1 libpve-access-control (8.0.4) bookworm; urgency=medium
3 * Lookup of second factors is no longer tied to the 'keys' field in the
4 user.cfg. This fixes an issue where certain LDAP/AD sync job settings
5 could disable user-configured 2nd factors.
7 * Existing-but-disabled TFA factors can no longer circumvent realm-mandated
10 -- Proxmox Support Team <support@proxmox.com> Thu, 20 Jul 2023 10:59:21 +0200
12 libpve-access-control (8.0.3) bookworm; urgency=medium
14 * pveum: list tfa: recovery keys have no descriptions
16 * pveum: list tfa: sort by user ID
18 * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
19 is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
20 VE 7.4 before upgrading to Proxmox VE 8 in addition to that.
22 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200
24 libpve-access-control (8.0.2) bookworm; urgency=medium
26 * api: users: sort groups to avoid "flapping" text
28 * api: tfa: don't block tokens from viewing and list TFA entries, both are
29 safe to do for anybody with enough permissions to view a user.
31 * api: tfa: add missing links for child-routes
33 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200
35 libpve-access-control (8.0.1) bookworm; urgency=medium
37 * tfa: cope with native versions in cluster version check
39 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
41 libpve-access-control (8.0.0) bookworm; urgency=medium
43 * api: roles: forbid creating new roles starting with "PVE" namespace
45 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
47 libpve-access-control (8.0.0~3) bookworm; urgency=medium
49 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
51 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
53 * add helper for checking bridge access
55 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
56 which user are allowed to use a bridge (or vnet, if SDN is installed)
58 * add privileges and paths for cluster resource mapping
60 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
62 libpve-access-control (8.0.0~2) bookworm; urgency=medium
64 * api: user index: only include existing tfa lock flags
66 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
68 * roles: only include Permissions.Modify in Administrator built-in role.
69 As, depending on the ACL object path, this privilege might allow one to
70 change their own permissions, which was making the distinction between
71 Admin and PVEAdmin irrelevant.
73 * acls: restrict less-privileged ACL modifications. Through allocate
74 permissions in pools, storages and virtual guests one can do some ACL
75 modifications without having the Permissions.Modify privilege, lock those
76 better down to ensure that one can only hand out only the subset of their
77 own privileges, never more. Note that this is mostly future proofing, as
78 the ACL object paths one could give out more permissions where already
81 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
83 libpve-access-control (8.0.0~1) bookworm; urgency=medium
85 * bump pve-rs dependency to 0.8.3
87 * drop old verify_tfa api call (POST /access/tfa)
89 * drop support for old login API:
90 - 'new-format' is now considured to be 1 and ignored by the API
92 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
95 * cli: add 'pveum tfa list'
97 * cli: add 'pveum tfa unlock'
99 * enable lockout of TFA:
100 - too many TOTP attempts will lock out of TOTP
101 - using a recovery key will unlock TOTP
102 - too many TFA attempts will lock a user's TFA auth for an hour
104 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
105 authentication if it was locked by too many wrong 2nd factor login attempts
107 * api: /access/tfa and /access/users now include the tfa lockout status
109 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
111 libpve-access-control (7.99.0) bookworm; urgency=medium
113 * initial re-build for Proxmox VE 8.x series
115 * switch to native versioning
117 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
119 libpve-access-control (7.4-3) bullseye; urgency=medium
121 * use new 2nd factor verification from pve-rs
123 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
125 libpve-access-control (7.4-2) bullseye; urgency=medium
127 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
128 wasn't accepted anymore
130 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
132 libpve-access-control (7.4-1) bullseye; urgency=medium
134 * realm sync: refactor scope/remove-vanished into a standard option
136 * ldap: Allow quoted values for DN attribute values
138 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
140 libpve-access-control (7.3-2) bullseye; urgency=medium
142 * fix #4518: dramatically improve ACL computation performance
144 * userid format: clarify that this is the full name@realm in description
146 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
148 libpve-access-control (7.3-1) bullseye; urgency=medium
150 * realm: sync: allow explicit 'none' for 'remove-vanished' option
152 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
154 libpve-access-control (7.2-5) bullseye; urgency=medium
156 * api: realm sync: avoid separate log line for "remove-vanished" opt
158 * auth ldap/ad: compare group member dn case-insensitively
160 * two factor auth: only lock tfa config for recovery keys
162 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
163 migrations and storage migrations
165 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
167 libpve-access-control (7.2-4) bullseye; urgency=medium
169 * fix #4074: increase API OpenID code size limit to 2048
171 * auth key: protect against rare chance of a double rotation in clusters,
172 leaving the potential that some set of nodes have the earlier key cached,
173 that then got rotated out due to the race, resulting in a possible other
174 set of nodes having the newer key cached. This is a split view of the auth
175 key and may resulting in spurious failures if API requests are made to a
176 different node than the ticket was generated on.
