libpve-access-control (8.1.4) bookworm; urgency=medium

  * fix #5335: sort ACL entries in user.cfg to make it easier to track changes

 -- Proxmox Support Team <support@proxmox.com>  Mon, 22 Apr 2024 13:45:22 +0200

libpve-access-control (8.1.3) bookworm; urgency=medium

  * user: password change: require confirmation-password parameter so that
    anybody gaining local or physical access to a device where a user is
    logged in on a Proxmox VE web-interface cannot give them more permanent
    access or deny the actual user accessing their account by changing the
    password. Note that such an attack scenario means that the attacker
    already has high privileges and can already control the resource
    completely through another attack.
    Such initial attacks (like stealing an unlocked device) are almost always
    outside of the control of our projects. Still, hardening the API a bit
    by requiring a confirmation of the original password is too cheap to
    implement to not do so.

  * jobs: realm sync: fix scheduled LDAP syncs not applying all attributes,
    like comments, correctly

 -- Proxmox Support Team <support@proxmox.com>  Fri, 22 Mar 2024 14:14:36 +0100

libpve-access-control (8.1.2) bookworm; urgency=medium

  * add Sys.AccessNetwork privilege

 -- Proxmox Support Team <support@proxmox.com>  Wed, 28 Feb 2024 15:42:12 +0100

libpve-access-control (8.1.1) bookworm; urgency=medium

  * LDAP sync: fix-up assembling valid attribute set

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Feb 2024 19:03:26 +0100

libpve-access-control (8.1.0) bookworm; urgency=medium

  * api: user: limit the legacy user-keys option to the deprecated values
    that could be set in the first limited TFA system, like e.g., 'x!yubico'
    or base32 encoded secrets.

  * oidc: enforce generic URI regex for the ACR value to align with OIDC
    specifications and with Proxmox Backup Server, which was recently changed
    to actually be less strict.

  * LDAP sync: improve validation of synced attributes, closely limit the
    mapped attributes names and their values to avoid glitches through odd

  * api: user: limit maximum length for first & last name to 1024 characters,
    email to 254 characters (the maximum actually useable in practice) and
    comment properties to 2048 characters. This avoids that a few single users
    bloat the user.cfg too much by mistake, reducing the total amount of users
    and ACLs that can be set up. Note that only users with User.Modify and
    realm syncs (set up by admins) can change these in the first place, so this
    is mostly to avoid mishaps and just to be sure.

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Feb 2024 17:50:59 +0100

libpve-access-control (8.0.7) bookworm; urgency=medium

  * fix #1148: allow up to three levels of pool nesting

  * pools: record parent/subpool information

 -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Nov 2023 12:24:13 +0100

libpve-access-control (8.0.6) bookworm; urgency=medium

  * perms: fix wrong /pools entry in default set of ACL paths

  * acl: add missing SDN ACL paths to allowed list

 -- Proxmox Support Team <support@proxmox.com>  Fri, 17 Nov 2023 08:27:11 +0100

libpve-access-control (8.0.5) bookworm; urgency=medium

  * fix an issue where setting ldap passwords would refuse to work unless
    at least one additional property was changed as well

  * add 'check-connection' parameter to create and update endpoints for ldap

 -- Proxmox Support Team <support@proxmox.com>  Fri, 11 Aug 2023 13:35:23 +0200

libpve-access-control (8.0.4) bookworm; urgency=medium

  * Lookup of second factors is no longer tied to the 'keys' field in the
    user.cfg. This fixes an issue where certain LDAP/AD sync job settings
    could disable user-configured 2nd factors.

  * Existing-but-disabled TFA factors can no longer circumvent realm-mandated

 -- Proxmox Support Team <support@proxmox.com>  Thu, 20 Jul 2023 10:59:21 +0200

libpve-access-control (8.0.3) bookworm; urgency=medium

  * pveum: list tfa: recovery keys have no descriptions

  * pveum: list tfa: sort by user ID

  * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
    is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
    VE 7.4 before upgrading to Proxmox VE 8 in addition to that.

