1 libpve-access-control (8.0.0~2) bookworm; urgency=medium
3 * api: user index: only include existing tfa lock flags
5 * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs
7 * roles: only include Permissions.Modify in Administrator built-in role.
8 As, depending on the ACL object path, this privilege might allow one to
9 change their own permissions, which was making the distinction between
10 Admin and PVEAdmin irrelevant.
12 * acls: restrict less-privileged ACL modifications. Through allocate
13 permissions in pools, storages and virtual guests one can do some ACL
14 modifications without having the Permissions.Modify privilege, lock those
15 better down to ensure that one can only hand out only the subset of their
16 own privileges, never more. Note that this is mostly future proofing, as
17 the ACL object paths one could give out more permissions where already
20 -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 11:34:30 +0200
22 libpve-access-control (8.0.0~1) bookworm; urgency=medium
24 * bump pve-rs dependency to 0.8.3
26 * drop old verify_tfa api call (POST /access/tfa)
28 * drop support for old login API:
29 - 'new-format' is now considured to be 1 and ignored by the API
31 * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote
34 * cli: add 'pveum tfa list'
36 * cli: add 'pveum tfa unlock'
38 * enable lockout of TFA:
39 - too many TOTP attempts will lock out of TOTP
40 - using a recovery key will unlock TOTP
41 - too many TFA attempts will lock a user's TFA auth for an hour
43 * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
44 authentication if it was locked by too many wrong 2nd factor login attempts
46 * api: /access/tfa and /access/users now include the tfa lockout status
48 -- Proxmox Support Team <support@proxmox.com> Mon, 05 Jun 2023 14:52:29 +0200
50 libpve-access-control (7.99.0) bookworm; urgency=medium
52 * initial re-build for Proxmox VE 8.x series
54 * switch to native versioning
56 -- Proxmox Support Team <support@proxmox.com> Sun, 21 May 2023 10:34:19 +0200
58 libpve-access-control (7.4-3) bullseye; urgency=medium
60 * use new 2nd factor verification from pve-rs
62 -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 13:31:28 +0200
64 libpve-access-control (7.4-2) bullseye; urgency=medium
66 * fix #4609: fix regression where a valid DN in the ldap/ad realm config
67 wasn't accepted anymore
69 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Mar 2023 15:44:21 +0100
71 libpve-access-control (7.4-1) bullseye; urgency=medium
73 * realm sync: refactor scope/remove-vanished into a standard option
75 * ldap: Allow quoted values for DN attribute values
77 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Mar 2023 17:16:11 +0100
79 libpve-access-control (7.3-2) bullseye; urgency=medium
81 * fix #4518: dramatically improve ACL computation performance
83 * userid format: clarify that this is the full name@realm in description
85 -- Proxmox Support Team <support@proxmox.com> Mon, 06 Mar 2023 11:40:11 +0100
87 libpve-access-control (7.3-1) bullseye; urgency=medium
89 * realm: sync: allow explicit 'none' for 'remove-vanished' option
91 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Dec 2022 13:11:04 +0100
93 libpve-access-control (7.2-5) bullseye; urgency=medium
95 * api: realm sync: avoid separate log line for "remove-vanished" opt
97 * auth ldap/ad: compare group member dn case-insensitively
99 * two factor auth: only lock tfa config for recovery keys
101 * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
102 migrations and storage migrations
104 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 13:09:17 +0100
106 libpve-access-control (7.2-4) bullseye; urgency=medium
108 * fix #4074: increase API OpenID code size limit to 2048
110 * auth key: protect against rare chance of a double rotation in clusters,
111 leaving the potential that some set of nodes have the earlier key cached,
112 that then got rotated out due to the race, resulting in a possible other
113 set of nodes having the newer key cached. This is a split view of the auth
114 key and may resulting in spurious failures if API requests are made to a
115 different node than the ticket was generated on.
