-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathVERSION
922 lines (818 loc) · 41.7 KB
/
VERSION
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
This is MyProxy v6.2.
This version should be protocol compatible with all versions since v0.2.
Binary compatibility of the C API is not guaranteed between releases.
Version History
---------------
v6.2.8
- Update default run directory from /var/run to /run
v6.2.7
- Exit with error if voms-proxy-init fails
v6.2.6
- Remove LICENSE.globus file
- Add BuildRequires perl-interpreter
- Add additional perl dependencies for tests
v6.2.5
- Drop obsolete configure option --with-gpt
- Drop obsolete configure option --with-flavor
- Drop globus_automake_pre and globus_automake_post
- Clean up old GPT references
- Install myproxy-get-trustroots man page
v6.2.4
- Remove usage statistics collection support
v6.2.3
- remove macro overquoting
v6.2.2
- Use 2048 bit CA key for myproxy tests
v6.2.1
- Fix -Werror=format-security errors
v6.2.0
- First Grid Community Toolkit release
- Remove support for openssl101e (RHEL5 is EOL)
- Disable usage statistics reporting by default
- Fix option parsing bug
v6.1.28
- Fix OpenSSL 1.1.0-related typo
v6.1.27
- Remove legacy SSLv3 support
v6.1.26
- Fix error check
v6.1.25
- Don't call ERR_GET_REASON twice #89
v6.1.24
- Fix crash in myproxy_bootstrap_trust() with OpenSSL 1.1.0c
v6.1.23
- Fixes for OpenSSL 1.1.0
v6.1.22
- Check for openssl 101e for epel5
v6.1.21
- Do not overwrite configuration flags
v6.1.20
- Updates for el.5 with openssl101e
v6.1.19
- update myproxy debug/error msgs for accepted_peer_names type change
v6.1.18
- Spelling
v6.1.17
- Handle error returns from OCSP_parse_url
v6.1.16
- Handle invalid proxy_req type
v6.1.15
- GT-616: Myproxy uses resolved IP address when importing names
v6.1.14
- improve rfc2818 name comparison handling
v6.1.13
- Fixed 2 instances of underallocation of memory.
v6.1.12
- Missing -module
v6.1.11
- Fix missing redirect in date detection autoconf
v6.1.10
- Fix version and date string macros
v6.1.9
- Myproxy systemd fix
v6.1.8
- Properly extract MINOR_VERSION from a three digit PACKAGE_VERSION
- Fix undefined symbols in myproxy-voms plugin
- Don't install test wrapper
- Comments are not allowed in tmpfile.d config files
v6.1.7
- Allow TLS in myproxy-get-trustroots and myproxy-logon -T
v6.1.6
- Make VOMS dependency optional
v6.1.5
- Minor packaging fixes
v6.1.4
- Stop patching myproxy.sysconfig
v6.1.3
- Fix incorrect soname change
v6.1.2
- Update arg parsing to Getopt::Long
v6.1.1
- Increment library age
v6.1 Oct 2014
- portability, man page, and build script fixes from Mattias Ellert
- first release from https://github.com/globus/globus-toolkit sources
v6.0 Jul 2014
- disable usage stats collection by default
- make myproxy-server's credential repository storage directory
optional and run in "CA only" mode if no valid storage directory
- update default for certificate_issuer_hashalg from sha1 to sha256
- handle very long usernames (avoiding ENAMETOOLONG) by creating
hashed filename in MyProxy repository when username or credname is
longer than 80 characters - can be overridden by
MYPROXY_CREDS_MAX_NAMELEN environment variable
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7275)
- use unbuffered I/O on stdin read of passwords
(http://jira.globus.org/browse/GT-387)
- create files in certificate_out_dir with 0600 mode
- check for out of bounds lifetime values (integer overflows)
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7263)
- remove Pubcookie support in myproxy-server
- update build scripts for GT6
v5.9 Jul 2012
- fix a memory error in myproxy-logon --voms
when more than 19 entries in vomses file
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7261)
v5.8 Jun 2012
- fixes for myproxy-server VOMS attribute support:
API updates for libvomsapi, fixes for FQAN regex matching
- fix for myproxy-server "Failed to load sub-CA certs from file"
error when using certificate_issuer_subca_certfile
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7259)
- update $GLOBUS_LOCATION paths for GT 5.2 in etc.init.d.myproxy
v5.7 May 2012
- add IPv6 support
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7252)
- update configure script for platforms where pidfile_open is
defined in libbsd
- support limited proxy certificates in myproxy-logon -voms by
passing -limited option to voms-proxy-init as needed
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7250)
- add support for TLS 1.1 and TLS 1.2 using OpenSSL 1.0.1 and later
v5.6 20 Feb 2012
- in myproxy-logon --voms, use voms-proxy-init -valid H:M rather
than voms-proxy-init -hours H so proxy lifetime matches assertion
lifetime
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7244)
- on myproxy-server daemon startup, don't exit original process
until daemon child has completed initialization
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7240)
- improve myproxy-server pidfile creation: when root, write pidfile
by default to /var/run/myproxy.pid; write pidfile on startup
before detaching from parent process; lock pidfile to avoid
collisions; remove pidfile on SIGTERM shutdown
[LICENSE.pidfile added for pidfile.c from FreeBSD's libutil.]
