			    RELEASE NOTES

xtacacsd v4.1.2 February 1998
============================
1. xtacacsd.c - now does not exit on recvfrom() error (xtacacs killer)
2. fixed bug in tacping.pl (sockaddr)
3. taclast.c - now does a strcasecmp() for usernames instead of strcmp()
4. malloc() definition deleted in common.h
5. Changed -DDCE to -DOSFDCE since clashing with definition in include file.
6. Added debug messages while comparing host and MASK in perm.c
7. xtacacsd.c - checking pw->pw_expire field in BSDI/FreeBSD
8. perm.c now calls authent_files() only if pwfile[0] non-null 
   (stanonik@nprdc.navy.mil)
9. perm.c - convert secs to days in check_expiration() (felipe@informador.com.mx)

xtacacsd v4.1.1 June 1997
===========================

1. Fixed bug in uwtmp.c: if it was compiled without XTACUTMP, setlogout()
   was setting the logout flag on logins.
2. Fixed 'defines' for AIX compilers.

xtacacsd v4.1  January 1997
===========================

1. Fixed the sys_errlist[] multiple define problem in Getpw.c & common.h
2. Tried to add heuristics in Getpw.c in case reached end of line in SysV
   (try to shift some fields around assuming password file did not have
    age, etc.)
3. If SHADOW_PW, now also considers the shadow password file age.
4. Stopped forcing the tp->pwlen to PASSWD_LENGTH (was causing CHAP
   authentication to fail after Cisco increased the CHAP length to
   16 bytes in v11.1)
5. Added support for HOST xxx MASK xxx (assuming HOST is an IP address).
6. Bug in strtodate() which returned 0 in case the password file had
   Jan 1, 1970 (which was then okayed by check_expiration()).
7. Better authtoken_stub() parsing of popen() return values in perm.c
8. perm.c authent_system() now checks whether the user is missing from the
   shadow password file (using sps->passwd when sps was NULL was dumping core)
9. Added SHELL definition in the Makefile since SGI 5.3 was doing its
   own thing.
10. tacupd.c bug where it was using wtmpfd instead of fd. Replaced scanf
    with gets + sscanf().
11. cur_login_count() changed so it does not count the current login
    (thus if a person invokes ppp and a tty_logout is not received, at least
    permission is not denied).
12. Now creates ASCII wtmp files (with extension .ascii).
13. taclast & tacupd modified to handle ASCII wtmp and print out incorrect 
    times.
14. xslipon() puts the GID in the STAT line if available.
15. In uwtmp_entry(), if the line number is 65535 (e.g. in ISDN lines)
    then it compares the username before overwriting the utmp entry.
16. Added 'xpasswd' to the distribution (for changing passwords in 
    alternate password files).
17. Added 'tacping.pl' to the distribution (from Univ Minnesota)
18. Now putting GID or LOGOUT reason in the comment field of WTMP file
    for easier accounting.
19. taclast fixed for bugs where it was giving inaccurate for first time
    users on a particular tty. Added '-d' option in taclast for debug output.
20. More stringent password parsing in perm.c authent_system() to avoid
    problems with OS specific shadow password getspnam(). Unixware's
    getspent() was NOT returning a NULL for an unknown user.
21. Put the arguments of popen() within quotes so that the shell does
    not misbehave when it sees ';' etc. in the arguments (perm.c)
22. Added support for OSF DCE authentication (pbhenson@csupomona.edu)
    Had to rename all md5 routines to xmd5 to prevent clashing with
    the external security library.
23. Added tacacct 'accounting'.
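
Item 21 above concerns arguments passed through popen() to a shell. The
following is an added example, not code from xtacacsd: one way to quote an
argument for a POSIX shell, assuming single quotes are used, including the case
where the argument itself contains a quote character. The names shell_quote,
build_cmd and the program path are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from xtacacsd): wrap `in` in single quotes for a
 * POSIX shell, rewriting each embedded ' as '\'' so it cannot end the quoting.
 * Returns the quoted length, or -1 if `out` is too small. */
int shell_quote(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen < 3) return -1;                  /* room for '' and NUL */
    out[n++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (n + need + 2 > outlen) return -1;   /* +2: closing quote, NUL */
        if (*in == '\'') { memcpy(out + n, "'\\''", 4); n += 4; }
        else out[n++] = *in;
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Build "<prog> '<arg>'" for popen(); fails closed instead of truncating. */
int build_cmd(const char *prog, const char *arg, char *cmd, size_t cmdlen)
{
    char q[256];
    int n;
    if (shell_quote(arg, q, sizeof q) < 0) return -1;
    n = snprintf(cmd, cmdlen, "%s %s", prog, q);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample usernames and a placeholder program path. */
    const char *samples[] = { "alice", "al;ice", "o'brien" };
    char cmd[512];
    size_t i;
    for (i = 0; i < 3; i++)
        if (build_cmd("/path/to/authprog", samples[i], cmd, sizeof cmd) == 0)
            printf("%s\n", cmd);
    return 0;
}
```

Passing the argument vector directly with fork() and execv() avoids the shell,
and with it the need for quoting.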

xtacacsd v4.0  April 1996
========================

1. SYSV defines in tacupd.c
2. Added PIDFILE (meyer@uoregon.edu)
3. Fixed '%l' in tacwho output (on some systems).
4. Check for string length in printf() format statement in uwtmp_entry().
5. Can now put line ranges in config file (kissg@sztaki.hu)
6. Fixed parsing of shell and homedir in Getpw.c (kissg@sztaki.hu)
7. perm.c does not overwrite EXPIRING reason with NONE.
8. New -Q option- do not respond if user does not exist. Reply negative if
   user exists and password failed.
9. New ENABLE_LEVELS for setting enable levels for users in the config file
   (used in cisco v10.3 and higher). -kissg@sztaki.hu
10. Support for QI/CSO names database with timeout reads.
11. xtacacsd: Graceful exit on getting SIGHUP
12. taclast enhanced. Checks username and tags all possible INACCURATE entries
13. tacupd enhanced. Support for dumping wtmp into ascii and back.
14. New tacutmp.h  file for adding comments in the utmp/wtmp files.
15. Autodetect of BSDI in Makefile
16. Added support for OSF1 SIA (DEC Enhanced Security)
17. Getpw now uses and can generate DBM files for large databases.
18. Changed (enhanced structure of the wtmp/utmp with comments). Logout
    entries now have '?' as the first character instead of a NULL.
19. Now does not reply if there is any error in the authentication routines
20. Clean rollover of wtmp files in tacupd.

xtacacsd v3.5  Nov  1995
========================

1. Fixed 'lseek()' bug for utmp files on BSDI machines.
2. Added 'tacupd' program for manipulating the wtmp and utmp files.

xtacacsd v3.4  June 1995
========================

This release fixes a large number of bugs that have been reported and also
adds a number of features such as support for 'secondary' user groups.

CHANGE THE WTMP/UTMP FILE LOCATIONS TO SOMETHING TEMPORARY SO THAT YOU
DO NOT WRITE IN YOUR EXISTING USER RECORDS WITH THE NEW utmp STRUCT.

1. Byte ordering problems fixed for DEC alpha, BSDI machines.
2. New 'taclast' program for parsing utmp & wtmp files.

	taclast -w -f UTMPFILE
	taclast -f WTMPFILE

  I have stopped using the system '/usr/include/utmp.h' file. Yes, that
  means that your old utmp/wtmp files might not be readable (if it is a
  non-BSD architecture).

3. New 'old' config keyword for old request types (in addition to login,
   connect, slipon, etc.). Only the permit action is permitted for the
   old request types. <Robert.Kiessling@rrze.uni-erlangen.de>
4. Was missing a 'p' in getopt(). Hence was not executing the system 
   password routines even when specified. Affected YP/NIS password
   processing. <Craig.Strickland@corp.wrgrace.com>
5. gethostbyaddr() returns a pointer to static data and the value wasn't
   being saved before another call in xslipon, xconnect, xslipoff.
   <guenther@gac.edu>
6. Fixed processing of lineno code in check_perm(). <john@gulfa.kuwait.net>
7. Fixed 'numlogins' processing (earlier denied slip request if the numlogins
   was set to 1 and user tried to invoke slip). <bk@galaxy.net>
8. Now checks for a user's supplementary groups also (and not just the
   primary group). <steph@candide.uchicago.edu>
9. Changed 'define SYSV' etc. to more generic defines.
10. Invalid namelen and pwlen values in CHAP responses.
11. New keywords in the config file:
	LOGGING
	QUIET
	DEBUGLEVEL x



xtacacsd v3.3  December 15, 1994
===============================

1. Added CHAP and ARAP support (brisco@rutgers.edu). Note that this xtacacsd
   software is different from the Cisco version in that it uses the password
   file syntax for storing the secrets instead of a separate secrets file.
2. Fixed bug in creation of utmp file.
3. Now creates individual host wtmp.<host> files if specified in command line
   options. Needed for 'last' to process things properly.
4. Fixed bug in xslipon- was working on the tacacs packet directly
   instead of copying the username + password over.
5. Wrote Getpw.c routines and added a 'PASSWORD DEFAULT' flag for searching
   names using the 'getpwnam()' call. If you are using YP or Shadow passwords,
   specify this option in the config file. Searching using this system call
   will NOT be case-insensitive (you can always list the file
   directly for searching using the Getpw routines). Also, NIS style entries
   in alternate password files will not work (since alternate password
   files are parsed using the simple Getpw routines).

   Essentially, I got sick of getpwent and setpwent not working on most
   machines.


xtacacsd v3.2  October 28, 1994
===============================

(3.2 fixes a small bug in release 3.1 in the Getpwnam() routine).

1. Added support for permitting or denying SLIP access for 'slip default'
   requests also  (modified xslipon procedure).

2. Support for SLIP ACL in/out lists (merged changes from Cisco's new 
   release). Have NOT incorporated the CHAP and the ARAP authentication
   types yet (short on time :-)

	GROUP  10  HOST all  slip  acl  10-15    (10 in, 15 out)

3. Support for Solaris shadow password files (rozycki@oeto.pk.edu.pl).
   Define SHADOW_PW while compiling.

4. More command line options moved into the config file. Also support
   for specifying LINE numbers as part of the config lines (in addition
   to the HOST keyword). (from Robert.Kiessling@rrze.uni-erlangen.de)

	USER unrzh5  HOST 131.188.254.50   LINE 4,5,6   all   acl 100

5. Patch to the SDI (Security Dynamics) sdcheck.c program that filters
   duplicate tries from the terminal server (jposner@saratoga.dcrt.nih.gov).

6. New 'tacstats.pl' perl script for parsing the STAT lines in the syslog
   (jposner@saratoga.dcrt.nih.gov).


xtacacsd v3.0  Aug 29, 1994
===========================

1. Supports Enigma Logic, Security Dynamics SDI cards (and any other password
   authentication program).

2. Ported to Solaris 2.x
   IF USING gcc on Solaris 2.x, MAKE SURE THAT YOU HAVE RUN 'fix includes'
   THAT COMES WITH gcc (else it cannot handle variable length argument lists
   and might have syslog() discrepancies from report()).

3. Case insensitive username matches (better than converting all to lowercase).

4. External program verification after password checks for finer control over
   the user's host, line, etc.

5. Colon formatted logging at the syslog NOTICE level.

	STAT:Service:Username:UID:GID @ From-host:line Line:TransID: \
		action-specific:service-specific

6. Bug fixes in utmp and wtmp creations (strlen replaced by sizeof)

xtacacsd v2.0  May 1994
=======================

1. Support for config file.

2. Customizable responses based on username, group-id and gecos string.

3. Inactivity timer when running under inetd (server hangs around after
   servicing requests for faster responses).

4. Updates and maintains a 'utmp' file also.

5. Can execute any Unix program in response to a query (for initiating
   dialback, etc.).

