1 libpve-access-control (8.0.2) bookworm; urgency=medium
3 * api: users: sort groups to avoid "flapping" text
5 * api: tfa: don't block tokens from viewing and list TFA entries, both are
6 safe to do for anybody with enough permissions to view a user.
8 * api: tfa: add missing links for child-routes
10 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200
12 libpve-access-control (8.0.1) bookworm; urgency=medium
14 * tfa: cope with native versions in cluster version check
16 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
18 libpve-access-control (8.0.0) bookworm; urgency=medium
20 * api: roles: forbid creating new roles starting with "PVE" namespace
22 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
24 libpve-access-control (8.0.0~3) bookworm; urgency=medium
26 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
28 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
30 * add helper for checking bridge access
32 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
33 which user are allowed to use a bridge (or vnet, if SDN is installed)
35 * add privileges and paths for cluster resource mapping
37 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
39 libpve-access-control (8.0.0~2) bookworm; urgency=medium
41 * api: user index: only include existing tfa lock flags
43 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
45 * roles: only include Permissions.Modify in Administrator built-in role.
46 As, depending on the ACL object path, this privilege might allow one to
47 change their own permissions, which was making the distinction between
48 Admin and PVEAdmin irrelevant.
50 * acls: restrict less-privileged ACL modifications. Through allocate
51 permissions in pools, storages and virtual guests one can do some ACL
52 modifications without having the Permissions.Modify privilege, lock those
53 better down to ensure that one can only hand out only the subset of their
54 own privileges, never more. Note that this is mostly future proofing, as
55 the ACL object paths one could give out more permissions where already
58 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
60 libpve-access-control (8.0.0~1) bookworm; urgency=medium
62 * bump pve-rs dependency to 0.8.3
64 * drop old verify_tfa api call (POST /access/tfa)
66 * drop support for old login API:
67 - 'new-format' is now considured to be 1 and ignored by the API
69 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
72 * cli: add 'pveum tfa list'
74 * cli: add 'pveum tfa unlock'
76 * enable lockout of TFA:
77 - too many TOTP attempts will lock out of TOTP
78 - using a recovery key will unlock TOTP
79 - too many TFA attempts will lock a user's TFA auth for an hour
81 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
82 authentication if it was locked by too many wrong 2nd factor login attempts
84 * api: /access/tfa and /access/users now include the tfa lockout status
86 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
88 libpve-access-control (7.99.0) bookworm; urgency=medium
90 * initial re-build for Proxmox VE 8.x series
92 * switch to native versioning
94 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
96 libpve-access-control (7.4-3) bullseye; urgency=medium
98 * use new 2nd factor verification from pve-rs
100 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
102 libpve-access-control (7.4-2) bullseye; urgency=medium
104 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
105 wasn't accepted anymore
107 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
109 libpve-access-control (7.4-1) bullseye; urgency=medium
111 * realm sync: refactor scope/remove-vanished into a standard option
113 * ldap: Allow quoted values for DN attribute values
115 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
117 libpve-access-control (7.3-2) bullseye; urgency=medium
119 * fix #4518: dramatically improve ACL computation performance
121 * userid format: clarify that this is the full name@realm in description
123 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
125 libpve-access-control (7.3-1) bullseye; urgency=medium
127 * realm: sync: allow explicit 'none' for 'remove-vanished' option
129 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
131 libpve-access-control (7.2-5) bullseye; urgency=medium
133 * api: realm sync: avoid separate log line for "remove-vanished" opt
135 * auth ldap/ad: compare group member dn case-insensitively
137 * two factor auth: only lock tfa config for recovery keys
139 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
140 migrations and storage migrations
142 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
144 libpve-access-control (7.2-4) bullseye; urgency=medium
146 * fix #4074: increase API OpenID code size limit to 2048
148 * auth key: protect against rare chance of a double rotation in clusters,
149 leaving the potential that some set of nodes have the earlier key cached,
150 that then got rotated out due to the race, resulting in a possible other
151 set of nodes having the newer key cached. This is a split view of the auth
152 key and may resulting in spurious failures if API requests are made to a
153 different node than the ticket was generated on.