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7240)
- allow escaping of '.' in regular expressions
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7213)
- when converting to POSIX extended regular expressions for DN
matching, wrap the expression inside '^(' and ')$' instead of just
'^' and '$' to ensure matching the entire DN using proper operator
precedence
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7215)
- add liblber to link line when using --with-openldap
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7217)
- fix section number in myproxy-admin-query man page
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7219)
- in myproxy-admin-load-credential, handle the case of running as
root but /var/lib/myproxy owned by non-root by switching to the
non-root user before writing the credential files
(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7234)
v5.5 5 Sep 2011
- undo escaping of POSIX extended regular expression meta-characters
in myproxy-server authorization policies (introduced in v5.1)
to enable full use of POSIX ERE capabilities. For literal matching
of parentheses and brackets, the characters must again be
explicitly escaped (i.e., '\(' and '\)'). Non-POSIX handling of
wildcard characters ('*' and '?') is maintained for backward
compatibility, so these characters must be escaped if POSIX ERE
behavior is desired.
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7211)
- in MyProxy CA, ensure that any domainComponent or emailAddress
components in the certificate subject are type IA5String per RFC 5280
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7201)
- add myproxy-logon --certreq option, to accept an externally
generated certificate request rather than generating private key
and request internally
(http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=347)
- in myproxy-server, fix abort when processing INFO response when
the user has stored credentials both with and without a credential
name; bug was introduced in myproxy-server v4.9
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7209)
- use /var/lib/myproxy as first choice default storage directory,
for Filesystem Hierarchy Standard compliance; still fallback to
/var/myproxy and $GLOBUS_LOCATION/var/myproxy for alternatives
- fix erroneous error message when no VOMS attributes found
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7207)
v5.4 22 Apr 2011
- support disabling reverse DNS lookup of server hostname in MyProxy clients
by setting the environment variable GLOBUS_GSSAPI_NAME_COMPATIBILITY
to STRICT_RFC2818
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6789)
- prefer to link with libvomsapi instead of libvomsc
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7133)
- fix double-free in myproxy_install_trusted_cert_files() on write error
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7135)
- add myproxy-test -generatecerts option and remove dependency on $HOME
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7139)
- myproxy-server trustroots security improvements:
- cert_dir no longer defaults to /etc/grid-security/certificates.
- Server will ignore requests for trustroots if cert_dir is not
defined.
- Server will refuse to start if the trustroots directory set using
cert_dir contains any regular files that are not world-readable.
- Once started, the server will skip (i.e. will not return to client)
any regular files found later to NOT have world-readable permissions.
- fix GPT dependency on globus_proxy_utils package
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7151)
- Allow empty SASL responses. Needed for Moonshot GS2.
