1 libpve-access-control (8.0.6) bookworm; urgency=medium
3 * perms: fix wrong /pools entry in default set of ACL paths
5 * acl: add missing SDN ACL paths to allowed list
7 -- Proxmox Support Team <support@proxmox.com> Fri, 17 Nov 2023 08:27:11 +0100
9 libpve-access-control (8.0.5) bookworm; urgency=medium
11 * fix an issue where setting ldap passwords would refuse to work unless
12 at least one additional property was changed as well
14 * add 'check-connection' parameter to create and update endpoints for ldap
17 -- Proxmox Support Team <support@proxmox.com> Fri, 11 Aug 2023 13:35:23 +0200
19 libpve-access-control (8.0.4) bookworm; urgency=medium
21 * Lookup of second factors is no longer tied to the 'keys' field in the
22 user.cfg. This fixes an issue where certain LDAP/AD sync job settings
23 could disable user-configured 2nd factors.
25 * Existing-but-disabled TFA factors can no longer circumvent realm-mandated
28 -- Proxmox Support Team <support@proxmox.com> Thu, 20 Jul 2023 10:59:21 +0200
30 libpve-access-control (8.0.3) bookworm; urgency=medium
32 * pveum: list tfa: recovery keys have no descriptions
34 * pveum: list tfa: sort by user ID
36 * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
37 is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
38 VE 7.4 before upgrading to Proxmox VE 8 in addition to that.
40 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200
42 libpve-access-control (8.0.2) bookworm; urgency=medium
44 * api: users: sort groups to avoid "flapping" text
46 * api: tfa: don't block tokens from viewing and list TFA entries, both are
47 safe to do for anybody with enough permissions to view a user.
49 * api: tfa: add missing links for child-routes
51 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200
53 libpve-access-control (8.0.1) bookworm; urgency=medium
55 * tfa: cope with native versions in cluster version check
57 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
59 libpve-access-control (8.0.0) bookworm; urgency=medium
61 * api: roles: forbid creating new roles starting with "PVE" namespace
63 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
65 libpve-access-control (8.0.0~3) bookworm; urgency=medium
67 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
69 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
71 * add helper for checking bridge access
73 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
74 which user are allowed to use a bridge (or vnet, if SDN is installed)
76 * add privileges and paths for cluster resource mapping
78 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
80 libpve-access-control (8.0.0~2) bookworm; urgency=medium
82 * api: user index: only include existing tfa lock flags
84 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
86 * roles: only include Permissions.Modify in Administrator built-in role.
87 As, depending on the ACL object path, this privilege might allow one to
88 change their own permissions, which was making the distinction between
89 Admin and PVEAdmin irrelevant.
91 * acls: restrict less-privileged ACL modifications. Through allocate
92 permissions in pools, storages and virtual guests one can do some ACL
93 modifications without having the Permissions.Modify privilege, lock those
94 better down to ensure that one can only hand out only the subset of their
95 own privileges, never more. Note that this is mostly future proofing, as
96 the ACL object paths one could give out more permissions where already
99 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
101 libpve-access-control (8.0.0~1) bookworm; urgency=medium
103 * bump pve-rs dependency to 0.8.3
105 * drop old verify_tfa api call (POST /access/tfa)
107 * drop support for old login API:
108 - 'new-format' is now considured to be 1 and ignored by the API
110 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
113 * cli: add 'pveum tfa list'
115 * cli: add 'pveum tfa unlock'
117 * enable lockout of TFA:
118 - too many TOTP attempts will lock out of TOTP
119 - using a recovery key will unlock TOTP
120 - too many TFA attempts will lock a user's TFA auth for an hour
122 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
123 authentication if it was locked by too many wrong 2nd factor login attempts
125 * api: /access/tfa and /access/users now include the tfa lockout status
127 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
129 libpve-access-control (7.99.0) bookworm; urgency=medium
131 * initial re-build for Proxmox VE 8.x series
133 * switch to native versioning
135 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
137 libpve-access-control (7.4-3) bullseye; urgency=medium
139 * use new 2nd factor verification from pve-rs
141 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
143 libpve-access-control (7.4-2) bullseye; urgency=medium
145 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
146 wasn't accepted anymore
148 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
150 libpve-access-control (7.4-1) bullseye; urgency=medium
152 * realm sync: refactor scope/remove-vanished into a standard option
154 * ldap: Allow quoted values for DN attribute values
156 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
158 libpve-access-control (7.3-2) bullseye; urgency=medium
160 * fix #4518: dramatically improve ACL computation performance
162 * userid format: clarify that this is the full name@realm in description
164 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