154 In addition to that, the "keep validity of old tickets if signed in the
155 last two hours before rotation" logic was disabled too in such a case,
156 making such tickets invalid too early.
157 Note that both are cases where Proxmox VE was too strict, so while this
158 had no security implications it can be a nuisance, especially for
159 environments that use the API through an automated or scripted way
161 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
163 libpve-access-control (7.2-3) bullseye; urgency=medium
165 * api: token: use userid-group as API perm check to avoid being overly
166 strict through a misguided use of user id for non-root users.
168 * perm check: forbid undefined/empty ACL path for future proofing of against
171 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
173 libpve-access-control (7.2-2) bullseye; urgency=medium
175 * permissions: merge propagation flag for multiple roles on a path that
176 share privilege in a deterministic way, to avoid that it gets lost
177 depending on perl's random sort, which would result in returing less
178 privileges than an auth-id actually had.
180 * permissions: avoid that token and user privilege intersection is to strict
181 for user permissions that have propagation disabled.
183 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
185 libpve-access-control (7.2-1) bullseye; urgency=medium
187 * user check: fix expiration/enable order
189 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
191 libpve-access-control (7.1-8) bullseye; urgency=medium
193 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
196 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
198 libpve-access-control (7.1-7) bullseye; urgency=medium
200 * userid-group check: distinguish create and update
202 * api: get user: declare token schema
204 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
206 libpve-access-control (7.1-6) bullseye; urgency=medium
208 * fix #3768: warn on bad u2f or webauthn settings
210 * tfa: when modifying others, verify the current user's password
212 * tfa list: account for admin permissions
214 * fix realm sync permissions
216 * fix token permission display bug
218 * include SDN permissions in permission tree
220 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
222 libpve-access-control (7.1-5) bullseye; urgency=medium
224 * openid: fix username-claim fallback
226 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
228 libpve-access-control (7.1-4) bullseye; urgency=medium
230 * set current origin in the webauthn config if no fixed origin was
231 configured, to support webauthn via subdomains
233 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
235 libpve-access-control (7.1-3) bullseye; urgency=medium
237 * openid: allow arbitrary username-claims
239 * openid: support configuring the prompt, scopes and ACR values
241 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
243 libpve-access-control (7.1-2) bullseye; urgency=medium
245 * catch incompatible tfa entries with a nice error
247 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
249 libpve-access-control (7.1-1) bullseye; urgency=medium
251 * tfa: map HTTP 404 error in get_tfa_entry correctly
253 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
255 libpve-access-control (7.0-7) bullseye; urgency=medium
257 * fix #3513: pass configured proxy to OpenID
259 * use rust based parser for TFA config
261 * use PBS-like auth api call flow,
263 * merge old user.cfg keys to tfa config when adding entries
265 * implement version checks for new tfa config writer to ensure all
266 cluster nodes are ready to avoid login issues
268 * tickets: add tunnel ticket
270 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
272 libpve-access-control (7.0-6) bullseye; urgency=medium
274 * fix regression in user deletion when realm does not enforce TFA
276 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
278 libpve-access-control (7.0-5) bullseye; urgency=medium
280 * acl: check path: add /sdn/vnets/* path
282 * fix #2302: allow deletion of users when realm enforces TFA
284 * api: delete user: disable user first to avoid surprise on error during the
285 various cleanup action required for user deletion (e.g., TFA, ACL, group)
