libpve-access-control (8.0.0~3) bookworm; urgency=medium

  * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path

  * access control: add /sdn/zones/<zone>/<vnet>/<vlan> ACL object path

  * add helper for checking bridge access

  * add new SDN.Use privilege in PVESDNUser role, allowing one to specify
    which users are allowed to use a bridge (or vnet, if SDN is installed)

  * add privileges and paths for cluster resource mapping

 -- Proxmox Support Team <support@proxmox.com>  Wed, 07 Jun 2023 19:06:54 +0200

libpve-access-control (8.0.0~2) bookworm; urgency=medium

  * api: user index: only include existing tfa lock flags

  * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs

  * roles: only include Permissions.Modify in Administrator built-in role.
    As, depending on the ACL object path, this privilege might allow one to
    change their own permissions, which was making the distinction between
    Admin and PVEAdmin irrelevant.

  * acls: restrict less-privileged ACL modifications. Through allocate
    permissions in pools, storages and virtual guests one can do some ACL
    modifications without having the Permissions.Modify privilege, lock those
    better down to ensure that one can only hand out the subset of their
    own privileges, never more. Note that this is mostly future proofing, as
    the ACL object paths one could give out more permissions where already

 -- Proxmox Support Team <support@proxmox.com>  Wed, 07 Jun 2023 11:34:30 +0200

libpve-access-control (8.0.0~1) bookworm; urgency=medium

  * bump pve-rs dependency to 0.8.3

  * drop old verify_tfa api call (POST /access/tfa)

  * drop support for old login API:
    - 'new-format' is now considered to be 1 and ignored by the API

  * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote

  * cli: add 'pveum tfa list'

  * cli: add 'pveum tfa unlock'

  * enable lockout of TFA:
    - too many TOTP attempts will lock out of TOTP
    - using a recovery key will unlock TOTP
    - too many TFA attempts will lock a user's TFA auth for an hour

  * api: add /access/users/<userid>/unlock-tfa to unlock a user's TFA
    authentication if it was locked by too many wrong 2nd factor login attempts

  * api: /access/tfa and /access/users now include the tfa lockout status

 -- Proxmox Support Team <support@proxmox.com>  Mon, 05 Jun 2023 14:52:29 +0200

libpve-access-control (7.99.0) bookworm; urgency=medium

  * initial re-build for Proxmox VE 8.x series

  * switch to native versioning

 -- Proxmox Support Team <support@proxmox.com>  Sun, 21 May 2023 10:34:19 +0200

libpve-access-control (7.4-3) bullseye; urgency=medium

  * use new 2nd factor verification from pve-rs

 -- Proxmox Support Team <support@proxmox.com>  Tue, 16 May 2023 13:31:28 +0200

libpve-access-control (7.4-2) bullseye; urgency=medium

  * fix #4609: fix regression where a valid DN in the ldap/ad realm config
    wasn't accepted anymore

 -- Proxmox Support Team <support@proxmox.com>  Thu, 23 Mar 2023 15:44:21 +0100

libpve-access-control (7.4-1) bullseye; urgency=medium

  * realm sync: refactor scope/remove-vanished into a standard option

  * ldap: Allow quoted values for DN attribute values

 -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Mar 2023 17:16:11 +0100

libpve-access-control (7.3-2) bullseye; urgency=medium

  * fix #4518: dramatically improve ACL computation performance

  * userid format: clarify that this is the full name@realm in description

 -- Proxmox Support Team <support@proxmox.com>  Mon, 06 Mar 2023 11:40:11 +0100

libpve-access-control (7.3-1) bullseye; urgency=medium

  * realm: sync: allow explicit 'none' for 'remove-vanished' option

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Dec 2022 13:11:04 +0100

libpve-access-control (7.2-5) bullseye; urgency=medium

  * api: realm sync: avoid separate log line for "remove-vanished" opt

  * auth ldap/ad: compare group member dn case-insensitively

  * two factor auth: only lock tfa config for recovery keys

  * privs: add Sys.Incoming for guarding cross-cluster data streams like guest
    migrations and storage migrations

