1 libpve-access-control (8.1.2) bookworm; urgency=medium
3 * add Sys.AccessNetwork privilege
5 -- Proxmox Support Team <support@proxmox.com> Wed, 28 Feb 2024 15:42:12 +0100
7 libpve-access-control (8.1.1) bookworm; urgency=medium
9 * LDAP sync: fix-up assembling valid attribute set
11 -- Proxmox Support Team <support@proxmox.com> Thu, 08 Feb 2024 19:03:26 +0100
13 libpve-access-control (8.1.0) bookworm; urgency=medium
15 * api: user: limit the legacy user-keys option to the depreacated values
16 that could be set in the first limited TFA system, like e.g., 'x!yubico'
17 or base32 encoded secrets.
19 * oidc: enforce generic URI regex for the ACR value to align with OIDC
20 specifications and with Proxmox Backup Server, which was recently changed
21 to actually be less strict.
23 * LDAP sync: improve validation of synced attributes, closely limit the
24 mapped attributes names and their values to avoid glitches through odd
27 * api: user: limit maximum length for first & last name to 1024 characters,
28 email to 254 characters (the maximum actually useable in practice) and
29 comment properties to 2048 characters. This avoid that a few single users
30 bloat the user.cfg to much by mistake, reducing the total amount of users
31 and ACLs that can be set up. Note that only users with User.Modify and
32 realm syncs (setup by admins) can change these in the first place, so this
33 is mostly to avoid mishaps and just to be sure.
35 -- Proxmox Support Team <support@proxmox.com> Thu, 08 Feb 2024 17:50:59 +0100
37 libpve-access-control (8.0.7) bookworm; urgency=medium
39 * fix #1148: allow up to three levels of pool nesting
41 * pools: record parent/subpool information
43 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Nov 2023 12:24:13 +0100
45 libpve-access-control (8.0.6) bookworm; urgency=medium
47 * perms: fix wrong /pools entry in default set of ACL paths
49 * acl: add missing SDN ACL paths to allowed list
51 -- Proxmox Support Team <support@proxmox.com> Fri, 17 Nov 2023 08:27:11 +0100
53 libpve-access-control (8.0.5) bookworm; urgency=medium
55 * fix an issue where setting ldap passwords would refuse to work unless
56 at least one additional property was changed as well
58 * add 'check-connection' parameter to create and update endpoints for ldap
61 -- Proxmox Support Team <support@proxmox.com> Fri, 11 Aug 2023 13:35:23 +0200
63 libpve-access-control (8.0.4) bookworm; urgency=medium
65 * Lookup of second factors is no longer tied to the 'keys' field in the
66 user.cfg. This fixes an issue where certain LDAP/AD sync job settings
67 could disable user-configured 2nd factors.
69 * Existing-but-disabled TFA factors can no longer circumvent realm-mandated
72 -- Proxmox Support Team <support@proxmox.com> Thu, 20 Jul 2023 10:59:21 +0200
74 libpve-access-control (8.0.3) bookworm; urgency=medium
76 * pveum: list tfa: recovery keys have no descriptions
78 * pveum: list tfa: sort by user ID
80 * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format
81 is understood since pve-manager 7.0-15, and users must upgrade to Proxmox
82 VE 7.4 before upgrading to Proxmox VE 8 in addition to that.
84 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:45:29 +0200
86 libpve-access-control (8.0.2) bookworm; urgency=medium
88 * api: users: sort groups to avoid "flapping" text
90 * api: tfa: don't block tokens from viewing and list TFA entries, both are
91 safe to do for anybody with enough permissions to view a user.
