1 libpve-access-control (8.1.1) bookworm; urgency=medium
3 * LDAP sync: fix-up assembling valid attribute set
5 -- Proxmox Support Team <support@proxmox.com> Thu, 08 Feb 2024 19:03:26 +0100
7 libpve-access-control (8.1.0) bookworm; urgency=medium
9 * api: user: limit the legacy user-keys option to the depreacated values
10 that could be set in the first limited TFA system, like e.g., 'x!yubico'
11 or base32 encoded secrets.
13 * oidc: enforce generic URI regex for the ACR value to align with OIDC
14 specifications and with Proxmox Backup Server, which was recently changed
15 to actually be less strict.
17 * LDAP sync: improve validation of synced attributes, closely limit the
18 mapped attributes names and their values to avoid glitches through odd
21 * api: user: limit maximum length for first & last name to 1024 characters,
22 email to 254 characters (the maximum actually useable in practice) and
23 comment properties to 2048 characters. This avoid that a few single users
24 bloat the user.cfg to much by mistake, reducing the total amount of users
25 and ACLs that can be set up. Note that only users with User.Modify and
26 realm syncs (setup by admins) can change these in the first place, so this
27 is mostly to avoid mishaps and just to be sure.
29 -- Proxmox Support Team <support@proxmox.com> Thu, 08 Feb 2024 17:50:59 +0100
31 libpve-access-control (8.0.7) bookworm; urgency=medium
33 * fix #1148: allow up to three levels of pool nesting
35 * pools: record parent/subpool information
37 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Nov 2023 12:24:13 +0100
39 libpve-access-control (8.0.6) bookworm; urgency=medium
41 * perms: fix wrong /pools entry in default set of ACL paths
43 * acl: add missing SDN ACL paths to allowed list
45 -- Proxmox Support Team <support@proxmox.com> Fri, 17 Nov 2023 08:27:11 +0100
47 libpve-access-control (8.0.5) bookworm; urgency=medium
49 * fix an issue where setting ldap passwords would refuse to work unless
50 at least one additional property was changed as well
52 * add 'check-connection' parameter to create and update endpoints for ldap
55 -- Proxmox Support Team <support@proxmox.com> Fri, 11 Aug 2023 13:35:23 +0200
57 libpve-access-control (8.0.4) bookworm; urgency=medium
59 * Lookup of second factors is no longer tied to the 'keys' field in the
60 user.cfg. This fixes an issue where certain LDAP/AD sync job settings
61 could disable user-configured 2nd factors.
63 * Existing-but-disabled TFA factors can no longer circumvent realm-mandated
66 -- Proxmox Support Team <support@proxmox.com> Thu, 20 Jul 2023 10:59:21 +0200
68 libpve-access-control (8.0.3) bookworm; urgency=medium
70 * pveum: list tfa: recovery keys have no descriptions
72 * pveum: list tfa: sort by user ID
74 * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
75 is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
76 VE 7.4 before upgrading to Proxmox VE 8 in addition to that.
78 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200
80 libpve-access-control (8.0.2) bookworm; urgency=medium
82 * api: users: sort groups to avoid "flapping" text
84 * api: tfa: don't block tokens from viewing and list TFA entries, both are
85 safe to do for anybody with enough permissions to view a user.
87 * api: tfa: add missing links for child-routes
89 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200
91 libpve-access-control (8.0.1) bookworm; urgency=medium
93 * tfa: cope with native versions in cluster version check
95 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
97 libpve-access-control (8.0.0) bookworm; urgency=medium
99 * api: roles: forbid creating new roles starting with "PVE" namespace
101 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
103 libpve-access-control (8.0.0~3) bookworm; urgency=medium
105 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
107 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
109 * add helper for checking bridge access
111 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
112 which user are allowed to use a bridge (or vnet, if SDN is installed)
114 * add privileges and paths for cluster resource mapping
116 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
118 libpve-access-control (8.0.0~2) bookworm; urgency=medium
120 * api: user index: only include existing tfa lock flags
122 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
124 * roles: only include Permissions.Modify in Administrator built-in role.