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 Nov 2022 13:09:17 +0100

libpve-access-control (7.2-4) bullseye; urgency=medium

  * fix #4074: increase API OpenID code size limit to 2048

  * auth key: protect against rare chance of a double rotation in clusters,
    leaving the potential that some set of nodes have the earlier key cached,
    that then got rotated out due to the race, resulting in a possible other
    set of nodes having the newer key cached. This is a split view of the auth
    key and may result in spurious failures if API requests are made to a
    different node than the ticket was generated on.
    In addition to that, the "keep validity of old tickets if signed in the
    last two hours before rotation" logic was disabled too in such a case,
    making such tickets invalid too early.
    Note that both are cases where Proxmox VE was too strict, so while this
    had no security implications it can be a nuisance, especially for
    environments that use the API through an automated or scripted way

 -- Proxmox Support Team <support@proxmox.com>  Thu, 14 Jul 2022 08:36:51 +0200

libpve-access-control (7.2-3) bullseye; urgency=medium

  * api: token: use userid-group as API perm check to avoid being overly
    strict through a misguided use of user id for non-root users.

  * perm check: forbid undefined/empty ACL path for future proofing of against

 -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Jun 2022 15:51:14 +0200

libpve-access-control (7.2-2) bullseye; urgency=medium

  * permissions: merge propagation flag for multiple roles on a path that
    share privilege in a deterministic way, to avoid that it gets lost
    depending on perl's random sort, which would result in returning less
    privileges than an auth-id actually had.

  * permissions: avoid that token and user privilege intersection is too strict
    for user permissions that have propagation disabled.

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2022 14:02:30 +0200

libpve-access-control (7.2-1) bullseye; urgency=medium

  * user check: fix expiration/enable order

 -- Proxmox Support Team <support@proxmox.com>  Tue, 31 May 2022 13:43:37 +0200

libpve-access-control (7.1-8) bullseye; urgency=medium

  * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Apr 2022 17:02:46 +0200

libpve-access-control (7.1-7) bullseye; urgency=medium

  * userid-group check: distinguish create and update

  * api: get user: declare token schema

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Mar 2022 16:15:23 +0100

libpve-access-control (7.1-6) bullseye; urgency=medium

  * fix #3768: warn on bad u2f or webauthn settings

  * tfa: when modifying others, verify the current user's password

  * tfa list: account for admin permissions

  * fix realm sync permissions

  * fix token permission display bug

  * include SDN permissions in permission tree

 -- Proxmox Support Team <support@proxmox.com>  Fri, 21 Jan 2022 14:20:42 +0100

libpve-access-control (7.1-5) bullseye; urgency=medium

  * openid: fix username-claim fallback

 -- Proxmox Support Team <support@proxmox.com>  Thu, 25 Nov 2021 07:57:38 +0100

libpve-access-control (7.1-4) bullseye; urgency=medium

  * set current origin in the webauthn config if no fixed origin was
    configured, to support webauthn via subdomains

 -- Proxmox Support Team <support@proxmox.com>  Mon, 22 Nov 2021 14:04:06 +0100

libpve-access-control (7.1-3) bullseye; urgency=medium

  * openid: allow arbitrary username-claims

  * openid: support configuring the prompt, scopes and ACR values

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Nov 2021 08:11:52 +0100

libpve-access-control (7.1-2) bullseye; urgency=medium

  * catch incompatible tfa entries with a nice error

 -- Proxmox Support Team <support@proxmox.com>  Wed, 17 Nov 2021 13:44:45 +0100

libpve-access-control (7.1-1) bullseye; urgency=medium

  * tfa: map HTTP 404 error in get_tfa_entry correctly

 -- Proxmox Support Team <support@proxmox.com>  Mon, 15 Nov 2021 15:33:22 +0100

libpve-access-control (7.0-7) bullseye; urgency=medium

  * fix #3513: pass configured proxy to OpenID

  * use rust based parser for TFA config

  * use PBS-like auth api call flow,

  * merge old user.cfg keys to tfa config when adding entries

  * implement version checks for new tfa config writer to ensure all
    cluster nodes are ready to avoid login issues