 -- Proxmox Support Team <support@proxmox.com>  Wed, 21 Jun 2023 19:45:29 +0200

libpve-access-control (8.0.2) bookworm; urgency=medium

  * api: users: sort groups to avoid "flapping" text

  * api: tfa: don't block tokens from viewing and list TFA entries, both are
    safe to do for anybody with enough permissions to view a user.

  * api: tfa: add missing links for child-routes

 -- Proxmox Support Team <support@proxmox.com>  Wed, 21 Jun 2023 18:13:54 +0200

libpve-access-control (8.0.1) bookworm; urgency=medium

  * tfa: cope with native versions in cluster version check

 -- Proxmox Support Team <support@proxmox.com>  Fri, 09 Jun 2023 16:12:01 +0200

libpve-access-control (8.0.0) bookworm; urgency=medium

  * api: roles: forbid creating new roles starting with "PVE" namespace

 -- Proxmox Support Team <support@proxmox.com>  Fri, 09 Jun 2023 10:14:28 +0200

libpve-access-control (8.0.0~3) bookworm; urgency=medium

  * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path

  * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path

  * add helper for checking bridge access

  * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
    which users are allowed to use a bridge (or vnet, if SDN is installed)

  * add privileges and paths for cluster resource mapping

 -- Proxmox Support Team <support@proxmox.com>  Wed, 07 Jun 2023 19:06:54 +0200

libpve-access-control (8.0.0~2) bookworm; urgency=medium

  * api: user index: only include existing tfa lock flags

  * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs

  * roles: only include Permissions.Modify in Administrator built-in role.
    As, depending on the ACL object path, this privilege might allow one to
    change their own permissions, which was making the distinction between
    Admin and PVEAdmin irrelevant.

  * acls: restrict less-privileged ACL modifications. Through allocate
    permissions in pools, storages and virtual guests one can do some ACL
    modifications without having the Permissions.Modify privilege, lock those
    better down to ensure that one can only hand out the subset of their
    own privileges, never more. Note that this is mostly future proofing, as
    the ACL object paths one could give out more permissions were already

 -- Proxmox Support Team <support@proxmox.com>  Wed, 07 Jun 2023 11:34:30 +0200

libpve-access-control (8.0.0~1) bookworm; urgency=medium

  * bump pve-rs dependency to 0.8.3

  * drop old verify_tfa api call (POST /access/tfa)

  * drop support for old login API:
    - 'new-format' is now considered to be 1 and ignored by the API

  * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote

  * cli: add 'pveum tfa list'

  * cli: add 'pveum tfa unlock'

  * enable lockout of TFA:
    - too many TOTP attempts will lock out of TOTP
    - using a recovery key will unlock TOTP
    - too many TFA attempts will lock a user's TFA auth for an hour

  * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
    authentication if it was locked by too many wrong 2nd factor login attempts

  * api: /access/tfa and /access/users now include the tfa lockout status

 -- Proxmox Support Team <support@proxmox.com>  Mon, 05 Jun 2023 14:52:29 +0200

libpve-access-control (7.99.0) bookworm; urgency=medium

  * initial re-build for Proxmox VE 8.x series

  * switch to native versioning

 -- Proxmox Support Team <support@proxmox.com>  Sun, 21 May 2023 10:34:19 +0200

libpve-access-control (7.4-3) bullseye; urgency=medium

  * use new 2nd factor verification from pve-rs

 -- Proxmox Support Team <support@proxmox.com>  Tue, 16 May 2023 13:31:28 +0200

libpve-access-control (7.4-2) bullseye; urgency=medium

  * fix #4609: fix regression where a valid DN in the ldap/ad realm config
    wasn't accepted anymore

 -- Proxmox Support Team <support@proxmox.com>  Thu, 23 Mar 2023 15:44:21 +0100

libpve-access-control (7.4-1) bullseye; urgency=medium

  * realm sync: refactor scope/remove-vanished into a standard option

  * ldap: Allow quoted values for DN attribute values

 -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Mar 2023 17:16:11 +0100

libpve-access-control (7.3-2) bullseye; urgency=medium

  * fix #4518: dramatically improve ACL computation performance

  * userid format: clarify that this is the full name@realm in description

 -- Proxmox Support Team <support@proxmox.com>  Mon, 06 Mar 2023 11:40:11 +0100

libpve-access-control (7.3-1) bullseye; urgency=medium

  * realm: sync: allow explicit 'none' for 'remove-vanished' option

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Dec 2022 13:11:04 +0100

libpve-access-control (7.2-5) bullseye; urgency=medium

  * api: realm sync: avoid separate log line for "remove-vanished" opt

  * auth ldap/ad: compare group member dn case-insensitively

  * two factor auth: only lock tfa config for recovery keys

  * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
    migrations and storage migrations