(http://www.project-moonshot.org/devwiki//testing/myproxy/)
v5.3 17 Jan 2011
- fix myproxy-logon bug in versions 5.0-5.2 that disabled
myproxy-server identity verification
(http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt)
- if myproxy-logon GSI mutual authentication with the myproxy-server
fails, try again with client-side anonymous authentication,
in case the client-side GSI credentials are unacceptable to the
myproxy-server (for example, signed by an untrusted CA), but the
myproxy-server would accept an anonymous client
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7103)
- fix configure checks for globus_usage_stats_send,
globus_usage_stats_send_array, and
globus_gsi_proxy_handle_set_extensions when installing without
existing Globus libraries in LD_LIBRARY_PATH
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7098)
- in myproxy-server-setup, look in /sbin and /usr/sbin for chkconfig
or update-rc.d in case they're not in PATH
- add certificate_issuer_subca_certfile option in myproxy-server.config
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7119)
- make all Globus Usage library errors non-fatal
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7111)
- add myproxy-logon support for requesting certificates containing
VOMS assertions from myproxy-servers that have
"allow_voms_attribute_requests true" in myproxy-server.config; if
the myproxy-server does not add the requested VOMS assertion,
myproxy-logon tries to add it by running voms-proxy-init as before
v5.2 22 Jun 2010
- allow specification of port numbers in MYPROXY_SERVER list
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7039)
- support PKCS8 encoded private keys in myproxy-retrieve,
myproxy-store, and myproxy-admin-load-credential
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7033)
- add work-around for Globus libraries blocking signals (SIGTERM,
SIGCHLD, SIGHUP, etc.) when myproxy-server is built with pthr
flavor (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7048)
- increase default RSA key sizes from 1024 bits to 2048 bits per
NIST SP 800-57 and add MYPROXY_KEYBITS environment variable for
setting custom RSA key sizes
- fix configure check for facilitynames structure on Linux to
support myproxy-server.config syslog_facility option mapping of
names to numeric values
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6983)
- add myproxy-admin-adduser -v (verbose) option
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6963)
- bug fix for possible truncation of ca_ldap_connect_passphrase
value from myproxy-server.config
v5.1 9 Mar 2010
- fix configure script check for non-flavored globus_usage and
globus_gsi_proxy_core libraries for Fedora/EPEL RPM compatibility
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6897)
- fix myproxy-logon -T segfault after "removed bad CRL file" message
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6909)
- add server-side support for including VOMS attributes in
retrieved credentials (from the repository); requires setting
"allow_voms_attribute_requests true" in myproxy-server.config
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6882)
- add support for LDAP StartTLS
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6957)
- fix myproxy-test behavior when -startserver is not given
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6959)
- fix parsing of certificate_issuer_hashalg (broken since v4.8)
- treat trustroot file contents as binary data rather than text
in myproxy-logon -T / myproxy-get-trustroots
- fix escaping of POSIX extended regular expression meta-characters
in myproxy-server authorization policies
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6903)
- added support for GT 4.0.8 metrics library, for backward
compatibility, and require linking with globus_usage library;
usage collection can be disabled by setting
"GLOBUS_USAGE_OPTOUT=1" in the environment of the myproxy-server
- fix myproxy.h header dependencies
- changes for compatibility with OpenSSL 1.0.0-beta5
v5.0 4 Dec 2009
- add Globus Usage Metrics to the myproxy-server
- in myproxy-server, atomically update credential files and avoid
unnecessary file copies; NOTE API CHANGE: myproxy_creds_store()
now moves file to the repository, rather than copying it
- add myproxy-server.config request_size_limit parameter to control
myproxy-server network limits, and fix network limit handling to
apply only to myproxy-server (not clients), so clients can handle
large X509_CERT_DIR contents
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6889)
- include extendedKeyUsage=clientAuth in EECs by default per GFD.125
- add myproxy-logon/myproxy-get-trustroots -b option to allow
bootstrapping CA trust even when X509_CERT_DIR exists
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6886)
- myproxy-logon -T / myproxy-get-trustroots fixes/improvements:
- when cleaning bad CRLs, also remove any CRLs we can't parse
- when recovering from CRL errors, allow anonymous authentication
on second attempt, just like first attempt
- when bootstrapping, restrict CA trust to only the one
certificate subject needed, rather than a wildcard
v4.9 2 Nov 2009
- fix support for "check_multiple_credentials true" in
myproxy-server.config, disabled since v4.4
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6878);
changes include:
- limit check_multiple_credentials functionality to GET requests
(myproxy-logon) only
- in authorization failures, give underlying error message rather
than check_multiple_credentials unique error message
- add myproxy-test cases for check_multiple_credentials and
myproxy-admin-query
v4.8 10 Sep 2009
- add myproxy-server.config proxy_extfile and proxy_extapp options
for including custom certificate extensions in proxy certificates
issued from the MyProxy repository (analogous to
certificate_extfile and certificate_extapp for the CA module);
requires GT 4.2.0 libraries (or later)
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6786)
- look for VOMS header files in include/voms directory for
compatibility with Fedora's VOMS package
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6847)
- exit with an error message when --voms and -o - are used together
in myproxy-logon
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6807)
- fix a memory error in myproxy-info/myproxy-destroy error handling
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6849)
- check myproxy-server.config lines for correct number of arguments
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6852)
v4.7 6 May 2009
- in myproxy-get-trustroots and myproxy-logon -T, update files
atomically (using rename) rather than overwriting
- add myproxy-get-trustroots.cron example for keeping
/etc/grid-security/certificates up-to-date
- support linking against flavored VOMS libraries
- fix "self-authorization" check for CA requests
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6713)
- check certificate requests and issued certificates in the CA:
(http://bugzilla.globus.org/globus/show_bug.cgi?id=6648)
- add certificate_request_checker and certificate_issuer_checker
options in myproxy-server.config for specifying call-outs
before and after the MyProxy CA signs certificates
- example myproxy-cert-checker and myproxy-certreq-checker
call-outs are installed in $GLOBUS_LOCATION/share/myproxy
- only accept RSA keys in certificate requests
- don't allow RSA exponents < 65537
- add min_keylen option in myproxy-server.config for specifying a
minimum allowed RSA key length
- add syslog_facility option in myproxy-server.config to configure
the myproxy-server to log to the specified syslog facility; the
default is the "daemon" facility
(http://bugzilla.globus.org/globus/show_bug.cgi?id=6717)
- added an example in myproxy-accepted-credentials-mapapp
of how to ban users
(http://grid.ncsa.illinois.edu/myproxy/blacklist.html)
- added myproxy-admin-query -o option to query by owner DN
- replace fixed-length buffer in read_data_file() (credential
repository file parser) with dynamically-sized buffer to support
credentials with policies longer than 511 characters
(http://bugzilla.globus.org/globus/show_bug.cgi?id=6723)
- added certificate_serial_skip in myproxy-server.config to support
staggered serial numbers across multiple CA instances
- added certificate_issuer_hashalg in myproxy-server.config to
configure the MyProxy CA to issue certificates using SHA-2 hash
algorithms (SHA-224, SHA-256, SHA-384, SHA-512) rather than SHA-1
(the default). Requires OpenSSL 0.9.8 or later.
