This is MyProxy v6.0 Jul 2014. This version should be protocol compatible with all versions since v0.2. Binary compatibility of the C API is not guaranteed between releases. Version History --------------- v6.0 Jul 2014 - disable usage stats collection by default - make myproxy-server's credential repository storage directory optional and run in "CA only" mode if no valid storage directory - update default for certificate_issuer_hashalg from sha1 to sha256 - handle very long usernames (avoiding ENAMETOOLONG) by creating hashed filename in MyProxy repository when username or credname is longer than 80 characters - can be overridden by MYPROXY_CREDS_MAX_NAMELEN environment variable (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7275) - use unbuffered I/O on stdin read of passwords (http://jira.globus.org/browse/GT-387) - create files in certificate_out_dir with 0600 mode - check for out of bounds lifetime values (integer overflows) (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7263) - remove Pubcookie support in myproxy-server - update build scripts for GT6 v5.9 Jul 2012 - fix a memory error in myproxy-logon --voms when more than 19 entries in vomses file (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7261) v5.8 Jun 2012 - fixes for myproxy-server VOMS attribute support: API updates for libvomsapi, fixes for FQAN regex matching - fix for myproxy-server "Failed to load sub-CA certs from file" error when using certificate_issuer_subca_certfile (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7259) - update $GLOBUS_LOCATION paths for GT 5.2 in etc.init.d.myproxy v5.7 May 2012 - add IPv6 support (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7252) - update configure script for platforms where pidfile_open is defined in libbsd - support limited proxy certificates in myproxy-logon -voms by passing -limited option to voms-proxy-init as needed (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7250) - add support for TLS 1.1 and TLS 1.2 using OpenSSL 1.0.1 and later v5.6 20 Feb 2012 - in myproxy-logon --voms, use voms-proxy-init -valid H:M rather than voms-proxy-init -hours H so proxy lifetime matches assertion lifetime (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7244) - on myproxy-server daemon startup, don't exit original process until daemon child has completed initialization (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7240) - improve myproxy-server pidfile creation: when root, write pidfile by default to /var/run/myproxy.pid; write pidfile on startup before detaching from parent process; lock pidfile to avoid collisions; remove pidfile on SIGTERM shutdown [LICENSE.pidfile added for pidfile.c from FreeBSD's libutil.] (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7240) - allow escaping of '.' in regular expressions (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7213) - when converting to POSIX extended regular expressions for DN matching, wrap the expression inside '^(' and ')$' instead of just '^' and '$' to ensure matching the entire DN using proper operator precedence (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7215) - add liblber to link line when using --with-openldap (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7217) - fix section number in myproxy-admin-query man page (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7219) - in myproxy-admin-load-credential, handle the case of running as root but /var/lib/myproxy owned by non-root by switching to the non-root user before writing the credential files (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7234) v5.5 5 Sep 2011 - undo escaping of POSIX extended regular expression meta-characters in myproxy-server authorization policies (introduced in v5.1) to enable full use of POSIX ERE capabilities. For literal matching of parentheses and brackets, the characters must again be explicitly escaped (i.e., '\(' and '\)'). Non-POSIX handling of wildcard characters ('*' and '?') is maintained for backward compatibility, so these characters must be escaped if POSIX ERE behavior is desired. (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7211) - in MyProxy CA, ensure that any domainComponent or emailAddress components in the certificate subject are type IA5String per RFC 5280 (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7201) - add myproxy-logon --certreq option, to accept an externally generated certificate request rather than generating private key and request internally (http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=347) - in myproxy-server, fix abort when processing INFO response when the user has stored credentials both with and without a credential name; bug was introduced in myproxy-server v4.9 (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7209) - use /var/lib/myproxy as first choice default storage directory, for Filesystem Hierarchy Standard compliance; still fallback to /var/myproxy and $GLOBUS_LOCATION/var/myproxy for alternatives - fix erroneous error message when no VOMS attributes found (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7207) v5.4 22 Apr 2011 - support disabling reverse DNS lookup of server hostname in MyProxy clients by setting the environment variable GLOBUS_GSSAPI_NAME_COMPATIBILITY to STRICT_RFC2818 (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6789) - prefer to link with libvomsapi instead of libvomsc (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7133) - fix double-free in myproxy_install_trusted_cert_files() on write error (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7135) - add myproxy-test -generatecerts option and remove dependency on $HOME (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7139) - myproxy-server trustroots security improvements: - cert_dir no longer defaults to /etc/grid-security/certificates. - Server will ignore requests for trustroots if cert_dir is not defined. - Server will refuse to start if the trustroots directory set using cert_dir contains any regular files that are not world-readable. - Once started, the server will skip (i.e. will not return to client) any regular files found later to NOT have world-readable permissions. - fix GPT dependency on globus_proxy_utils package (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7151) - Allow empty SASL responses. Needed for Moonshot GS2. (http://www.project-moonshot.org/devwiki//testing/myproxy/) v5.3 17 Jan 2011 - fix myproxy-logon bug in versions 5.0-5.2 that disabled myproxy-server identity verification (http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt) - if myproxy-logon GSI mutual authentication with the myproxy-server fails, try again with client-side anonymous authentication, in case the client-side GSI credentials are unacceptable to the myproxy-server (for example, signed by an untrusted CA), but the myproxy-server would accept an anonymous client (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7103) - fix configure checks for globus_usage_stats_send, globus_usage_stats_send_array, and globus_gsi_proxy_handle_set_extensions when installing without existing Globus libraries in LD_LIBRARY_PATH (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7098) - in myproxy-server-setup, look in /sbin and /usr/sbin for chkconfig or update-rc.d in case they're not in PATH - add certificate_issuer_subca_certfile option in myproxy-server.config (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7119) - make all Globus Usage library errors non-fatal (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7111) - add myproxy-logon support for requesting certificates containing VOMS assertions from myproxy-servers that have "allow_voms_attribute_requests true" in myproxy-server.config; if the myproxy-server does not add the requested VOMS assertion, myproxy-logon tries to add it by running voms-proxy-init as before v5.2 22 Jun 2010 - allow specification of port numbers in MYPROXY_SERVER list (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7039) - support PKCS8 encoded private keys in myproxy-retrieve, myproxy-store, and myproxy-admin-load-credential (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7033) - add work-around for Globus libraries blocking signals (SIGTERM, SIGCHLD, SIGHUP, etc.) when myproxy-server is built with pthr flavor (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7048) - increase default RSA key sizes from 1024 bits to 2048 bits per NIST SP 800-57 and add MYPROXY_KEYBITS environment variable for setting custom RSA key sizes - fix configure check for facilitynames structure on Linux to support myproxy-server.config syslog_facility option mapping of names to numeric values (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6983) - add myproxy-admin-adduser -v (verbose) option (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6963) - bug fix for possible truncation of ca_ldap_connect_passphrase value from myproxy-server.config v5.1 9 Mar 2010 - fix configure script check for non-flavored globus_usage and globus_gsi_proxy_core libraries for Fedora/EPEL RPM compatibility (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6897) - fix myproxy-logon -T segfault after "removed bad CRL file" message (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6909) - add server-side support for including VOMS attributes in retrieved credentials (from the repository); requires setting "allow_voms_attribute_requests true" in myproxy-server.config (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6882) - add support for LDAP