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 Nov 2022 13:09:17 +0100

libpve-access-control (7.2-4) bullseye; urgency=medium

  * fix #4074: increase API OpenID code size limit to 2048

  * auth key: protect against rare chance of a double rotation in clusters,
    leaving the potential that some set of nodes have the earlier key cached,
    that then got rotated out due to the race, resulting in a possible other
    set of nodes having the newer key cached. This is a split view of the auth
    key and may result in spurious failures if API requests are made to a
    different node than the ticket was generated on.
    In addition to that, the "keep validity of old tickets if signed in the
    last two hours before rotation" logic was disabled too in such a case,
    making such tickets invalid too early.
    Note that both are cases where Proxmox VE was too strict, so while this
    had no security implications it can be a nuisance, especially for
    environments that use the API through an automated or scripted way

 -- Proxmox Support Team <support@proxmox.com>  Thu, 14 Jul 2022 08:36:51 +0200

libpve-access-control (7.2-3) bullseye; urgency=medium

  * api: token: use userid-group as API perm check to avoid being overly
    strict through a misguided use of user id for non-root users.

  * perm check: forbid undefined/empty ACL path for future proofing of against

 -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Jun 2022 15:51:14 +0200

libpve-access-control (7.2-2) bullseye; urgency=medium

  * permissions: merge propagation flag for multiple roles on a path that
    share privilege in a deterministic way, to avoid that it gets lost
    depending on perl's random sort, which would result in returning less
    privileges than an auth-id actually had.

  * permissions: avoid that token and user privilege intersection is too strict
    for user permissions that have propagation disabled.

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2022 14:02:30 +0200

libpve-access-control (7.2-1) bullseye; urgency=medium

  * user check: fix expiration/enable order

 -- Proxmox Support Team <support@proxmox.com>  Tue, 31 May 2022 13:43:37 +0200

libpve-access-control (7.1-8) bullseye; urgency=medium

  * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Apr 2022 17:02:46 +0200

libpve-access-control (7.1-7) bullseye; urgency=medium

  * userid-group check: distinguish create and update

  * api: get user: declare token schema

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Mar 2022 16:15:23 +0100

libpve-access-control (7.1-6) bullseye; urgency=medium

  * fix #3768: warn on bad u2f or webauthn settings

  * tfa: when modifying others, verify the current user's password

  * tfa list: account for admin permissions

  * fix realm sync permissions

  * fix token permission display bug

  * include SDN permissions in permission tree

 -- Proxmox Support Team <support@proxmox.com>  Fri, 21 Jan 2022 14:20:42 +0100

libpve-access-control (7.1-5) bullseye; urgency=medium

  * openid: fix username-claim fallback

 -- Proxmox Support Team <support@proxmox.com>  Thu, 25 Nov 2021 07:57:38 +0100

libpve-access-control (7.1-4) bullseye; urgency=medium

  * set current origin in the webauthn config if no fixed origin was
    configured, to support webauthn via subdomains

 -- Proxmox Support Team <support@proxmox.com>  Mon, 22 Nov 2021 14:04:06 +0100

libpve-access-control (7.1-3) bullseye; urgency=medium

  * openid: allow arbitrary username-claims

  * openid: support configuring the prompt, scopes and ACR values

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Nov 2021 08:11:52 +0100

libpve-access-control (7.1-2) bullseye; urgency=medium

  * catch incompatible tfa entries with a nice error

 -- Proxmox Support Team <support@proxmox.com>  Wed, 17 Nov 2021 13:44:45 +0100

libpve-access-control (7.1-1) bullseye; urgency=medium

  * tfa: map HTTP 404 error in get_tfa_entry correctly

 -- Proxmox Support Team <support@proxmox.com>  Mon, 15 Nov 2021 15:33:22 +0100

libpve-access-control (7.0-7) bullseye; urgency=medium

  * fix #3513: pass configured proxy to OpenID

  * use rust based parser for TFA config

  * use PBS-like auth api call flow,

  * merge old user.cfg keys to tfa config when adding entries

  * implement version checks for new tfa config writer to ensure all
    cluster nodes are ready to avoid login issues