93 * api: tfa: add missing links for child-routes
95 -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 18:13:54 +0200
97 libpve-access-control (8.0.1) bookworm; urgency=medium
99 * tfa: cope with native versions in cluster version check
101 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 16:12:01 +0200
103 libpve-access-control (8.0.0) bookworm; urgency=medium
105 * api: roles: forbid creating new roles starting with "PVE" namespace
107 -- Proxmox Support Team <support@proxmox.com> Fri, 09 Jun 2023 10:14:28 +0200
109 libpve-access-control (8.0.0~3) bookworm; urgency=medium
111 * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path
113 * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path
115 * add helper for checking bridge access
117 * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
118 which user are allowed to use a bridge (or vnet, if SDN is installed)
120 * add privileges and paths for cluster resource mapping
122 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 19:06:54 +0200
124 libpve-access-control (8.0.0~2) bookworm; urgency=medium
126 * api: user index: only include existing tfa lock flags
128 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
130 * roles: only include Permissions.Modify in Administrator built-in role.
131 As, depending on the ACL object path, this privilege might allow one to
132 change their own permissions, which was making the distinction between
133 Admin and PVEAdmin irrelevant.
135 * acls: restrict less-privileged ACL modifications. Through allocate
136 permissions in pools, storages and virtual guests one can do some ACL
137 modifications without having the Permissions.Modify privilege, lock those
138 better down to ensure that one can only hand out only the subset of their
139 own privileges, never more. Note that this is mostly future proofing, as
140 the ACL object paths one could give out more permissions where already
143 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
145 libpve-access-control (8.0.0~1) bookworm; urgency=medium
147 * bump pve-rs dependency to 0.8.3
149 * drop old verify_tfa api call (POST /access/tfa)
151 * drop support for old login API:
152 - 'new-format' is now considured to be 1 and ignored by the API
154 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
157 * cli: add 'pveum tfa list'
159 * cli: add 'pveum tfa unlock'
161 * enable lockout of TFA:
162 - too many TOTP attempts will lock out of TOTP
163 - using a recovery key will unlock TOTP
164 - too many TFA attempts will lock a user's TFA auth for an hour
166 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
167 authentication if it was locked by too many wrong 2nd factor login attempts
169 * api: /access/tfa and /access/users now include the tfa lockout status
171 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
173 libpve-access-control (7.99.0) bookworm; urgency=medium
175 * initial re-build for Proxmox VE 8.x series
177 * switch to native versioning
179 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
181 libpve-access-control (7.4-3) bullseye; urgency=medium
183 * use new 2nd factor verification from pve-rs
185 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
187 libpve-access-control (7.4-2) bullseye; urgency=medium
189 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
190 wasn't accepted anymore
192 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
194 libpve-access-control (7.4-1) bullseye; urgency=medium
196 * realm sync: refactor scope/remove-vanished into a standard option
198 * ldap: Allow quoted values for DN attribute values
200 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
202 libpve-access-control (7.3-2) bullseye; urgency=medium
204 * fix #4518: dramatically improve ACL computation performance
206 * userid format: clarify that this is the full name@realm in description
208 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
210 libpve-access-control (7.3-1) bullseye; urgency=medium
212 * realm: sync: allow explicit 'none' for 'remove-vanished' option
214 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
216 libpve-access-control (7.2-5) bullseye; urgency=medium
218 * api: realm sync: avoid separate log line for "remove-vanished" opt
220 * auth ldap/ad: compare group member dn case-insensitively
222 * two factor auth: only lock tfa config for recovery keys
224 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
225 migrations and storage migrations
227 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
229 libpve-access-control (7.2-4) bullseye; urgency=medium
231 * fix #4074: increase API OpenID code size limit to 2048
233 * auth key: protect against rare chance of a double rotation in clusters,
234 leaving the potential that some set of nodes have the earlier key cached,
235 that then got rotated out due to the race, resulting in a possible other
236 set of nodes having the newer key cached. This is a split view of the auth
237 key and may resulting in spurious failures if API requests are made to a
238 different node than the ticket was generated on.
239 In addition to that, the "keep validity of old tickets if signed in the
240 last two hours before rotation" logic was disabled too in such a case,
241 making such tickets invalid too early.