116 In addition to that, the "keep validity of old tickets if signed in the
117 last two hours before rotation" logic was disabled too in such a case,
118 making such tickets invalid too early.
119 Note that both are cases where Proxmox VE was too strict, so while this
120 had no security implications it can be a nuisance, especially for
121 environments that use the API through an automated or scripted way
123 -- Proxmox Support Team <support@proxmox.com> Thu, 14 Jul 2022 08:36:51 +0200
125 libpve-access-control (7.2-3) bullseye; urgency=medium
127 * api: token: use userid-group as API perm check to avoid being overly
128 strict through a misguided use of user id for non-root users.
130 * perm check: forbid undefined/empty ACL path for future proofing of against
133 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Jun 2022 15:51:14 +0200
135 libpve-access-control (7.2-2) bullseye; urgency=medium
137 * permissions: merge propagation flag for multiple roles on a path that
138 share privilege in a deterministic way, to avoid that it gets lost
139 depending on perl's random sort, which would result in returing less
140 privileges than an auth-id actually had.
142 * permissions: avoid that token and user privilege intersection is to strict
143 for user permissions that have propagation disabled.
145 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2022 14:02:30 +0200
147 libpve-access-control (7.2-1) bullseye; urgency=medium
149 * user check: fix expiration/enable order
151 -- Proxmox Support Team <support@proxmox.com> Tue, 31 May 2022 13:43:37 +0200
153 libpve-access-control (7.1-8) bullseye; urgency=medium
155 * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-
158 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Apr 2022 17:02:46 +0200
160 libpve-access-control (7.1-7) bullseye; urgency=medium
162 * userid-group check: distinguish create and update
164 * api: get user: declare token schema
166 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Mar 2022 16:15:23 +0100
168 libpve-access-control (7.1-6) bullseye; urgency=medium
170 * fix #3768: warn on bad u2f or webauthn settings
172 * tfa: when modifying others, verify the current user's password
174 * tfa list: account for admin permissions
176 * fix realm sync permissions
178 * fix token permission display bug
180 * include SDN permissions in permission tree
182 -- Proxmox Support Team <support@proxmox.com> Fri, 21 Jan 2022 14:20:42 +0100
184 libpve-access-control (7.1-5) bullseye; urgency=medium
186 * openid: fix username-claim fallback
188 -- Proxmox Support Team <support@proxmox.com> Thu, 25 Nov 2021 07:57:38 +0100
190 libpve-access-control (7.1-4) bullseye; urgency=medium
192 * set current origin in the webauthn config if no fixed origin was
193 configured, to support webauthn via subdomains
195 -- Proxmox Support Team <support@proxmox.com> Mon, 22 Nov 2021 14:04:06 +0100
197 libpve-access-control (7.1-3) bullseye; urgency=medium
199 * openid: allow arbitrary username-claims
201 * openid: support configuring the prompt, scopes and ACR values
203 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Nov 2021 08:11:52 +0100
205 libpve-access-control (7.1-2) bullseye; urgency=medium
207 * catch incompatible tfa entries with a nice error
209 -- Proxmox Support Team <support@proxmox.com> Wed, 17 Nov 2021 13:44:45 +0100
211 libpve-access-control (7.1-1) bullseye; urgency=medium
213 * tfa: map HTTP 404 error in get_tfa_entry correctly
215 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Nov 2021 15:33:22 +0100
217 libpve-access-control (7.0-7) bullseye; urgency=medium
219 * fix #3513: pass configured proxy to OpenID
221 * use rust based parser for TFA config
223 * use PBS-like auth api call flow,
225 * merge old user.cfg keys to tfa config when adding entries
227 * implement version checks for new tfa config writer to ensure all
228 cluster nodes are ready to avoid login issues
230 * tickets: add tunnel ticket
232 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Nov 2021 18:17:49 +0100
234 libpve-access-control (7.0-6) bullseye; urgency=medium
236 * fix regression in user deletion when realm does not enforce TFA
238 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Oct 2021 12:28:52 +0200
240 libpve-access-control (7.0-5) bullseye; urgency=medium
242 * acl: check path: add /sdn/vnets/* path
244 * fix #2302: allow deletion of users when realm enforces TFA
246 * api: delete user: disable user first to avoid surprise on error during the
247 various cleanup action required for user deletion (e.g., TFA, ACL, group)