  * tickets: add tunnel ticket

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Nov 2021 18:17:49 +0100

libpve-access-control (7.0-6) bullseye; urgency=medium

  * fix regression in user deletion when realm does not enforce TFA

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Oct 2021 12:28:52 +0200

libpve-access-control (7.0-5) bullseye; urgency=medium

  * acl: check path: add /sdn/vnets/* path

  * fix #2302: allow deletion of users when realm enforces TFA

  * api: delete user: disable user first to avoid surprise on error during the
    various cleanup action required for user deletion (e.g., TFA, ACL, group)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Sep 2021 15:50:47 +0200

libpve-access-control (7.0-4) bullseye; urgency=medium

  * realm: add OpenID configuration

  * api: implement OpenID related endpoints

  * implement opt-in OpenID autocreate user feature

  * api: user: add 'realm-type' to user list response

 -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Jul 2021 13:45:46 +0200

libpve-access-control (7.0-3) bullseye; urgency=medium

  * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
    `/sdn/zones/<zone>` to allowed ACL paths

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Jun 2021 10:31:19 +0200

libpve-access-control (7.0-2) bullseye; urgency=medium

  * fix #3402: add Pool.Audit privilege - custom roles containing
    Pool.Allocate must be updated to include the new privilege.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 1 Jun 2021 11:28:38 +0200

libpve-access-control (7.0-1) bullseye; urgency=medium

  * re-build for Debian 11 Bullseye based releases

 -- Proxmox Support Team <support@proxmox.com>  Sun, 09 May 2021 18:18:23 +0200

libpve-access-control (6.4-1) pve; urgency=medium

  * fix #1670: change PAM service name to project specific name

  * fix #1500: permission path syntax check for access control

  * pveum: add resource pool CLI commands

 -- Proxmox Support Team <support@proxmox.com>  Sat, 24 Apr 2021 19:48:21 +0200

libpve-access-control (6.1-3) pve; urgency=medium

  * partially fix #2825: authkey: rotate if it was generated in the

  * fix #2947: add an option to LDAP or AD realm to switch user lookup to case

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Sep 2020 08:54:13 +0200

libpve-access-control (6.1-2) pve; urgency=medium

  * also check SDN permission path when computing coarse permissions heuristic

  * add SDN Permissions.Modify

  * add VM.Config.Cloudinit

 -- Proxmox Support Team <support@proxmox.com>  Tue, 30 Jun 2020 13:06:56 +0200

libpve-access-control (6.1-1) pve; urgency=medium

  * pveum: add tfa delete subcommand for deleting user-TFA

  * LDAP: don't complain about missing credentials on realm removal

  * LDAP: skip anonymous bind when client certificate and key is configured

 -- Proxmox Support Team <support@proxmox.com>  Fri, 08 May 2020 17:47:41 +0200

libpve-access-control (6.0-7) pve; urgency=medium

  * fix #2575: die when trying to edit built-in roles

  * add realm sub commands to pveum CLI tool

  * api: domains: add user group sync API endpoint

  * allow one to sync and import users and groups from LDAP/AD based realms

  * realm: add default-sync-options to config for more convenient sync configuration

  * api: token create: return also full token id for convenience

 -- Proxmox Support Team <support@proxmox.com>  Sat, 25 Apr 2020 19:35:17 +0200

libpve-access-control (6.0-6) pve; urgency=medium

  * API: add group members to group index

  * implement API token support and management

  * pveum: add 'pveum user token add/update/remove/list'