242 Note that both are cases where Proxmox VE was too strict, so while this
243 had no security implications it can be a nuisance, especially for
244 environments that use the API through an automated or scripted way
246 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
248 libpve-access-control (7.2-3) bullseye; urgency=medium
250 * api: token: use userid-group as API perm check to avoid being overly
251 strict through a misguided use of user id for non-root users.
253 * perm check: forbid undefined/empty ACL path for future proofing of against
256 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
258 libpve-access-control (7.2-2) bullseye; urgency=medium
260 * permissions: merge propagation flag for multiple roles on a path that
261 share privilege in a deterministic way, to avoid that it gets lost
262 depending on perl's random sort, which would result in returing less
263 privileges than an auth-id actually had.
265 * permissions: avoid that token and user privilege intersection is to strict
266 for user permissions that have propagation disabled.
268 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
270 libpve-access-control (7.2-1) bullseye; urgency=medium
272 * user check: fix expiration/enable order
274 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
276 libpve-access-control (7.1-8) bullseye; urgency=medium
278 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
281 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
283 libpve-access-control (7.1-7) bullseye; urgency=medium
285 * userid-group check: distinguish create and update
287 * api: get user: declare token schema
289 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
291 libpve-access-control (7.1-6) bullseye; urgency=medium
293 * fix #3768: warn on bad u2f or webauthn settings
295 * tfa: when modifying others, verify the current user's password
297 * tfa list: account for admin permissions
299 * fix realm sync permissions
301 * fix token permission display bug
303 * include SDN permissions in permission tree
305 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
307 libpve-access-control (7.1-5) bullseye; urgency=medium
309 * openid: fix username-claim fallback
311 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
313 libpve-access-control (7.1-4) bullseye; urgency=medium
315 * set current origin in the webauthn config if no fixed origin was
316 configured, to support webauthn via subdomains
318 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
320 libpve-access-control (7.1-3) bullseye; urgency=medium
322 * openid: allow arbitrary username-claims
324 * openid: support configuring the prompt, scopes and ACR values
326 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
328 libpve-access-control (7.1-2) bullseye; urgency=medium
330 * catch incompatible tfa entries with a nice error
332 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
334 libpve-access-control (7.1-1) bullseye; urgency=medium
336 * tfa: map HTTP 404 error in get_tfa_entry correctly
338 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
340 libpve-access-control (7.0-7) bullseye; urgency=medium
342 * fix #3513: pass configured proxy to OpenID
344 * use rust based parser for TFA config
346 * use PBS-like auth api call flow,
348 * merge old user.cfg keys to tfa config when adding entries
350 * implement version checks for new tfa config writer to ensure all
351 cluster nodes are ready to avoid login issues
353 * tickets: add tunnel ticket
355 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
357 libpve-access-control (7.0-6) bullseye; urgency=medium
359 * fix regression in user deletion when realm does not enforce TFA
361 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
363 libpve-access-control (7.0-5) bullseye; urgency=medium
365 * acl: check path: add /sdn/vnets/* path
367 * fix #2302: allow deletion of users when realm enforces TFA
369 * api: delete user: disable user first to avoid surprise on error during the
370 various cleanup action required for user deletion (e.g., TFA, ACL, group)