  * tickets: add tunnel ticket

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Nov 2021 18:17:49 +0100

libpve-access-control (7.0-6) bullseye; urgency=medium

  * fix regression in user deletion when realm does not enforce TFA

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Oct 2021 12:28:52 +0200

libpve-access-control (7.0-5) bullseye; urgency=medium

  * acl: check path: add /sdn/vnets/* path

  * fix #2302: allow deletion of users when realm enforces TFA

  * api: delete user: disable user first to avoid surprise on error during the
    various cleanup action required for user deletion (e.g., TFA, ACL, group)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Sep 2021 15:50:47 +0200

libpve-access-control (7.0-4) bullseye; urgency=medium

  * realm: add OpenID configuration

  * api: implement OpenID related endpoints

  * implement opt-in OpenID autocreate user feature

  * api: user: add 'realm-type' to user list response

 -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Jul 2021 13:45:46 +0200

libpve-access-control (7.0-3) bullseye; urgency=medium

  * api: acl: add missing `/access/realm/<realm>`, `/access/group/<group>` and
    `/sdn/zones/<zone>` to allowed ACL paths

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Jun 2021 10:31:19 +0200

libpve-access-control (7.0-2) bullseye; urgency=medium

  * fix #3402: add Pool.Audit privilege - custom roles containing
    Pool.Allocate must be updated to include the new privilege.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 1 Jun 2021 11:28:38 +0200

libpve-access-control (7.0-1) bullseye; urgency=medium

  * re-build for Debian 11 Bullseye based releases

 -- Proxmox Support Team <support@proxmox.com>  Sun, 09 May 2021 18:18:23 +0200

libpve-access-control (6.4-1) pve; urgency=medium

  * fix #1670: change PAM service name to project specific name

  * fix #1500: permission path syntax check for access control

  * pveum: add resource pool CLI commands

 -- Proxmox Support Team <support@proxmox.com>  Sat, 24 Apr 2021 19:48:21 +0200

libpve-access-control (6.1-3) pve; urgency=medium

  * partially fix #2825: authkey: rotate if it was generated in the

  * fix #2947: add an option to LDAP or AD realm to switch user lookup to case

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Sep 2020 08:54:13 +0200

libpve-access-control (6.1-2) pve; urgency=medium

  * also check SDN permission path when computing coarse permissions heuristic

  * add SDN Permissions.Modify

  * add VM.Config.Cloudinit

 -- Proxmox Support Team <support@proxmox.com>  Tue, 30 Jun 2020 13:06:56 +0200

libpve-access-control (6.1-1) pve; urgency=medium

  * pveum: add tfa delete subcommand for deleting user-TFA

  * LDAP: don't complain about missing credentials on realm removal

  * LDAP: skip anonymous bind when client certificate and key is configured

 -- Proxmox Support Team <support@proxmox.com>  Fri, 08 May 2020 17:47:41 +0200

libpve-access-control (6.0-7) pve; urgency=medium

  * fix #2575: die when trying to edit built-in roles

  * add realm sub commands to pveum CLI tool

  * api: domains: add user group sync API endpoint

  * allow one to sync and import users and groups from LDAP/AD based realms

  * realm: add default-sync-options to config for more convenient sync configuration

  * api: token create: return also full token id for convenience

 -- Proxmox Support Team <support@proxmox.com>  Sat, 25 Apr 2020 19:35:17 +0200

libpve-access-control (6.0-6) pve; urgency=medium

  * API: add group members to group index

  * implement API token support and management

  * pveum: add 'pveum user token add/update/remove/list'

  * pveum: add permissions sub-commands

  * API: add 'permissions' API endpoint

  * user.cfg: skip inexisting roles when parsing ACLs

 -- Proxmox Support Team <support@proxmox.com>  Wed, 29 Jan 2020 10:17:27 +0100

libpve-access-control (6.0-5) pve; urgency=medium

  * pveum: add list command for users, groups, ACLs and roles

  * add initial permissions for experimental SDN integration

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Nov 2019 17:56:37 +0100

libpve-access-control (6.0-4) pve; urgency=medium

  * ticket: use clinfo to get cluster name

  * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 11:55:11 +0100

libpve-access-control (6.0-3) pve; urgency=medium

  * fix #2433: increase possible TFA secret length

  * parse user configuration: correctly parse group names in ACLs, for users
    which begin their name with an @

  * sort user.cfg entries alphabetically

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Oct 2019 08:52:23 +0100

libpve-access-control (6.0-2) pve; urgency=medium

  * improve CSRF verification compatibility with newer PVE

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Jun 2019 20:24:35 +0200

libpve-access-control (6.0-1) pve; urgency=medium

  * ticket: properly verify exactly 5 minute old tickets

  * use hmac_sha256 instead of sha1 for CSRF token generation

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 18:14:45 +0200

libpve-access-control (6.0-0+1) pve; urgency=medium

  * bump for Debian buster

  * fix #2079: add periodic auth key rotation

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 21:31:15 +0200

libpve-access-control (5.1-10) unstable; urgency=medium

  * add /access/user/{id}/tfa api call to get tfa types

 -- Proxmox Support Team <support@proxmox.com>  Wed, 15 May 2019 16:21:10 +0200

libpve-access-control (5.1-9) unstable; urgency=medium

  * store the tfa type in user.cfg allowing to get it without proxying the call
    to a higher privileged daemon.