StartTLS (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6957) - fix myproxy-test behavior when -startserver is not given (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6959) - fix parsing of certificate_issuer_hashalg (broken since v4.8) - treat trustroot file contents as binary data rather than text in myproxy-logon -T / myproxy-get-trustroots - fix escaping of POSIX extended regular expression meta-characters in myproxy-server authorization policies (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6903) - added support for GT 4.0.8 metrics library, for backward compatibility, and require linking with globus_usage library; usage collection can be disabled by setting "GLOBUS_USAGE_OPTOUT=1" in the environment of the myproxy-server - fix myproxy.h header dependencies - changes for compatibility with OpenSSL 1.0.0-beta5 v5.0 4 Dec 2009 - add Globus Usage Metrics to the myproxy-server - in myproxy-server, atomically update credential files and avoid unnecessary file copies; NOTE API CHANGE: myproxy_creds_store() now moves file to the repository, rather than copying it - add myproxy-server.config request_size_limit parameter to control myproxy-server network limits, and fix network limit handling to apply only to myproxy-server (not clients), so clients can handle large X509_CERT_DIR contents (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6889) - include extendedKeyUsage=clientAuth in EECs by default per GFD.125 - add myproxy-logon/myproxy-get-trustroots -b option to allow bootstrapping CA trust even when X509_CERT_DIR exists (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6886) - myproxy-logon -T / myproxy-get-trustroots fixes/improvements: - when cleaning bad CRLs, also remove any CRLs we can't parse - when recovering from CRL errors, allow anonymous authentication on second attempt, just like first attempt - when bootstrapping, restrict CA trust to only the one certificate subject needed, rather than a wildcard v4.9 2 Nov 2009 - fix support for "check_multiple_credentials true" in myproxy-server.config, disabled since v4.4 (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6878); changes include: - limit check_multiple_credentials functionality to GET requests (myproxy-logon) only - in authorization failures, give underlying error message rather than check_multiple_credentials unique error message - add myproxy-test cases for check_multiple_credentials and myproxy-admin-query v4.8 10 Sep 2009 - add myproxy-server.config proxy_extfile and proxy_extapp options for including custom certificate extensions in proxy certificates issued from the MyProxy repository (analogous to certificate_extfile and certificate_extapp for the CA module); requires GT 4.2.0 libraries (or later) (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6786) - look for VOMS header files in include/voms directory for compatibility with Fedora's VOMS package (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6847) - exit with an error message when --voms and -o - are used together in myproxy-logon (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6807) - fix a memory error in myproxy-info/myproxy-destroy error handling (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6849) - check myproxy-server.config lines for correct number of arguments (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6852) v4.7 6 May 2009 - in myproxy-get-trustroots and myproxy-logon -T, update files atomically (using rename) rather than overwriting - add myproxy-get-trustroots.cron example for keeping /etc/grid-security/certificates up-to-date - support linking against flavored VOMS libraries - fix "self-authorization" check for CA requests (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6713) - check certificate requests and issued certificates in the CA: (http://bugzilla.globus.org/globus/show_bug.cgi?id=6648) - add certificate_request_checker and certificate_issuer_checker options in myproxy-server.config for specifying call-outs before and after the MyProxy CA signs certificates - example myproxy-cert-checker and myproxy-certreq-checker call-outs are installed in $GLOBUS_LOCATION/share/myproxy - only accept RSA keys in certificate requests - don't allow RSA exponents < 65537 - add min_keylen option in myproxy-server.config for specifying a minimum allowed RSA key length - add syslog_facility option in myproxy-server.config to configure the myproxy-server to log to the specified syslog facility; the default is the "daemon" facility (http://bugzilla.globus.org/globus/show_bug.cgi?id=6717) - added an example in myproxy-accepted-credentials-mapapp of how to ban users (http://myproxy.ncsa.uiuc.edu/blacklist.html) - added myproxy-admin-query -o option to query by owner DN - replace fixed-length