249 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Sep 2021 15:50:47 +0200
251 libpve-access-control (7.0-4) bullseye; urgency=medium
253 * realm: add OpenID configuration
255 * api: implement OpenID related endpoints
257 * implement opt-in OpenID autocreate user feature
259 * api: user: add 'realm-type' to user list response
261 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Jul 2021 13:45:46 +0200
263 libpve-access-control (7.0-3) bullseye; urgency=medium
265 * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
266 `/sdn/zones/<zone>` to allowed ACL paths
268 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 10:31:19 +0200
270 libpve-access-control (7.0-2) bullseye; urgency=medium
272 * fix #3402: add Pool.Audit privilege - custom roles containing
273 Pool.Allocate must be updated to include the new privilege.
275 -- Proxmox Support Team <support@proxmox.com> Tue, 1 Jun 2021 11:28:38 +0200
277 libpve-access-control (7.0-1) bullseye; urgency=medium
279 * re-build for Debian 11 Bullseye based releases
281 -- Proxmox Support Team <support@proxmox.com> Sun, 09 May 2021 18:18:23 +0200
283 libpve-access-control (6.4-1) pve; urgency=medium
285 * fix #1670: change PAM service name to project specific name
287 * fix #1500: permission path syntax check for access control
289 * pveum: add resource pool CLI commands
291 -- Proxmox Support Team <support@proxmox.com> Sat, 24 Apr 2021 19:48:21 +0200
293 libpve-access-control (6.1-3) pve; urgency=medium
295 * partially fix #2825: authkey: rotate if it was generated in the
298 * fix #2947: add an option to LDAP or AD realm to switch user lookup to case
301 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Sep 2020 08:54:13 +0200
303 libpve-access-control (6.1-2) pve; urgency=medium
305 * also check SDN permission path when computing coarse permissions heuristic
308 * add SDN Permissions.Modify
310 * add VM.Config.Cloudinit
312 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Jun 2020 13:06:56 +0200
314 libpve-access-control (6.1-1) pve; urgency=medium
316 * pveum: add tfa delete subcommand for deleting user-TFA
318 * LDAP: don't complain about missing credentials on realm removal
320 * LDAP: skip anonymous bind when client certificate and key is configured
322 -- Proxmox Support Team <support@proxmox.com> Fri, 08 May 2020 17:47:41 +0200
324 libpve-access-control (6.0-7) pve; urgency=medium
326 * fix #2575: die when trying to edit built-in roles
328 * add realm sub commands to pveum CLI tool
330 * api: domains: add user group sync API endpoint
332 * allow one to sync and import users and groups from LDAP/AD based realms
334 * realm: add default-sync-options to config for more convenient sync configuration
336 * api: token create: return also full token id for convenience
338 -- Proxmox Support Team <support@proxmox.com> Sat, 25 Apr 2020 19:35:17 +0200
340 libpve-access-control (6.0-6) pve; urgency=medium
342 * API: add group members to group index
344 * implement API token support and management
346 * pveum: add 'pveum user token add/update/remove/list'
348 * pveum: add permissions sub-commands
350 * API: add 'permissions' API endpoint
352 * user.cfg: skip inexisting roles when parsing ACLs
354 -- Proxmox Support Team <support@proxmox.com> Wed, 29 Jan 2020 10:17:27 +0100
356 libpve-access-control (6.0-5) pve; urgency=medium
358 * pveum: add list command for users, groups, ACLs and roles
360 * add initial permissions for experimental SDN integration
362 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Nov 2019 17:56:37 +0100
364 libpve-access-control (6.0-4) pve; urgency=medium
366 * ticket: use clinfo to get cluster name
368 * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as
371 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 11:55:11 +0100
373 libpve-access-control (6.0-3) pve; urgency=medium
375 * fix #2433: increase possible TFA secret length
377 * parse user configuration: correctly parse group names in ACLs, for users
378 which begin their name with an @
380 * sort user.cfg entries alphabetically
382 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Oct 2019 08:52:23 +0100
384 libpve-access-control (6.0-2) pve; urgency=medium