125 As, depending on the ACL object path, this privilege might allow one to
126 change their own permissions, which was making the distinction between
127 Admin and PVEAdmin irrelevant.
129 * acls: restrict less-privileged ACL modifications. Through allocate
130 permissions in pools, storages and virtual guests one can do some ACL
131 modifications without having the Permissions.Modify privilege, lock those
132 better down to ensure that one can only hand out only the subset of their
133 own privileges, never more. Note that this is mostly future proofing, as
134 the ACL object paths one could give out more permissions where already
137 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
139 libpve-access-control (8.0.0~1) bookworm; urgency=medium
141 * bump pve-rs dependency to 0.8.3
143 * drop old verify_tfa api call (POST /access/tfa)
145 * drop support for old login API:
146 - 'new-format' is now considured to be 1 and ignored by the API
148 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
151 * cli: add 'pveum tfa list'
153 * cli: add 'pveum tfa unlock'
155 * enable lockout of TFA:
156 - too many TOTP attempts will lock out of TOTP
157 - using a recovery key will unlock TOTP
158 - too many TFA attempts will lock a user's TFA auth for an hour
160 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
161 authentication if it was locked by too many wrong 2nd factor login attempts
163 * api: /access/tfa and /access/users now include the tfa lockout status
165 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
167 libpve-access-control (7.99.0) bookworm; urgency=medium
169 * initial re-build for Proxmox VE 8.x series
171 * switch to native versioning
173 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
175 libpve-access-control (7.4-3) bullseye; urgency=medium
177 * use new 2nd factor verification from pve-rs
179 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
181 libpve-access-control (7.4-2) bullseye; urgency=medium
183 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
184 wasn't accepted anymore
186 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
188 libpve-access-control (7.4-1) bullseye; urgency=medium
190 * realm sync: refactor scope/remove-vanished into a standard option
192 * ldap: Allow quoted values for DN attribute values
194 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
196 libpve-access-control (7.3-2) bullseye; urgency=medium
198 * fix #4518: dramatically improve ACL computation performance
200 * userid format: clarify that this is the full name@realm in description
202 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
204 libpve-access-control (7.3-1) bullseye; urgency=medium
206 * realm: sync: allow explicit 'none' for 'remove-vanished' option
208 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
210 libpve-access-control (7.2-5) bullseye; urgency=medium
212 * api: realm sync: avoid separate log line for "remove-vanished" opt
214 * auth ldap/ad: compare group member dn case-insensitively
216 * two factor auth: only lock tfa config for recovery keys
218 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
219 migrations and storage migrations
221 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
223 libpve-access-control (7.2-4) bullseye; urgency=medium
225 * fix #4074: increase API OpenID code size limit to 2048
227 * auth key: protect against rare chance of a double rotation in clusters,
228 leaving the potential that some set of nodes have the earlier key cached,
229 that then got rotated out due to the race, resulting in a possible other
230 set of nodes having the newer key cached. This is a split view of the auth
231 key and may resulting in spurious failures if API requests are made to a
232 different node than the ticket was generated on.
233 In addition to that, the "keep validity of old tickets if signed in the
234 last two hours before rotation" logic was disabled too in such a case,
235 making such tickets invalid too early.
236 Note that both are cases where Proxmox VE was too strict, so while this
237 had no security implications it can be a nuisance, especially for
238 environments that use the API through an automated or scripted way
240 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
242 libpve-access-control (7.2-3) bullseye; urgency=medium
244 * api: token: use userid-group as API perm check to avoid being overly
245 strict through a misguided use of user id for non-root users.
247 * perm check: forbid undefined/empty ACL path for future proofing of against
250 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
252 libpve-access-control (7.2-2) bullseye; urgency=medium
254 * permissions: merge propagation flag for multiple roles on a path that
255 share privilege in a deterministic way, to avoid that it gets lost
256 depending on perl's random sort, which would result in returing less
257 privileges than an auth-id actually had.
259 * permissions: avoid that token and user privilege intersection is to strict
260 for user permissions that have propagation disabled.
