
150
151 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
152
79ae250f
TL		 153libpve-access-control (7.1-8) bullseye; urgency=medium
154
155 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
156 vanished'
157
158 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
159
eed46286
TL		 160libpve-access-control (7.1-7) bullseye; urgency=medium
161
162 * userid-group check: distinguish create and update
163
164 * api: get user: declare token schema
165
166 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
167
cd78b295
FG		 168libpve-access-control (7.1-6) bullseye; urgency=medium
169
170 * fix #3768: warn on bad u2f or webauthn settings
171
172 * tfa: when modifying others, verify the current user's password
173
174 * tfa list: account for admin permissions
175
176 * fix realm sync permissions
177
178 * fix token permission display bug
179
180 * include SDN permissions in permission tree
181
182 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
183
118088d8
TL		 184libpve-access-control (7.1-5) bullseye; urgency=medium
185
186 * openid: fix username-claim fallback
187
188 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
189
ebb14277
WB		 190libpve-access-control (7.1-4) bullseye; urgency=medium
191
192 * set current origin in the webauthn config if no fixed origin was
193 configured, to support webauthn via subdomains
194
195 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
196
44a55ff7
TL		 197libpve-access-control (7.1-3) bullseye; urgency=medium
198
199 * openid: allow arbitrary username-claims
200
201 * openid: support configuring the prompt, scopes and ACR values
202
203 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
204
6f643e79
TL		 205libpve-access-control (7.1-2) bullseye; urgency=medium
206
207 * catch incompatible tfa entries with a nice error
208
209 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
210
92bca71e
TL		 211libpve-access-control (7.1-1) bullseye; urgency=medium
212
213 * tfa: map HTTP 404 error in get_tfa_entry correctly
214
215 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
216
1c9b6501
TL		 217libpve-access-control (7.0-7) bullseye; urgency=medium
218
219 * fix #3513: pass configured proxy to OpenID
220
221 * use rust based parser for TFA config
222
223 * use PBS-like auth api call flow,
224
225 * merge old user.cfg keys to tfa config when adding entries
226
227 * implement version checks for new tfa config writer to ensure all
228 cluster nodes are ready to avoid login issues
229
230 * tickets: add tunnel ticket
231
232 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
233
cd46b379
TL		 234libpve-access-control (7.0-6) bullseye; urgency=medium
235
236 * fix regression in user deletion when realm does not enforce TFA
237
238 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
239
52da88a8
TL		 240libpve-access-control (7.0-5) bullseye; urgency=medium
241
242 * acl: check path: add /sdn/vnets/* path
243
244 * fix #2302: allow deletion of users when realm enforces TFA
245
246 * api: delete user: disable user first to avoid surprise on error during the
247 various cleanup action required for user deletion (e.g., TFA, ACL, group)
