libpve-access-control (7.0-5) bullseye; urgency=medium * acl: check path: add /sdn/vnets/* path * fix #2302: allow deletion of users when realm enforces TFA * api: delete user: disable user first to avoid surprise on error during the various cleanup action required for user deletion (e.g., TFA, ACL, group) -- Proxmox Support Team Mon, 27 Sep 2021 15:50:47 +0200 libpve-access-control (7.0-4) bullseye; urgency=medium * realm: add OpenID configuration * api: implement OpenID related endpoints * implement opt-in OpenID autocreate user feature * api: user: add 'realm-type' to user list response -- Proxmox Support Team Fri, 02 Jul 2021 13:45:46 +0200 libpve-access-control (7.0-3) bullseye; urgency=medium * api: acl: add missing `/access/realm/`, `/access/group/` and `/sdn/zones/` to allowed ACL paths -- Proxmox Support Team Mon, 21 Jun 2021 10:31:19 +0200 libpve-access-control (7.0-2) bullseye; urgency=medium * fix #3402: add Pool.Audit privilege - custom roles containing Pool.Allocate must be updated to include the new privilege. -- Proxmox Support Team Tue, 1 Jun 2021 11:28:38 +0200 libpve-access-control (7.0-1) bullseye; urgency=medium * re-build for Debian 11 Bullseye based releases -- Proxmox Support Team Sun, 09 May 2021 18:18:23 +0200 libpve-access-control (6.4-1) pve; urgency=medium * fix #1670: change PAM service name to project specific name * fix #1500: permission path syntax check for access control * pveum: add resource pool CLI commands -- Proxmox Support Team Sat, 24 Apr 2021 19:48:21 +0200 libpve-access-control (6.1-3) pve; urgency=medium * partially fix #2825: authkey: rotate if it was generated in the future * fix #2947: add an option to LDAP or AD realm to switch user lookup to case insensitive -- Proxmox Support Team Tue, 29 Sep 2020 08:54:13 +0200 libpve-access-control (6.1-2) pve; urgency=medium * also check SDN permission path when computing coarse permissions heuristic for UIs * add SDN Permissions.Modify * add VM.Config.Cloudinit -- Proxmox Support Team Tue, 30 Jun 2020 13:06:56 +0200 libpve-access-control (6.1-1) pve; urgency=medium * pveum: add tfa delete subcommand for deleting user-TFA * LDAP: don't complain about missing credentials on realm removal * LDAP: skip anonymous bind when client certificate and key is configured -- Proxmox Support Team Fri, 08 May 2020 17:47:41 +0200 libpve-access-control (6.0-7) pve; urgency=medium * fix #2575: die when trying to edit built-in roles * add realm sub commands to pveum CLI tool * api: domains: add user group sync API enpoint * allow one to sync and import users and groups from LDAP/AD based realms * realm: add default-sync-options to config for more convenient sync configuration * api: token create: return also full token id for convenience -- Proxmox Support Team Sat, 25 Apr 2020 19:35:17 +0200 libpve-access-control (6.0-6) pve; urgency=medium * API: add group members to group index * implement API token support and management * pveum: add 'pveum user token add/update/remove/list' * pveum: add permissions sub-commands * API: add 'permissions' API endpoint * user.cfg: skip inexisting roles when parsing ACLs -- Proxmox Support Team Wed, 29 Jan 2020 10:17:27 +0100 libpve-access-control (6.0-5) pve; urgency=medium * pveum: add list command for users, groups, ACLs and roles * add initial permissions for experimental SDN integration -- Proxmox Support Team Tue, 26 Nov 2019 17:56:37 +0100 libpve-access-control (6.0-4) pve; urgency=medium * ticket: use clinfo to get cluster name * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as SSL version -- Proxmox Support Team Mon, 18 Nov 2019 11:55:11 +0100 libpve-access-control (6.0-3) pve; urgency=medium * fix #2433: increase possible TFA secret length * parse user configuration: correctly parse group names in ACLs, for users which begin their name with an @ * sort user.cfg entries alphabetically -- Proxmox Support Team Tue, 29 Oct 2019 08:52:23 +0100 libpve-access-control (6.0-2) pve; urgency=medium * improve CSRF verification compatibility with newer PVE -- Proxmox Support Team Wed, 26 Jun 2019 20:24:35 +0200 libpve-access-control (6.0-1) pve; urgency=medium * ticket: properly verify exactly 5 minute old tickets * use hmac_sha256 instead of sha1 for CSRF token generation -- Proxmox Support Team Mon, 24 Jun 2019 18:14:45 +0200 libpve-access-control (6.0-0+1) pve; urgency=medium * bump for Debian buster * fix #2079: add periodic auth key rotation -- Proxmox Support Team Tue, 21 May 2019 21:31:15 +0200 libpve-access-control (5.1-10) unstable; urgency=medium * add /access/user/{id}/tfa api call to get tfa types -- Proxmox Support Team Wed, 15 May 2019 16:21:10 +0200 libpve-access-control (5.1-9) unstable; urgency=medium * store the tfa type in user.cfg allowing to get it without proxying the call to a higher priviledged daemon. * tfa: realm required TFA should lock out users without TFA configured, as it was done before Proxmox VE 5.4 -- Proxmox Support Team Tue, 30 Apr 2019 14:01:00 +0000 libpve-access-control (5.1-8) unstable; urgency=medium * U2F: ensure we save correct public key on registration -- Proxmox Support Team Tue, 09 Apr 2019 12:47:12 +0200 libpve-access-control (5.1-7) unstable; urgency=medium * verify_ticket: allow general non-challenge tfa to be run as two step call -- Proxmox Support Team Mon, 08 Apr 2019 16:56:14 +0200 libpve-access-control (5.1-6) unstable; urgency=medium * more general 2FA configuration via priv/tfa.cfg * add u2f api endpoints * delete TFA entries when deleting a user * allow users to change their TOTP settings -- Proxmox Support Team Wed, 03 Apr 2019 13:40:26 +0200 libpve-access-control (5.1-5) unstable; urgency=medium * fix vnc ticket verification without authkey lifetime -- Proxmox Support Team Mon, 18 Mar 2019 10:43:17 +0100 libpve-access-control (5.1-4) unstable; urgency=medium * fix #1891: Add zsh command completion for pveum * ground work to fix #2079: add periodic auth key rotation. Not yet enabled to avoid issues on upgrade, will be enabled with 6.0 -- Proxmox Support Team Mon, 18 Mar 2019 09:12:05 +0100 libpve-access-control (5.1-3) unstable; urgency=medium * api/ticket: move getting cluster name into an eval -- Proxmox Support Team Thu, 29 Nov 2018 12:59:36 +0100 libpve-access-control (5.1-2) unstable; urgency=medium * fix #1998: correct return properties for read_role -- Proxmox Support Team Fri, 23 Nov 2018 14:22:40 +0100 libpve-access-control (5.1-1) unstable; urgency=medium * pveum: introduce sub-commands * register userid with completion * fix #233: return cluster name on successful login -- Proxmox Support Team Thu, 15 Nov 2018 09:34:47 +0100 libpve-access-control (5.0-8) unstable; urgency=medium * fix #1612: ldap: make 2nd server work with bind domains again * fix an error message where passing a bad pool id to an API function would make it complain about a wrong group name instead * fix the API-returned permission list so that the GUI knows to show the 'Permissions' tab for a storage to an administrator apart from root@pam -- Proxmox Support Team Thu, 18 Jan 2018 13:34:50 +0100 libpve-access-control (5.0-7) unstable; urgency=medium * VM.Snapshot.Rollback privilege added * api: check for special roles before locking the usercfg * fix #1501: pveum: die when deleting special role * API/ticket: rework coarse grained permission computation -- Proxmox Support Team Thu, 5 Oct 2017 11:27:48 +0200 libpve-access-control (5.0-6) unstable; urgency=medium * Close #1470: Add server ceritifcate verification for AD and LDAP via the 'verify' option. For compatibility reasons this defaults to off for now, but that might change with future updates. * AD, LDAP: Add ability to specify a CA path or file, and a client certificate via the 'capath', 'cert' and 'certkey' options. -- Proxmox Support Team Tue, 08 Aug 2017 11:56:38 +0200 libpve-access-control (5.0-5) unstable; urgency=medium * change from dpkg-deb to dpkg-buildpackage -- Proxmox