  * tfa: realm required TFA should lock out users without TFA configured, as it
    was done before Proxmox VE 5.4

 -- Proxmox Support Team <support@proxmox.com>  Tue, 30 Apr 2019 14:01:00 +0000

libpve-access-control (5.1-8) unstable; urgency=medium

  * U2F: ensure we save correct public key on registration

 -- Proxmox Support Team <support@proxmox.com>  Tue, 09 Apr 2019 12:47:12 +0200

libpve-access-control (5.1-7) unstable; urgency=medium

  * verify_ticket: allow general non-challenge tfa to be run as two step

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Apr 2019 16:56:14 +0200

libpve-access-control (5.1-6) unstable; urgency=medium

  * more general 2FA configuration via priv/tfa.cfg

  * add u2f api endpoints

  * delete TFA entries when deleting a user

  * allow users to change their TOTP settings

 -- Proxmox Support Team <support@proxmox.com>  Wed, 03 Apr 2019 13:40:26 +0200

libpve-access-control (5.1-5) unstable; urgency=medium

  * fix vnc ticket verification without authkey lifetime

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Mar 2019 10:43:17 +0100

libpve-access-control (5.1-4) unstable; urgency=medium

  * fix #1891: Add zsh command completion for pveum

  * ground work to fix #2079: add periodic auth key rotation. Not yet enabled
    to avoid issues on upgrade, will be enabled with 6.0

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Mar 2019 09:12:05 +0100

libpve-access-control (5.1-3) unstable; urgency=medium

  * api/ticket: move getting cluster name into an eval

 -- Proxmox Support Team <support@proxmox.com>  Thu, 29 Nov 2018 12:59:36 +0100

libpve-access-control (5.1-2) unstable; urgency=medium

  * fix #1998: correct return properties for read_role

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:22:40 +0100

libpve-access-control (5.1-1) unstable; urgency=medium

  * pveum: introduce sub-commands

  * register userid with completion

  * fix #233: return cluster name on successful login

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Nov 2018 09:34:47 +0100

libpve-access-control (5.0-8) unstable; urgency=medium

  * fix #1612: ldap: make 2nd server work with bind domains again

  * fix an error message where passing a bad pool id to an API function would
    make it complain about a wrong group name instead

  * fix the API-returned permission list so that the GUI knows to show the
    'Permissions' tab for a storage to an administrator apart from root@pam

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Jan 2018 13:34:50 +0100

libpve-access-control (5.0-7) unstable; urgency=medium

  * VM.Snapshot.Rollback privilege added

  * api: check for special roles before locking the usercfg

  * fix #1501: pveum: die when deleting special role

  * API/ticket: rework coarse grained permission computation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 5 Oct 2017 11:27:48 +0200

libpve-access-control (5.0-6) unstable; urgency=medium

  * Close #1470: Add server certificate verification for AD and LDAP via the
    'verify' option. For compatibility reasons this defaults to off for now,
    but that might change with future updates.

  * AD, LDAP: Add ability to specify a CA path or file, and a client
    certificate via the 'capath', 'cert' and 'certkey' options.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Aug 2017 11:56:38 +0200

libpve-access-control (5.0-5) unstable; urgency=medium

  * change from dpkg-deb to dpkg-buildpackage

 -- Proxmox Support Team <support@proxmox.com>  Thu, 22 Jun 2017 09:12:37 +0200

libpve-access-control (5.0-4) unstable; urgency=medium

  * PVE/CLI/pveum.pm: call setup_default_cli_env()