  * pveum: add permissions sub-commands

  * API: add 'permissions' API endpoint

  * user.cfg: skip inexisting roles when parsing ACLs

 -- Proxmox Support Team <support@proxmox.com>  Wed, 29 Jan 2020 10:17:27 +0100

libpve-access-control (6.0-5) pve; urgency=medium

  * pveum: add list command for users, groups, ACLs and roles

  * add initial permissions for experimental SDN integration

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Nov 2019 17:56:37 +0100

libpve-access-control (6.0-4) pve; urgency=medium

  * ticket: use clinfo to get cluster name

  * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 11:55:11 +0100

libpve-access-control (6.0-3) pve; urgency=medium

  * fix #2433: increase possible TFA secret length

  * parse user configuration: correctly parse group names in ACLs, for users
    which begin their name with an @

  * sort user.cfg entries alphabetically

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Oct 2019 08:52:23 +0100

libpve-access-control (6.0-2) pve; urgency=medium

  * improve CSRF verification compatibility with newer PVE

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Jun 2019 20:24:35 +0200

libpve-access-control (6.0-1) pve; urgency=medium

  * ticket: properly verify exactly 5 minute old tickets

  * use hmac_sha256 instead of sha1 for CSRF token generation

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 18:14:45 +0200

libpve-access-control (6.0-0+1) pve; urgency=medium

  * bump for Debian buster

  * fix #2079: add periodic auth key rotation

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 21:31:15 +0200

libpve-access-control (5.1-10) unstable; urgency=medium

  * add /access/user/{id}/tfa api call to get tfa types

 -- Proxmox Support Team <support@proxmox.com>  Wed, 15 May 2019 16:21:10 +0200

libpve-access-control (5.1-9) unstable; urgency=medium

  * store the tfa type in user.cfg allowing to get it without proxying the call
    to a higher privileged daemon.

  * tfa: realm required TFA should lock out users without TFA configured, as it
    was done before Proxmox VE 5.4

 -- Proxmox Support Team <support@proxmox.com>  Tue, 30 Apr 2019 14:01:00 +0000

libpve-access-control (5.1-8) unstable; urgency=medium

  * U2F: ensure we save correct public key on registration

 -- Proxmox Support Team <support@proxmox.com>  Tue, 09 Apr 2019 12:47:12 +0200

libpve-access-control (5.1-7) unstable; urgency=medium

  * verify_ticket: allow general non-challenge tfa to be run as two step

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Apr 2019 16:56:14 +0200

libpve-access-control (5.1-6) unstable; urgency=medium

  * more general 2FA configuration via priv/tfa.cfg

  * add u2f api endpoints

  * delete TFA entries when deleting a user

  * allow users to change their TOTP settings

 -- Proxmox Support Team <support@proxmox.com>  Wed, 03 Apr 2019 13:40:26 +0200

libpve-access-control (5.1-5) unstable; urgency=medium

  * fix vnc ticket verification without authkey lifetime

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Mar 2019 10:43:17 +0100

libpve-access-control (5.1-4) unstable; urgency=medium

  * fix #1891: Add zsh command completion for pveum

  * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
    to avoid issues on upgrade, will be enabled with 6.0

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Mar 2019 09:12:05 +0100

libpve-access-control (5.1-3) unstable; urgency=medium

  * api/ticket: move getting cluster name into an eval

 -- Proxmox Support Team <support@proxmox.com>  Thu, 29 Nov 2018 12:59:36 +0100

libpve-access-control (5.1-2) unstable; urgency=medium

  * fix #1998: correct return properties for read_role

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:22:40 +0100

libpve-access-control (5.1-1) unstable; urgency=medium

  * pveum: introduce sub-commands

  * register userid with completion

  * fix #233: return cluster name on successful login

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Nov 2018 09:34:47 +0100

libpve-access-control (5.0-8) unstable; urgency=medium

  * fix #1612: ldap: make 2nd server work with bind domains again

  * fix an error message where passing a bad pool id to an API function would
    make it complain about a wrong group name instead

  * fix the API-returned permission list so that the GUI knows to show the
    'Permissions' tab for a storage to an administrator apart from root@pam

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Jan 2018 13:34:50 +0100

libpve-access-control (5.0-7) unstable; urgency=medium

  * VM.Snapshot.Rollback privilege added

  * api: check for special roles before locking the usercfg

  * fix #1501: pveum: die when deleting special role

  * API/ticket: rework coarse grained permission computation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 5 Oct 2017 11:27:48 +0200

libpve-access-control (5.0-6) unstable; urgency=medium

  * Close #1470: Add server certificate verification for AD and LDAP via the
    'verify' option. For compatibility reasons this defaults to off for now,
    but that might change with future updates.