buffer in read_data_file() (credential repository file parser) with dynamically-sized buffer to support credentials with policies longer than 511 characters (http://bugzilla.globus.org/globus/show_bug.cgi?id=6723) - added certificate_serial_skip in myproxy-server.config to support staggered serial numbers across multiple CA instances - added certificate_issuer_hashalg in myproxy-server.config to configure the MyProxy CA to issue certificates using SHA-2 hash algorithms (SHA-224, SHA-256, SHA-384, SHA-512) rather than SHA-1 (the default). Requires OpenSSL 0.9.8 or later. v4.6 25 Mar 2009 - add myproxy-get-trustroots command to download trusted CA certificates without client-side authentication (http://bugzilla.globus.org/globus/show_bug.cgi?id=5899) - add sasl_mech, sasl_serverFQDN, and sasl_user_realm options to myproxy-server.config - include certificate subject in myproxy-admin-adduser output (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6324) - handle error response message from myproxy-server during delegation (http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=359) v4.5 12 Feb 2009 - in myproxy-server, disallow release of a credential based only on authentication with a client credential of the same subject (i.e., self-renewal) unless "allow_self_authorization true" is specified in myproxy-server.config (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6630) - fix myproxy-logon --voms interaction with --out option (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6612) - implement stricter checks on myproxy-server storage directory security using Safefile's safe_is_path_trusted_r() (http://pages.cs.wisc.edu/~kupsch/safefile/); for now, these checks result in WARNING messages rather than errors - added myproxy-server --portfile option, useful when binding to a random available port via myproxy-server --port 0 (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6623) v4.4 12 Dec 2008 - allow $MYPROXY_SERVER and -s command-line options to be a comma-separated list of hostnames to try to connect to - in myproxy-server, fail on startup or reconfig with an "unsafe policy" error if a policy of trusted_retrievers "*" is specified without also specifying a restrictive default_trusted_retrievers policy, to avoid an unsafe policy that could release credentials to any client without additional authentication. - in myproxy-server, log info for the received client request before the authorization check, so we have the request info for troubleshooting purposes even if the request is denied. - in myproxy-server, fail on startup if PAM, SASL, or OCSP is configured in myproxy-server.config but the needed libraries are not linked in - fix problem with OpenSSL engine (for HSM support) being shutdown on child process failures - fix bug when issuing certificates with subject containing "//" (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6488) - add support for multiple --voms options to myproxy-init/logon (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6436) - added myproxy-info --credname option (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6561) - for myproxy-logon -T, bootstrap the trusted certificates directory atomically (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6432) - for myproxy-logon --voms, request the correct proxy type from voms-proxy-init - added example myproxy-revoke and myproxy-crl.cron scripts for revoking certificates issued by the MyProxy CA and generating CRLs - added max_cred_lifetime option in myproxy-server.config to limit the lifetime of credentials stored in the repository v4.3 2 Sep 2008 - improve MyProxy CA error message on incorrect passphrase. specifically, in myproxy-server, if passphrase in the request is non-empty, fail immediately if it can't be verified, rather than trying other methods; this forces other authentication methods (SASL, renewal) to send an empty passphrase (which current clients do by default), but it results in a better error message in the common case when an incorrect passphrase is given. also stop appending "invalid pass phrase" to the more specific error message from PAM or OpenSSL. - fix -m command-line option for myproxy-init and myproxy-logon - fix myproxy-init --voms with GT_PROXY_MODE="old" - in myproxy-init --voms, use voms-proxy-init -vomslife so VOMS AC lifetime matches proxy lifetime - if myproxy-init --local_proxy and --voms options are used together, only call voms-proxy-init once, and use that proxy to create the local proxy (via grid-proxy-init) - add a default timeout of 120 seconds for myproxy-server child processes to service requests before aborting, customizable via the myproxy-server.config request_timeout parameter - in myproxy-server, read incoming messages up to 1MB maximum