248
249 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
250
543d646c
TL		 251libpve-access-control (7.0-4) bullseye; urgency=medium
252
253 * realm: add OpenID configuration
254
255 * api: implement OpenID related endpoints
256
257 * implement opt-in OpenID autocreate user feature
258
259 * api: user: add 'realm-type' to user list response
260
261 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
262
7a4c4fd8
TL		 263libpve-access-control (7.0-3) bullseye; urgency=medium
264
265 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
266 `/sdn/zones/<zone>` to allowed ACL paths
267
268 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
269
0902a936
FG		 270libpve-access-control (7.0-2) bullseye; urgency=medium
271
272 * fix #3402: add Pool.Audit privilege - custom roles containing
273 Pool.Allocate must be updated to include the new privilege.
274
275 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
276
67febb69
TL		 277libpve-access-control (7.0-1) bullseye; urgency=medium
278
279 * re-build for Debian 11 Bullseye based releases
280
281 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
282
2942ba41
TL		 283libpve-access-control (6.4-1) pve; urgency=medium
284
285 * fix #1670: change PAM service name to project specific name
286
287 * fix #1500: permission path syntax check for access control
288
289 * pveum: add resource pool CLI commands
290
291 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
292
54d312f3
TL		 293libpve-access-control (6.1-3) pve; urgency=medium
294
295 * partially fix #2825: authkey: rotate if it was generated in the
296 future
297
298 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
299 insensitive
300
301 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
302
6a9be12f
TL		 303libpve-access-control (6.1-2) pve; urgency=medium
304
305 * also check SDN permission path when computing coarse permissions heuristic
306 for UIs
307
308 * add SDN Permissions.Modify
309
310 * add VM.Config.Cloudinit
311
312 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
313
e6624f50
TL		 314libpve-access-control (6.1-1) pve; urgency=medium
315
316 * pveum: add tfa delete subcommand for deleting user-TFA
317
318 * LDAP: don't complain about missing credentials on realm removal
319
320 * LDAP: skip anonymous bind when client certificate and key is configured
321
322 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
323
8f4a522f
TL		 324libpve-access-control (6.0-7) pve; urgency=medium
325
326 * fix #2575: die when trying to edit built-in roles
327
328 * add realm sub commands to pveum CLI tool
329
7d23b7ca 330 * api: domains: add user group sync API endpoint
8f4a522f
TL		 331
332 * allow one to sync and import users and groups from LDAP/AD based realms
333
334 * realm: add default-sync-options to config for more convenient sync configuration
335
336 * api: token create: return also full token id for convenience
337
338 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
339
23059f35
TL		 340libpve-access-control (6.0-6) pve; urgency=medium
341
342 * API: add group members to group index
343
344 * implement API token support and management
345
346 * pveum: add 'pveum user token add/update/remove/list'
347
348 * pveum: add permissions sub-commands
349
350 * API: add 'permissions' API endpoint
351
352 * user.cfg: skip inexisting roles when parsing ACLs
353
354 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
355
3dd692e9
TL		 356libpve-access-control (6.0-5) pve; urgency=medium
357
358 * pveum: add list command for users, groups, ACLs and roles
359
360 * add initial permissions for experimental SDN integration
361
362 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
363
4ef92d0d
FG		 364libpve-access-control (6.0-4) pve; urgency=medium
365
366 * ticket: use clinfo to get cluster name
367
368 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
369 SSL version
370
371 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
372
6e5bbca4
TL		 373libpve-access-control (6.0-3) pve; urgency=medium
374
375 * fix #2433: increase possible TFA secret length
376
377 * parse user configuration: correctly parse group names in ACLs, for users
378 which begin their name with an @
379
380 * sort user.cfg entries alphabetically
381
382 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
383
e073493c
TL		 384libpve-access-control (6.0-2) pve; urgency=medium
385
386 * improve CSRF verification compatibility with newer PVE
387
388 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
389
a237dc2e
TL		 390libpve-access-control (6.0-1) pve; urgency=medium
391
392 * ticket: properly verify exactly 5 minute old tickets
393
394 * use hmac_sha256 instead of sha1 for CSRF token generation
395
396 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
397
f1531f22
TL		 398libpve-access-control (6.0-0+1) pve; urgency=medium
399
400 * bump for Debian buster
401
402 * fix #2079: add periodic auth key rotation
403
404 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
405
ef761f51
TL		 406libpve-access-control (5.1-10) unstable; urgency=medium
407
408 * add /access/user/{id}/tfa api call to get tfa types
409
410 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
411
860ddcba
TL		 412libpve-access-control (5.1-9) unstable; urgency=medium
413
414 * store the tfa type in user.cfg allowing to get it without proxying the call
7d23b7ca 415 to a higher privileged daemon.