386 * improve CSRF verification compatibility with newer PVE
388 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2019 20:24:35 +0200
390 libpve-access-control (6.0-1) pve; urgency=medium
392 * ticket: properly verify exactly 5 minute old tickets
394 * use hmac_sha256 instead of sha1 for CSRF token generation
396 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 18:14:45 +0200
398 libpve-access-control (6.0-0+1) pve; urgency=medium
400 * bump for Debian buster
402 * fix #2079: add periodic auth key rotation
404 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 21:31:15 +0200
406 libpve-access-control (5.1-10) unstable; urgency=medium
408 * add /access/user/{id}/tfa api call to get tfa types
410 -- Proxmox Support Team <support@proxmox.com> Wed, 15 May 2019 16:21:10 +0200
412 libpve-access-control (5.1-9) unstable; urgency=medium
414 * store the tfa type in user.cfg allowing to get it without proxying the call
415 to a higher privileged daemon.
417 * tfa: realm required TFA should lock out users without TFA configured, as it
418 was done before Proxmox VE 5.4
420 -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2019 14:01:00 +0000
422 libpve-access-control (5.1-8) unstable; urgency=medium
424 * U2F: ensure we save correct public key on registration
426 -- Proxmox Support Team <support@proxmox.com> Tue, 09 Apr 2019 12:47:12 +0200
428 libpve-access-control (5.1-7) unstable; urgency=medium
430 * verify_ticket: allow general non-challenge tfa to be run as two step
433 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Apr 2019 16:56:14 +0200
435 libpve-access-control (5.1-6) unstable; urgency=medium
437 * more general 2FA configuration via priv/tfa.cfg
439 * add u2f api endpoints
441 * delete TFA entries when deleting a user
443 * allow users to change their TOTP settings
445 -- Proxmox Support Team <support@proxmox.com> Wed, 03 Apr 2019 13:40:26 +0200
447 libpve-access-control (5.1-5) unstable; urgency=medium
449 * fix vnc ticket verification without authkey lifetime
451 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 10:43:17 +0100
453 libpve-access-control (5.1-4) unstable; urgency=medium
455 * fix #1891: Add zsh command completion for pveum
457 * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
458 to avoid issues on upgrade, will be enabled with 6.0
460 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Mar 2019 09:12:05 +0100
462 libpve-access-control (5.1-3) unstable; urgency=medium
464 * api/ticket: move getting cluster name into an eval
466 -- Proxmox Support Team <support@proxmox.com> Thu, 29 Nov 2018 12:59:36 +0100
468 libpve-access-control (5.1-2) unstable; urgency=medium
470 * fix #1998: correct return properties for read_role
472 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:22:40 +0100
474 libpve-access-control (5.1-1) unstable; urgency=medium
476 * pveum: introduce sub-commands
478 * register userid with completion
480 * fix #233: return cluster name on successful login
482 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Nov 2018 09:34:47 +0100
484 libpve-access-control (5.0-8) unstable; urgency=medium
486 * fix #1612: ldap: make 2nd server work with bind domains again
488 * fix an error message where passing a bad pool id to an API function would
489 make it complain about a wrong group name instead
491 * fix the API-returned permission list so that the GUI knows to show the
492 'Permissions' tab for a storage to an administrator apart from root@pam
494 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Jan 2018 13:34:50 +0100
496 libpve-access-control (5.0-7) unstable; urgency=medium
498 * VM.Snapshot.Rollback privilege added
500 * api: check for special roles before locking the usercfg
502 * fix #1501: pveum: die when deleting special role
504 * API/ticket: rework coarse grained permission computation
506 -- Proxmox Support Team <support@proxmox.com> Thu, 5 Oct 2017 11:27:48 +0200
508 libpve-access-control (5.0-6) unstable; urgency=medium
510 * Close #1470: Add server ceritifcate verification for AD and LDAP via the
511 'verify' option. For compatibility reasons this defaults to off for now,
512 but that might change with future updates.
