forked from duosecurity/duo_unix
-
Notifications
You must be signed in to change notification settings - Fork 1
/
CHANGES
270 lines (169 loc) · 6.89 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
duo_unix-2.0.3:
- Fixed AIX compilation bug
- Support script now fetches correct log and PAM files for Solaris and AIX
- Removed support for Fedora 37
- Removed support for Fedora 34
duo_unix-2.0.2:
- Make check now successfully runs on Solaris
- Removed support for Ubuntu 18
- Removed support for Debian 9
- Added support for Debian 12
- Added support for Fedora 37
- Added support for Fedora 38
duo_unix-2.0.1:
- The support script collects a few additional files for troubleshooting
- Duo API calls now use SHA512 instead of SHA1 as the HMAC algorithm
duo_unix-2.0.0:
- Changed the behavior of `su` when the target user is not root. The target user will need to complete 2FA rather than the original user.
- login_duo resets the SIGPIPE handler when it closes its connection.
- Added logging when Duo is invoked, to assist troubleshooting.
- Updated package signing to SHA512
duo_unix-1.12.1:
- Updated Unity to 2.5.2
- Added support for Fedora 34
- Removed support for Centos 8
- Added support for Centos Stream 8
- Added support for Centos Stream 9
- Added support for Ubuntu 22.04
duo_unix-1.12.0:
- Switched from BSON to JSON as a data interchange format
- Switched from Cram to python `unittest` for testing
duo_unix-1.11.5:
- Added support for Debian 11
- Removed support for Debian 8
- Removed support for CentOS 6
- Fixed MOTD display for non-interactive sessions
- The support tool now also collects the sudo PAM configuration file
- Updated pinned certificates
duo_unix-1.11.4:
- Added support for Ubuntu 20.04
- Added support tool to collect information (e.g. logs and PAM stacks) for debugging purposes
duo_unix-1.11.3:
- Added support for RedHat 8, CentOS 8, and Debian 10
- Improved validation of BSON messages
duo_unix-1.11.2:
- Added recommended Kerberos configuration for Duo Unix to our documentation, found at https://help.duo.com/s/article/5085. Thanks to Neal Poole at Facebook for bringing expertise and attention to this topic.
- Updated SELinux policy to allow local logins to use the pam_duo PAM module and made sshd configurable
- Added support for spaces in group names when escaped with backslashes in pam_duo.conf and login_duo.conf
- Test infrastructure updates
duo_unix-1.11.1:
- Fixed bug causing console login to fail on certain systems
duo_unix-1.11.0:
- Added support for GECOS field parsing based on user-supplied delimiter
- Updated README to include development/testing steps
- Minor test infrastructure updates
duo_unix-1.10.5:
- Fixed an accidental null pointer free on systems where getaddrinfo() is unsuccessful
duo_unix-1.10.4:
- Removed failmode decision from auth endpoint and moved it to only preauth according to standards in our other integrations
- Updated Duo Unix to speak up to TLS 1.2
- Support for LibreSSL 2.7.0 and up
- Minor memory leak fixes
- Output message when user is locked out
duo_unix-1.10.3:
- Added support for http_proxy with SELinux enabled
duo_unix-1.10.2:
- Added default failmode values in config files
duo_unix-1.10.1:
- Fixed bug causing automated tests to fail on OSX
- Addressed an issue which kept configuration secrets in memory for longer than necessary
duo_unix-1.10.0:
- Added LibreSSL support
- Added additional GECOS parsing support
- Increased OSX group count
duo_unix-1.9.21:
- PSA-2017-002: Only allow http_proxy to be defined in configuration file instead of environment
duo_unix-1.9.20:
- Fix installation on AIX systems
- Add support for using OpenSSL 1.1.0
- Link libduo statically to address issues with the ldconfig cache and incompatibilities between versions
- Fixed a bug that produced incorrect SNI when using a proxy
duo_unix-1.9.19:
- Restore the http_proxy environment variable after Duo is done
- Added https_timeout config option to pam_duo
- Handles missing shell and adds default if not specified in getpwuid
- Add SNI support and a guard for systems that don't support SNI
- Bug fixes for timeouts and fallback ip addresses
duo_unix-1.9.18:
- Added HTTP proxy connection error handling
- Improved compatibility with Solaris and AIX
duo_unix-1.9.17:
- Fixed PAM return code issue
duo_unix-1.9.16:
- Test fixes
- Compilation fixes
duo_unix-1.9.15:
- SELinux policy module package support
- PAM module improvements
- Removed deprecated SHA1 Entrust CA
duo_unix-1.9.14:
- Added SELinux policy module
- Improve poll(2) error handling
duo_unix-1.9.13:
- Bugfixes for signal handling
duo_unix-1.9.12:
- Include https_timeout configuration parameter
- IPv6 support on systems that have getaddrinfo
duo_unix-1.9.11:
- Improve compatibility with FreeBSD 10.
duo_unix-1.9.10:
- Use the correct timeout when polling.
duo_unix-1.9.9:
- Use poll(2) instead of select(2) for timeouts to support busy
systems with many open file descriptors.
- Send User-Agent header with each request.
duo_unix-1.9.8:
- Improve support for SHA2 in HTTPS.
duo_unix-1.9.7:
- Allow using accept_env_factor with SSH.
- Allow using autopush with PAM on Mac OS X.
duo_unix-1.9.6:
- Update HTTPS CA certificates.
duo_unix-1.9.5:
- Fix issues running 'make check'
- Remove accept_env_factor from pam_duo manpage, as it will not work
duo_unix-1.9.4:
- Send codes / push requests using $DUO_PASSCODE environment variable
- Fix error in 1.9.3 changelog :)
- pam_duo is feature-par with login_duo (autopush, prompts)
- Internal refactoring
- Configuration option for falling back to the local IP if the client
IP cannot be detected.
duo_unix-1.9.3:
- Autopush is more user friendly
- Add prompts option to the config file
- Various build and test fixups
duo_unix-1.9.2:
- Restore compatability with Mac OS X <= 10.6
duo_unix-1.9.1:
- Add motd option to the config file
- Add autopush option to the config file
duo_unix-1.9:
- Add multilib support to auto-detect lib/lib64 libdirs
- Added http_proxy option to the config file
- Various build fixups
- Documentation cleanups
duo_unix-1.8:
- Fixed authenticated HTTP_PROXY support
- Better handling of HTTP response status codes
- Include server IP address in pushinfo
duo_unix-1.7:
- Replaced libcurl (and its problematic axTLS, GnuTLS, NSS, polarssl,
Cyassl, etc. dependencies) with a minimal OpenSSL-based libhttps
- Replaced 'minuid' config option with more flexible 'groups' matching
- Added automated tests using cram.py for "make {dist}check"
- Added 'cafile' configuration option to override CA cert for testing
- Added login_duo -h option to specify remote host manually
- Added duo_unix.spec from S. Zachariah Sprackett <[email protected]>
- Fixed issue #5: add implicit 'safe' failmode for local config errors
- Title-cased "Command" in pushinfo
duo_unix-1.6:
- Added 'pushinfo' configuration option
- Fixed Duo enrollment on FreeBSD
- Pedantic GPL + OpenSSL license handling
duo_unix-1.5:
- Changed 'noconn' (allow, deny) option in login_duo and pam_duo to
the clearer 'failmode' (safe, secure), e.g.
http://en.wikipedia.org/wiki/Fail-safe
- Fixed curl_easy_setopt() of User-Agent for libcurl < 7.17.0
- Added CHANGES :-)