  * AD, LDAP: Add ability to specify a CA path or file, and a client
    certificate via the 'capath', 'cert' and 'certkey' options.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Aug 2017 11:56:38 +0200

libpve-access-control (5.0-5) unstable; urgency=medium

  * change from dpkg-deb to dpkg-buildpackage

 -- Proxmox Support Team <support@proxmox.com>  Thu, 22 Jun 2017 09:12:37 +0200

libpve-access-control (5.0-4) unstable; urgency=medium

  * PVE/CLI/pveum.pm: call setup_default_cli_env()

  * PVE/Auth/PVE.pm: encode utf8 password before calling crypt

  * check_api2_permissions: avoid warning about uninitialized value

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 May 2017 11:58:15 +0200

libpve-access-control (5.0-3) unstable; urgency=medium

  * use new PVE::OTP class from pve-common

  * use new PVE::Tools::encrypt_pw from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 30 Mar 2017 17:45:55 +0200

libpve-access-control (5.0-2) unstable; urgency=medium

  * encrypt_pw: avoid '+' for crypt salt

 -- Proxmox Support Team <support@proxmox.com>  Thu, 30 Mar 2017 08:54:10 +0200

libpve-access-control (5.0-1) unstable; urgency=medium

  * rebuild for PVE 5.0

 -- Proxmox Support Team <support@proxmox.com>  Mon, 6 Mar 2017 13:42:01 +0100

libpve-access-control (4.0-23) unstable; urgency=medium

  * use new PVE::Ticket class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 19 Jan 2017 13:42:06 +0100

libpve-access-control (4.0-22) unstable; urgency=medium

  * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
    (moved to PVE::Storage)

  * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 19 Jan 2017 09:12:04 +0100