372 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
374 libpve-access-control (7.0-4) bullseye; urgency=medium
376 * realm: add OpenID configuration
378 * api: implement OpenID related endpoints
380 * implement opt-in OpenID autocreate user feature
382 * api: user: add 'realm-type' to user list response
384 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
386 libpve-access-control (7.0-3) bullseye; urgency=medium
388 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
389 `/sdn/zones/<zone>` to allowed ACL paths
391 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
393 libpve-access-control (7.0-2) bullseye; urgency=medium
395 * fix #3402: add Pool.Audit privilege - custom roles containing
396 Pool.Allocate must be updated to include the new privilege.
398 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
400 libpve-access-control (7.0-1) bullseye; urgency=medium
402 * re-build for Debian 11 Bullseye based releases
404 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
406 libpve-access-control (6.4-1) pve; urgency=medium
408 * fix #1670: change PAM service name to project specific name
410 * fix #1500: permission path syntax check for access control
412 * pveum: add resource pool CLI commands
414 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
416 libpve-access-control (6.1-3) pve; urgency=medium
418 * partially fix #2825: authkey: rotate if it was generated in the
421 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
424 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
426 libpve-access-control (6.1-2) pve; urgency=medium
428 * also check SDN permission path when computing coarse permissions heuristic
431 * add SDN Permissions.Modify
433 * add VM.Config.Cloudinit
435 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
437 libpve-access-control (6.1-1) pve; urgency=medium
439 * pveum: add tfa delete subcommand for deleting user-TFA
441 * LDAP: don't complain about missing credentials on realm removal
443 * LDAP: skip anonymous bind when client certificate and key is configured
445 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
447 libpve-access-control (6.0-7) pve; urgency=medium
449 * fix #2575: die when trying to edit built-in roles
451 * add realm sub commands to pveum CLI tool
453 * api: domains: add user group sync API endpoint
455 * allow one to sync and import users and groups from LDAP/AD based realms
457 * realm: add default-sync-options to config for more convenient sync configuration
459 * api: token create: return also full token id for convenience
461 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
463 libpve-access-control (6.0-6) pve; urgency=medium
465 * API: add group members to group index
467 * implement API token support and management
469 * pveum: add 'pveum user token add/update/remove/list'
471 * pveum: add permissions sub-commands
473 * API: add 'permissions' API endpoint
475 * user.cfg: skip inexisting roles when parsing ACLs
477 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
479 libpve-access-control (6.0-5) pve; urgency=medium
481 * pveum: add list command for users, groups, ACLs and roles
483 * add initial permissions for experimental SDN integration
485 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
487 libpve-access-control (6.0-4) pve; urgency=medium
489 * ticket: use clinfo to get cluster name
491 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
494 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
496 libpve-access-control (6.0-3) pve; urgency=medium
498 * fix #2433: increase possible TFA secret length
500 * parse user configuration: correctly parse group names in ACLs, for users
501 which begin their name with an @
503 * sort user.cfg entries alphabetically
505 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
507 libpve-access-control (6.0-2) pve; urgency=medium
509 * improve CSRF verification compatibility with newer PVE
511 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
513 libpve-access-control (6.0-1) pve; urgency=medium
515 * ticket: properly verify exactly 5 minute old tickets
517 * use hmac_sha256 instead of sha1 for CSRF token generation
519 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
521 libpve-access-control (6.0-0+1) pve; urgency=medium
523 * bump for Debian buster
525 * fix #2079: add periodic auth key rotation
527 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
529 libpve-access-control (5.1-10) unstable; urgency=medium
531 * add /access/user/{id}/tfa api call to get tfa types
533 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
535 libpve-access-control (5.1-9) unstable; urgency=medium
537 * store the tfa type in user.cfg allowing to get it without proxying the call
538 to a higher privileged daemon.