Support Team Thu, 22 Jun 2017 09:12:37 +0200 libpve-access-control (5.0-4) unstable; urgency=medium * PVE/CLI/pveum.pm: call setup_default_cli_env() * PVE/Auth/PVE.pm: encode uft8 password before calling crypt * check_api2_permissions: avoid warning about uninitialized value -- Proxmox Support Team Tue, 02 May 2017 11:58:15 +0200 libpve-access-control (5.0-3) unstable; urgency=medium * use new PVE::OTP class from pve-common * use new PVE::Tools::encrypt_pw from pve-common -- Proxmox Support Team Thu, 30 Mar 2017 17:45:55 +0200 libpve-access-control (5.0-2) unstable; urgency=medium * encrypt_pw: avoid '+' for crypt salt -- Proxmox Support Team Thu, 30 Mar 2017 08:54:10 +0200 libpve-access-control (5.0-1) unstable; urgency=medium * rebuild for PVE 5.0 -- Proxmox Support Team Mon, 6 Mar 2017 13:42:01 +0100 libpve-access-control (4.0-23) unstable; urgency=medium * use new PVE::Ticket class -- Proxmox Support Team Thu, 19 Jan 2017 13:42:06 +0100 libpve-access-control (4.0-22) unstable; urgency=medium * RPCEnvironment: removed check_volume_access() to avoid cyclic dependency (moved to PVE::Storage) * PVE::PCEnvironment: use new PVE::RESTEnvironment as base class -- Proxmox Support Team Thu, 19 Jan 2017 09:12:04 +0100 libpve-access-control (4.0-21) unstable; urgency=medium * setup_default_cli_env: expect $class as first parameter -- Proxmox Support Team Thu, 12 Jan 2017 13:54:27 +0100 libpve-access-control (4.0-20) unstable; urgency=medium * PVE/RPCEnvironment.pm: new function setup_default_cli_env * PVE/API2/Domains.pm: fix property description * use new repoman for upload target -- Proxmox Support Team Wed, 11 Jan 2017 12:13:26 +0100 libpve-access-control (4.0-19) unstable; urgency=medium * Close #833: ldap: non-anonymous bind support * don't import 'RFC' from MIME::Base32 -- Proxmox Support Team Fri, 05 Aug 2016 13:09:08 +0200 libpve-access-control (4.0-18) unstable; urgency=medium * fix #1062: recognize base32 otp keys again -- Proxmox Support Team Thu, 21 Jul 2016 08:43:18 +0200 libpve-access-control (4.0-17) unstable; urgency=medium * drop oathtool and libdigest-hmac-perl dependencies -- Proxmox Support Team Mon, 11 Jul 2016 12:03:22 +0200 libpve-access-control (4.0-16) unstable; urgency=medium * use pve-doc-generator to generate man pages -- Proxmox Support Team Fri, 08 Apr 2016 07:06:05 +0200 libpve-access-control (4.0-15) unstable; urgency=medium * Fix uninitialized warning when shadow.cfg does not exist -- Proxmox Support Team Fri, 01 Apr 2016 07:10:57 +0200 libpve-access-control (4.0-14) unstable; urgency=medium * Add is_worker to RPCEnvironment -- Proxmox Support Team Tue, 15 Mar 2016 16:47:34 +0100 libpve-access-control (4.0-13) unstable; urgency=medium * fix #916: allow HTTPS to access custom yubico url -- Proxmox Support Team Mon, 14 Mar 2016 11:39:23 +0100 libpve-access-control (4.0-12) unstable; urgency=medium * Catch certificate errors instead of segfaulting -- Proxmox Support Team Wed, 09 Mar 2016 14:41:01 +0100 libpve-access-control (4.0-11) unstable; urgency=medium * Fix #861: use safer sprintf formatting -- Proxmox Support Team Fri, 08 Jan 2016 12:52:39 +0100 libpve-access-control (4.0-10) unstable; urgency=medium * Auth::LDAP, Auth::AD: ipv6 support -- Proxmox Support Team Thu, 03 Dec 2015 12:09:32 +0100 libpve-access-control (4.0-9) unstable; urgency=medium * pveum: implement bash completion -- Proxmox Support Team Thu, 01 Oct 2015 17:22:52 +0200 libpve-access-control (4.0-8) unstable; urgency=medium * remove_storage_access: cleanup of access permissions for removed storage -- Proxmox Support Team Wed, 19 Aug 2015 15:39:15 +0200 libpve-access-control (4.0-7) unstable; urgency=medium * new helper to remove access permissions for removed VMs -- Proxmox Support Team Fri, 14 Aug 2015 07:57:02 +0200 libpve-access-control (4.0-6) unstable; urgency=medium * improve parse_user_config, parse_shadow_config -- Proxmox Support Team Mon, 27 Jul 2015 13:14:33 +0200 libpve-access-control (4.0-5) unstable; urgency=medium * pveum: check for $cmd being defined -- Proxmox Support Team Wed, 10 Jun 2015 10:40:15 +0200 libpve-access-control (4.0-4) unstable; urgency=medium * use activate-noawait triggers -- Proxmox Support Team Mon, 01 Jun 2015 12:25:31 +0200 libpve-access-control (4.0-3) unstable; urgency=medium * IPv6 fixes * non-root buildfix -- Proxmox Support Team Wed, 27 May 2015 11:15:44 +0200 libpve-access-control (4.0-2) unstable; urgency=medium * trigger pve-api-updates event -- Proxmox Support Team Tue, 05 May 2015 15:06:38 +0200 libpve-access-control (4.0-1) unstable; urgency=medium * bump version for Debian Jessie -- Proxmox Support Team Thu, 26 Feb 2015 11:22:01 +0100 libpve-access-control (3.0-16) unstable; urgency=low * root@pam can now be disabled in GUI. -- Proxmox Support Team Fri, 30 Jan 2015 06:20:22 +0100 libpve-access-control (3.0-15) unstable; urgency=low * oath: add 'step' and 'digits' option -- Proxmox Support Team Wed, 23 Jul 2014 06:59:52 +0200 libpve-access-control (3.0-14) unstable; urgency=low * add oath two factor auth * add oathkeygen binary to generate keys for oath * add yubico two factor auth * dedend on oathtool * depend on libmime-base32-perl * allow to write builtin auth domains config (comment/tfa/default) -- Proxmox Support Team Thu, 17 Jul 2014 13:09:56 +0200 libpve-access-control (3.0-13) unstable; urgency=low * use correct connection string for AD auth -- Proxmox Support Team Thu, 22 May 2014 07:16:09 +0200 libpve-access-control (3.0-12) unstable; urgency=low * add dummy API for GET /access/ticket (useful to generate login pages) -- Proxmox Support Team Wed, 30 Apr 2014 14:47:56 +0200 libpve-access-control (3.0-11) unstable; urgency=low * Sets common hot keys for spice client -- Proxmox Support Team Fri, 31 Jan 2014 10:24:28 +0100 libpve-access-control (3.0-10) unstable; urgency=low * implement helper to generate SPICE remote-viewer configuration * depend on libnet-ssleay-perl -- Proxmox Support Team Tue, 10 Dec 2013 10:45:08 +0100 libpve-access-control (3.0-9) unstable; urgency=low * prevent user enumeration attacks * allow dots in access paths -- Proxmox Support Team Mon, 18 Nov 2013 09:06:38 +0100 libpve-access-control (3.0-8) unstable; urgency=low * spice: use lowercase hostname in ticktet signature -- Proxmox Support Team Mon, 28 Oct 2013 08:11:57 +0100 libpve-access-control (3.0-7) unstable; urgency=low * check_volume_access : use parse_volname instead of path, and remove path related code. * use warnings instead of global -w flag. -- Proxmox Support Team Tue, 01 Oct 2013 12:35:53 +0200 libpve-access-control (3.0-6) unstable; urgency=low * use shorter spiceproxy tickets -- Proxmox Support Team Fri, 19 Jul 2013 12:39:09 +0200 libpve-access-control (3.0-5) unstable; urgency=low * add code to generate tickets for SPICE -- Proxmox Support Team Wed, 26 Jun 2013 13:08:32 +0200 libpve-access-control (3.0-4) unstable; urgency=low * moved add_vm_to_pool/remove_vm_from_pool from qemu-server -- Proxmox Support Team Tue, 14 May 2013 11:56:54 +0200 libpve-access-control (3.0-3) unstable; urgency=low * Add new role PVETemplateUser (and VM.Clone priviledge) -- Proxmox Support Team Mon, 29 Apr 2013 11:42:15 +0200 libpve-access-control (3.0-2) unstable; urgency=low * remove CGI.pm related code (pveproxy does not need that) -- Proxmox Support Team Mon, 15 Apr 2013 12:34:23 +0200 libpve-access-control (3.0-1) unstable; urgency=low * bump version for wheezy release -- Proxmox Support Team Fri, 15 Mar 2013 08:07:06 +0100 libpve-access-control (1.0-26) unstable; urgency=low * check_volume_access: fix access permissions for backup files -- Proxmox Support Team Thu, 28 Feb 2013 10:00:14 +0100 libpve-access-control (1.0-25) unstable; urgency=low * add VM.Snapshot permission -- Proxmox Support Team Mon, 10 Sep 2012 09:23:32 +0200 libpve-access-control (1.0-24) unstable; urgency=low * untaint path (allow root to restore arbitrary paths) -- Proxmox Support Team