262 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
264 libpve-access-control (7.2-1) bullseye; urgency=medium
266 * user check: fix expiration/enable order
268 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
270 libpve-access-control (7.1-8) bullseye; urgency=medium
272 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
275 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
277 libpve-access-control (7.1-7) bullseye; urgency=medium
279 * userid-group check: distinguish create and update
281 * api: get user: declare token schema
283 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
285 libpve-access-control (7.1-6) bullseye; urgency=medium
287 * fix #3768: warn on bad u2f or webauthn settings
289 * tfa: when modifying others, verify the current user's password
291 * tfa list: account for admin permissions
293 * fix realm sync permissions
295 * fix token permission display bug
297 * include SDN permissions in permission tree
299 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
301 libpve-access-control (7.1-5) bullseye; urgency=medium
303 * openid: fix username-claim fallback
305 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
307 libpve-access-control (7.1-4) bullseye; urgency=medium
309 * set current origin in the webauthn config if no fixed origin was
310 configured, to support webauthn via subdomains
312 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
314 libpve-access-control (7.1-3) bullseye; urgency=medium
316 * openid: allow arbitrary username-claims
318 * openid: support configuring the prompt, scopes and ACR values
320 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
322 libpve-access-control (7.1-2) bullseye; urgency=medium
324 * catch incompatible tfa entries with a nice error
326 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
328 libpve-access-control (7.1-1) bullseye; urgency=medium
330 * tfa: map HTTP 404 error in get_tfa_entry correctly
332 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
334 libpve-access-control (7.0-7) bullseye; urgency=medium
336 * fix #3513: pass configured proxy to OpenID
338 * use rust based parser for TFA config
340 * use PBS-like auth api call flow,
342 * merge old user.cfg keys to tfa config when adding entries
344 * implement version checks for new tfa config writer to ensure all
345 cluster nodes are ready to avoid login issues
347 * tickets: add tunnel ticket
349 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
351 libpve-access-control (7.0-6) bullseye; urgency=medium
353 * fix regression in user deletion when realm does not enforce TFA
355 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
357 libpve-access-control (7.0-5) bullseye; urgency=medium
359 * acl: check path: add /sdn/vnets/* path
361 * fix #2302: allow deletion of users when realm enforces TFA
363 * api: delete user: disable user first to avoid surprise on error during the
364 various cleanup action required for user deletion (e.g., TFA, ACL, group)
366 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
368 libpve-access-control (7.0-4) bullseye; urgency=medium
370 * realm: add OpenID configuration
372 * api: implement OpenID related endpoints
374 * implement opt-in OpenID autocreate user feature
376 * api: user: add 'realm-type' to user list response
378 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
380 libpve-access-control (7.0-3) bullseye; urgency=medium
382 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
383 `/sdn/zones/<zone>` to allowed ACL paths
385 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
387 libpve-access-control (7.0-2) bullseye; urgency=medium
389 * fix #3402: add Pool.Audit privilege - custom roles containing
390 Pool.Allocate must be updated to include the new privilege.
392 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
394 libpve-access-control (7.0-1) bullseye; urgency=medium
396 * re-build for Debian 11 Bullseye based releases
398 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
400 libpve-access-control (6.4-1) pve; urgency=medium
402 * fix #1670: change PAM service name to project specific name
404 * fix #1500: permission path syntax check for access control
406 * pveum: add resource pool CLI commands
408 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
410 libpve-access-control (6.1-3) pve; urgency=medium
412 * partially fix #2825: authkey: rotate if it was generated in the
415 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
418 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
420 libpve-access-control (6.1-2) pve; urgency=medium
422 * also check SDN permission path when computing coarse permissions heuristic
425 * add SDN Permissions.Modify
427 * add VM.Config.Cloudinit
429 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
431 libpve-access-control (6.1-1) pve; urgency=medium
433 * pveum: add tfa delete subcommand for deleting user-TFA
435 * LDAP: don't complain about missing credentials on realm removal
437 * LDAP: skip anonymous bind when client certificate and key is configured
439 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
441 libpve-access-control (6.0-7) pve; urgency=medium
443 * fix #2575: die when trying to edit built-in roles
445 * add realm sub commands to pveum CLI tool
447 * api: domains: add user group sync API endpoint
449 * allow one to sync and import users and groups from LDAP/AD based realms
451 * realm: add default-sync-options to config for more convenient sync configuration
453 * api: token create: return also full token id for convenience
455 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
457 libpve-access-control (6.0-6) pve; urgency=medium
459 * API: add group members to group index
461 * implement API token support and management
463 * pveum: add 'pveum user token add/update/remove/list'
465 * pveum: add permissions sub-commands
467 * API: add 'permissions' API endpoint
469 * user.cfg: skip inexisting roles when parsing ACLs
471 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
473 libpve-access-control (6.0-5) pve; urgency=medium
475 * pveum: add list command for users, groups, ACLs and roles
477 * add initial permissions for experimental SDN integration
479 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
481 libpve-access-control (6.0-4) pve; urgency=medium
483 * ticket: use clinfo to get cluster name
485 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
488 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
490 libpve-access-control (6.0-3) pve; urgency=medium
492 * fix #2433: increase possible TFA secret length
494 * parse user configuration: correctly parse group names in ACLs, for users
495 which begin their name with an @
497 * sort user.cfg entries alphabetically
499 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
501 libpve-access-control (6.0-2) pve; urgency=medium
503 * improve CSRF verification compatibility with newer PVE
505 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
507 libpve-access-control (6.0-1) pve; urgency=medium
509 * ticket: properly verify exactly 5 minute old tickets
511 * use hmac_sha256 instead of sha1 for CSRF token generation
513 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
515 libpve-access-control (6.0-0+1) pve; urgency=medium
517 * bump for Debian buster
519 * fix #2079: add periodic auth key rotation
521 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
523 libpve-access-control (5.1-10) unstable; urgency=medium
525 * add /access/user/{id}/tfa api call to get tfa types
527 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
529 libpve-access-control (5.1-9) unstable; urgency=medium
531 * store the tfa type in user.cfg allowing to get it without proxying the call
532 to a higher privileged daemon.