166 libpve-access-control (7.3-1) bullseye; urgency=medium
168 * realm: sync: allow explicit 'none' for 'remove-vanished' option
170 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
172 libpve-access-control (7.2-5) bullseye; urgency=medium
174 * api: realm sync: avoid separate log line for "remove-vanished" opt
176 * auth ldap/ad: compare group member dn case-insensitively
178 * two factor auth: only lock tfa config for recovery keys
180 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
181 migrations and storage migrations
183 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
185 libpve-access-control (7.2-4) bullseye; urgency=medium
187 * fix #4074: increase API OpenID code size limit to 2048
189 * auth key: protect against rare chance of a double rotation in clusters,
190 leaving the potential that some set of nodes have the earlier key cached,
191 that then got rotated out due to the race, resulting in a possible other
192 set of nodes having the newer key cached. This is a split view of the auth
193 key and may resulting in spurious failures if API requests are made to a
194 different node than the ticket was generated on.
195 In addition to that, the "keep validity of old tickets if signed in the
196 last two hours before rotation" logic was disabled too in such a case,
197 making such tickets invalid too early.
198 Note that both are cases where Proxmox VE was too strict, so while this
199 had no security implications it can be a nuisance, especially for
200 environments that use the API through an automated or scripted way
202 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
204 libpve-access-control (7.2-3) bullseye; urgency=medium
206 * api: token: use userid-group as API perm check to avoid being overly
207 strict through a misguided use of user id for non-root users.
209 * perm check: forbid undefined/empty ACL path for future proofing of against
212 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
214 libpve-access-control (7.2-2) bullseye; urgency=medium
216 * permissions: merge propagation flag for multiple roles on a path that
217 share privilege in a deterministic way, to avoid that it gets lost
218 depending on perl's random sort, which would result in returing less
219 privileges than an auth-id actually had.
221 * permissions: avoid that token and user privilege intersection is to strict
222 for user permissions that have propagation disabled.
224 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
226 libpve-access-control (7.2-1) bullseye; urgency=medium
228 * user check: fix expiration/enable order
230 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
232 libpve-access-control (7.1-8) bullseye; urgency=medium
234 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
237 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
239 libpve-access-control (7.1-7) bullseye; urgency=medium
241 * userid-group check: distinguish create and update
243 * api: get user: declare token schema
245 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
247 libpve-access-control (7.1-6) bullseye; urgency=medium
249 * fix #3768: warn on bad u2f or webauthn settings
251 * tfa: when modifying others, verify the current user's password
253 * tfa list: account for admin permissions
255 * fix realm sync permissions
257 * fix token permission display bug
259 * include SDN permissions in permission tree
261 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
263 libpve-access-control (7.1-5) bullseye; urgency=medium
265 * openid: fix username-claim fallback
267 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
269 libpve-access-control (7.1-4) bullseye; urgency=medium
271 * set current origin in the webauthn config if no fixed origin was
272 configured, to support webauthn via subdomains
274 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
276 libpve-access-control (7.1-3) bullseye; urgency=medium
278 * openid: allow arbitrary username-claims
280 * openid: support configuring the prompt, scopes and ACR values
282 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
284 libpve-access-control (7.1-2) bullseye; urgency=medium
286 * catch incompatible tfa entries with a nice error
288 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
290 libpve-access-control (7.1-1) bullseye; urgency=medium
292 * tfa: map HTTP 404 error in get_tfa_entry correctly
294 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
296 libpve-access-control (7.0-7) bullseye; urgency=medium
298 * fix #3513: pass configured proxy to OpenID
300 * use rust based parser for TFA config
302 * use PBS-like auth api call flow,
304 * merge old user.cfg keys to tfa config when adding entries
306 * implement version checks for new tfa config writer to ensure all
307 cluster nodes are ready to avoid login issues
309 * tickets: add tunnel ticket
311 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
313 libpve-access-control (7.0-6) bullseye; urgency=medium
315 * fix regression in user deletion when realm does not enforce TFA
317 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
319 libpve-access-control (7.0-5) bullseye; urgency=medium
321 * acl: check path: add /sdn/vnets/* path
323 * fix #2302: allow deletion of users when realm enforces TFA
325 * api: delete user: disable user first to avoid surprise on error during the
326 various cleanup action required for user deletion (e.g., TFA, ACL, group)