540 * tfa: realm required TFA should lock out users without TFA configured, as it
541 was done before Proxmox VE 5.4
543 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
545 libpve-access-control (5.1-8) unstable; urgency=medium
547 * U2F: ensure we save correct public key on registration
549 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
551 libpve-access-control (5.1-7) unstable; urgency=medium
553 * verify_ticket: allow general non-challenge tfa to be run as two step
556 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
558 libpve-access-control (5.1-6) unstable; urgency=medium
560 * more general 2FA configuration via priv/tfa.cfg
562 * add u2f api endpoints
564 * delete TFA entries when deleting a user
566 * allow users to change their TOTP settings
568 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
570 libpve-access-control (5.1-5) unstable; urgency=medium
572 * fix vnc ticket verification without authkey lifetime
574 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
576 libpve-access-control (5.1-4) unstable; urgency=medium
578 * fix #1891: Add zsh command completion for pveum
580 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
581 to avoid issues on upgrade, will be enabled with 6.0
583 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
585 libpve-access-control (5.1-3) unstable; urgency=medium
587 * api/ticket: move getting cluster name into an eval
589 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
591 libpve-access-control (5.1-2) unstable; urgency=medium
593 * fix #1998: correct return properties for read_role
595 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
597 libpve-access-control (5.1-1) unstable; urgency=medium
599 * pveum: introduce sub-commands
601 * register userid with completion
603 * fix #233: return cluster name on successful login
605 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
607 libpve-access-control (5.0-8) unstable; urgency=medium
609 * fix #1612: ldap: make 2nd server work with bind domains again
611 * fix an error message where passing a bad pool id to an API function would
612 make it complain about a wrong group name instead
614 * fix the API-returned permission list so that the GUI knows to show the
615 'Permissions' tab for a storage to an administrator apart from root@pam
617 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
619 libpve-access-control (5.0-7) unstable; urgency=medium
621 * VM.Snapshot.Rollback privilege added
623 * api: check for special roles before locking the usercfg
625 * fix #1501: pveum: die when deleting special role
627 * API/ticket: rework coarse grained permission computation
629 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
631 libpve-access-control (5.0-6) unstable; urgency=medium
633 * Close #1470: Add server ceritifcate verification for AD and LDAP via the
634 'verify' option. For compatibility reasons this defaults to off for now,
635 but that might change with future updates.
637 * AD, LDAP: Add ability to specify a CA path or file, and a client
638 certificate via the 'capath', 'cert' and 'certkey' options.
640 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
642 libpve-access-control (5.0-5) unstable; urgency=medium
644 * change from dpkg-deb to dpkg-buildpackage
646 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
648 libpve-access-control (5.0-4) unstable; urgency=medium
650 * PVE/CLI/pveum.pm: call setup_default_cli_env()
652 * PVE/Auth/PVE.pm: encode uft8 password before calling crypt
654 * check_api2_permissions: avoid warning about uninitialized value
656 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
658 libpve-access-control (5.0-3) unstable; urgency=medium
660 * use new PVE::OTP class from pve-common
662 * use new PVE::Tools::encrypt_pw from pve-common
664 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
666 libpve-access-control (5.0-2) unstable; urgency=medium
668 * encrypt_pw: avoid '+' for crypt salt
670 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
672 libpve-access-control (5.0-1) unstable; urgency=medium
674 * rebuild for PVE 5.0
676 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
678 libpve-access-control (4.0-23) unstable; urgency=medium
680 * use new PVE::Ticket class
682 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
684 libpve-access-control (4.0-22) unstable; urgency=medium
686 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
687 (moved to PVE::Storage)
689 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
691 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
693 libpve-access-control (4.0-21) unstable; urgency=medium
695 * setup_default_cli_env: expect $class as first parameter
697 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
699 libpve-access-control (4.0-20) unstable; urgency=medium
701 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
703 * PVE/API2/Domains.pm: fix property description
705 * use new repoman for upload target
707 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
709 libpve-access-control (4.0-19) unstable; urgency=medium