177 In addition to that, the "keep validity of old tickets if signed in the
178 last two hours before rotation" logic was disabled too in such a case,
179 making such tickets invalid too early.
180 Note that both are cases where Proxmox VE was too strict, so while this
181 had no security implications it can be a nuisance, especially for
182 environments that use the API through an automated or scripted way
184 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
186 libpve-access-control (7.2-3) bullseye; urgency=medium
188 * api: token: use userid-group as API perm check to avoid being overly
189 strict through a misguided use of user id for non-root users.
191 * perm check: forbid undefined/empty ACL path for future proofing of against
194 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
196 libpve-access-control (7.2-2) bullseye; urgency=medium
198 * permissions: merge propagation flag for multiple roles on a path that
199 share privilege in a deterministic way, to avoid that it gets lost
200 depending on perl's random sort, which would result in returing less
201 privileges than an auth-id actually had.
203 * permissions: avoid that token and user privilege intersection is to strict
204 for user permissions that have propagation disabled.
206 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
208 libpve-access-control (7.2-1) bullseye; urgency=medium
210 * user check: fix expiration/enable order
212 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
214 libpve-access-control (7.1-8) bullseye; urgency=medium
216 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
219 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
221 libpve-access-control (7.1-7) bullseye; urgency=medium
223 * userid-group check: distinguish create and update
225 * api: get user: declare token schema
227 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
229 libpve-access-control (7.1-6) bullseye; urgency=medium
231 * fix #3768: warn on bad u2f or webauthn settings
233 * tfa: when modifying others, verify the current user's password
235 * tfa list: account for admin permissions
237 * fix realm sync permissions
239 * fix token permission display bug
241 * include SDN permissions in permission tree
243 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
245 libpve-access-control (7.1-5) bullseye; urgency=medium
247 * openid: fix username-claim fallback
249 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
251 libpve-access-control (7.1-4) bullseye; urgency=medium
253 * set current origin in the webauthn config if no fixed origin was
254 configured, to support webauthn via subdomains
256 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
258 libpve-access-control (7.1-3) bullseye; urgency=medium
260 * openid: allow arbitrary username-claims
262 * openid: support configuring the prompt, scopes and ACR values
264 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
266 libpve-access-control (7.1-2) bullseye; urgency=medium
268 * catch incompatible tfa entries with a nice error
270 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
272 libpve-access-control (7.1-1) bullseye; urgency=medium
274 * tfa: map HTTP 404 error in get_tfa_entry correctly
276 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
278 libpve-access-control (7.0-7) bullseye; urgency=medium
280 * fix #3513: pass configured proxy to OpenID
282 * use rust based parser for TFA config
284 * use PBS-like auth api call flow,
286 * merge old user.cfg keys to tfa config when adding entries
288 * implement version checks for new tfa config writer to ensure all
289 cluster nodes are ready to avoid login issues
291 * tickets: add tunnel ticket
293 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
295 libpve-access-control (7.0-6) bullseye; urgency=medium
297 * fix regression in user deletion when realm does not enforce TFA
299 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
301 libpve-access-control (7.0-5) bullseye; urgency=medium
303 * acl: check path: add /sdn/vnets/* path
305 * fix #2302: allow deletion of users when realm enforces TFA
307 * api: delete user: disable user first to avoid surprise on error during the
308 various cleanup action required for user deletion (e.g., TFA, ACL, group)