860ddcba
TL		 416
417 * tfa: realm required TFA should lock out users without TFA configured, as it
418 was done before Proxmox VE 5.4
419
420 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
421
9fbad012
TL		 422libpve-access-control (5.1-8) unstable; urgency=medium
423
424 * U2F: ensure we save correct public key on registration
425
426 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
427
4473c96c
TL		 428libpve-access-control (5.1-7) unstable; urgency=medium
429
430 * verify_ticket: allow general non-challenge tfa to be run as two step
431 call
432
433 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
434
a270d4e1
TL		 435libpve-access-control (5.1-6) unstable; urgency=medium
436
437 * more general 2FA configuration via priv/tfa.cfg
438
439 * add u2f api endpoints
440
441 * delete TFA entries when deleting a user
442
443 * allow users to change their TOTP settings
444
445 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
446
374647e8
TL		 447libpve-access-control (5.1-5) unstable; urgency=medium
448
449 * fix vnc ticket verification without authkey lifetime
450
451 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
452
7fb70c94
TL		 453libpve-access-control (5.1-4) unstable; urgency=medium
454
455 * fix #1891: Add zsh command completion for pveum
456
457 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
458 to avoid issues on upgrade, will be enabled with 6.0
459
460 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
461
6e010cde
TL		 462libpve-access-control (5.1-3) unstable; urgency=medium
463
464 * api/ticket: move getting cluster name into an eval
465
466 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
467
f5a9380a
TL		 468libpve-access-control (5.1-2) unstable; urgency=medium
469
470 * fix #1998: correct return properties for read_role
471
472 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
473
b54b7474
TL		 474libpve-access-control (5.1-1) unstable; urgency=medium
475
476 * pveum: introduce sub-commands
477
478 * register userid with completion
479
480 * fix #233: return cluster name on successful login
481
482 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
483
52192dd4
WB		 484libpve-access-control (5.0-8) unstable; urgency=medium
485
486 * fix #1612: ldap: make 2nd server work with bind domains again
487
488 * fix an error message where passing a bad pool id to an API function would
489 make it complain about a wrong group name instead
490
491 * fix the API-returned permission list so that the GUI knows to show the
492 'Permissions' tab for a storage to an administrator apart from root@pam
493
494 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
495
3dadf8cf
FG		 496libpve-access-control (5.0-7) unstable; urgency=medium
497
498 * VM.Snapshot.Rollback privilege added
499
500 * api: check for special roles before locking the usercfg
501
502 * fix #1501: pveum: die when deleting special role
503
504 * API/ticket: rework coarse grained permission computation
505
506 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
507
ec4141f4
WB		 508libpve-access-control (5.0-6) unstable; urgency=medium
509
510 * Close #1470: Add server ceritifcate verification for AD and LDAP via the
511 'verify' option. For compatibility reasons this defaults to off for now,
512 but that might change with future updates.
513
514 * AD, LDAP: Add ability to specify a CA path or file, and a client
515 certificate via the 'capath', 'cert' and 'certkey' options.
516
517 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
518
63134bd4
DM		 519libpve-access-control (5.0-5) unstable; urgency=medium
520
521 * change from dpkg-deb to dpkg-buildpackage
522
523 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
524
868fb1ea
DM		 525libpve-access-control (5.0-4) unstable; urgency=medium
526
527 * PVE/CLI/pveum.pm: call setup_default_cli_env()
528
529 * PVE/Auth/PVE.pm: encode uft8 password before calling crypt
530
531 * check_api2_permissions: avoid warning about uninitialized value
532
533 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
534
63358f40
DM		 535libpve-access-control (5.0-3) unstable; urgency=medium
536
537 * use new PVE::OTP class from pve-common
538
539 * use new PVE::Tools::encrypt_pw from pve-common
540
541 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
542
05fd50af
DM		 543libpve-access-control (5.0-2) unstable; urgency=medium
544
545 * encrypt_pw: avoid '+' for crypt salt
546
547 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
548
0835385b
FG		 549libpve-access-control (5.0-1) unstable; urgency=medium
550
551 * rebuild for PVE 5.0
552
553 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
554
730f8863
DM		 555libpve-access-control (4.0-23) unstable; urgency=medium