Wed, 06 Jun 2012 13:06:34 +0200 libpve-access-control (1.0-23) unstable; urgency=low * correctly compute GUI capabilities (consider pools) -- Proxmox Support Team Wed, 30 May 2012 08:47:23 +0200 libpve-access-control (1.0-22) unstable; urgency=low * new plugin architecture for Auth modules, minor API change for Auth domains (new 'delete' parameter) -- Proxmox Support Team Wed, 16 May 2012 07:21:44 +0200 libpve-access-control (1.0-21) unstable; urgency=low * do not allow user names including slash -- Proxmox Support Team Tue, 24 Apr 2012 10:07:47 +0200 libpve-access-control (1.0-20) unstable; urgency=low * add ability to fork cli workers in background -- Proxmox Support Team Wed, 18 Apr 2012 08:28:20 +0200 libpve-access-control (1.0-19) unstable; urgency=low * return set of privileges on login - can be used to adopt GUI -- Proxmox Support Team Tue, 17 Apr 2012 10:25:10 +0200 libpve-access-control (1.0-18) unstable; urgency=low * fix bug #151: corretly parse username inside ticket * fix bug #152: allow user to change his own password -- Proxmox Support Team Wed, 11 Apr 2012 09:40:15 +0200 libpve-access-control (1.0-17) unstable; urgency=low * set propagate flag by default -- Proxmox Support Team Thu, 01 Mar 2012 12:40:19 +0100 libpve-access-control (1.0-16) unstable; urgency=low * add 'pveum passwd' method -- Proxmox Support Team Thu, 23 Feb 2012 12:05:25 +0100 libpve-access-control (1.0-15) unstable; urgency=low * Add VM.Config.CDROM privilege to PVEVMUser rule -- Proxmox Support Team Wed, 22 Feb 2012 11:44:23 +0100 libpve-access-control (1.0-14) unstable; urgency=low * fix buf in userid-param permission check -- Proxmox Support Team Wed, 22 Feb 2012 10:52:35 +0100 libpve-access-control (1.0-13) unstable; urgency=low * allow more characters in ldap base_dn attribute -- Proxmox Support Team Wed, 22 Feb 2012 06:17:02 +0100 libpve-access-control (1.0-12) unstable; urgency=low * allow more characters with realm IDs -- Proxmox Support Team Mon, 20 Feb 2012 08:50:33 +0100 libpve-access-control (1.0-11) unstable; urgency=low * fix bug in exec_api2_perm_check -- Proxmox Support Team Wed, 15 Feb 2012 07:06:30 +0100 libpve-access-control (1.0-10) unstable; urgency=low * fix ACL group name parser * changed 'pveum aclmod' command line arguments -- Proxmox Support Team Tue, 14 Feb 2012 12:08:02 +0100 libpve-access-control (1.0-9) unstable; urgency=low * fix bug in check_volume_access (fixes vzrestore) -- Proxmox Support Team Mon, 13 Feb 2012 09:56:37 +0100 libpve-access-control (1.0-8) unstable; urgency=low * fix return value for empty ACL list. -- Proxmox Support Team Fri, 10 Feb 2012 11:25:04 +0100 libpve-access-control (1.0-7) unstable; urgency=low * fix bug #85: allow root@pam to generate tickets for other users -- Proxmox Support Team Tue, 17 Jan 2012 06:40:18 +0100 libpve-access-control (1.0-6) unstable; urgency=low * API change: allow to filter enabled/disabled users. -- Proxmox Support Team Wed, 11 Jan 2012 12:30:37 +0100 libpve-access-control (1.0-5) unstable; urgency=low * add a way to return file changes (diffs): set_result_changes() -- Proxmox Support Team Tue, 20 Dec 2011 11:18:48 +0100 libpve-access-control (1.0-4) unstable; urgency=low * new environment type for ha agents -- Proxmox Support Team Tue, 13 Dec 2011 10:08:53 +0100 libpve-access-control (1.0-3) unstable; urgency=low * add support for delayed parameter parsing - We need that to disable file upload for normal API request (avoid DOS attacs) -- Proxmox Support Team Fri, 02 Dec 2011 09:56:10 +0100 libpve-access-control (1.0-2) unstable; urgency=low * fix bug in fork_worker -- Proxmox Support Team Tue, 11 Oct 2011 08:37:05 +0200 libpve-access-control (1.0-1) unstable; urgency=low * allow '-' in permission paths * bump version to 1.0 -- Proxmox Support Team Mon, 27 Jun 2011 13:51:48 +0200 libpve-access-control (0.1) unstable; urgency=low * first dummy package - no functionality -- Proxmox Support Team Thu, 09 Jul 2009 16:03:00 +0200