328 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
330 libpve-access-control (7.0-4) bullseye; urgency=medium
332 * realm: add OpenID configuration
334 * api: implement OpenID related endpoints
336 * implement opt-in OpenID autocreate user feature
338 * api: user: add 'realm-type' to user list response
340 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
342 libpve-access-control (7.0-3) bullseye; urgency=medium
344 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
345 `/sdn/zones/<zone>` to allowed ACL paths
347 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
349 libpve-access-control (7.0-2) bullseye; urgency=medium
351 * fix #3402: add Pool.Audit privilege - custom roles containing
352 Pool.Allocate must be updated to include the new privilege.
354 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
356 libpve-access-control (7.0-1) bullseye; urgency=medium
358 * re-build for Debian 11 Bullseye based releases
360 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
362 libpve-access-control (6.4-1) pve; urgency=medium
364 * fix #1670: change PAM service name to project specific name
366 * fix #1500: permission path syntax check for access control
368 * pveum: add resource pool CLI commands
370 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
372 libpve-access-control (6.1-3) pve; urgency=medium
374 * partially fix #2825: authkey: rotate if it was generated in the
377 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
380 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
382 libpve-access-control (6.1-2) pve; urgency=medium
384 * also check SDN permission path when computing coarse permissions heuristic
387 * add SDN Permissions.Modify
389 * add VM.Config.Cloudinit
391 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
393 libpve-access-control (6.1-1) pve; urgency=medium
395 * pveum: add tfa delete subcommand for deleting user-TFA
397 * LDAP: don't complain about missing credentials on realm removal
399 * LDAP: skip anonymous bind when client certificate and key is configured
401 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
403 libpve-access-control (6.0-7) pve; urgency=medium
405 * fix #2575: die when trying to edit built-in roles
407 * add realm sub commands to pveum CLI tool
409 * api: domains: add user group sync API endpoint
411 * allow one to sync and import users and groups from LDAP/AD based realms
413 * realm: add default-sync-options to config for more convenient sync configuration
415 * api: token create: return also full token id for convenience
417 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
419 libpve-access-control (6.0-6) pve; urgency=medium
421 * API: add group members to group index
423 * implement API token support and management
425 * pveum: add 'pveum user token add/update/remove/list'
427 * pveum: add permissions sub-commands
429 * API: add 'permissions' API endpoint
431 * user.cfg: skip inexisting roles when parsing ACLs
433 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
435 libpve-access-control (6.0-5) pve; urgency=medium
437 * pveum: add list command for users, groups, ACLs and roles
439 * add initial permissions for experimental SDN integration
441 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
443 libpve-access-control (6.0-4) pve; urgency=medium
445 * ticket: use clinfo to get cluster name
447 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
450 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
452 libpve-access-control (6.0-3) pve; urgency=medium
454 * fix #2433: increase possible TFA secret length
456 * parse user configuration: correctly parse group names in ACLs, for users
457 which begin their name with an @
459 * sort user.cfg entries alphabetically
461 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
463 libpve-access-control (6.0-2) pve; urgency=medium
465 * improve CSRF verification compatibility with newer PVE
467 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
469 libpve-access-control (6.0-1) pve; urgency=medium
471 * ticket: properly verify exactly 5 minute old tickets
473 * use hmac_sha256 instead of sha1 for CSRF token generation
475 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
477 libpve-access-control (6.0-0+1) pve; urgency=medium
479 * bump for Debian buster
481 * fix #2079: add periodic auth key rotation
483 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
485 libpve-access-control (5.1-10) unstable; urgency=medium
487 * add /access/user/{id}/tfa api call to get tfa types
489 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
491 libpve-access-control (5.1-9) unstable; urgency=medium
493 * store the tfa type in user.cfg allowing to get it without proxying the call
494 to a higher privileged daemon.