310 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
312 libpve-access-control (7.0-4) bullseye; urgency=medium
314 * realm: add OpenID configuration
316 * api: implement OpenID related endpoints
318 * implement opt-in OpenID autocreate user feature
320 * api: user: add 'realm-type' to user list response
322 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
324 libpve-access-control (7.0-3) bullseye; urgency=medium
326 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
327 `/sdn/zones/<zone>` to allowed ACL paths
329 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
331 libpve-access-control (7.0-2) bullseye; urgency=medium
333 * fix #3402: add Pool.Audit privilege - custom roles containing
334 Pool.Allocate must be updated to include the new privilege.
336 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
338 libpve-access-control (7.0-1) bullseye; urgency=medium
340 * re-build for Debian 11 Bullseye based releases
342 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
344 libpve-access-control (6.4-1) pve; urgency=medium
346 * fix #1670: change PAM service name to project specific name
348 * fix #1500: permission path syntax check for access control
350 * pveum: add resource pool CLI commands
352 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
354 libpve-access-control (6.1-3) pve; urgency=medium
356 * partially fix #2825: authkey: rotate if it was generated in the
359 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
362 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
364 libpve-access-control (6.1-2) pve; urgency=medium
366 * also check SDN permission path when computing coarse permissions heuristic
369 * add SDN Permissions.Modify
371 * add VM.Config.Cloudinit
373 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
375 libpve-access-control (6.1-1) pve; urgency=medium
377 * pveum: add tfa delete subcommand for deleting user-TFA
379 * LDAP: don't complain about missing credentials on realm removal
381 * LDAP: skip anonymous bind when client certificate and key is configured
383 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
385 libpve-access-control (6.0-7) pve; urgency=medium
387 * fix #2575: die when trying to edit built-in roles
389 * add realm sub commands to pveum CLI tool
391 * api: domains: add user group sync API endpoint
393 * allow one to sync and import users and groups from LDAP/AD based realms
395 * realm: add default-sync-options to config for more convenient sync configuration
397 * api: token create: return also full token id for convenience
399 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
401 libpve-access-control (6.0-6) pve; urgency=medium
403 * API: add group members to group index
405 * implement API token support and management
407 * pveum: add 'pveum user token add/update/remove/list'
409 * pveum: add permissions sub-commands
411 * API: add 'permissions' API endpoint
413 * user.cfg: skip inexisting roles when parsing ACLs
415 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
417 libpve-access-control (6.0-5) pve; urgency=medium
419 * pveum: add list command for users, groups, ACLs and roles
421 * add initial permissions for experimental SDN integration
423 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
425 libpve-access-control (6.0-4) pve; urgency=medium
427 * ticket: use clinfo to get cluster name
429 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
432 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
434 libpve-access-control (6.0-3) pve; urgency=medium
436 * fix #2433: increase possible TFA secret length
438 * parse user configuration: correctly parse group names in ACLs, for users
439 which begin their name with an @
441 * sort user.cfg entries alphabetically
443 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
445 libpve-access-control (6.0-2) pve; urgency=medium
447 * improve CSRF verification compatibility with newer PVE
449 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
451 libpve-access-control (6.0-1) pve; urgency=medium
453 * ticket: properly verify exactly 5 minute old tickets
455 * use hmac_sha256 instead of sha1 for CSRF token generation
457 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
459 libpve-access-control (6.0-0+1) pve; urgency=medium
461 * bump for Debian buster
463 * fix #2079: add periodic auth key rotation
465 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
467 libpve-access-control (5.1-10) unstable; urgency=medium
469 * add /access/user/{id}/tfa api call to get tfa types
471 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
473 libpve-access-control (5.1-9) unstable; urgency=medium
475 * store the tfa type in user.cfg allowing to get it without proxying the call
476 to a higher privileged daemon.