534 * tfa: realm required TFA should lock out users without TFA configured, as it
535 was done before Proxmox VE 5.4
537 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
539 libpve-access-control (5.1-8) unstable; urgency=medium
541 * U2F: ensure we save correct public key on registration
543 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
545 libpve-access-control (5.1-7) unstable; urgency=medium
547 * verify_ticket: allow general non-challenge tfa to be run as two step
550 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
552 libpve-access-control (5.1-6) unstable; urgency=medium
554 * more general 2FA configuration via priv/tfa.cfg
556 * add u2f api endpoints
558 * delete TFA entries when deleting a user
560 * allow users to change their TOTP settings
562 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
564 libpve-access-control (5.1-5) unstable; urgency=medium
566 * fix vnc ticket verification without authkey lifetime
568 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
570 libpve-access-control (5.1-4) unstable; urgency=medium
572 * fix #1891: Add zsh command completion for pveum
574 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
575 to avoid issues on upgrade, will be enabled with 6.0
577 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
579 libpve-access-control (5.1-3) unstable; urgency=medium
581 * api/ticket: move getting cluster name into an eval
583 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
585 libpve-access-control (5.1-2) unstable; urgency=medium
587 * fix #1998: correct return properties for read_role
589 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
591 libpve-access-control (5.1-1) unstable; urgency=medium
593 * pveum: introduce sub-commands
595 * register userid with completion
597 * fix #233: return cluster name on successful login
599 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
601 libpve-access-control (5.0-8) unstable; urgency=medium
603 * fix #1612: ldap: make 2nd server work with bind domains again
605 * fix an error message where passing a bad pool id to an API function would
606 make it complain about a wrong group name instead
608 * fix the API-returned permission list so that the GUI knows to show the
609 'Permissions' tab for a storage to an administrator apart from root@pam
611 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
613 libpve-access-control (5.0-7) unstable; urgency=medium
615 * VM.Snapshot.Rollback privilege added
617 * api: check for special roles before locking the usercfg
619 * fix #1501: pveum: die when deleting special role
621 * API/ticket: rework coarse grained permission computation
623 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
625 libpve-access-control (5.0-6) unstable; urgency=medium
627 * Close #1470: Add server ceritifcate verification for AD and LDAP via the
628 'verify' option. For compatibility reasons this defaults to off for now,
629 but that might change with future updates.
631 * AD, LDAP: Add ability to specify a CA path or file, and a client
632 certificate via the 'capath', 'cert' and 'certkey' options.
