Repository: incubator-guacamole-website Updated Branches: refs/heads/master bd10100b7 -> dfdae081e
Add draft release notes for 0.9.11-incubating. Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-website/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-website/commit/32af0f4a Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-website/tree/32af0f4a Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-website/diff/32af0f4a Branch: refs/heads/master Commit: 32af0f4a4f72ccf7671ad404adefce4fa5f426c7 Parents: bd10100 Author: Michael Jumper <[email protected]> Authored: Sun Jan 22 13:50:39 2017 -0800 Committer: Michael Jumper <[email protected]> Committed: Sun Jan 22 23:00:11 2017 -0800 ---------------------------------------------------------------------- _releases/0.9.11-incubating.md | 145 ++++++++++++++++++++++++++++++++++++ 1 file changed, 145 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-website/blob/32af0f4a/_releases/0.9.11-incubating.md ---------------------------------------------------------------------- diff --git a/_releases/0.9.11-incubating.md b/_releases/0.9.11-incubating.md new file mode 100644 index 0000000..63b2aa3 --- /dev/null +++ b/_releases/0.9.11-incubating.md @@ -0,0 +1,145 @@ +--- + +released: false +title: 0.9.11-incubating +date: 2017-01-22 23:00:00 -0800 +summary: > + Two-factor authentication, password policies, improvements to Docker and + LDAP. + +artifact-root: "https://dist.apache.org/repos/dist/dev/"; +checksum-root: "https://dist.apache.org/repos/dist/dev/"; +download-path: "incubator/guacamole/0.9.11-incubating-RC1/" + +source-dist: + - "source/guacamole-client-0.9.11-incubating.tar.gz" + - "source/guacamole-server-0.9.11-incubating.tar.gz" + +binary-dist: + - "binary/guacamole-0.9.11-incubating.war" + - "binary/guacamole-auth-jdbc-0.9.11-incubating.tar.gz" + - "binary/guacamole-auth-ldap-0.9.11-incubating.tar.gz" + - "binary/guacamole-auth-noauth-0.9.11-incubating.tar.gz" + +documentation: + "Manual" : "/doc/0.9.11-incubating/gug" + "guacamole-common" : "/doc/0.9.10-incubating/guacamole-common" + "guacamole-common-js" : "/doc/0.9.10-incubating/guacamole-common-js" + "guacamole-ext" : "/doc/0.9.11-incubating/guacamole-ext" + "libguac" : "/doc/0.9.11-incubating/libguac" + +--- + + +The 0.9.11-incubating release features support for two-factor authentication, +password policies (complexity rules, preventing password reuse, etc.), and +the ability to use the Docker images with arbitrary Guacamole extensions, not +just MySQL, PostgreSQL, and LDAP. If using both a database and LDAP, new +settings allow you to restrict access to only those users which exist in the +database, rather than allowing any LDAP user access. + +**This release contains changes which break compatibility with past releases.** +Please see the [deprecation / compatibility +notes](#deprecation--compatibility-notes) section for more information. + + +Two-factor authentication +------------------------- + +Guacamole now provides support for two-factor authentication, and includes +a new extension which integrates with Duo using their "Auth API". Users who use +the Duo authentication service can add Guacamole to their list of applications. +Once configured, Guacamole will then require confirmation from Duo before +allowing an otherwise successful authentication attempt to proceed. + +With this first implementation of two-factor authentication completed, support +for other two-factor authentication services is expected to follow. + + * [GUACAMOLE-136](https://issues.apache.org/jira/browse/GUACAMOLE-136) - Add support for TFA - initially Duo + +Password policies +----------------- + +The database authentication extensions can now be configured to enforce +password complexity rules, including requiring specific classes of characters, +disallowing passwords containing the user's username, and preventing previous +passwords from being reused. Users can also now be required to change their +password regularly, or prevented from changing their password too frequently. + + * [GUACAMOLE-36](https://issues.apache.org/jira/browse/GUACAMOLE-36) - Add support for password policies + +Docker improvements +------------------- + +The Guacamole Docker image previously only supported the official MySQL, +PostgreSQL, and LDAP extensions, with configuration automatically generated +based on environment variables. No support for deploying other extensions was +provided. As of 0.9.11-incubating, arbitrary extensions and their configuration +files can be deployed through providing a template `GUACAMOLE_HOME` directory. + +The requirement that the Guacamole Docker image be linked to the guacd Docker +image has also been lifted. Though Guacamole still requires a connection to +guacd, that connection can now be described using the `GUACD_HOSTNAME` and +`GUACD_PORT` environment variables. + + * [GUACAMOLE-99](https://issues.apache.org/jira/browse/GUACAMOLE-99) - Do not require Docker link for guacd + * [GUACAMOLE-100](https://issues.apache.org/jira/browse/GUACAMOLE-100) - Support arbitrary extensions within Guacamole Docker image + +LDAP improvements +----------------- + +For the common case where Guacamole's LDAP support is used purely for +authentication, with an MySQL or PostgreSQL database used to house connection +data, it is now possible to configure the database authentication extensions +to reject authentication attempts for users which are not defined in the +database. For those whose LDAP directories contain many users that will never +be granted access to Guacamole, these new settings mean that such users can +be denied access immediately, rather than presenting them with an empty and +useless Guacamole home screen. + +In addition, if your LDAP directory was so extensive that it exceeded the +default query size limit of 1000 records, the query size limit can now be +manually increased within `guacamole.properties`. + + * [GUACAMOLE-70](https://issues.apache.org/jira/browse/GUACAMOLE-70) - Add option to restrict access to users within database + * [GUACAMOLE-79](https://issues.apache.org/jira/browse/GUACAMOLE-79) - Add an option to allow the default LDAP result size limit (1000) to be overridden + +Capacity regression from 0.9.10-incubating +------------------------------------------ + +The new screen sharing support added in 0.9.10-incubating lead to a regression +which could cause connections to fail when the maximum number of file +descriptors supported by `select()` was exceeded. This effectively limited the +maximum number of connections a Guacamole server could support, regardless of +how powerful the server might otherwise be. This has been fixed, and Guacamole +has been refactored to use `poll()` instead of `select()`. + + * [GUACAMOLE-118](https://issues.apache.org/jira/browse/GUACAMOLE-118) - Migrate from select() to poll() + +Miscellaneous fixes / improvements +---------------------------------- + +This latest release of Guacamole also addresses potential resource leaks in the +use of SSL/TLS by guacd, segfaults in the built-in terminal emulator and VNC +client, and adds a Norwegian translation for the Guacamole interface. + + * [GUACAMOLE-86](https://issues.apache.org/jira/browse/GUACAMOLE-86) - Connection closed when printing large content in SSH + * [GUACAMOLE-117](https://issues.apache.org/jira/browse/GUACAMOLE-117) - File descriptor leak if SSL/TLS negotiation fails + * [GUACAMOLE-130](https://issues.apache.org/jira/browse/GUACAMOLE-130) - Merge contributed Norwegian translation + * [GUACAMOLE-157](https://issues.apache.org/jira/browse/GUACAMOLE-157) - Connecting to unavailable VNC endpoint causes SIGSEGV in SSH SSL lock free + + +Deprecation / Compatibility notes +================================= + +As of 0.9.11-incubating, the following changes have been made which affect +compatibility with past releases: + + +Database schema changes +----------------------- + +The MySQL and PostgreSQL schemas have changed to facilitate support for +password policies. Users of the database authentication will need to run the +`upgrade-pre-0.9.11.sql` script specific to their chosen database. +