514 * AD, LDAP: Add ability to specify a CA path or file, and a client
515 certificate via the 'capath', 'cert' and 'certkey' options.
517 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Aug 2017 11:56:38 +0200
519 libpve-access-control (5.0-5) unstable; urgency=medium
521 * change from dpkg-deb to dpkg-buildpackage
523 -- Proxmox Support Team <support@proxmox.com> Thu, 22 Jun 2017 09:12:37 +0200
525 libpve-access-control (5.0-4) unstable; urgency=medium
527 * PVE/CLI/pveum.pm: call setup_default_cli_env()
529 * PVE/Auth/PVE.pm: encode uft8 password before calling crypt
531 * check_api2_permissions: avoid warning about uninitialized value
533 -- Proxmox Support Team <support@proxmox.com> Tue, 02 May 2017 11:58:15 +0200
535 libpve-access-control (5.0-3) unstable; urgency=medium
537 * use new PVE::OTP class from pve-common
539 * use new PVE::Tools::encrypt_pw from pve-common
541 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 17:45:55 +0200
543 libpve-access-control (5.0-2) unstable; urgency=medium
545 * encrypt_pw: avoid '+' for crypt salt
547 -- Proxmox Support Team <support@proxmox.com> Thu, 30 Mar 2017 08:54:10 +0200
549 libpve-access-control (5.0-1) unstable; urgency=medium
551 * rebuild for PVE 5.0
553 -- Proxmox Support Team <support@proxmox.com> Mon, 6 Mar 2017 13:42:01 +0100
555 libpve-access-control (4.0-23) unstable; urgency=medium
557 * use new PVE::Ticket class
559 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 13:42:06 +0100
561 libpve-access-control (4.0-22) unstable; urgency=medium
563 * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
564 (moved to PVE::Storage)
566 * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
568 -- Proxmox Support Team <support@proxmox.com> Thu, 19 Jan 2017 09:12:04 +0100
570 libpve-access-control (4.0-21) unstable; urgency=medium
572 * setup_default_cli_env: expect $class as first parameter
574 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jan 2017 13:54:27 +0100
576 libpve-access-control (4.0-20) unstable; urgency=medium
578 * PVE/RPCEnvironment.pm: new function setup_default_cli_env
580 * PVE/API2/Domains.pm: fix property description
582 * use new repoman for upload target
584 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2017 12:13:26 +0100
586 libpve-access-control (4.0-19) unstable; urgency=medium
588 * Close #833: ldap: non-anonymous bind support
590 * don't import 'RFC' from MIME::Base32
592 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Aug 2016 13:09:08 +0200
594 libpve-access-control (4.0-18) unstable; urgency=medium
596 * fix #1062: recognize base32 otp keys again
598 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jul 2016 08:43:18 +0200
600 libpve-access-control (4.0-17) unstable; urgency=medium
602 * drop oathtool and libdigest-hmac-perl dependencies
604 -- Proxmox Support Team <support@proxmox.com> Mon, 11 Jul 2016 12:03:22 +0200
606 libpve-access-control (4.0-16) unstable; urgency=medium
608 * use pve-doc-generator to generate man pages
610 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Apr 2016 07:06:05 +0200
612 libpve-access-control (4.0-15) unstable; urgency=medium
614 * Fix uninitialized warning when shadow.cfg does not exist
616 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:10:57 +0200
618 libpve-access-control (4.0-14) unstable; urgency=medium
620 * Add is_worker to RPCEnvironment
622 -- Proxmox Support Team <support@proxmox.com> Tue, 15 Mar 2016 16:47:34 +0100
624 libpve-access-control (4.0-13) unstable; urgency=medium
626 * fix #916: allow HTTPS to access custom yubico url
628 -- Proxmox Support Team <support@proxmox.com> Mon, 14 Mar 2016 11:39:23 +0100
630 libpve-access-control (4.0-12) unstable; urgency=medium
632 * Catch certificate errors instead of segfaulting
634 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Mar 2016 14:41:01 +0100
636 libpve-access-control (4.0-11) unstable; urgency=medium
638 * Fix #861: use safer sprintf formatting