to avoid memory exhaustion under heavy load - on myproxy-server startup, perform more sanity checks before fork to become daemon so exit status of original process is set to 1 on errors (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6325) - in myproxy-server, don't re-read config file automatically on changes (i.e., undo change in v4.2); instead, re-read on SIGHUP (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5627) - add reconfig method to etc.init.d.myproxy - make myproxy-admin-adduser less verbose by only showing the output of grid-cert-request on errors - added myproxy-admin-adduser -p option for specifying the CA private key password using openssl format (see the PASS PHRASE ARGUMENTS section in the openssl(1) man page) - associate "Connection from xxx.xxx.xxx.xxx" syslog message with child pid so it matches up with other syslog messages for that client v4.2 10 Jan 2008 - add support for $GT_PROXY_MODE="rfc" in myproxy-init - in the myproxy-server, no longer default to issuing a "legacy globus proxy" from an end-entity certificate; instead, issue the default proxy type according to the GSI library version - drop support for $GT_PROXY_MODE="old" in myproxy-logon; however, myproxy-init still supports $GT_PROXY_MODE="old" - in myproxy-server, re-read config file automatically on changes - fixes for newer OpenSSL versions used in GT 4.2 - fixes for MIT Kerberos 1.6 support (via SASL) v4.1 10 Sep 2007 - in myproxy-server, listen on $MYPROXY_SERVER_PORT if defined - for myproxy-logon/myproxy-retrieve -T, fix handling of zero length files and process only regular files (not subdirectories) v4.0 11 Jul 2007 - add myproxy-server-setup script for simple server install - fix myproxy-logon/myproxy-retrieve -T bug that caused trust bootstrap to fail when no certificates directory exists - add myproxy-admin-load-credential --retrieve_key and --retrievable_by_cert options - add myproxy-admin-addservice for distributing host/service credentials v3.9 12 Jun 2007 - update myproxy-logon/myproxy-retrieve -T behavior: - if no certificates directory exists, install the myproxy-server's CA certificate to bootstrap trust - if authentication to the myproxy-server fails due to a CRL error, remove problematic CRL file(s) and retry - if running as root, store trust roots in /etc/grid-security/certificates rather than ~root/.globus/certificates and credentials in /etc/grid-security/hostcert.pem/hostkey.pem - add --voms options to myproxy-init and myproxy-logon to add VOMS attributes, analogous to voms-proxy-init -voms; requires voms-proxy-init to be installed and configured - add myproxy-admin-query --config option v3.8 13 Apr 2007 - drop support for Globus Toolkit versions 3.0 and 2.4 - fix myproxy-replicate errors for credentials with usernames or crednames containing spaces - fix server-side problem when linking against globus_gssapi_gsi version 4.12 and later that causes "no shared cipher" errors - return more concise error messages to clients for common errors, with additional diagnostics written to the server log - fix configure check for OCSP functions in OpenSSL for enabling OCSP support - for --help, --usage, and --version options, exit with status 0 after printing help/usage/version information - add OpenSSL Engine support in the MyProxy CA to enable the use of hardware tokens via new myproxy-server.config certificate_openssl_engine options - check if client authenticates with a limited proxy, and if so, only allow the client to obtain another limited proxy, unless ignore_globus_limited_proxy_flag is set in myproxy-server.config - optionally store all certificates issued by the MyProxy CA in a directory via the certificate_out_dir myproxy-server.config option v3.7 12 Dec 2006 - fix handling of usernames containing '/', '-', and '.' characters; note this required a change to the myproxy-server repository format, so credential data files written by a new myproxy-server won't be readable by an older myproxy-server - verify that credentials in the myproxy-server repository are still valid (i.e., not revoked) before performing delegation - added myproxy-admin-query --invalid option for listing, locking, or removing invalid credentials from repository - optionally check OCSP status of stored credentials before performing delegation via myproxy-server.config ocsp settings; requires GT 3.2 (OpenSSL 0.9.7) or later - update etc.init.d.myproxy script to use pidfile to locate server to stop (rather than searching ps output), include a restart option, and exit with error if $GLOBUS_LOCATION isn't set - if the myproxy-server hostname given by $MYPROXY_SERVER or the -s option resolves to multiple IP addresses, clients will connect to each address until a connection is established or all fail - added