496 * tfa: realm required TFA should lock out users without TFA configured, as it
497 was done before Proxmox VE 5.4
499 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
501 libpve-access-control (5.1-8) unstable; urgency=medium
503 * U2F: ensure we save correct public key on registration
505 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
507 libpve-access-control (5.1-7) unstable; urgency=medium
509 * verify_ticket: allow general non-challenge tfa to be run as two step
512 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
514 libpve-access-control (5.1-6) unstable; urgency=medium
516 * more general 2FA configuration via priv/tfa.cfg
518 * add u2f api endpoints
520 * delete TFA entries when deleting a user
522 * allow users to change their TOTP settings
524 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
526 libpve-access-control (5.1-5) unstable; urgency=medium
528 * fix vnc ticket verification without authkey lifetime
530 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
532 libpve-access-control (5.1-4) unstable; urgency=medium
534 * fix #1891: Add zsh command completion for pveum
536 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
537 to avoid issues on upgrade, will be enabled with 6.0
539 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
541 libpve-access-control (5.1-3) unstable; urgency=medium
543 * api/ticket: move getting cluster name into an eval
545 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
547 libpve-access-control (5.1-2) unstable; urgency=medium
549 * fix #1998: correct return properties for read_role
551 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
553 libpve-access-control (5.1-1) unstable; urgency=medium
555 * pveum: introduce sub-commands
557 * register userid with completion
559 * fix #233: return cluster name on successful login
561 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
563 libpve-access-control (5.0-8) unstable; urgency=medium
565 * fix #1612: ldap: make 2nd server work with bind domains again
567 * fix an error message where passing a bad pool id to an API function would
568 make it complain about a wrong group name instead
570 * fix the API-returned permission list so that the GUI knows to show the
571 'Permissions' tab for a storage to an administrator apart from root@pam
573 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
575 libpve-access-control (5.0-7) unstable; urgency=medium
577 * VM.Snapshot.Rollback privilege added
579 * api: check for special roles before locking the usercfg
581 * fix #1501: pveum: die when deleting special role
583 * API/ticket: rework coarse grained permission computation
585 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
587 libpve-access-control (5.0-6) unstable; urgency=medium
589 * Close #1470: Add server ceritifcate verification for AD and LDAP via the
590 'verify' option. For compatibility reasons this defaults to off for now,
591 but that might change with future updates.
593 * AD, LDAP: Add ability to specify a CA path or file, and a client
594 certificate via the 'capath', 'cert' and 'certkey' options.
596 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
598 libpve-access-control (5.0-5) unstable; urgency=medium
600 * change from dpkg-deb to dpkg-buildpackage
602 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
604 libpve-access-control (5.0-4) unstable; urgency=medium
606 * PVE/CLI/pveum.pm: call setup_default_cli_env()
608 * PVE/Auth/PVE.pm: encode uft8 password before calling crypt
610 * check_api2_permissions: avoid warning about uninitialized value
612 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
614 libpve-access-control (5.0-3) unstable; urgency=medium
616 * use new PVE::OTP class from pve-common
618 * use new PVE::Tools::encrypt_pw from pve-common
620 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
622 libpve-access-control (5.0-2) unstable; urgency=medium
624 * encrypt_pw: avoid '+' for crypt salt
626 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
628 libpve-access-control (5.0-1) unstable; urgency=medium
630 * rebuild for PVE 5.0
632 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
634 libpve-access-control (4.0-23) unstable; urgency=medium
636 * use new PVE::Ticket class
638 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
640 libpve-access-control (4.0-22) unstable; urgency=medium
642 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
643 (moved to PVE::Storage)
645 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
647 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
649 libpve-access-control (4.0-21) unstable; urgency=medium
651 * setup_default_cli_env: expect $class as first parameter
653 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
655 libpve-access-control (4.0-20) unstable; urgency=medium
657 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
659 * PVE/API2/Domains.pm: fix property description
661 * use new repoman for upload target
663 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
665 libpve-access-control (4.0-19) unstable; urgency=medium