287 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
289 libpve-access-control (7.0-4) bullseye; urgency=medium
291 * realm: add OpenID configuration
293 * api: implement OpenID related endpoints
295 * implement opt-in OpenID autocreate user feature
297 * api: user: add 'realm-type' to user list response
299 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
301 libpve-access-control (7.0-3) bullseye; urgency=medium
303 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
304 `/sdn/zones/<zone>` to allowed ACL paths
306 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
308 libpve-access-control (7.0-2) bullseye; urgency=medium
310 * fix #3402: add Pool.Audit privilege - custom roles containing
311 Pool.Allocate must be updated to include the new privilege.
313 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
315 libpve-access-control (7.0-1) bullseye; urgency=medium
317 * re-build for Debian 11 Bullseye based releases
319 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
321 libpve-access-control (6.4-1) pve; urgency=medium
323 * fix #1670: change PAM service name to project specific name
325 * fix #1500: permission path syntax check for access control
327 * pveum: add resource pool CLI commands
329 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
331 libpve-access-control (6.1-3) pve; urgency=medium
333 * partially fix #2825: authkey: rotate if it was generated in the
336 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
339 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
341 libpve-access-control (6.1-2) pve; urgency=medium
343 * also check SDN permission path when computing coarse permissions heuristic
346 * add SDN Permissions.Modify
348 * add VM.Config.Cloudinit
350 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
352 libpve-access-control (6.1-1) pve; urgency=medium
354 * pveum: add tfa delete subcommand for deleting user-TFA
356 * LDAP: don't complain about missing credentials on realm removal
358 * LDAP: skip anonymous bind when client certificate and key is configured
360 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
362 libpve-access-control (6.0-7) pve; urgency=medium
364 * fix #2575: die when trying to edit built-in roles
366 * add realm sub commands to pveum CLI tool
368 * api: domains: add user group sync API endpoint
370 * allow one to sync and import users and groups from LDAP/AD based realms
372 * realm: add default-sync-options to config for more convenient sync configuration
374 * api: token create: return also full token id for convenience
376 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
378 libpve-access-control (6.0-6) pve; urgency=medium
380 * API: add group members to group index
382 * implement API token support and management
384 * pveum: add 'pveum user token add/update/remove/list'
386 * pveum: add permissions sub-commands
388 * API: add 'permissions' API endpoint
390 * user.cfg: skip inexisting roles when parsing ACLs
392 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
394 libpve-access-control (6.0-5) pve; urgency=medium
396 * pveum: add list command for users, groups, ACLs and roles
398 * add initial permissions for experimental SDN integration
400 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
402 libpve-access-control (6.0-4) pve; urgency=medium
404 * ticket: use clinfo to get cluster name
406 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
409 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
411 libpve-access-control (6.0-3) pve; urgency=medium
413 * fix #2433: increase possible TFA secret length
415 * parse user configuration: correctly parse group names in ACLs, for users
416 which begin their name with an @
418 * sort user.cfg entries alphabetically
420 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
422 libpve-access-control (6.0-2) pve; urgency=medium
424 * improve CSRF verification compatibility with newer PVE
426 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
428 libpve-access-control (6.0-1) pve; urgency=medium
430 * ticket: properly verify exactly 5 minute old tickets
432 * use hmac_sha256 instead of sha1 for CSRF token generation
434 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
436 libpve-access-control (6.0-0+1) pve; urgency=medium
438 * bump for Debian buster
440 * fix #2079: add periodic auth key rotation
442 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
444 libpve-access-control (5.1-10) unstable; urgency=medium
446 * add /access/user/{id}/tfa api call to get tfa types
448 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
450 libpve-access-control (5.1-9) unstable; urgency=medium
452 * store the tfa type in user.cfg allowing to get it without proxying the call
453 to a higher privileged daemon.