v4.6 25 Mar 2009
- add myproxy-get-trustroots command to download trusted CA
certificates without client-side authentication
(http://bugzilla.globus.org/globus/show_bug.cgi?id=5899)
- add sasl_mech, sasl_serverFQDN, and sasl_user_realm
options to myproxy-server.config
- include certificate subject in myproxy-admin-adduser output
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6324)
- handle error response message from myproxy-server during delegation
(http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=359)
v4.5 12 Feb 2009
- in myproxy-server, disallow release of a credential based only on
authentication with a client credential of the same subject (i.e.,
self-renewal) unless "allow_self_authorization true" is specified
in myproxy-server.config
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6630)
- fix myproxy-logon --voms interaction with --out option
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6612)
- implement stricter checks on myproxy-server storage directory
security using Safefile's safe_is_path_trusted_r()
(http://pages.cs.wisc.edu/~kupsch/safefile/); for now, these
checks result in WARNING messages rather than errors
- added myproxy-server --portfile option, useful when binding to a
random available port via myproxy-server --port 0
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6623)
v4.4 12 Dec 2008
- allow $MYPROXY_SERVER and -s command-line options to be a
comma-separated list of hostnames to try to connect to
- in myproxy-server, fail on startup or reconfig with an "unsafe
policy" error if a policy of trusted_retrievers "*" is specified
without also specifying a restrictive default_trusted_retrievers
policy, to avoid an unsafe policy that could release credentials
to any client without additional authentication.
- in myproxy-server, log info for the received client request before
the authorization check, so we have the request info for
troubleshooting purposes even if the request is denied.
- in myproxy-server, fail on startup if PAM, SASL, or OCSP is
configured in myproxy-server.config but the needed libraries are
not linked in
- fix problem with OpenSSL engine (for HSM support) being shutdown
on child process failures
- fix bug when issuing certificates with subject containing "//"
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6488)
- add support for multiple --voms options to myproxy-init/logon
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6436)
- added myproxy-info --credname option
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6561)
- for myproxy-logon -T, bootstrap the trusted certificates directory
atomically (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6432)
- for myproxy-logon --voms, request the correct proxy type from
voms-proxy-init
- added example myproxy-revoke and myproxy-crl.cron scripts for
revoking certificates issued by the MyProxy CA and generating CRLs
- added max_cred_lifetime option in myproxy-server.config to limit
the lifetime of credentials stored in the repository
v4.3 2 Sep 2008
- improve MyProxy CA error message on incorrect passphrase.
specifically, in myproxy-server, if passphrase in the request is
non-empty, fail immediately if it can't be verified, rather than
trying other methods; this forces other authentication methods
(SASL, renewal) to send an empty passphrase (which current clients
do by default), but it results in a better error message in the
common case when an incorrect passphrase is given. also stop
appending "invalid pass phrase" to the more specific error
message from PAM or OpenSSL.