640 -- Proxmox Support Team <support@proxmox.com> Fri, 08 Jan 2016 12:52:39 +0100
642 libpve-access-control (4.0-10) unstable; urgency=medium
644 * Auth::LDAP, Auth::AD: ipv6 support
646 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Dec 2015 12:09:32 +0100
648 libpve-access-control (4.0-9) unstable; urgency=medium
650 * pveum: implement bash completion
652 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Oct 2015 17:22:52 +0200
654 libpve-access-control (4.0-8) unstable; urgency=medium
656 * remove_storage_access: cleanup of access permissions for removed storage
658 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:39:15 +0200
660 libpve-access-control (4.0-7) unstable; urgency=medium
662 * new helper to remove access permissions for removed VMs
664 -- Proxmox Support Team <support@proxmox.com> Fri, 14 Aug 2015 07:57:02 +0200
666 libpve-access-control (4.0-6) unstable; urgency=medium
668 * improve parse_user_config, parse_shadow_config
670 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:14:33 +0200
672 libpve-access-control (4.0-5) unstable; urgency=medium
674 * pveum: check for $cmd being defined
676 -- Proxmox Support Team <support@proxmox.com> Wed, 10 Jun 2015 10:40:15 +0200
678 libpve-access-control (4.0-4) unstable; urgency=medium
680 * use activate-noawait triggers
682 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:25:31 +0200
684 libpve-access-control (4.0-3) unstable; urgency=medium
690 -- Proxmox Support Team <support@proxmox.com> Wed, 27 May 2015 11:15:44 +0200
692 libpve-access-control (4.0-2) unstable; urgency=medium
694 * trigger pve-api-updates event
696 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:06:38 +0200
698 libpve-access-control (4.0-1) unstable; urgency=medium
700 * bump version for Debian Jessie
702 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Feb 2015 11:22:01 +0100
704 libpve-access-control (3.0-16) unstable; urgency=low
706 * root@pam can now be disabled in GUI.
708 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Jan 2015 06:20:22 +0100
710 libpve-access-control (3.0-15) unstable; urgency=low
712 * oath: add 'step' and 'digits' option
714 -- Proxmox Support Team <support@proxmox.com> Wed, 23 Jul 2014 06:59:52 +0200
716 libpve-access-control (3.0-14) unstable; urgency=low
718 * add oath two factor auth
720 * add oathkeygen binary to generate keys for oath
722 * add yubico two factor auth
726 * depend on libmime-base32-perl
728 * allow to write builtin auth domains config (comment/tfa/default)
730 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
732 libpve-access-control (3.0-13) unstable; urgency=low
734 * use correct connection string for AD auth
736 -- Proxmox Support Team <support@proxmox.com> Thu, 22 May 2014 07:16:09 +0200
738 libpve-access-control (3.0-12) unstable; urgency=low
740 * add dummy API for GET /access/ticket (useful to generate login pages)
742 -- Proxmox Support Team <support@proxmox.com> Wed, 30 Apr 2014 14:47:56 +0200
744 libpve-access-control (3.0-11) unstable; urgency=low
746 * Sets common hot keys for spice client
748 -- Proxmox Support Team <support@proxmox.com> Fri, 31 Jan 2014 10:24:28 +0100
750 libpve-access-control (3.0-10) unstable; urgency=low
752 * implement helper to generate SPICE remote-viewer configuration
754 * depend on libnet-ssleay-perl
756 -- Proxmox Support Team <support@proxmox.com> Tue, 10 Dec 2013 10:45:08 +0100
758 libpve-access-control (3.0-9) unstable; urgency=low
760 * prevent user enumeration attacks
762 * allow dots in access paths
764 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2013 09:06:38 +0100
766 libpve-access-control (3.0-8) unstable; urgency=low
768 * spice: use lowercase hostname in ticktet signature
770 -- Proxmox Support Team <support@proxmox.com> Mon, 28 Oct 2013 08:11:57 +0100
772 libpve-access-control (3.0-7) unstable; urgency=low
774 * check_volume_access : use parse_volname instead of path, and remove
777 * use warnings instead of global -w flag.