711 * Close #833: ldap: non-anonymous bind support
713 * don't import 'RFC' from MIME::Base32
715 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
717 libpve-access-control (4.0-18) unstable; urgency=medium
719 * fix #1062: recognize base32 otp keys again
721 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
723 libpve-access-control (4.0-17) unstable; urgency=medium
725 * drop oathtool and libdigest-hmac-perl dependencies
727 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
729 libpve-access-control (4.0-16) unstable; urgency=medium
731 * use pve-doc-generator to generate man pages
733 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
735 libpve-access-control (4.0-15) unstable; urgency=medium
737 * Fix uninitialized warning when shadow.cfg does not exist
739 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
741 libpve-access-control (4.0-14) unstable; urgency=medium
743 * Add is_worker to RPCEnvironment
745 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
747 libpve-access-control (4.0-13) unstable; urgency=medium
749 * fix #916: allow HTTPS to access custom yubico url
751 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
753 libpve-access-control (4.0-12) unstable; urgency=medium
755 * Catch certificate errors instead of segfaulting
757 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
759 libpve-access-control (4.0-11) unstable; urgency=medium
761 * Fix #861: use safer sprintf formatting
763 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
765 libpve-access-control (4.0-10) unstable; urgency=medium
767 * Auth::LDAP, Auth::AD: ipv6 support
769 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
771 libpve-access-control (4.0-9) unstable; urgency=medium
773 * pveum: implement bash completion
775 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
777 libpve-access-control (4.0-8) unstable; urgency=medium
779 * remove_storage_access: cleanup of access permissions for removed storage
781 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
783 libpve-access-control (4.0-7) unstable; urgency=medium
785 * new helper to remove access permissions for removed VMs
787 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
789 libpve-access-control (4.0-6) unstable; urgency=medium
791 * improve parse_user_config, parse_shadow_config
793 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
795 libpve-access-control (4.0-5) unstable; urgency=medium
797 * pveum: check for $cmd being defined
799 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
801 libpve-access-control (4.0-4) unstable; urgency=medium
803 * use activate-noawait triggers
805 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
807 libpve-access-control (4.0-3) unstable; urgency=medium
813 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
815 libpve-access-control (4.0-2) unstable; urgency=medium
817 * trigger pve-api-updates event
819 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
821 libpve-access-control (4.0-1) unstable; urgency=medium
823 * bump version for Debian Jessie
825 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
827 libpve-access-control (3.0-16) unstable; urgency=low
829 * root@pam can now be disabled in GUI.
831 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
833 libpve-access-control (3.0-15) unstable; urgency=low
835 * oath: add 'step' and 'digits' option
837 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
839 libpve-access-control (3.0-14) unstable; urgency=low
841 * add oath two factor auth
843 * add oathkeygen binary to generate keys for oath
845 * add yubico two factor auth
849 * depend on libmime-base32-perl
851 * allow to write builtin auth domains config (comment/tfa/default)
853 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
855 libpve-access-control (3.0-13) unstable; urgency=low
857 * use correct connection string for AD auth
859 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
861 libpve-access-control (3.0-12) unstable; urgency=low
863 * add dummy API for GET /access/ticket (useful to generate login pages)
865 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
867 libpve-access-control (3.0-11) unstable; urgency=low
869 * Sets common hot keys for spice client
871 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
873 libpve-access-control (3.0-10) unstable; urgency=low
875 * implement helper to generate SPICE remote-viewer configuration
877 * depend on libnet-ssleay-perl
879 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
881 libpve-access-control (3.0-9) unstable; urgency=low
883 * prevent user enumeration attacks
885 * allow dots in access paths
887 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
889 libpve-access-control (3.0-8) unstable; urgency=low
891 * spice: use lowercase hostname in ticktet signature
893 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
895 libpve-access-control (3.0-7) unstable; urgency=low
897 * check_volume_access : use parse_volname instead of path, and remove
900 * use warnings instead of global -w flag.