- fix -m command-line option for myproxy-init and myproxy-logon
- fix myproxy-init --voms with GT_PROXY_MODE="old"
- in myproxy-init --voms, use voms-proxy-init -vomslife so VOMS AC
lifetime matches proxy lifetime
- if myproxy-init --local_proxy and --voms options are used
together, only call voms-proxy-init once, and use that proxy to
create the local proxy (via grid-proxy-init)
- add a default timeout of 120 seconds for myproxy-server child
processes to service requests before aborting, customizable via
the myproxy-server.config request_timeout parameter
- in myproxy-server, read incoming messages up to 1MB maximum to
avoid memory exhaustion under heavy load
- on myproxy-server startup, perform more sanity checks before fork
to become daemon so exit status of original process is set to 1 on
errors (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6325)
- in myproxy-server, don't re-read config file automatically on
changes (i.e., undo change in v4.2); instead, re-read on SIGHUP
(http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5627)
- add reconfig method to etc.init.d.myproxy
- make myproxy-admin-adduser less verbose by only showing the output
of grid-cert-request on errors
- added myproxy-admin-adduser -p option for specifying the CA
private key password using openssl format (see the PASS PHRASE
ARGUMENTS section in the openssl(1) man page)
- associate "Connection from xxx.xxx.xxx.xxx" syslog message with
child pid so it matches up with other syslog messages for that
client
v4.2 10 Jan 2008
- add support for $GT_PROXY_MODE="rfc" in myproxy-init
- in the myproxy-server, no longer default to issuing a "legacy
globus proxy" from an end-entity certificate; instead, issue
the default proxy type according to the GSI library version
- drop support for $GT_PROXY_MODE="old" in myproxy-logon;
however, myproxy-init still supports $GT_PROXY_MODE="old"
- in myproxy-server, re-read config file automatically on changes
- fixes for newer OpenSSL versions used in GT 4.2
- fixes for MIT Kerberos 1.6 support (via SASL)
v4.1 10 Sep 2007
- in myproxy-server, listen on $MYPROXY_SERVER_PORT if defined
- for myproxy-logon/myproxy-retrieve -T, fix handling of zero length
files and process only regular files (not subdirectories)
v4.0 11 Jul 2007
- add myproxy-server-setup script for simple server install
- fix myproxy-logon/myproxy-retrieve -T bug that caused trust
bootstrap to fail when no certificates directory exists
- add myproxy-admin-load-credential --retrieve_key and
--retrievable_by_cert options
- add myproxy-admin-addservice for distributing host/service
credentials
v3.9 12 Jun 2007
- update myproxy-logon/myproxy-retrieve -T behavior:
- if no certificates directory exists, install the
myproxy-server's CA certificate to bootstrap trust
- if authentication to the myproxy-server fails due to a CRL
error, remove problematic CRL file(s) and retry
- if running as root, store trust roots in
/etc/grid-security/certificates rather than
~root/.globus/certificates and credentials in
/etc/grid-security/hostcert.pem/hostkey.pem
- add --voms options to myproxy-init and myproxy-logon to add VOMS
attributes, analogous to voms-proxy-init -voms; requires
voms-proxy-init to be installed and configured
- add myproxy-admin-query --config option
v3.8 13 Apr 2007
- drop support for Globus Toolkit versions 3.0 and 2.4
- fix myproxy-replicate errors for credentials with usernames or
crednames containing spaces
- fix server-side problem when linking against globus_gssapi_gsi
version 4.12 and later that causes "no shared cipher" errors
- return more concise error messages to clients for common errors,
with additional diagnostics written to the server log
- fix configure check for OCSP functions in OpenSSL for enabling
OCSP support
- for --help, --usage, and --version options, exit with status 0
after printing help/usage/version information
- add OpenSSL Engine support in the MyProxy CA to enable the use of
hardware tokens via new myproxy-server.config
certificate_openssl_engine options
- check if client authenticates with a limited proxy, and if so,
only allow the client to obtain another limited proxy, unless
ignore_globus_limited_proxy_flag is set in myproxy-server.config
- optionally store all certificates issued by the MyProxy CA in a
directory via the certificate_out_dir myproxy-server.config option
v3.7 12 Dec 2006
- fix handling of usernames containing '/', '-', and '.' characters;
note this required a change to the myproxy-server repository
format, so credential data files written by a new myproxy-server
won't be readable by an older myproxy-server
- verify that credentials in the myproxy-server repository are still
valid (i.e., not revoked) before performing delegation
- added myproxy-admin-query --invalid option for listing, locking,
or removing invalid credentials from repository
- optionally check OCSP status of stored credentials before
performing delegation via myproxy-server.config ocsp settings;
requires GT 3.2 (OpenSSL 0.9.7) or later