556
557 * use new PVE::Ticket class
558
559 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
560
1f1c4593
DM		 561libpve-access-control (4.0-22) unstable; urgency=medium
562
563 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
564 (moved to PVE::Storage)
565
566 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
567
568 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
569
f9105063
DM		 570libpve-access-control (4.0-21) unstable; urgency=medium
571
572 * setup_default_cli_env: expect $class as first parameter
573
574 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
575
9595066e
DM		 576libpve-access-control (4.0-20) unstable; urgency=medium
577
578 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
579
580 * PVE/API2/Domains.pm: fix property description
581
582 * use new repoman for upload target
583
584 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
585
2af5a793
DM		 586libpve-access-control (4.0-19) unstable; urgency=medium
587
588 * Close #833: ldap: non-anonymous bind support
589
590 * don't import 'RFC' from MIME::Base32
591
592 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
593
5d87bb77
WB		 594libpve-access-control (4.0-18) unstable; urgency=medium
595
596 * fix #1062: recognize base32 otp keys again
597
598 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
599
28ddf48b
WB		 600libpve-access-control (4.0-17) unstable; urgency=medium
601
602 * drop oathtool and libdigest-hmac-perl dependencies
603
604 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
605
15cebb28
DM		 606libpve-access-control (4.0-16) unstable; urgency=medium
607
608 * use pve-doc-generator to generate man pages
609
610 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
611
678df887
DM		 612libpve-access-control (4.0-15) unstable; urgency=medium
613
614 * Fix uninitialized warning when shadow.cfg does not exist
615
616 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
617
cca9761a
DM		 618libpve-access-control (4.0-14) unstable; urgency=medium
619
620 * Add is_worker to RPCEnvironment
621
622 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
623
8643c99d
DM		 624libpve-access-control (4.0-13) unstable; urgency=medium
625
626 * fix #916: allow HTTPS to access custom yubico url
627
628 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
629
ae2a6bf9
DM		 630libpve-access-control (4.0-12) unstable; urgency=medium
631
632 * Catch certificate errors instead of segfaulting
633
634 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
635
4836db5f
DM		 636libpve-access-control (4.0-11) unstable; urgency=medium
637
638 * Fix #861: use safer sprintf formatting
639
640 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
641
ccbe23dc
DM		 642libpve-access-control (4.0-10) unstable; urgency=medium
643
644 * Auth::LDAP, Auth::AD: ipv6 support
645
646 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
647
90399ca4
DM		 648libpve-access-control (4.0-9) unstable; urgency=medium
649
650 * pveum: implement bash completion
651
652 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
653
364ffc13
DM		 654libpve-access-control (4.0-8) unstable; urgency=medium
655
656 * remove_storage_access: cleanup of access permissions for removed storage
657
658 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
659
7c26cb4a
DM		 660libpve-access-control (4.0-7) unstable; urgency=medium
661
662 * new helper to remove access permissions for removed VMs
663
664 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
665
296afbd1
DM		 666libpve-access-control (4.0-6) unstable; urgency=medium
667
668 * improve parse_user_config, parse_shadow_config
669
670 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
671
7d2df2ef
DM		 672libpve-access-control (4.0-5) unstable; urgency=medium
673
674 * pveum: check for $cmd being defined
675
676 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
677
98a34e3f
DM		 678libpve-access-control (4.0-4) unstable; urgency=medium
679
680 * use activate-noawait triggers
681
682 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
683
15462727
DM		 684libpve-access-control (4.0-3) unstable; urgency=medium
685
686 * IPv6 fixes
687
688 * non-root buildfix
689
690 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
691
bbf4cc9a
DM		 692libpve-access-control (4.0-2) unstable; urgency=medium
693
694 * trigger pve-api-updates event
695
696 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
697
dfbcf6d3
DM		 698libpve-access-control (4.0-1) unstable; urgency=medium
699
700 * bump version for Debian Jessie
701
702 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
703
94971b3a
DM		 704libpve-access-control (3.0-16) unstable; urgency=low
705
706 * root@pam can now be disabled in GUI.