455 * tfa: realm required TFA should lock out users without TFA configured, as it
456 was done before Proxmox VE 5.4
458 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
460 libpve-access-control (5.1-8) unstable; urgency=medium
462 * U2F: ensure we save correct public key on registration
464 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
466 libpve-access-control (5.1-7) unstable; urgency=medium
468 * verify_ticket: allow general non-challenge tfa to be run as two step
471 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
473 libpve-access-control (5.1-6) unstable; urgency=medium
475 * more general 2FA configuration via priv/tfa.cfg
477 * add u2f api endpoints
479 * delete TFA entries when deleting a user
481 * allow users to change their TOTP settings
483 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
485 libpve-access-control (5.1-5) unstable; urgency=medium
487 * fix vnc ticket verification without authkey lifetime
489 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
491 libpve-access-control (5.1-4) unstable; urgency=medium
493 * fix #1891: Add zsh command completion for pveum
495 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
496 to avoid issues on upgrade, will be enabled with 6.0
498 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
500 libpve-access-control (5.1-3) unstable; urgency=medium
502 * api/ticket: move getting cluster name into an eval
504 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
506 libpve-access-control (5.1-2) unstable; urgency=medium
508 * fix #1998: correct return properties for read_role
510 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
512 libpve-access-control (5.1-1) unstable; urgency=medium
514 * pveum: introduce sub-commands
516 * register userid with completion
518 * fix #233: return cluster name on successful login
520 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
522 libpve-access-control (5.0-8) unstable; urgency=medium
524 * fix #1612: ldap: make 2nd server work with bind domains again
526 * fix an error message where passing a bad pool id to an API function would
527 make it complain about a wrong group name instead
529 * fix the API-returned permission list so that the GUI knows to show the
530 'Permissions' tab for a storage to an administrator apart from root@pam
532 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
534 libpve-access-control (5.0-7) unstable; urgency=medium
536 * VM.Snapshot.Rollback privilege added
538 * api: check for special roles before locking the usercfg
540 * fix #1501: pveum: die when deleting special role
542 * API/ticket: rework coarse grained permission computation
544 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
546 libpve-access-control (5.0-6) unstable; urgency=medium
548 * Close #1470: Add server ceritifcate verification for AD and LDAP via the
549 'verify' option. For compatibility reasons this defaults to off for now,
550 but that might change with future updates.
552 * AD, LDAP: Add ability to specify a CA path or file, and a client
553 certificate via the 'capath', 'cert' and 'certkey' options.
555 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
557 libpve-access-control (5.0-5) unstable; urgency=medium
559 * change from dpkg-deb to dpkg-buildpackage
561 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
563 libpve-access-control (5.0-4) unstable; urgency=medium
565 * PVE/CLI/pveum.pm: call setup_default_cli_env()
567 * PVE/Auth/PVE.pm: encode uft8 password before calling crypt
569 * check_api2_permissions: avoid warning about uninitialized value
571 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
573 libpve-access-control (5.0-3) unstable; urgency=medium
575 * use new PVE::OTP class from pve-common
577 * use new PVE::Tools::encrypt_pw from pve-common
579 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
581 libpve-access-control (5.0-2) unstable; urgency=medium
583 * encrypt_pw: avoid '+' for crypt salt
585 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
587 libpve-access-control (5.0-1) unstable; urgency=medium
589 * rebuild for PVE 5.0
591 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
593 libpve-access-control (4.0-23) unstable; urgency=medium
595 * use new PVE::Ticket class
597 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
599 libpve-access-control (4.0-22) unstable; urgency=medium
601 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
602 (moved to PVE::Storage)
604 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
606 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
608 libpve-access-control (4.0-21) unstable; urgency=medium
610 * setup_default_cli_env: expect $class as first parameter
612 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
614 libpve-access-control (4.0-20) unstable; urgency=medium
616 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
618 * PVE/API2/Domains.pm: fix property description
620 * use new repoman for upload target
622 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
624 libpve-access-control (4.0-19) unstable; urgency=medium