- update etc.init.d.myproxy script to use pidfile to locate server
to stop (rather than searching ps output), include a restart
option, and exit with error if $GLOBUS_LOCATION isn't set
- if the myproxy-server hostname given by $MYPROXY_SERVER or the -s
option resolves to multiple IP addresses, clients will connect to
each address until a connection is established or all fail
- added accepted_credentials_mapapp call-out version of
accepted_credentials_mapfile in myproxy-server.config
- support unencrypted, although still signed, Pubcookie granting
cookies as passwords
- added myproxy-server.config syslog_ident option
- improved MyProxy CA logging
- added myproxy-server --listen to specify host/ip to bind to
v3.6 10 Aug 2006
- support credential renewal via the MyProxy CA using
myproxy-server.config authorized_renewers/default_renewers options
- provide an access control list for storing credentials via the
myproxy-server.config accepted_credentials_mapfile option
- fix insecure temporary file handling in myproxy-admin-adduser
- fix insecure input handling in myproxy-get-delegation.cgi example
- support VOMS attributes in myproxy-server.config policies
- in CA, issue certificates valid starting 5 minutes in the past to
account for possible clock skew between hosts
- add check_multiple_credentials option in myproxy-server.config
to allow clients to retrieve a credential for a given username
even if the associated "credential name" isn't provided (via
myproxy-logon --credname)
v3.5 14 Mar 2006
- dropped support for certificate_issuer option in
myproxy-server.config; use certificate_issuer_cert instead
- added myproxy_accept_delegation_ex() to retrieve credentials to a
buffer rather than a file
- in myproxy-logon, added support for writing credential to standard
output via '-o -' option; also added --quiet option
- added myproxy-logon --no_credentials option to authenticate
without retrieving credentials
- added certificate_mapapp call-out for mapping usernames to
certificate subject distinguished names for the CA module
- added certificate_extfile and certificate_extapp (call-out) for
setting extensions in certificates issued by CA module
- do not indicate in info command error output whether credentials
owned by someone else exist, to avoid giving potentially useful
information to an attacker
- delegate credentials with minimum lifetime of 5 minutes to avoid
problems with clock skew
- fixed build problem with GT 2.4/3.0 introduced in v3.4:
EVP_MD_CTX_cleanup() wasn't in OpenSSL 0.9.6
v3.4 19 Dec 2005
- added myproxy-test -valgrind option for detecting memory errors
- fixed memory errors found with myproxy-test -valgrind
- fixed handling of lifetime=0 requests in myproxy-server
v3.3 2 Dec 2005
- API changes: new trusted_retrievers member for
struct myproxy_creds and struct myproxy_request_t
- generate 1024 bit keys instead of 512 bit keys
- add support for certificate-only authentication to the
myproxy-server via myproxy-init -Z and myproxy-server.config
trusted_retrievers options
- add support for CA username to DN resolution via LDAP using
myproxy-server.config ca_ldap options
- add myproxy-server authentication support for Pubcookie
(http://www.pubcookie.org/) granting cookie via
pubcookie_granting_cert and pubcookie_app_server_key
myproxy-server.config options
- add myproxy-init --local_proxy option to create a local proxy
credential after storing a credential on the myproxy-server
- add myproxy-init --keyfile/--certfile options
- fix segmentation fault on reverse lookup in client
- fix SASL build problems on Darwin
- fix client-side memory leak in GSI_SOCKET_authentication_init()
- in CA, use SHA1 instead of MD5 digest algorithm, set CA:FALSE in
X509v3 Basic Constraints, include X509v3 Subject Key Identifier,
and optionally set email X509v3 Subject Alternative Name using
certificate_issuer_email_domain in myproxy-server.config
- support alternate syntax "min max" for GLOBUS_TCP_PORT_RANGE and
improve error handling and documentation for this environment
variable
v3.2 11 Oct 2005
- fix fd_set compiler error introduced in v3.1
v3.1 11 Oct 2005
- fix compilation problem on platforms without setenv()
v3.0 28 Sep 2005
- add ability for myproxy-server to act as a CA by setting
certificate_issuer options in myproxy-server.config
- fix for static builds using 'gpt-build -static'
- fixes for SASL support
- increased myproxy-server's listen(2) backlog for improved
scalability
- modify myproxy-test to use "$LOGNAME.myproxy-test" for a username
to avoid overwriting any existing credentials
- include configured trusted certificate directory in debug/verbose
output
- install example myproxy-server.config to
$GLOBUS_LOCATION/share/myproxy instead of potentially overwriting
existing version in $GLOBUS_LOCATION/etc
- warn on unknown directives in myproxy-server.config
v2.3 28 Jul 2005
- fix AIX compliation problems in PAM module
v2.2 14 Jul 2005
- fix TRU64 compilation problem
- for --dn_as_username option, get DN from user proxy if available