779 -- Proxmox Support Team <support@proxmox.com> Tue, 01 Oct 2013 12:35:53 +0200
781 libpve-access-control (3.0-6) unstable; urgency=low
783 * use shorter spiceproxy tickets
785 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Jul 2013 12:39:09 +0200
787 libpve-access-control (3.0-5) unstable; urgency=low
789 * add code to generate tickets for SPICE
791 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Jun 2013 13:08:32 +0200
793 libpve-access-control (3.0-4) unstable; urgency=low
795 * moved add_vm_to_pool/remove_vm_from_pool from qemu-server
797 -- Proxmox Support Team <support@proxmox.com> Tue, 14 May 2013 11:56:54 +0200
799 libpve-access-control (3.0-3) unstable; urgency=low
801 * Add new role PVETemplateUser (and VM.Clone privilege)
803 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Apr 2013 11:42:15 +0200
805 libpve-access-control (3.0-2) unstable; urgency=low
807 * remove CGI.pm related code (pveproxy does not need that)
809 -- Proxmox Support Team <support@proxmox.com> Mon, 15 Apr 2013 12:34:23 +0200
811 libpve-access-control (3.0-1) unstable; urgency=low
813 * bump version for wheezy release
815 -- Proxmox Support Team <support@proxmox.com> Fri, 15 Mar 2013 08:07:06 +0100
817 libpve-access-control (1.0-26) unstable; urgency=low
819 * check_volume_access: fix access permissions for backup files
821 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Feb 2013 10:00:14 +0100
823 libpve-access-control (1.0-25) unstable; urgency=low
825 * add VM.Snapshot permission
827 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Sep 2012 09:23:32 +0200
829 libpve-access-control (1.0-24) unstable; urgency=low
831 * untaint path (allow root to restore arbitrary paths)
833 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2012 13:06:34 +0200
835 libpve-access-control (1.0-23) unstable; urgency=low
837 * correctly compute GUI capabilities (consider pools)
839 -- Proxmox Support Team <support@proxmox.com> Wed, 30 May 2012 08:47:23 +0200
841 libpve-access-control (1.0-22) unstable; urgency=low
843 * new plugin architecture for Auth modules, minor API change for Auth
844 domains (new 'delete' parameter)
846 -- Proxmox Support Team <support@proxmox.com> Wed, 16 May 2012 07:21:44 +0200
848 libpve-access-control (1.0-21) unstable; urgency=low
850 * do not allow user names including slash
852 -- Proxmox Support Team <support@proxmox.com> Tue, 24 Apr 2012 10:07:47 +0200
854 libpve-access-control (1.0-20) unstable; urgency=low
856 * add ability to fork cli workers in background
858 -- Proxmox Support Team <support@proxmox.com> Wed, 18 Apr 2012 08:28:20 +0200
860 libpve-access-control (1.0-19) unstable; urgency=low
862 * return set of privileges on login - can be used to adopt GUI
864 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Apr 2012 10:25:10 +0200
866 libpve-access-control (1.0-18) unstable; urgency=low
868 * fix bug #151: correctly parse username inside ticket
870 * fix bug #152: allow user to change his own password
872 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2012 09:40:15 +0200
874 libpve-access-control (1.0-17) unstable; urgency=low
876 * set propagate flag by default
878 -- Proxmox Support Team <support@proxmox.com> Thu, 01 Mar 2012 12:40:19 +0100