667 * Close #833: ldap: non-anonymous bind support
669 * don't import 'RFC' from MIME::Base32
671 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
673 libpve-access-control (4.0-18) unstable; urgency=medium
675 * fix #1062: recognize base32 otp keys again
677 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
679 libpve-access-control (4.0-17) unstable; urgency=medium
681 * drop oathtool and libdigest-hmac-perl dependencies
683 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
685 libpve-access-control (4.0-16) unstable; urgency=medium
687 * use pve-doc-generator to generate man pages
689 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
691 libpve-access-control (4.0-15) unstable; urgency=medium
693 * Fix uninitialized warning when shadow.cfg does not exist
695 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
697 libpve-access-control (4.0-14) unstable; urgency=medium
699 * Add is_worker to RPCEnvironment
701 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
703 libpve-access-control (4.0-13) unstable; urgency=medium
705 * fix #916: allow HTTPS to access custom yubico url
707 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
709 libpve-access-control (4.0-12) unstable; urgency=medium
711 * Catch certificate errors instead of segfaulting
713 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
715 libpve-access-control (4.0-11) unstable; urgency=medium
717 * Fix #861: use safer sprintf formatting
719 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
721 libpve-access-control (4.0-10) unstable; urgency=medium
723 * Auth::LDAP, Auth::AD: ipv6 support
725 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
727 libpve-access-control (4.0-9) unstable; urgency=medium
729 * pveum: implement bash completion
731 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
733 libpve-access-control (4.0-8) unstable; urgency=medium
735 * remove_storage_access: cleanup of access permissions for removed storage
737 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
739 libpve-access-control (4.0-7) unstable; urgency=medium
741 * new helper to remove access permissions for removed VMs
743 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
745 libpve-access-control (4.0-6) unstable; urgency=medium
747 * improve parse_user_config, parse_shadow_config
749 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
751 libpve-access-control (4.0-5) unstable; urgency=medium
753 * pveum: check for $cmd being defined
755 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
757 libpve-access-control (4.0-4) unstable; urgency=medium
759 * use activate-noawait triggers
761 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
763 libpve-access-control (4.0-3) unstable; urgency=medium
769 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
771 libpve-access-control (4.0-2) unstable; urgency=medium
773 * trigger pve-api-updates event
775 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
777 libpve-access-control (4.0-1) unstable; urgency=medium
779 * bump version for Debian Jessie
781 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
783 libpve-access-control (3.0-16) unstable; urgency=low
785 * root@pam can now be disabled in GUI.
787 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
789 libpve-access-control (3.0-15) unstable; urgency=low
791 * oath: add 'step' and 'digits' option
793 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
795 libpve-access-control (3.0-14) unstable; urgency=low
797 * add oath two factor auth
799 * add oathkeygen binary to generate keys for oath
801 * add yubico two factor auth
805 * depend on libmime-base32-perl
807 * allow to write builtin auth domains config (comment/tfa/default)
809 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
811 libpve-access-control (3.0-13) unstable; urgency=low
813 * use correct connection string for AD auth
815 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
817 libpve-access-control (3.0-12) unstable; urgency=low
819 * add dummy API for GET /access/ticket (useful to generate login pages)
821 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
823 libpve-access-control (3.0-11) unstable; urgency=low
825 * Sets common hot keys for spice client
827 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
829 libpve-access-control (3.0-10) unstable; urgency=low
831 * implement helper to generate SPICE remote-viewer configuration
833 * depend on libnet-ssleay-perl
835 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
837 libpve-access-control (3.0-9) unstable; urgency=low
839 * prevent user enumeration attacks
841 * allow dots in access paths
843 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
845 libpve-access-control (3.0-8) unstable; urgency=low
847 * spice: use lowercase hostname in ticktet signature
849 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
851 libpve-access-control (3.0-7) unstable; urgency=low
853 * check_volume_access : use parse_volname instead of path, and remove
856 * use warnings instead of global -w flag.