accepted_credentials_mapapp call-out version of accepted_credentials_mapfile in myproxy-server.config - support unencrypted, although still signed, Pubcookie granting cookies as passwords - added myproxy-server.config syslog_ident option - improved MyProxy CA logging - added myproxy-server --listen to specify host/ip to bind to v3.6 10 Aug 2006 - support credential renewal via the MyProxy CA using myproxy-server.config authorized_renewers/default_renewers options - provide an access control list for storing credentials via the myproxy-server.config accepted_credentials_mapfile option - fix insecure temporary file handling in myproxy-admin-adduser - fix insecure input handling in myproxy-get-delegation.cgi example - support VOMS attributes in myproxy-server.config policies - in CA, issue certificates valid starting 5 minutes in the past to account for possible clock skew between hosts - add check_multiple_credentials option in myproxy-server.config to allow clients to retrieve a credential for a given username even if the associated "credential name" isn't provided (via myproxy-logon --credname) v3.5 14 Mar 2006 - dropped support for certificate_issuer option in myproxy-server.config; use certificate_issuer_cert instead - added myproxy_accept_delegation_ex() to retrieve credentials to a buffer rather than a file - in myproxy-logon, added support for writing credential to standard output via '-o -' option; also added --quiet option - added myproxy-logon --no_credentials option to authenticate without retrieving credentials - added certificate_mapapp call-out for mapping usernames to certificate subject distinguished names for the CA module - added certificate_extfile and certificate_extapp (call-out) for setting extensions in certificates issued by CA module - do not indicate in info command error output whether credentials owned by someone else exist, to avoid giving potentially useful information to an attacker - delegate credentials with minimum lifetime of 5 minutes to avoid problems with clock skew - fixed build problem with GT 2.4/3.0 introduced in v3.4: EVP_MD_CTX_cleanup() wasn't in OpenSSL 0.9.6 v3.4 19 Dec 2005 - added myproxy-test -valgrind option for detecting memory errors - fixed memory errors found with myproxy-test -valgrind - fixed handling of lifetime=0 requests in myproxy-server v3.3 2 Dec 2005 - API changes: new trusted_retrievers member for struct myproxy_creds and struct myproxy_request_t - generate 1024 bit keys instead of 512 bit keys - add support for certificate-only authentication to the myproxy-server via myproxy-init -Z and myproxy-server.config trusted_retrievers options - add support for CA username to DN resolution via LDAP using myproxy-server.config ca_ldap options - add myproxy-server authentication support for Pubcookie (http://www.pubcookie.org/) granting cookie via pubcookie_granting_cert and pubcookie_app_server_key myproxy-server.config options - add myproxy-init --local_proxy option to create a local proxy credential after storing a credential on the myproxy-server - add myproxy-init --keyfile/--certfile options - fix segmentation fault on reverse lookup in client - fix SASL build problems on Darwin - fix client-side memory leak in GSI_SOCKET_authentication_init() - in CA, use SHA1 instead of MD5 digest algorithm, set CA:FALSE in X509v3 Basic Constraints, include X509v3 Subject Key Identifier, and optionally set email X509v3 Subject Alternative Name using certificate_issuer_email_domain in myproxy-server.config - support alternate syntax "min max" for GLOBUS_TCP_PORT_RANGE and improve error handling and documentation for this environment variable v3.2 11 Oct 2005 - fix fd_set compiler error introduced in v3.1 v3.1 11 Oct 2005 - fix compilation problem on platforms without setenv() v3.0 28 Sep 2005 - add ability for myproxy-server to act as a CA by setting certificate_issuer options in myproxy-server.config - fix for static builds using 'gpt-build -static' - fixes for SASL support - increased myproxy-server's listen(2) backlog for improved scalability - modify myproxy-test to use "$LOGNAME.myproxy-test" for a username to avoid overwriting any existing credentials - include configured trusted certificate directory in debug/verbose output - install example myproxy-server.config to $GLOBUS_LOCATION/share/myproxy instead of potentially overwriting existing version in $GLOBUS_LOCATION/etc - warn on unknown directives in myproxy-server.config v2.3 28 Jul 2005 - fix AIX compliation problems in PAM module v2.2 14 Jul 2005 - fix TRU64 compilation problem - for --dn_as_username option, get DN from user proxy if available rather than requiring access to user certificate v2.1 6 Jul 2005 - fix compilation problem for ISO C89 compilers - fix myproxy-init compatibility