880 libpve-access-control (1.0-16) unstable; urgency=low
882 * add 'pveum passwd' method
884 -- Proxmox Support Team <support@proxmox.com> Thu, 23 Feb 2012 12:05:25 +0100
886 libpve-access-control (1.0-15) unstable; urgency=low
888 * Add VM.Config.CDROM privilege to PVEVMUser rule
890 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 11:44:23 +0100
892 libpve-access-control (1.0-14) unstable; urgency=low
894 * fix buf in userid-param permission check
896 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 10:52:35 +0100
898 libpve-access-control (1.0-13) unstable; urgency=low
900 * allow more characters in ldap base_dn attribute
902 -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 06:17:02 +0100
904 libpve-access-control (1.0-12) unstable; urgency=low
906 * allow more characters with realm IDs
908 -- Proxmox Support Team <support@proxmox.com> Mon, 20 Feb 2012 08:50:33 +0100
910 libpve-access-control (1.0-11) unstable; urgency=low
912 * fix bug in exec_api2_perm_check
914 -- Proxmox Support Team <support@proxmox.com> Wed, 15 Feb 2012 07:06:30 +0100
916 libpve-access-control (1.0-10) unstable; urgency=low
918 * fix ACL group name parser
920 * changed 'pveum aclmod' command line arguments
922 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Feb 2012 12:08:02 +0100
924 libpve-access-control (1.0-9) unstable; urgency=low
926 * fix bug in check_volume_access (fixes vzrestore)
928 -- Proxmox Support Team <support@proxmox.com> Mon, 13 Feb 2012 09:56:37 +0100
930 libpve-access-control (1.0-8) unstable; urgency=low
932 * fix return value for empty ACL list.
934 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Feb 2012 11:25:04 +0100
936 libpve-access-control (1.0-7) unstable; urgency=low
938 * fix bug #85: allow root@pam to generate tickets for other users
940 -- Proxmox Support Team <support@proxmox.com> Tue, 17 Jan 2012 06:40:18 +0100
942 libpve-access-control (1.0-6) unstable; urgency=low
944 * API change: allow to filter enabled/disabled users.
946 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Jan 2012 12:30:37 +0100
948 libpve-access-control (1.0-5) unstable; urgency=low
950 * add a way to return file changes (diffs): set_result_changes()
952 -- Proxmox Support Team <support@proxmox.com> Tue, 20 Dec 2011 11:18:48 +0100
954 libpve-access-control (1.0-4) unstable; urgency=low
956 * new environment type for ha agents
958 -- Proxmox Support Team <support@proxmox.com> Tue, 13 Dec 2011 10:08:53 +0100
960 libpve-access-control (1.0-3) unstable; urgency=low
962 * add support for delayed parameter parsing - We need that to disable
963 file upload for normal API request (avoid DOS attacks)
965 -- Proxmox Support Team <support@proxmox.com> Fri, 02 Dec 2011 09:56:10 +0100
967 libpve-access-control (1.0-2) unstable; urgency=low
969 * fix bug in fork_worker
971 -- Proxmox Support Team <support@proxmox.com> Tue, 11 Oct 2011 08:37:05 +0200
973 libpve-access-control (1.0-1) unstable; urgency=low
975 * allow '-' in permission paths
977 * bump version to 1.0
979 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jun 2011 13:51:48 +0200
981 libpve-access-control (0.1) unstable; urgency=low
983 * first dummy package - no functionality
985 -- Proxmox Support Team <support@proxmox.com> Thu, 09 Jul 2009 16:03:00 +0200