634 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
636 libpve-access-control (5.0-5) unstable; urgency=medium
638 * change from dpkg-deb to dpkg-buildpackage
640 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
642 libpve-access-control (5.0-4) unstable; urgency=medium
644 * PVE/CLI/pveum.pm: call setup_default_cli_env()
646 * PVE/Auth/PVE.pm: encode uft8 password before calling crypt
648 * check_api2_permissions: avoid warning about uninitialized value
650 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
652 libpve-access-control (5.0-3) unstable; urgency=medium
654 * use new PVE::OTP class from pve-common
656 * use new PVE::Tools::encrypt_pw from pve-common
658 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
660 libpve-access-control (5.0-2) unstable; urgency=medium
662 * encrypt_pw: avoid '+' for crypt salt
664 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
666 libpve-access-control (5.0-1) unstable; urgency=medium
668 * rebuild for PVE 5.0
670 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
672 libpve-access-control (4.0-23) unstable; urgency=medium
674 * use new PVE::Ticket class
676 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
678 libpve-access-control (4.0-22) unstable; urgency=medium
680 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
681 (moved to PVE::Storage)
683 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
685 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
687 libpve-access-control (4.0-21) unstable; urgency=medium
689 * setup_default_cli_env: expect $class as first parameter
691 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
693 libpve-access-control (4.0-20) unstable; urgency=medium
695 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
697 * PVE/API2/Domains.pm: fix property description
699 * use new repoman for upload target
701 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
703 libpve-access-control (4.0-19) unstable; urgency=medium
705 * Close #833: ldap: non-anonymous bind support
707 * don't import 'RFC' from MIME::Base32
709 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
711 libpve-access-control (4.0-18) unstable; urgency=medium
713 * fix #1062: recognize base32 otp keys again
715 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
717 libpve-access-control (4.0-17) unstable; urgency=medium
719 * drop oathtool and libdigest-hmac-perl dependencies
721 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
723 libpve-access-control (4.0-16) unstable; urgency=medium
725 * use pve-doc-generator to generate man pages
727 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
729 libpve-access-control (4.0-15) unstable; urgency=medium
731 * Fix uninitialized warning when shadow.cfg does not exist
733 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
735 libpve-access-control (4.0-14) unstable; urgency=medium
737 * Add is_worker to RPCEnvironment
739 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
741 libpve-access-control (4.0-13) unstable; urgency=medium
743 * fix #916: allow HTTPS to access custom yubico url
745 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
747 libpve-access-control (4.0-12) unstable; urgency=medium
749 * Catch certificate errors instead of segfaulting
751 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
753 libpve-access-control (4.0-11) unstable; urgency=medium
755 * Fix #861: use safer sprintf formatting
757 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
759 libpve-access-control (4.0-10) unstable; urgency=medium
761 * Auth::LDAP, Auth::AD: ipv6 support
763 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
765 libpve-access-control (4.0-9) unstable; urgency=medium
767 * pveum: implement bash completion
769 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
771 libpve-access-control (4.0-8) unstable; urgency=medium
773 * remove_storage_access: cleanup of access permissions for removed storage
775 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
777 libpve-access-control (4.0-7) unstable; urgency=medium
779 * new helper to remove access permissions for removed VMs
781 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
783 libpve-access-control (4.0-6) unstable; urgency=medium
785 * improve parse_user_config, parse_shadow_config
787 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
789 libpve-access-control (4.0-5) unstable; urgency=medium
791 * pveum: check for $cmd being defined
793 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
795 libpve-access-control (4.0-4) unstable; urgency=medium
797 * use activate-noawait triggers
799 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
801 libpve-access-control (4.0-3) unstable; urgency=medium
807 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
809 libpve-access-control (4.0-2) unstable; urgency=medium
811 * trigger pve-api-updates event
813 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
815 libpve-access-control (4.0-1) unstable; urgency=medium
817 * bump version for Debian Jessie
819 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
821 libpve-access-control (3.0-16) unstable; urgency=low
823 * root@pam can now be disabled in GUI.
825 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
827 libpve-access-control (3.0-15) unstable; urgency=low
829 * oath: add 'step' and 'digits' option
831 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
833 libpve-access-control (3.0-14) unstable; urgency=low
835 * add oath two factor auth
837 * add oathkeygen binary to generate keys for oath
839 * add yubico two factor auth
843 * depend on libmime-base32-perl
845 * allow to write builtin auth domains config (comment/tfa/default)
847 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
849 libpve-access-control (3.0-13) unstable; urgency=low
851 * use correct connection string for AD auth
853 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
855 libpve-access-control (3.0-12) unstable; urgency=low
857 * add dummy API for GET /access/ticket (useful to generate login pages)
859 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
861 libpve-access-control (3.0-11) unstable; urgency=low
863 * Sets common hot keys for spice client
865 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
867 libpve-access-control (3.0-10) unstable; urgency=low
869 * implement helper to generate SPICE remote-viewer configuration
871 * depend on libnet-ssleay-perl
873 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
875 libpve-access-control (3.0-9) unstable; urgency=low
877 * prevent user enumeration attacks
879 * allow dots in access paths
881 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
883 libpve-access-control (3.0-8) unstable; urgency=low
885 * spice: use lowercase hostname in ticktet signature
887 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
889 libpve-access-control (3.0-7) unstable; urgency=low
891 * check_volume_access : use parse_volname instead of path, and remove
894 * use warnings instead of global -w flag.