libpve-access-control (4.0-21) unstable; urgency=medium

  * setup_default_cli_env: expect $class as first parameter

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jan 2017 13:54:27 +0100

libpve-access-control (4.0-20) unstable; urgency=medium

  * PVE/RPCEnvironment.pm: new function setup_default_cli_env

  * PVE/API2/Domains.pm: fix property description

  * use new repoman for upload target

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Jan 2017 12:13:26 +0100

libpve-access-control (4.0-19) unstable; urgency=medium

  * Close #833: ldap: non-anonymous bind support

  * don't import 'RFC' from MIME::Base32

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Aug 2016 13:09:08 +0200

libpve-access-control (4.0-18) unstable; urgency=medium

  * fix #1062: recognize base32 otp keys again

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Jul 2016 08:43:18 +0200

libpve-access-control (4.0-17) unstable; urgency=medium

  * drop oathtool and libdigest-hmac-perl dependencies

 -- Proxmox Support Team <support@proxmox.com>  Mon, 11 Jul 2016 12:03:22 +0200

libpve-access-control (4.0-16) unstable; urgency=medium

  * use pve-doc-generator to generate man pages

 -- Proxmox Support Team <support@proxmox.com>  Fri, 08 Apr 2016 07:06:05 +0200

libpve-access-control (4.0-15) unstable; urgency=medium

  * Fix uninitialized warning when shadow.cfg does not exist

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:10:57 +0200

libpve-access-control (4.0-14) unstable; urgency=medium

  * Add is_worker to RPCEnvironment

 -- Proxmox Support Team <support@proxmox.com>  Tue, 15 Mar 2016 16:47:34 +0100

libpve-access-control (4.0-13) unstable; urgency=medium

  * fix #916: allow HTTPS to access custom yubico url

 -- Proxmox Support Team <support@proxmox.com>  Mon, 14 Mar 2016 11:39:23 +0100

libpve-access-control (4.0-12) unstable; urgency=medium

  * Catch certificate errors instead of segfaulting

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Mar 2016 14:41:01 +0100

libpve-access-control (4.0-11) unstable; urgency=medium

  * Fix #861: use safer sprintf formatting

 -- Proxmox Support Team <support@proxmox.com>  Fri, 08 Jan 2016 12:52:39 +0100

libpve-access-control (4.0-10) unstable; urgency=medium

  * Auth::LDAP, Auth::AD: ipv6 support

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Dec 2015 12:09:32 +0100

libpve-access-control (4.0-9) unstable; urgency=medium

  * pveum: implement bash completion

 -- Proxmox Support Team <support@proxmox.com>  Thu, 01 Oct 2015 17:22:52 +0200

libpve-access-control (4.0-8) unstable; urgency=medium

  * remove_storage_access: cleanup of access permissions for removed storage

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:39:15 +0200

libpve-access-control (4.0-7) unstable; urgency=medium

  * new helper to remove access permissions for removed VMs

 -- Proxmox Support Team <support@proxmox.com>  Fri, 14 Aug 2015 07:57:02 +0200

libpve-access-control (4.0-6) unstable; urgency=medium

  * improve parse_user_config, parse_shadow_config

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:14:33 +0200

libpve-access-control (4.0-5) unstable; urgency=medium

  * pveum: check for $cmd being defined

 -- Proxmox Support Team <support@proxmox.com>  Wed, 10 Jun 2015 10:40:15 +0200

libpve-access-control (4.0-4) unstable; urgency=medium

  * use activate-noawait triggers

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:25:31 +0200

libpve-access-control (4.0-3) unstable; urgency=medium

 -- Proxmox Support Team <support@proxmox.com>  Wed, 27 May 2015 11:15:44 +0200

libpve-access-control (4.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:06:38 +0200

libpve-access-control (4.0-1) unstable; urgency=medium

  * bump version for Debian Jessie

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Feb 2015 11:22:01 +0100

libpve-access-control (3.0-16) unstable; urgency=low

  * root@pam can now be disabled in GUI.

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Jan 2015 06:20:22 +0100

libpve-access-control (3.0-15) unstable; urgency=low

  * oath: add 'step' and 'digits' option

 -- Proxmox Support Team <support@proxmox.com>  Wed, 23 Jul 2014 06:59:52 +0200

libpve-access-control (3.0-14) unstable; urgency=low

  * add oath two factor auth

  * add oathkeygen binary to generate keys for oath

  * add yubico two factor auth

  * depend on libmime-base32-perl

  * allow to write builtin auth domains config (comment/tfa/default)

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 Jul 2014 13:09:56 +0200

libpve-access-control (3.0-13) unstable; urgency=low

  * use correct connection string for AD auth

 -- Proxmox Support Team <support@proxmox.com>  Thu, 22 May 2014 07:16:09 +0200

libpve-access-control (3.0-12) unstable; urgency=low

  * add dummy API for GET /access/ticket (useful to generate login pages)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 30 Apr 2014 14:47:56 +0200

libpve-access-control (3.0-11) unstable; urgency=low

  * Sets common hot keys for spice client

 -- Proxmox Support Team <support@proxmox.com>  Fri, 31 Jan 2014 10:24:28 +0100

libpve-access-control (3.0-10) unstable; urgency=low

  * implement helper to generate SPICE remote-viewer configuration

  * depend on libnet-ssleay-perl

 -- Proxmox Support Team <support@proxmox.com>  Tue, 10 Dec 2013 10:45:08 +0100

libpve-access-control (3.0-9) unstable; urgency=low

  * prevent user enumeration attacks

  * allow dots in access paths

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2013 09:06:38 +0100

libpve-access-control (3.0-8) unstable; urgency=low

  * spice: use lowercase hostname in ticket signature

 -- Proxmox Support Team <support@proxmox.com>  Mon, 28 Oct 2013 08:11:57 +0100

libpve-access-control (3.0-7) unstable; urgency=low

  * check_volume_access : use parse_volname instead of path, and remove

  * use warnings instead of global -w flag.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 01 Oct 2013 12:35:53 +0200