with Java CoG grid-proxy-init in PATH (use grid-proxy-init -hours instead of -valid) - improve PAM error messages - fix error message on server-side authorized_renewers check - perform reverse lookup on server IP address for authorization consistency with other GSI clients - removed myproxy_resolve_hostname() from API v2.0 8 Jun 2005 - unified versioning with GPT packaging - added native PAM support (not requiring SASL) - added support for managing trusted CA certificates using myproxy-logon/myproxy-retrieve -T option - added the myproxy-replicate utility for managing multiple myproxy-server repository replicas for high availability - added myproxy_version() and myproxy_check_version() functions to verify headers match the shared library in use - fixed bug in previous version that caused myproxy-get-delegation not to be included in binary GPT installs - use system getopt_long() if available; otherwise, use included getopt_long from NetBSD instead of GNU version as previous - fixed server side bug where the default_key_retrievers policy was always applied even if the credential had a key retriever policy - fixed myproxy-test GT 2.4 compatibility problem in v0.6.5 - fixed myproxy_get_delegation() signature, erroneously changed in v0.6.2, to maintain API-level compatibility - added dynamic buffer management for improved handling of large messages v0.6.5 8 Apr 2005 (GPT package version 1.17) - added support for RFC 3820 proxy certificate format - renamed myproxy-get-delegation to myproxy-logon; kept myproxy-get-delegation symlink for backward compatibility - added myproxy-store and myproxy-retrieve commands for storing and retrieving credentials directly to/from the repository; note myproxy-retrieve support must be explicitly enabled by setting authorized_key_retrievers in myproxy-server.config - write temp proxy to /tmp/myproxy-proxy.. instead of /tmp/myproxy-proxy. so we can run more than one myproxy-init in an account at a time - added myproxy-test -performance option for performance testing - fixed potential logging race condition when running myproxy-server in verbose mode - fixed potential network race condition in myproxy-init - for myproxy-admin-change-pass, only prompt for existing password if existing credential is encrypted - check for invalid options passed to myproxy commands - fixed a myproxy-admin-change-pass segmentation fault when the storage directory is invalid - improve error messages for too-short passphrases (6 character minimum) v0.6.4 4 Jan 2005 (GPT package version 1.16) - fixed file permission bug in myproxy-admin-load-credential v0.6.3 22 Nov 2004 (GPT package version 1.15) - updated GPT packaging for compatibility with GT 3.9.3 (globus_gssapi_gsi-4.0) - added support for $GT_PROXY_MODE="old" in myproxy-get-delegation, to retrieve a "legacy globus proxy" from an end-entity certificate stored in the MyProxy repository. - modified client tools to attempt connecting to the server first, before prompting for user input, to catch server problems early. - added initial experimental support for Kerberos authentication via the SASL/GSSAPI mechanism. - removed dependency on perl Expect package in myproxy-test - added myproxy-test -startserver option - added myproxy-server --pidfile option to ease myproxy-server shutdown v0.6.2 21 Jun 2004 (GPT package version 1.14) - added initial experimental support for PAM authentication via the SASL/PLAIN mechanism. - changed myproxy-admin-change-pass so an empty pass phrase can be used for unencrypted keys (for example, for renewal keys) - fixed myproxy-admin-adduser to not depend on nonexistent myproxy-admin-adduser-config command - removed pass phrase functions from myproxy-admin-load-credential, so the existing pass phrase on the source key is kept as is. Use myproxy-admin-change-pass to change the pass phrase of a credential after loading. - fixed GT 2.2 and Java CoG incompatibility introduced in v0.6.1. Note: if repository contains end-entity credentials, Java CoG will retrieve old-style (legacy) proxies because the Java CoG certificate request doesn't specify the proxy type. - changed signature of myproxy_get_delegation() method. original signature is restored in v2.0. v0.6.1 30 Mar 2004 (GPT package version 1.13) Fixed a bug where the myproxy-server would always delegate new-style proxy credentials from end-entity credentials in repository. The myproxy-server now respects proxy type in the certificate request when end-entity credentials are stored in repository. However, if the repository contains proxy credentials, the server will delegate a proxy of the same type as stored in the repository irrespective of the certificate request, because new-style and old-style proxies can't be mixed. This bug fix resulted in an incompatibility