896 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
898 libpve-access-control (3.0-6) unstable; urgency=low
900 * use shorter spiceproxy tickets
902 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
904 libpve-access-control (3.0-5) unstable; urgency=low
906 * add code to generate tickets for SPICE
908 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
910 libpve-access-control (3.0-4) unstable; urgency=low
912 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
914 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
916 libpve-access-control (3.0-3) unstable; urgency=low
918 * Add new role PVETemplateUser (and VM.Clone privilege)
920 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
922 libpve-access-control (3.0-2) unstable; urgency=low
924 * remove CGI.pm related code (pveproxy does not need that)
926 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
928 libpve-access-control (3.0-1) unstable; urgency=low
930 * bump version for wheezy release
932 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
934 libpve-access-control (1.0-26) unstable; urgency=low
936 * check_volume_access: fix access permissions for backup files
938 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
940 libpve-access-control (1.0-25) unstable; urgency=low
942 * add VM.Snapshot permission
944 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
946 libpve-access-control (1.0-24) unstable; urgency=low
948 * untaint path (allow root to restore arbitrary paths)
950 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
952 libpve-access-control (1.0-23) unstable; urgency=low
954 * correctly compute GUI capabilities (consider pools)
956 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
958 libpve-access-control (1.0-22) unstable; urgency=low
960 * new plugin architecture for Auth modules, minor API change for Auth
961 domains (new 'delete' parameter)
963 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
965 libpve-access-control (1.0-21) unstable; urgency=low
967 * do not allow user names including slash
969 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
971 libpve-access-control (1.0-20) unstable; urgency=low
973 * add ability to fork cli workers in background
975 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
977 libpve-access-control (1.0-19) unstable; urgency=low
979 * return set of privileges on login - can be used to adopt GUI
981 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
983 libpve-access-control (1.0-18) unstable; urgency=low
985 * fix bug #151: correctly parse username inside ticket
987 * fix bug #152: allow user to change his own password
989 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
991 libpve-access-control (1.0-17) unstable; urgency=low
993 * set propagate flag by default
995 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
997 libpve-access-control (1.0-16) unstable; urgency=low
999 * add 'pveum passwd' method
1001 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
1003 libpve-access-control (1.0-15) unstable; urgency=low
1005 * Add VM.Config.CDROM privilege to PVEVMUser rule
1007 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
1009 libpve-access-control (1.0-14) unstable; urgency=low
1011 * fix buf in userid-param permission check
1013 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
1015 libpve-access-control (1.0-13) unstable; urgency=low
1017 * allow more characters in ldap base_dn attribute
1019 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
1021 libpve-access-control (1.0-12) unstable; urgency=low
1023 * allow more characters with realm IDs
1025 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
1027 libpve-access-control (1.0-11) unstable; urgency=low
1029 * fix bug in exec_api2_perm_check
1031 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
1033 libpve-access-control (1.0-10) unstable; urgency=low
1035 * fix ACL group name parser
1037 * changed 'pveum aclmod' command line arguments
1039 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
1041 libpve-access-control (1.0-9) unstable; urgency=low
1043 * fix bug in check_volume_access (fixes vzrestore)
1045 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
1047 libpve-access-control (1.0-8) unstable; urgency=low
1049 * fix return value for empty ACL list.
1051 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
1053 libpve-access-control (1.0-7) unstable; urgency=low
1055 * fix bug #85: allow root@pam to generate tickets for other users
1057 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
1059 libpve-access-control (1.0-6) unstable; urgency=low
1061 * API change: allow to filter enabled/disabled users.
1063 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
1065 libpve-access-control (1.0-5) unstable; urgency=low
1067 * add a way to return file changes (diffs): set_result_changes()
1069 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
1071 libpve-access-control (1.0-4) unstable; urgency=low
1073 * new environment type for ha agents
1075 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
1077 libpve-access-control (1.0-3) unstable; urgency=low
1079 * add support for delayed parameter parsing - We need that to disable
1080 file upload for normal API request (avoid DOS attacks)
1082 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1084 libpve-access-control (1.0-2) unstable; urgency=low
1086 * fix bug in fork_worker
1088 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1090 libpve-access-control (1.0-1) unstable; urgency=low
1092 * allow '-' in permission paths
1094 * bump version to 1.0
1096 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1098 libpve-access-control (0.1) unstable; urgency=low
1100 * first dummy package - no functionality
1102 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200