  * PVE/Auth/PVE.pm: encode utf8 password before calling crypt

  * check_api2_permissions: avoid warning about uninitialized value

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 May 2017 11:58:15 +0200

libpve-access-control (5.0-3) unstable; urgency=medium

  * use new PVE::OTP class from pve-common

  * use new PVE::Tools::encrypt_pw from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 30 Mar 2017 17:45:55 +0200

libpve-access-control (5.0-2) unstable; urgency=medium

  * encrypt_pw: avoid '+' for crypt salt

 -- Proxmox Support Team <support@proxmox.com>  Thu, 30 Mar 2017 08:54:10 +0200

libpve-access-control (5.0-1) unstable; urgency=medium

  * rebuild for PVE 5.0

 -- Proxmox Support Team <support@proxmox.com>  Mon, 6 Mar 2017 13:42:01 +0100

libpve-access-control (4.0-23) unstable; urgency=medium

  * use new PVE::Ticket class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 19 Jan 2017 13:42:06 +0100

libpve-access-control (4.0-22) unstable; urgency=medium

  * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
    (moved to PVE::Storage)

  * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 19 Jan 2017 09:12:04 +0100

libpve-access-control (4.0-21) unstable; urgency=medium

  * setup_default_cli_env: expect $class as first parameter

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jan 2017 13:54:27 +0100

libpve-access-control (4.0-20) unstable; urgency=medium

  * PVE/RPCEnvironment.pm: new function setup_default_cli_env

  * PVE/API2/Domains.pm: fix property description

  * use new repoman for upload target

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Jan 2017 12:13:26 +0100

libpve-access-control (4.0-19) unstable; urgency=medium

  * Close #833: ldap: non-anonymous bind support

  * don't import 'RFC' from MIME::Base32

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Aug 2016 13:09:08 +0200

libpve-access-control (4.0-18) unstable; urgency=medium

  * fix #1062: recognize base32 otp keys again

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Jul 2016 08:43:18 +0200

libpve-access-control (4.0-17) unstable; urgency=medium

  * drop oathtool and libdigest-hmac-perl dependencies

 -- Proxmox Support Team <support@proxmox.com>  Mon, 11 Jul 2016 12:03:22 +0200

libpve-access-control (4.0-16) unstable; urgency=medium

  * use pve-doc-generator to generate man pages

 -- Proxmox Support Team <support@proxmox.com>  Fri, 08 Apr 2016 07:06:05 +0200

libpve-access-control (4.0-15) unstable; urgency=medium

  * Fix uninitialized warning when shadow.cfg does not exist

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:10:57 +0200

libpve-access-control (4.0-14) unstable; urgency=medium

  * Add is_worker to RPCEnvironment

 -- Proxmox Support Team <support@proxmox.com>  Tue, 15 Mar 2016 16:47:34 +0100

libpve-access-control (4.0-13) unstable; urgency=medium

  * fix #916: allow HTTPS to access custom yubico url

 -- Proxmox Support Team <support@proxmox.com>  Mon, 14 Mar 2016 11:39:23 +0100

libpve-access-control (4.0-12) unstable; urgency=medium

  * Catch certificate errors instead of segfaulting

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Mar 2016 14:41:01 +0100

libpve-access-control (4.0-11) unstable; urgency=medium

  * Fix #861: use safer sprintf formatting

 -- Proxmox Support Team <support@proxmox.com>  Fri, 08 Jan 2016 12:52:39 +0100

libpve-access-control (4.0-10) unstable; urgency=medium

  * Auth::LDAP, Auth::AD: ipv6 support

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Dec 2015 12:09:32 +0100

libpve-access-control (4.0-9) unstable; urgency=medium

  * pveum: implement bash completion

 -- Proxmox Support Team <support@proxmox.com>  Thu, 01 Oct 2015 17:22:52 +0200

libpve-access-control (4.0-8) unstable; urgency=medium

  * remove_storage_access: cleanup of access permissions for removed storage

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:39:15 +0200

libpve-access-control (4.0-7) unstable; urgency=medium

  * new helper to remove access permissions for removed VMs

 -- Proxmox Support Team <support@proxmox.com>  Fri, 14 Aug 2015 07:57:02 +0200

libpve-access-control (4.0-6) unstable; urgency=medium

  * improve parse_user_config, parse_shadow_config

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:14:33 +0200

libpve-access-control (4.0-5) unstable; urgency=medium

  * pveum: check for $cmd being defined

 -- Proxmox Support Team <support@proxmox.com>  Wed, 10 Jun 2015 10:40:15 +0200

libpve-access-control (4.0-4) unstable; urgency=medium

  * use activate-noawait triggers

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:25:31 +0200

libpve-access-control (4.0-3) unstable; urgency=medium

 -- Proxmox Support Team <support@proxmox.com>  Wed, 27 May 2015 11:15:44 +0200

libpve-access-control (4.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:06:38 +0200

libpve-access-control (4.0-1) unstable; urgency=medium

  * bump version for Debian Jessie

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Feb 2015 11:22:01 +0100

libpve-access-control (3.0-16) unstable; urgency=low

  * root@pam can now be disabled in GUI.