478 * tfa: realm required TFA should lock out users without TFA configured, as it
479 was done before Proxmox VE 5.4
481 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
483 libpve-access-control (5.1-8) unstable; urgency=medium
485 * U2F: ensure we save correct public key on registration
487 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
489 libpve-access-control (5.1-7) unstable; urgency=medium
491 * verify_ticket: allow general non-challenge tfa to be run as two step
494 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
496 libpve-access-control (5.1-6) unstable; urgency=medium
498 * more general 2FA configuration via priv/tfa.cfg
500 * add u2f api endpoints
502 * delete TFA entries when deleting a user
504 * allow users to change their TOTP settings
506 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
508 libpve-access-control (5.1-5) unstable; urgency=medium
510 * fix vnc ticket verification without authkey lifetime
512 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
514 libpve-access-control (5.1-4) unstable; urgency=medium
516 * fix #1891: Add zsh command completion for pveum
518 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
519 to avoid issues on upgrade, will be enabled with 6.0
521 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
523 libpve-access-control (5.1-3) unstable; urgency=medium
525 * api/ticket: move getting cluster name into an eval
527 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
529 libpve-access-control (5.1-2) unstable; urgency=medium
531 * fix #1998: correct return properties for read_role
533 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
535 libpve-access-control (5.1-1) unstable; urgency=medium
537 * pveum: introduce sub-commands
539 * register userid with completion
541 * fix #233: return cluster name on successful login
543 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
545 libpve-access-control (5.0-8) unstable; urgency=medium
547 * fix #1612: ldap: make 2nd server work with bind domains again
549 * fix an error message where passing a bad pool id to an API function would
550 make it complain about a wrong group name instead
552 * fix the API-returned permission list so that the GUI knows to show the
553 'Permissions' tab for a storage to an administrator apart from root@pam
555 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
557 libpve-access-control (5.0-7) unstable; urgency=medium
559 * VM.Snapshot.Rollback privilege added
561 * api: check for special roles before locking the usercfg
563 * fix #1501: pveum: die when deleting special role
565 * API/ticket: rework coarse grained permission computation
567 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
569 libpve-access-control (5.0-6) unstable; urgency=medium
571 * Close #1470: Add server ceritifcate verification for AD and LDAP via the
572 'verify' option. For compatibility reasons this defaults to off for now,
573 but that might change with future updates.
575 * AD, LDAP: Add ability to specify a CA path or file, and a client
576 certificate via the 'capath', 'cert' and 'certkey' options.
578 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
580 libpve-access-control (5.0-5) unstable; urgency=medium
582 * change from dpkg-deb to dpkg-buildpackage
584 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
586 libpve-access-control (5.0-4) unstable; urgency=medium
588 * PVE/CLI/pveum.pm: call setup_default_cli_env()
590 * PVE/Auth/PVE.pm: encode uft8 password before calling crypt
592 * check_api2_permissions: avoid warning about uninitialized value
594 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
596 libpve-access-control (5.0-3) unstable; urgency=medium
598 * use new PVE::OTP class from pve-common
600 * use new PVE::Tools::encrypt_pw from pve-common
602 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
604 libpve-access-control (5.0-2) unstable; urgency=medium
606 * encrypt_pw: avoid '+' for crypt salt
608 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
610 libpve-access-control (5.0-1) unstable; urgency=medium
612 * rebuild for PVE 5.0
614 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
616 libpve-access-control (4.0-23) unstable; urgency=medium
618 * use new PVE::Ticket class
620 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
622 libpve-access-control (4.0-22) unstable; urgency=medium
624 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
625 (moved to PVE::Storage)
627 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
629 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
631 libpve-access-control (4.0-21) unstable; urgency=medium
633 * setup_default_cli_env: expect $class as first parameter
635 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
637 libpve-access-control (4.0-20) unstable; urgency=medium
639 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
641 * PVE/API2/Domains.pm: fix property description
643 * use new repoman for upload target
645 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
647 libpve-access-control (4.0-19) unstable; urgency=medium