libpve-access-control (3.0-6) unstable; urgency=low

  * use shorter spiceproxy tickets

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Jul 2013 12:39:09 +0200

libpve-access-control (3.0-5) unstable; urgency=low

  * add code to generate tickets for SPICE

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Jun 2013 13:08:32 +0200

libpve-access-control (3.0-4) unstable; urgency=low

  * moved add_vm_to_pool/remove_vm_from_pool from qemu-server

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 May 2013 11:56:54 +0200

libpve-access-control (3.0-3) unstable; urgency=low

  * Add new role PVETemplateUser (and VM.Clone privilege)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Apr 2013 11:42:15 +0200

libpve-access-control (3.0-2) unstable; urgency=low

  * remove CGI.pm related code (pveproxy does not need that)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 15 Apr 2013 12:34:23 +0200

libpve-access-control (3.0-1) unstable; urgency=low

  * bump version for wheezy release

 -- Proxmox Support Team <support@proxmox.com>  Fri, 15 Mar 2013 08:07:06 +0100

libpve-access-control (1.0-26) unstable; urgency=low
* check_volume_access: fix access permissions for backup files
-- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
libpve-access-control (1.0-25) unstable; urgency=low
* add VM.Snapshot permission
-- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
libpve-access-control (1.0-24) unstable; urgency=low
* untaint path (allow root to restore arbitrary paths)
-- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
libpve-access-control (1.0-23) unstable; urgency=low
* correctly compute GUI capabilities (consider pools)
-- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
libpve-access-control (1.0-22) unstable; urgency=low
* new plugin architecture for Auth modules, minor API change for Auth
domains (new 'delete' parameter)
-- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
libpve-access-control (1.0-21) unstable; urgency=low
* do not allow user names including slash
-- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
libpve-access-control (1.0-20) unstable; urgency=low
* add ability to fork cli workers in background
-- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
libpve-access-control (1.0-19) unstable; urgency=low
* return set of privileges on login - can be used to adapt GUI
-- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
libpve-access-control (1.0-18) unstable; urgency=low
* fix bug #151: correctly parse username inside ticket
* fix bug #152: allow user to change his own password
-- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
libpve-access-control (1.0-17) unstable; urgency=low
* set propagate flag by default
-- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
libpve-access-control (1.0-16) unstable; urgency=low
* add 'pveum passwd' method
-- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
libpve-access-control (1.0-15) unstable; urgency=low
* Add VM.Config.CDROM privilege to PVEVMUser rule
-- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
libpve-access-control (1.0-14) unstable; urgency=low
* fix bug in userid-param permission check
-- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
libpve-access-control (1.0-13) unstable; urgency=low
* allow more characters in ldap base_dn attribute
-- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
libpve-access-control (1.0-12) unstable; urgency=low
* allow more characters with realm IDs
-- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
libpve-access-control (1.0-11) unstable; urgency=low
* fix bug in exec_api2_perm_check
-- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
libpve-access-control (1.0-10) unstable; urgency=low
* fix ACL group name parser
* changed 'pveum aclmod' command line arguments
-- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
libpve-access-control (1.0-9) unstable; urgency=low
* fix bug in check_volume_access (fixes vzrestore)
-- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
libpve-access-control (1.0-8) unstable; urgency=low
* fix return value for empty ACL list.
-- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
libpve-access-control (1.0-7) unstable; urgency=low
* fix bug #85: allow root@pam to generate tickets for other users
-- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
libpve-access-control (1.0-6) unstable; urgency=low
* API change: allow to filter enabled/disabled users.
-- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
libpve-access-control (1.0-5) unstable; urgency=low
* add a way to return file changes (diffs): set_result_changes()
-- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
libpve-access-control (1.0-4) unstable; urgency=low
* new environment type for ha agents
-- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
libpve-access-control (1.0-3) unstable; urgency=low
* add support for delayed parameter parsing - We need that to disable
file upload for normal API request (avoid DOS attacks)
-- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
libpve-access-control (1.0-2) unstable; urgency=low
* fix bug in fork_worker
-- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
libpve-access-control (1.0-1) unstable; urgency=low
* allow '-' in permission paths
* bump version to 1.0
-- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
libpve-access-control (0.1) unstable; urgency=low
* first dummy package - no functionality
-- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200