626 * Close #833: ldap: non-anonymous bind support
628 * don't import 'RFC' from MIME::Base32
630 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
632 libpve-access-control (4.0-18) unstable; urgency=medium
634 * fix #1062: recognize base32 otp keys again
636 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
638 libpve-access-control (4.0-17) unstable; urgency=medium
640 * drop oathtool and libdigest-hmac-perl dependencies
642 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
644 libpve-access-control (4.0-16) unstable; urgency=medium
646 * use pve-doc-generator to generate man pages
648 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
650 libpve-access-control (4.0-15) unstable; urgency=medium
652 * Fix uninitialized warning when shadow.cfg does not exist
654 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
656 libpve-access-control (4.0-14) unstable; urgency=medium
658 * Add is_worker to RPCEnvironment
660 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
662 libpve-access-control (4.0-13) unstable; urgency=medium
664 * fix #916: allow HTTPS to access custom yubico url
666 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
668 libpve-access-control (4.0-12) unstable; urgency=medium
670 * Catch certificate errors instead of segfaulting
672 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
674 libpve-access-control (4.0-11) unstable; urgency=medium
676 * Fix #861: use safer sprintf formatting
678 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
680 libpve-access-control (4.0-10) unstable; urgency=medium
682 * Auth::LDAP, Auth::AD: ipv6 support
684 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
686 libpve-access-control (4.0-9) unstable; urgency=medium
688 * pveum: implement bash completion
690 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
692 libpve-access-control (4.0-8) unstable; urgency=medium
694 * remove_storage_access: cleanup of access permissions for removed storage
696 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
698 libpve-access-control (4.0-7) unstable; urgency=medium
700 * new helper to remove access permissions for removed VMs
702 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
704 libpve-access-control (4.0-6) unstable; urgency=medium
706 * improve parse_user_config, parse_shadow_config
708 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
710 libpve-access-control (4.0-5) unstable; urgency=medium
712 * pveum: check for $cmd being defined
714 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
716 libpve-access-control (4.0-4) unstable; urgency=medium
718 * use activate-noawait triggers
720 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
722 libpve-access-control (4.0-3) unstable; urgency=medium
728 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
730 libpve-access-control (4.0-2) unstable; urgency=medium
732 * trigger pve-api-updates event
734 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
736 libpve-access-control (4.0-1) unstable; urgency=medium
738 * bump version for Debian Jessie
740 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
742 libpve-access-control (3.0-16) unstable; urgency=low
744 * root@pam can now be disabled in GUI.
746 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
748 libpve-access-control (3.0-15) unstable; urgency=low
750 * oath: add 'step' and 'digits' option
752 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
754 libpve-access-control (3.0-14) unstable; urgency=low
756 * add oath two factor auth
758 * add oathkeygen binary to generate keys for oath
760 * add yubico two factor auth
764 * depend on libmime-base32-perl
766 * allow to write builtin auth domains config (comment/tfa/default)
768 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
770 libpve-access-control (3.0-13) unstable; urgency=low
772 * use correct connection string for AD auth
774 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
776 libpve-access-control (3.0-12) unstable; urgency=low
778 * add dummy API for GET /access/ticket (useful to generate login pages)
780 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
782 libpve-access-control (3.0-11) unstable; urgency=low
784 * Sets common hot keys for spice client
786 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
788 libpve-access-control (3.0-10) unstable; urgency=low
790 * implement helper to generate SPICE remote-viewer configuration
792 * depend on libnet-ssleay-perl
794 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
796 libpve-access-control (3.0-9) unstable; urgency=low
798 * prevent user enumeration attacks
800 * allow dots in access paths
802 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
804 libpve-access-control (3.0-8) unstable; urgency=low
806 * spice: use lowercase hostname in ticktet signature
808 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
810 libpve-access-control (3.0-7) unstable; urgency=low
812 * check_volume_access : use parse_volname instead of path, and remove
815 * use warnings instead of global -w flag.