649 * Close #833: ldap: non-anonymous bind support
651 * don't import 'RFC' from MIME::Base32
653 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
655 libpve-access-control (4.0-18) unstable; urgency=medium
657 * fix #1062: recognize base32 otp keys again
659 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
661 libpve-access-control (4.0-17) unstable; urgency=medium
663 * drop oathtool and libdigest-hmac-perl dependencies
665 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
667 libpve-access-control (4.0-16) unstable; urgency=medium
669 * use pve-doc-generator to generate man pages
671 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
673 libpve-access-control (4.0-15) unstable; urgency=medium
675 * Fix uninitialized warning when shadow.cfg does not exist
677 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
679 libpve-access-control (4.0-14) unstable; urgency=medium
681 * Add is_worker to RPCEnvironment
683 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
685 libpve-access-control (4.0-13) unstable; urgency=medium
687 * fix #916: allow HTTPS to access custom yubico url
689 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
691 libpve-access-control (4.0-12) unstable; urgency=medium
693 * Catch certificate errors instead of segfaulting
695 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
697 libpve-access-control (4.0-11) unstable; urgency=medium
699 * Fix #861: use safer sprintf formatting
701 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
703 libpve-access-control (4.0-10) unstable; urgency=medium
705 * Auth::LDAP, Auth::AD: ipv6 support
707 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
709 libpve-access-control (4.0-9) unstable; urgency=medium
711 * pveum: implement bash completion
713 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
715 libpve-access-control (4.0-8) unstable; urgency=medium
717 * remove_storage_access: cleanup of access permissions for removed storage
719 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
721 libpve-access-control (4.0-7) unstable; urgency=medium
723 * new helper to remove access permissions for removed VMs
725 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
727 libpve-access-control (4.0-6) unstable; urgency=medium
729 * improve parse_user_config, parse_shadow_config
731 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
733 libpve-access-control (4.0-5) unstable; urgency=medium
735 * pveum: check for $cmd being defined
737 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
739 libpve-access-control (4.0-4) unstable; urgency=medium
741 * use activate-noawait triggers
743 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
745 libpve-access-control (4.0-3) unstable; urgency=medium
751 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
753 libpve-access-control (4.0-2) unstable; urgency=medium
755 * trigger pve-api-updates event
757 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
759 libpve-access-control (4.0-1) unstable; urgency=medium
761 * bump version for Debian Jessie
763 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
765 libpve-access-control (3.0-16) unstable; urgency=low
767 * root@pam can now be disabled in GUI.
769 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
771 libpve-access-control (3.0-15) unstable; urgency=low
773 * oath: add 'step' and 'digits' option
775 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
777 libpve-access-control (3.0-14) unstable; urgency=low
779 * add oath two factor auth
781 * add oathkeygen binary to generate keys for oath
783 * add yubico two factor auth
787 * depend on libmime-base32-perl
789 * allow to write builtin auth domains config (comment/tfa/default)
791 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
793 libpve-access-control (3.0-13) unstable; urgency=low
795 * use correct connection string for AD auth
797 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
799 libpve-access-control (3.0-12) unstable; urgency=low
801 * add dummy API for GET /access/ticket (useful to generate login pages)
803 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
805 libpve-access-control (3.0-11) unstable; urgency=low
807 * Sets common hot keys for spice client
809 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
811 libpve-access-control (3.0-10) unstable; urgency=low
813 * implement helper to generate SPICE remote-viewer configuration
815 * depend on libnet-ssleay-perl
817 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
819 libpve-access-control (3.0-9) unstable; urgency=low
821 * prevent user enumeration attacks
823 * allow dots in access paths
825 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
827 libpve-access-control (3.0-8) unstable; urgency=low
829 * spice: use lowercase hostname in ticktet signature
831 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
833 libpve-access-control (3.0-7) unstable; urgency=low
835 * check_volume_access : use parse_volname instead of path, and remove
838 * use warnings instead of global -w flag.