707
708 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
709
7b17c7cb
DM		 710libpve-access-control (3.0-15) unstable; urgency=low
711
712 * oath: add 'step' and 'digits' option
713
714 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
715
1abc2c0a
DM		 716libpve-access-control (3.0-14) unstable; urgency=low
717
718 * add oath two factor auth
719
720 * add oathkeygen binary to generate keys for oath
721
722 * add yubico two factor auth
723
724 * dedend on oathtool
725
726 * depend on libmime-base32-perl
30be0de9
DM		 727
728 * allow to write builtin auth domains config (comment/tfa/default)
1abc2c0a
DM		 729
730 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
731
298450ab
DM		 732libpve-access-control (3.0-13) unstable; urgency=low
733
734 * use correct connection string for AD auth
735
736 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
737
396034e4
DM		 738libpve-access-control (3.0-12) unstable; urgency=low
739
740 * add dummy API for GET /access/ticket (useful to generate login pages)
741
742 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
743
26361123
DM		 744libpve-access-control (3.0-11) unstable; urgency=low
745
746 * Sets common hot keys for spice client
747
748 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
749
3643383d
DM		 750libpve-access-control (3.0-10) unstable; urgency=low
751
752 * implement helper to generate SPICE remote-viewer configuration
753
754 * depend on libnet-ssleay-perl
755
756 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
757
0baedcf7
DM		 758libpve-access-control (3.0-9) unstable; urgency=low
759
760 * prevent user enumeration attacks
e4f8fc2e
DM		 761
762 * allow dots in access paths
0baedcf7
DM		 763
764 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
765
d4b63eae
DM		 766libpve-access-control (3.0-8) unstable; urgency=low
767
768 * spice: use lowercase hostname in ticktet signature
769
770 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
771
49594944
DM		 772libpve-access-control (3.0-7) unstable; urgency=low
773
774 * check_volume_access : use parse_volname instead of path, and remove
775 path related code.
7c410d63
DM		 776
777 * use warnings instead of global -w flag.
49594944
DM		 778
779 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
780
fe7de5d0
DM		 781libpve-access-control (3.0-6) unstable; urgency=low
782
783 * use shorter spiceproxy tickets
784
785 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
786
4cdd9507
DM		 787libpve-access-control (3.0-5) unstable; urgency=low
788
789 * add code to generate tickets for SPICE
790
791 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
792
677f9ab0
DM		 793libpve-access-control (3.0-4) unstable; urgency=low
794
795 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
796
797 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
798
139a8ecf
DM		 799libpve-access-control (3.0-3) unstable; urgency=low
800
7d23b7ca 801 * Add new role PVETemplateUser (and VM.Clone privilege)
139a8ecf
DM		 802
803 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
804
b78ce7c2
DM		 805libpve-access-control (3.0-2) unstable; urgency=low
806
807 * remove CGI.pm related code (pveproxy does not need that)
808
809 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
810
786820f9
DM		 811libpve-access-control (3.0-1) unstable; urgency=low
812
813 * bump version for wheezy release
814
815 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
816
e5ae5487
DM		 817libpve-access-control (1.0-26) unstable; urgency=low
818
819 * check_volume_access: fix access permissions for backup files
820
821 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
822
e3e6510c
DM		 823libpve-access-control (1.0-25) unstable; urgency=low
824
825 * add VM.Snapshot permission
826
827 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
828
1e15ebe7
DM		 829libpve-access-control (1.0-24) unstable; urgency=low
830
831 * untaint path (allow root to restore arbitrary paths)
832
833 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
834
437be042
DM		 835libpve-access-control (1.0-23) unstable; urgency=low
836
837 * correctly compute GUI capabilities (consider pools)
838
839 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
840
5bb4e06a
DM		 841libpve-access-control (1.0-22) unstable; urgency=low
842
843 * new plugin architecture for Auth modules, minor API change for Auth
844 domains (new 'delete' parameter)
845
846 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