with GT 2.2 and Java CoG clients, fixed in v0.6.2. v0.6.0 22 Mar 2004 (GPT package version 1.12) - added max_proxy_lifetime server configuration option for limiting the lifetime of retrieved credentials v0.5.9 28 Jan 2004 (GPT package version 1.11) - removed requirement for /dev/urandom and instead let OpenSSL seed its random number generator itself using its standard methods - added myproxy-admin-change-pass command - changed myproxy-get-delegation -d option to have effect even when -a option is not given - added support for OpenSSL 0.9.7 v0.5.8 23 Sep 2003 (GPT package version 1.10) - fixed networking problem with v0.5.7 on some platforms v0.5.7 25 Aug 2003 (GPT package version 1.9) - fixed additional problems with handling large credentials - bugfix: myproxy-admin-load-credential fails to prompt for passphrase of source credential in versions 0.5.4-0.5.6. v0.5.6 31 Jul 2003 (GPT package version 1.8) - added support for Globus Toolkit 3.0 libraries - added support for new GSI proxy certificate format - fixed 'myproxy-info -d' - fixed credential problem when using Globus Toolkit 2.4 libraries - removed buffer length restriction in credential renewal protocol v0.5.5 30 May 2003 (GPT package version 1.7) - added support for Globus Toolkit 2.4 libraries - added support for external passphrase quality enforcement with passphrase_policy_program command in myproxy-server.config - added support for locking credentials via myproxy-admin-query - included example myproxy.cron script for removing expired credentials - fixed problems with installed headers - added MYPROXY_SERVER_PORT environment variable v0.5.4 2 May 2003 (GPT package version 1.6) - myproxy-admin-adduser command added - default lifetime of delegated proxies changed to 12 hours instead of 2 - --passphrase option added to myproxy-admin-load-credential - new options (including remove option) added to myproxy-admin-query - compatibility problem with v0.2 (introduced in v0.5.0) fixed - OSX build problem fixed - support for delegating proxies with maximum lifetime added v0.5.3 19 Mar 2003 (GPT package version 1.5) This version fixes a build problem on AIX. v0.5.2 10 Mar 2003 (GPT package version 1.4) This version adds the myproxy-admin-query and myproxy-admin-load-credential commands and adds support for running the myproxy-server with a /CN=myproxy/fqhn credential. v0.5.1 12 Feb 2003 (GPT package version 1.3) This release fixes a bug where the X509_USER_CERT and X509_USER_KEY environment variables would confuse myproxy-init. v0.5.0 15 Nov 2002 (GPT package version 1.2) This is the first version for Globus Toolkit 2.2. It adds support for storing multiple credentials per username, stores private keys encrypted with the credential's passphrase (if set), and adds the myproxy-change-pass-phrase command. It is also the first version to be released unter the NCSA Open Source license. Note that due to version incompatibilities with Globus Toolkit 2.2 libraries and the Java CoG (not specific to MyProxy), this and future versions of MyProxy are not compatible with Java CoG versions before 1.0. v0.4.6 3 Sep 2002 (GPT package version 1.1) This version adds sample init.d and xinetd entries in the GPT package. v0.4.5 28 Aug 2002 (GPT package version 1.0) This is the first version packaged with GPT. In addition to changes for GPT compatibility, it contains minor changes to some MyProxy debug messages. v0.4.4 22 Mar 2002 This version adds the myproxy-info command. v0.4.3 6 Mar 2002 This version adds support for per-credential authorization. Users can specify retrieval/renewal policies for a credential on upload using myproxy-init. v0.4.2 4 Feb 2002 This version includes the GSI distinguished name matching logic that was removed in v0.4.0, so for example host/fqhn will now match fqhn again. It also adds support for restricting the TCP port ranges of the clients. v0.4.1 4 Dec 2001 This version adds support for Globus 2.0 and optionally using the distinguished name from the proxy certificate as the default myproxy username. v0.4.0 20 Nov 2001 This version adds support for anonymous X.509 client authentication, to allow users to retrieve a credential using their myproxy passphrase when they don't already have a credential. The myproxy server configuration file can enable or disable anonymous and certificate-based (from v0.3) authentication. v0.3 5 Oct 2001 This version adds support for certificate-based authentication in addition to passphrase based authentication, to enable credential renewal. It was developed by Daniel Kouril and Miroslav Ruda for the European DataGrid project. v0.2alpha3 11 Oct 2000 This version was used by many grid portals. v0.2alpha1 27 Sep 2000 v0.2 20 Sep 2000 v0.1b3 30 June 2000 v0.1b2 08 May 2000 v0.1b1 05 May 2000 v0.1 03 Apr 2000