rather than requiring access to user certificate
v2.1 6 Jul 2005
- fix compilation problem for ISO C89 compilers
- fix myproxy-init compatibility with Java CoG grid-proxy-init in
PATH (use grid-proxy-init -hours instead of -valid)
- improve PAM error messages
- fix error message on server-side authorized_renewers check
- perform reverse lookup on server IP address for authorization
consistency with other GSI clients
- removed myproxy_resolve_hostname() from API
v2.0 8 Jun 2005
- unified versioning with GPT packaging
- added native PAM support (not requiring SASL)
- added support for managing trusted CA certificates using
myproxy-logon/myproxy-retrieve -T option
- added the myproxy-replicate utility for managing multiple
myproxy-server repository replicas for high availability
- added myproxy_version() and myproxy_check_version() functions
to verify headers match the shared library in use
- fixed bug in previous version that caused myproxy-get-delegation
not to be included in binary GPT installs
- use system getopt_long() if available; otherwise, use included
getopt_long from NetBSD instead of GNU version as previous
- fixed server side bug where the default_key_retrievers policy was
always applied even if the credential had a key retriever policy
- fixed myproxy-test GT 2.4 compatibility problem in v0.6.5
- fixed myproxy_get_delegation() signature, erroneously changed in
v0.6.2, to maintain API-level compatibility
- added dynamic buffer management for improved handling of large
messages
v0.6.5 8 Apr 2005 (GPT package version 1.17)
- added support for RFC 3820 proxy certificate format
- renamed myproxy-get-delegation to myproxy-logon;
kept myproxy-get-delegation symlink for backward compatibility
- added myproxy-store and myproxy-retrieve commands for storing and
retrieving credentials directly to/from the repository;
note myproxy-retrieve support must be explicitly enabled by
setting authorized_key_retrievers in myproxy-server.config
- write temp proxy to /tmp/myproxy-proxy.<uid>.<pid> instead of
/tmp/myproxy-proxy.<uid> so we can run more than one myproxy-init
in an account at a time
- added myproxy-test -performance option for performance testing
- fixed potential logging race condition when running myproxy-server
in verbose mode
- fixed potential network race condition in myproxy-init
- for myproxy-admin-change-pass, only prompt for existing password
if existing credential is encrypted
- check for invalid options passed to myproxy commands
- fixed a myproxy-admin-change-pass segmentation fault when the
storage directory is invalid
- improve error messages for too-short passphrases (6 character minimum)
v0.6.4 4 Jan 2005 (GPT package version 1.16)
- fixed file permission bug in myproxy-admin-load-credential
v0.6.3 22 Nov 2004 (GPT package version 1.15)
- updated GPT packaging for compatibility with GT 3.9.3
(globus_gssapi_gsi-4.0)
- added support for $GT_PROXY_MODE="old" in myproxy-get-delegation,
to retrieve a "legacy globus proxy" from an end-entity certificate
stored in the MyProxy repository.
- modified client tools to attempt connecting to the server first,
before prompting for user input, to catch server problems early.
- added initial experimental support for Kerberos authentication via
the SASL/GSSAPI mechanism.
- removed dependency on perl Expect package in myproxy-test
- added myproxy-test -startserver option
- added myproxy-server --pidfile option to ease myproxy-server
shutdown
v0.6.2 21 Jun 2004 (GPT package version 1.14)
- added initial experimental support for PAM authentication via
the SASL/PLAIN mechanism.
- changed myproxy-admin-change-pass so an empty pass phrase
can be used for unencrypted keys (for example, for renewal keys)
- fixed myproxy-admin-adduser to not depend on nonexistent
myproxy-admin-adduser-config command
- removed pass phrase functions from myproxy-admin-load-credential,
so the existing pass phrase on the source key is kept as is.
Use myproxy-admin-change-pass to change the pass phrase of a
credential after loading.
- fixed GT 2.2 and Java CoG incompatibility introduced in v0.6.1.
Note: if repository contains end-entity credentials, Java CoG
will retrieve old-style (legacy) proxies because the Java CoG
certificate request doesn't specify the proxy type.
- changed signature of myproxy_get_delegation() method.
original signature is restored in v2.0.
v0.6.1 30 Mar 2004 (GPT package version 1.13)
Fixed a bug where the myproxy-server would always delegate new-style
proxy credentials from end-entity credentials in repository. The
myproxy-server now respects proxy type in the certificate request
when end-entity credentials are stored in repository. However, if
the repository contains proxy credentials, the server will delegate
a proxy of the same type as stored in the repository irrespective of
the certificate request, because new-style and old-style proxies
can't be mixed. This bug fix resulted in an incompatibility with GT
2.2 and Java CoG clients, fixed in v0.6.2.