847
3030a176
DM		 848libpve-access-control (1.0-21) unstable; urgency=low
849
850 * do not allow user names including slash
851
852 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
853
854libpve-access-control (1.0-20) unstable; urgency=low
855
856 * add ability to fork cli workers in background
857
858 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
859
dd2cfee0
DM		 860libpve-access-control (1.0-19) unstable; urgency=low
861
862 * return set of privileges on login - can be used to adopt GUI
863
864 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
865
1cf154b7
DM		 866libpve-access-control (1.0-18) unstable; urgency=low
867
7d23b7ca 868 * fix bug #151: correctly parse username inside ticket
533219a1
DM		 869
870 * fix bug #152: allow user to change his own password
1cf154b7
DM		 871
872 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
873
2de14407
DM		 874libpve-access-control (1.0-17) unstable; urgency=low
875
876 * set propagate flag by default
877
878 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
879
bdc61d7a
DM		 880libpve-access-control (1.0-16) unstable; urgency=low
881
882 * add 'pveum passwd' method
883
884 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
885
cc7bdf33
DM		 886libpve-access-control (1.0-15) unstable; urgency=low
887
888 * Add VM.Config.CDROM privilege to PVEVMUser rule
889
890 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
891
a69bbe2e
DM		 892libpve-access-control (1.0-14) unstable; urgency=low
893
894 * fix buf in userid-param permission check
895
896 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
897
d9483d94
DM		 898libpve-access-control (1.0-13) unstable; urgency=low
899
900 * allow more characters in ldap base_dn attribute
901
902 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
903
84619607
DM		 904libpve-access-control (1.0-12) unstable; urgency=low
905
906 * allow more characters with realm IDs
907
908 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
909
09d27058
DM		 910libpve-access-control (1.0-11) unstable; urgency=low
911
912 * fix bug in exec_api2_perm_check
913
914 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
915
7a4c849e
DM		 916libpve-access-control (1.0-10) unstable; urgency=low
917
918 * fix ACL group name parser
919
920 * changed 'pveum aclmod' command line arguments
921
922 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
923
3eac4e35
DM		 924libpve-access-control (1.0-9) unstable; urgency=low
925
926 * fix bug in check_volume_access (fixes vzrestore)
927
928 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
929
4384e19e
DM		 930libpve-access-control (1.0-8) unstable; urgency=low
931
932 * fix return value for empty ACL list.
933
934 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
935
d8a56966
DM		 936libpve-access-control (1.0-7) unstable; urgency=low
937
938 * fix bug #85: allow root@pam to generate tickets for other users
939
940 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
941
cb6f2f93
DM		 942libpve-access-control (1.0-6) unstable; urgency=low
943
944 * API change: allow to filter enabled/disabled users.
945
946 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
947
272fe9ff
DM		 948libpve-access-control (1.0-5) unstable; urgency=low
949
950 * add a way to return file changes (diffs): set_result_changes()
951
952 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
953
e42eedbc
DM		 954libpve-access-control (1.0-4) unstable; urgency=low
955
956 * new environment type for ha agents
957
958 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
959
1fba27e0
DM		 960libpve-access-control (1.0-3) unstable; urgency=low
961
962 * add support for delayed parameter parsing - We need that to disable
7d23b7ca 963 file upload for normal API request (avoid DOS attacks)
1fba27e0
DM		 964
965 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
966
5bf71a96
DM		 967libpve-access-control (1.0-2) unstable; urgency=low
968
969 * fix bug in fork_worker
970
971 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
972
2c3a6c0a
DM		 973libpve-access-control (1.0-1) unstable; urgency=low
974
975 * allow '-' in permission paths
976
977 * bump version to 1.0
978
979 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
980
981libpve-access-control (0.1) unstable; urgency=low
982
983 * first dummy package - no functionality
984
985 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200
986
Access control framework