840 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
842 libpve-access-control (3.0-6) unstable; urgency=low
844 * use shorter spiceproxy tickets
846 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
848 libpve-access-control (3.0-5) unstable; urgency=low
850 * add code to generate tickets for SPICE
852 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
854 libpve-access-control (3.0-4) unstable; urgency=low
856 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
858 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
860 libpve-access-control (3.0-3) unstable; urgency=low
862 * Add new role PVETemplateUser (and VM.Clone privilege)
864 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
866 libpve-access-control (3.0-2) unstable; urgency=low
868 * remove CGI.pm related code (pveproxy does not need that)
870 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
872 libpve-access-control (3.0-1) unstable; urgency=low
874 * bump version for wheezy release
876 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
878 libpve-access-control (1.0-26) unstable; urgency=low
880 * check_volume_access: fix access permissions for backup files
882 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
884 libpve-access-control (1.0-25) unstable; urgency=low
886 * add VM.Snapshot permission
888 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
890 libpve-access-control (1.0-24) unstable; urgency=low
892 * untaint path (allow root to restore arbitrary paths)
894 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
896 libpve-access-control (1.0-23) unstable; urgency=low
898 * correctly compute GUI capabilities (consider pools)
900 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
902 libpve-access-control (1.0-22) unstable; urgency=low
904 * new plugin architecture for Auth modules, minor API change for Auth
905 domains (new 'delete' parameter)
907 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
909 libpve-access-control (1.0-21) unstable; urgency=low
911 * do not allow user names including slash
913 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
915 libpve-access-control (1.0-20) unstable; urgency=low
917 * add ability to fork cli workers in background
919 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
921 libpve-access-control (1.0-19) unstable; urgency=low
923 * return set of privileges on login - can be used to adopt GUI
925 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
927 libpve-access-control (1.0-18) unstable; urgency=low
929 * fix bug #151: correctly parse username inside ticket
931 * fix bug #152: allow user to change his own password
933 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
935 libpve-access-control (1.0-17) unstable; urgency=low
937 * set propagate flag by default
939 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
941 libpve-access-control (1.0-16) unstable; urgency=low
943 * add 'pveum passwd' method
945 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
947 libpve-access-control (1.0-15) unstable; urgency=low
949 * Add VM.Config.CDROM privilege to PVEVMUser rule
951 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
953 libpve-access-control (1.0-14) unstable; urgency=low
955 * fix buf in userid-param permission check
957 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
959 libpve-access-control (1.0-13) unstable; urgency=low
961 * allow more characters in ldap base_dn attribute
963 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
965 libpve-access-control (1.0-12) unstable; urgency=low
967 * allow more characters with realm IDs
969 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
971 libpve-access-control (1.0-11) unstable; urgency=low
973 * fix bug in exec_api2_perm_check
975 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
977 libpve-access-control (1.0-10) unstable; urgency=low
979 * fix ACL group name parser
981 * changed 'pveum aclmod' command line arguments
983 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
985 libpve-access-control (1.0-9) unstable; urgency=low
987 * fix bug in check_volume_access (fixes vzrestore)
989 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
991 libpve-access-control (1.0-8) unstable; urgency=low
993 * fix return value for empty ACL list.
995 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
997 libpve-access-control (1.0-7) unstable; urgency=low
999 * fix bug #85: allow root@pam to generate tickets for other users
1001 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
1003 libpve-access-control (1.0-6) unstable; urgency=low
1005 * API change: allow to filter enabled/disabled users.
1007 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
1009 libpve-access-control (1.0-5) unstable; urgency=low
1011 * add a way to return file changes (diffs): set_result_changes()
1013 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
1015 libpve-access-control (1.0-4) unstable; urgency=low
1017 * new environment type for ha agents
1019 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
1021 libpve-access-control (1.0-3) unstable; urgency=low
1023 * add support for delayed parameter parsing - We need that to disable
1024 file upload for normal API request (avoid DOS attacks)
1026 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1028 libpve-access-control (1.0-2) unstable; urgency=low
1030 * fix bug in fork_worker
1032 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1034 libpve-access-control (1.0-1) unstable; urgency=low
1036 * allow '-' in permission paths
1038 * bump version to 1.0
1040 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1042 libpve-access-control (0.1) unstable; urgency=low
1044 * first dummy package - no functionality
1046 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200