817 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
819 libpve-access-control (3.0-6) unstable; urgency=low
821 * use shorter spiceproxy tickets
823 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
825 libpve-access-control (3.0-5) unstable; urgency=low
827 * add code to generate tickets for SPICE
829 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
831 libpve-access-control (3.0-4) unstable; urgency=low
833 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
835 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
837 libpve-access-control (3.0-3) unstable; urgency=low
839 * Add new role PVETemplateUser (and VM.Clone privilege)
841 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
843 libpve-access-control (3.0-2) unstable; urgency=low
845 * remove CGI.pm related code (pveproxy does not need that)
847 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
849 libpve-access-control (3.0-1) unstable; urgency=low
851 * bump version for wheezy release
853 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
855 libpve-access-control (1.0-26) unstable; urgency=low
857 * check_volume_access: fix access permissions for backup files
859 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
861 libpve-access-control (1.0-25) unstable; urgency=low
863 * add VM.Snapshot permission
865 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
867 libpve-access-control (1.0-24) unstable; urgency=low
869 * untaint path (allow root to restore arbitrary paths)
871 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
873 libpve-access-control (1.0-23) unstable; urgency=low
875 * correctly compute GUI capabilities (consider pools)
877 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
879 libpve-access-control (1.0-22) unstable; urgency=low
881 * new plugin architecture for Auth modules, minor API change for Auth
882 domains (new 'delete' parameter)
884 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
886 libpve-access-control (1.0-21) unstable; urgency=low
888 * do not allow user names including slash
890 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
892 libpve-access-control (1.0-20) unstable; urgency=low
894 * add ability to fork cli workers in background
896 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
898 libpve-access-control (1.0-19) unstable; urgency=low
900 * return set of privileges on login - can be used to adopt GUI
902 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
904 libpve-access-control (1.0-18) unstable; urgency=low
906 * fix bug #151: correctly parse username inside ticket
908 * fix bug #152: allow user to change his own password
910 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
912 libpve-access-control (1.0-17) unstable; urgency=low
914 * set propagate flag by default
916 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
918 libpve-access-control (1.0-16) unstable; urgency=low
920 * add 'pveum passwd' method
922 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
924 libpve-access-control (1.0-15) unstable; urgency=low
926 * Add VM.Config.CDROM privilege to PVEVMUser rule
928 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
930 libpve-access-control (1.0-14) unstable; urgency=low
932 * fix buf in userid-param permission check
934 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
936 libpve-access-control (1.0-13) unstable; urgency=low
938 * allow more characters in ldap base_dn attribute
940 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
942 libpve-access-control (1.0-12) unstable; urgency=low
944 * allow more characters with realm IDs
946 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
948 libpve-access-control (1.0-11) unstable; urgency=low
950 * fix bug in exec_api2_perm_check
952 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
954 libpve-access-control (1.0-10) unstable; urgency=low
956 * fix ACL group name parser
958 * changed 'pveum aclmod' command line arguments
960 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
962 libpve-access-control (1.0-9) unstable; urgency=low
964 * fix bug in check_volume_access (fixes vzrestore)
966 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
968 libpve-access-control (1.0-8) unstable; urgency=low
970 * fix return value for empty ACL list.
972 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
974 libpve-access-control (1.0-7) unstable; urgency=low
976 * fix bug #85: allow root@pam to generate tickets for other users
978 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
980 libpve-access-control (1.0-6) unstable; urgency=low
982 * API change: allow to filter enabled/disabled users.
984 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
986 libpve-access-control (1.0-5) unstable; urgency=low
988 * add a way to return file changes (diffs): set_result_changes()
990 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
992 libpve-access-control (1.0-4) unstable; urgency=low
994 * new environment type for ha agents
996 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
998 libpve-access-control (1.0-3) unstable; urgency=low
1000 * add support for delayed parameter parsing - We need that to disable
1001 file upload for normal API request (avoid DOS attacks)
1003 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1005 libpve-access-control (1.0-2) unstable; urgency=low
1007 * fix bug in fork_worker
1009 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1011 libpve-access-control (1.0-1) unstable; urgency=low
1013 * allow '-' in permission paths
1015 * bump version to 1.0
1017 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1019 libpve-access-control (0.1) unstable; urgency=low
1021 * first dummy package - no functionality
1023 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200