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Jan 2015 06:20:22 +0100

libpve-access-control (3.0-15) unstable; urgency=low

  * oath: add 'step' and 'digits' option

 -- Proxmox Support Team <support@proxmox.com>  Wed, 23 Jul 2014 06:59:52 +0200

libpve-access-control (3.0-14) unstable; urgency=low

  * add oath two factor auth

  * add oathkeygen binary to generate keys for oath

  * add yubico two factor auth

  * depend on libmime-base32-perl

  * allow to write builtin auth domains config (comment/tfa/default)

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 Jul 2014 13:09:56 +0200

libpve-access-control (3.0-13) unstable; urgency=low

  * use correct connection string for AD auth

 -- Proxmox Support Team <support@proxmox.com>  Thu, 22 May 2014 07:16:09 +0200

libpve-access-control (3.0-12) unstable; urgency=low

  * add dummy API for GET /access/ticket (useful to generate login pages)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 30 Apr 2014 14:47:56 +0200

libpve-access-control (3.0-11) unstable; urgency=low

  * Sets common hot keys for spice client

 -- Proxmox Support Team <support@proxmox.com>  Fri, 31 Jan 2014 10:24:28 +0100

libpve-access-control (3.0-10) unstable; urgency=low

  * implement helper to generate SPICE remote-viewer configuration

  * depend on libnet-ssleay-perl

 -- Proxmox Support Team <support@proxmox.com>  Tue, 10 Dec 2013 10:45:08 +0100

libpve-access-control (3.0-9) unstable; urgency=low

  * prevent user enumeration attacks

  * allow dots in access paths

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2013 09:06:38 +0100

libpve-access-control (3.0-8) unstable; urgency=low

  * spice: use lowercase hostname in ticket signature

 -- Proxmox Support Team <support@proxmox.com>  Mon, 28 Oct 2013 08:11:57 +0100

libpve-access-control (3.0-7) unstable; urgency=low

  * check_volume_access : use parse_volname instead of path, and remove

  * use warnings instead of global -w flag.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 01 Oct 2013 12:35:53 +0200

libpve-access-control (3.0-6) unstable; urgency=low

  * use shorter spiceproxy tickets

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Jul 2013 12:39:09 +0200

libpve-access-control (3.0-5) unstable; urgency=low

  * add code to generate tickets for SPICE

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Jun 2013 13:08:32 +0200

libpve-access-control (3.0-4) unstable; urgency=low

  * moved add_vm_to_pool/remove_vm_from_pool from qemu-server

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 May 2013 11:56:54 +0200

libpve-access-control (3.0-3) unstable; urgency=low

  * Add new role PVETemplateUser (and VM.Clone privilege)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Apr 2013 11:42:15 +0200

libpve-access-control (3.0-2) unstable; urgency=low

  * remove CGI.pm related code (pveproxy does not need that)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 15 Apr 2013 12:34:23 +0200

libpve-access-control (3.0-1) unstable; urgency=low

  * bump version for wheezy release

 -- Proxmox Support Team <support@proxmox.com>  Fri, 15 Mar 2013 08:07:06 +0100

libpve-access-control (1.0-26) unstable; urgency=low

  * check_volume_access: fix access permissions for backup files

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Feb 2013 10:00:14 +0100

libpve-access-control (1.0-25) unstable; urgency=low

  * add VM.Snapshot permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Sep 2012 09:23:32 +0200

libpve-access-control (1.0-24) unstable; urgency=low

  * untaint path (allow root to restore arbitrary paths)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2012 13:06:34 +0200

libpve-access-control (1.0-23) unstable; urgency=low

  * correctly compute GUI capabilities (consider pools)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 30 May 2012 08:47:23 +0200

libpve-access-control (1.0-22) unstable; urgency=low

  * new plugin architecture for Auth modules, minor API change for Auth
    domains (new 'delete' parameter)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 16 May 2012 07:21:44 +0200