902 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
904 libpve-access-control (3.0-6) unstable; urgency=low
906 * use shorter spiceproxy tickets
908 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
910 libpve-access-control (3.0-5) unstable; urgency=low
912 * add code to generate tickets for SPICE
914 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
916 libpve-access-control (3.0-4) unstable; urgency=low
918 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
920 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
922 libpve-access-control (3.0-3) unstable; urgency=low
924 * Add new role PVETemplateUser (and VM.Clone privilege)
926 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
928 libpve-access-control (3.0-2) unstable; urgency=low
930 * remove CGI.pm related code (pveproxy does not need that)
932 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
934 libpve-access-control (3.0-1) unstable; urgency=low
936 * bump version for wheezy release
938 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
940 libpve-access-control (1.0-26) unstable; urgency=low
942 * check_volume_access: fix access permissions for backup files
944 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
946 libpve-access-control (1.0-25) unstable; urgency=low
948 * add VM.Snapshot permission
950 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
952 libpve-access-control (1.0-24) unstable; urgency=low
954 * untaint path (allow root to restore arbitrary paths)
956 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
958 libpve-access-control (1.0-23) unstable; urgency=low
960 * correctly compute GUI capabilities (consider pools)
962 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
964 libpve-access-control (1.0-22) unstable; urgency=low
966 * new plugin architecture for Auth modules, minor API change for Auth
967 domains (new 'delete' parameter)
969 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
971 libpve-access-control (1.0-21) unstable; urgency=low
973 * do not allow user names including slash
975 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
977 libpve-access-control (1.0-20) unstable; urgency=low
979 * add ability to fork cli workers in background
981 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
983 libpve-access-control (1.0-19) unstable; urgency=low
985 * return set of privileges on login - can be used to adopt GUI
987 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
989 libpve-access-control (1.0-18) unstable; urgency=low
991 * fix bug #151: correctly parse username inside ticket
993 * fix bug #152: allow user to change his own password
995 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
997 libpve-access-control (1.0-17) unstable; urgency=low
999 * set propagate flag by default
1001 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
1003 libpve-access-control (1.0-16) unstable; urgency=low
1005 * add 'pveum passwd' method
1007 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
1009 libpve-access-control (1.0-15) unstable; urgency=low
1011 * Add VM.Config.CDROM privilege to PVEVMUser rule
1013 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
1015 libpve-access-control (1.0-14) unstable; urgency=low
1017 * fix buf in userid-param permission check
1019 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
1021 libpve-access-control (1.0-13) unstable; urgency=low
1023 * allow more characters in ldap base_dn attribute
1025 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
1027 libpve-access-control (1.0-12) unstable; urgency=low
1029 * allow more characters with realm IDs
1031 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
1033 libpve-access-control (1.0-11) unstable; urgency=low
1035 * fix bug in exec_api2_perm_check
1037 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
1039 libpve-access-control (1.0-10) unstable; urgency=low
1041 * fix ACL group name parser
1043 * changed 'pveum aclmod' command line arguments
1045 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
1047 libpve-access-control (1.0-9) unstable; urgency=low
1049 * fix bug in check_volume_access (fixes vzrestore)
1051 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
1053 libpve-access-control (1.0-8) unstable; urgency=low
1055 * fix return value for empty ACL list.
1057 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
1059 libpve-access-control (1.0-7) unstable; urgency=low
1061 * fix bug #85: allow root@pam to generate tickets for other users
1063 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
1065 libpve-access-control (1.0-6) unstable; urgency=low
1067 * API change: allow to filter enabled/disabled users.
1069 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
1071 libpve-access-control (1.0-5) unstable; urgency=low
1073 * add a way to return file changes (diffs): set_result_changes()
1075 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
1077 libpve-access-control (1.0-4) unstable; urgency=low
1079 * new environment type for ha agents
1081 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
1083 libpve-access-control (1.0-3) unstable; urgency=low
1085 * add support for delayed parameter parsing - We need that to disable
1086 file upload for normal API request (avoid DOS attacks)
1088 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
1090 libpve-access-control (1.0-2) unstable; urgency=low
1092 * fix bug in fork_worker
1094 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
1096 libpve-access-control (1.0-1) unstable; urgency=low
1098 * allow '-' in permission paths
1100 * bump version to 1.0
1102 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
1104 libpve-access-control (0.1) unstable; urgency=low
1106 * first dummy package - no functionality
1108 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200