v0.6.0 22 Mar 2004 (GPT package version 1.12)
- added max_proxy_lifetime server configuration option for limiting
the lifetime of retrieved credentials
v0.5.9 28 Jan 2004 (GPT package version 1.11)
- removed requirement for /dev/urandom and instead let OpenSSL seed
its random number generator itself using its standard methods
- added myproxy-admin-change-pass command
- changed myproxy-get-delegation -d option to have effect even when
-a option is not given
- added support for OpenSSL 0.9.7
v0.5.8 23 Sep 2003 (GPT package version 1.10)
- fixed networking problem with v0.5.7 on some platforms
v0.5.7 25 Aug 2003 (GPT package version 1.9)
- fixed additional problems with handling large credentials
- bugfix: myproxy-admin-load-credential fails to prompt for
passphrase of source credential in versions 0.5.4-0.5.6.
v0.5.6 31 Jul 2003 (GPT package version 1.8)
- added support for Globus Toolkit 3.0 libraries
- added support for new GSI proxy certificate format
- fixed 'myproxy-info -d'
- fixed credential problem when using Globus Toolkit 2.4 libraries
- removed buffer length restriction in credential renewal protocol
v0.5.5 30 May 2003 (GPT package version 1.7)
- added support for Globus Toolkit 2.4 libraries
- added support for external passphrase quality enforcement with
passphrase_policy_program command in myproxy-server.config
- added support for locking credentials via myproxy-admin-query
- included example myproxy.cron script for removing expired credentials
- fixed problems with installed headers
- added MYPROXY_SERVER_PORT environment variable
v0.5.4 2 May 2003 (GPT package version 1.6)
- myproxy-admin-adduser command added
- default lifetime of delegated proxies changed to 12 hours instead of 2
- --passphrase option added to myproxy-admin-load-credential
- new options (including remove option) added to myproxy-admin-query
- compatibility problem with v0.2 (introduced in v0.5.0) fixed
- OSX build problem fixed
- support for delegating proxies with maximum lifetime added
v0.5.3 19 Mar 2003 (GPT package version 1.5)
This version fixes a build problem on AIX.
v0.5.2 10 Mar 2003 (GPT package version 1.4)
This version adds the myproxy-admin-query and
myproxy-admin-load-credential commands and adds support for running
the myproxy-server with a /CN=myproxy/fqhn credential.
v0.5.1 12 Feb 2003 (GPT package version 1.3)
This release fixes a bug where the X509_USER_CERT and X509_USER_KEY
environment variables would confuse myproxy-init.
v0.5.0 15 Nov 2002 (GPT package version 1.2)
This is the first version for Globus Toolkit 2.2. It adds support
for storing multiple credentials per username, stores private keys
encrypted with the credential's passphrase (if set), and adds the
myproxy-change-pass-phrase command. It is also the first version to
be released unter the NCSA Open Source license. Note that due to
version incompatibilities with Globus Toolkit 2.2 libraries and the
Java CoG (not specific to MyProxy), this and future versions of
MyProxy are not compatible with Java CoG versions before 1.0.
v0.4.6 3 Sep 2002 (GPT package version 1.1)
This version adds sample init.d and xinetd entries in the GPT
package.
v0.4.5 28 Aug 2002 (GPT package version 1.0)
This is the first version packaged with GPT. In addition to changes
for GPT compatibility, it contains minor changes to some MyProxy
debug messages.
v0.4.4 22 Mar 2002
This version adds the myproxy-info command.
v0.4.3 6 Mar 2002
This version adds support for per-credential authorization. Users
can specify retrieval/renewal policies for a credential on upload
using myproxy-init.
v0.4.2 4 Feb 2002
This version includes the GSI distinguished name matching logic that
was removed in v0.4.0, so for example host/fqhn will now match fqhn
again. It also adds support for restricting the TCP port ranges of
the clients.
v0.4.1 4 Dec 2001
This version adds support for Globus 2.0 and optionally using the
distinguished name from the proxy certificate as the default myproxy
username.
v0.4.0 20 Nov 2001
This version adds support for anonymous X.509 client authentication,
to allow users to retrieve a credential using their myproxy
passphrase when they don't already have a credential. The myproxy
server configuration file can enable or disable anonymous and
certificate-based (from v0.3) authentication.
v0.3 5 Oct 2001
This version adds support for certificate-based authentication in
addition to passphrase based authentication, to enable credential
renewal. It was developed by Daniel Kouril and Miroslav Ruda for
the European DataGrid project.
v0.2alpha3 11 Oct 2000
This version was used by many grid portals.
v0.2alpha1 27 Sep 2000
v0.2 20 Sep 2000
v0.1b3 30 June 2000
v0.1b2 08 May 2000
v0.1b1 05 May 2000
v0.1 03 Apr 2000