858 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
860 libpve-access-control (3.0-6) unstable; urgency=low
862 * use shorter spiceproxy tickets
864 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
866 libpve-access-control (3.0-5) unstable; urgency=low
868 * add code to generate tickets for SPICE
870 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
872 libpve-access-control (3.0-4) unstable; urgency=low
874 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
876 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
878 libpve-access-control (3.0-3) unstable; urgency=low
880 * Add new role PVETemplateUser (and VM.Clone privilege)
882 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
884 libpve-access-control (3.0-2) unstable; urgency=low
886 * remove CGI.pm related code (pveproxy does not need that)
888 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
890 libpve-access-control (3.0-1) unstable; urgency=low
892 * bump version for wheezy release
894 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
896 libpve-access-control (1.0-26) unstable; urgency=low
898 * check_volume_access: fix access permissions for backup files
900 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
902 libpve-access-control (1.0-25) unstable; urgency=low
904 * add VM.Snapshot permission
906 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
908 libpve-access-control (1.0-24) unstable; urgency=low
910 * untaint path (allow root to restore arbitrary paths)
912 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
914 libpve-access-control (1.0-23) unstable; urgency=low
916 * correctly compute GUI capabilities (consider pools)
918 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
920 libpve-access-control (1.0-22) unstable; urgency=low
922 * new plugin architecture for Auth modules, minor API change for Auth
923 domains (new 'delete' parameter)
925 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
927 libpve-access-control (1.0-21) unstable; urgency=low
929 * do not allow user names including slash
931 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
933 libpve-access-control (1.0-20) unstable; urgency=low
935 * add ability to fork cli workers in background
937 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
939 libpve-access-control (1.0-19) unstable; urgency=low
941 * return set of privileges on login - can be used to adopt GUI
943 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
945 libpve-access-control (1.0-18) unstable; urgency=low
947 * fix bug #151: correctly parse username inside ticket
949 * fix bug #152: allow user to change his own password
951 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
953 libpve-access-control (1.0-17) unstable; urgency=low
955 * set propagate flag by default
957 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
959 libpve-access-control (1.0-16) unstable; urgency=low
961 * add 'pveum passwd' method
963 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
965 libpve-access-control (1.0-15) unstable; urgency=low
967 * Add VM.Config.CDROM privilege to PVEVMUser rule
969 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
971 libpve-access-control (1.0-14) unstable; urgency=low
973 * fix buf in userid-param permission check
975 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
977 libpve-access-control (1.0-13) unstable; urgency=low
979 * allow more characters in ldap base_dn attribute
981 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
983 libpve-access-control (1.0-12) unstable; urgency=low
985 * allow more characters with realm IDs
987 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
989 libpve-access-control (1.0-11) unstable; urgency=low
991 * fix bug in exec_api2_perm_check
993 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
995 libpve-access-control (1.0-10) unstable; urgency=low
997 * fix ACL group name parser
999 * changed 'pveum aclmod' command line arguments
1001 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
1003 libpve-access-control (1.0-9) unstable; urgency=low
1005 * fix bug in check_volume_access (fixes vzrestore)
1007 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
1009 libpve-access-control (1.0-8) unstable; urgency=low
1011 * fix return value for empty ACL list.
1013 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
1015 libpve-access-control (1.0-7) unstable; urgency=low
1017 * fix bug #85: allow root@pam to generate tickets for other users
1019 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
1021 libpve-access-control (1.0-6) unstable; urgency=low
1023 * API change: allow to filter enabled/disabled users.
1025 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
1027 libpve-access-control (1.0-5) unstable; urgency=low
1029 * add a way to return file changes (diffs): set_result_changes()
1031 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
1033 libpve-access-control (1.0-4) unstable; urgency=low
1035 * new environment type for ha agents
1037 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
1039 libpve-access-control (1.0-3) unstable; urgency=low
1041 * add support for delayed parameter parsing - We need that to disable
1042 file upload for normal API request (avoid DOS attacks)
1044 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1046 libpve-access-control (1.0-2) unstable; urgency=low
1048 * fix bug in fork_worker
1050 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1052 libpve-access-control (1.0-1) unstable; urgency=low
1054 * allow '-' in permission paths
1056 * bump version to 1.0
1058 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1060 libpve-access-control (0.1) unstable; urgency=low
1062 * first dummy package - no functionality
1064 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200