libpve-access-control (1.0-21) unstable; urgency=low

  * do not allow user names including slash

 -- Proxmox Support Team <support@proxmox.com>  Tue, 24 Apr 2012 10:07:47 +0200

libpve-access-control (1.0-20) unstable; urgency=low

  * add ability to fork cli workers in background

 -- Proxmox Support Team <support@proxmox.com>  Wed, 18 Apr 2012 08:28:20 +0200

libpve-access-control (1.0-19) unstable; urgency=low

  * return set of privileges on login - can be used to adopt GUI

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 Apr 2012 10:25:10 +0200

libpve-access-control (1.0-18) unstable; urgency=low

  * fix bug #151: correctly parse username inside ticket

  * fix bug #152: allow user to change his own password

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2012 09:40:15 +0200

libpve-access-control (1.0-17) unstable; urgency=low

  * set propagate flag by default

 -- Proxmox Support Team <support@proxmox.com>  Thu, 01 Mar 2012 12:40:19 +0100

libpve-access-control (1.0-16) unstable; urgency=low

  * add 'pveum passwd' method

 -- Proxmox Support Team <support@proxmox.com>  Thu, 23 Feb 2012 12:05:25 +0100

libpve-access-control (1.0-15) unstable; urgency=low

  * Add VM.Config.CDROM privilege to PVEVMUser rule

 -- Proxmox Support Team <support@proxmox.com>  Wed, 22 Feb 2012 11:44:23 +0100

libpve-access-control (1.0-14) unstable; urgency=low

  * fix bug in userid-param permission check

 -- Proxmox Support Team <support@proxmox.com>  Wed, 22 Feb 2012 10:52:35 +0100

libpve-access-control (1.0-13) unstable; urgency=low

  * allow more characters in ldap base_dn attribute

 -- Proxmox Support Team <support@proxmox.com>  Wed, 22 Feb 2012 06:17:02 +0100

libpve-access-control (1.0-12) unstable; urgency=low

  * allow more characters with realm IDs

 -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Feb 2012 08:50:33 +0100

libpve-access-control (1.0-11) unstable; urgency=low

  * fix bug in exec_api2_perm_check

 -- Proxmox Support Team <support@proxmox.com>  Wed, 15 Feb 2012 07:06:30 +0100

libpve-access-control (1.0-10) unstable; urgency=low

  * fix ACL group name parser

  * changed 'pveum aclmod' command line arguments

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Feb 2012 12:08:02 +0100

libpve-access-control (1.0-9) unstable; urgency=low

  * fix bug in check_volume_access (fixes vzrestore)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 13 Feb 2012 09:56:37 +0100

libpve-access-control (1.0-8) unstable; urgency=low

  * fix return value for empty ACL list.

 -- Proxmox Support Team <support@proxmox.com>  Fri, 10 Feb 2012 11:25:04 +0100

libpve-access-control (1.0-7) unstable; urgency=low

  * fix bug #85: allow root@pam to generate tickets for other users

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 Jan 2012 06:40:18 +0100

libpve-access-control (1.0-6) unstable; urgency=low

  * API change: allow to filter enabled/disabled users.

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Jan 2012 12:30:37 +0100

libpve-access-control (1.0-5) unstable; urgency=low

  * add a way to return file changes (diffs): set_result_changes()

 -- Proxmox Support Team <support@proxmox.com>  Tue, 20 Dec 2011 11:18:48 +0100

libpve-access-control (1.0-4) unstable; urgency=low

  * new environment type for ha agents

 -- Proxmox Support Team <support@proxmox.com>  Tue, 13 Dec 2011 10:08:53 +0100

libpve-access-control (1.0-3) unstable; urgency=low

  * add support for delayed parameter parsing - We need that to disable
    file upload for normal API request (avoid DOS attacks)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Dec 2011 09:56:10 +0100

libpve-access-control (1.0-2) unstable; urgency=low

  * fix bug in fork_worker

 -- Proxmox Support Team <support@proxmox.com>  Tue, 11 Oct 2011 08:37:05 +0200

libpve-access-control (1.0-1) unstable; urgency=low

  * allow '-' in permission paths

  * bump version to 1.0

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jun 2011 13:51:48 +0200

libpve-access-control (0.1) unstable; urgency=low

  * first dummy package - no functionality

 -- Proxmox Support Team <support@proxmox.com>  Thu, 09 Jul 2009 16:03:00 +0200