                    1.3.3 Release Notes
                  ------------------------

This file contains a description of the major changes to ProFTPD for the
1.3.3 release cycle, from the 1.3.3rc1 release to the 1.3.3 maintenance
releases.  More information on these changes can be found in the NEWS and
ChangeLog files.

1.3.3rc1
---------

  + Added French, Bulgarian, Korean translations.

  + RPM 4.2 or later is required by the proftpd.spec file provided in the
    distribution.

  + If the --localstatedir configure option is used, proftpd's build system
    used to automatically append "/proftpd" to the configured path.  This
    behavior has been fixed; proftpd's build system will now use the
    configured --localstatedir path as is.

    Note that this may cause issues if you have an existing build script
    for compling proftpd; the expected locations of files under the
    --localstatedir path will change.

  + New command-line options:

    The -S, --serveraddr command-line option has been added.  This option
    can be used to specify the IP address of the host machine.  By
    default, proftpd attempts to resolve the host IP address by using DNS
    resolution of the hostname.  However, in cases where DNS is not
    configured for the host machine, this approach does not work.

    To specify the desired IP address, use -S when starting proftpd, e.g.:

      /usr/local/sbin/proftpd -S 1.2.3.4 ...

    And if you want proftpd to listen on all interfaces, you can specify
    a wildcard socket using an IP address of 0.0.0.0:

      /usr/local/sbin/proftpd -S 0.0.0.0 ...

  + New modules:

    mod_exec

      This module enables execution of external scripts based on actions/events
      during a session.  See doc/contrib/mod_exec.html for details.

    mod_sftp

      This module implements the SSH2, SFTP, and SCP protocols.  See
      doc/contrib/mod_sftp.html for more information.

    mod_sftp_pam

      This module uses PAM to provide a 'keyboard-interactive' SSH2
      authentication method for mod_sftp.  More information can be found in
      the documentation for mod_sftp_pam, in doc/contrib/mod_sftp_pam.html.

    mod_sftp_sql

      This module uses SQL (via mod_sql) for looking up authorized SSH2 
      public keys for user and hostbased authentication.  More information
      is available in doc/contrib/mod_sftp_sql.html.

    mod_shaper

      This module can be used to provide data transfer rate "shaping"
      across the entire server.  See the documentation at
      doc/contrib/mod_shaper.html.

    mod_tls_shmcache

      This module provides an external SSL session cache using shared
      memory; see the TLSSessionCache configuration directive.  More
      information on this module can be found in
      doc/contrib/mod_tls_shmcache.html.

  + New configuration directives:

    RewriteHome

      The RewriteHome directive can be used to support rewriting the
      home directory for a user, based on regular expression rules.
      One such use case is where some portion of the home directory is
      retrieved e.g. from an LDAP directory, but you need to apply some
      custom prefix to the LDAP attribute.

      To enable this feature, first you need to add the following to your
      proftpd.conf:

        RewriteHome on

      Next, you need to configure the mod_rewrite rules for rewriting your home
      directory; this feature depends on mod_rewrite for the rewriting.
      The pseudo-command used by mod_rewrite for rewriting home directories is
      "REWRITE_HOME".  Thus would you use:

        <IfModule mod_rewrite.c>
          RewriteEngine on
          RewrlteLog /path/to/rewrite.log

          RewriteCondition %m REWRITE_HOME
          RewriteRule (.*) /my/new/prefix$1
        </IfModule>

    ScoreboardScrub

      The ScoreboardScrub directive can be used to turn on/off proftpd's
      periodic "scrubbing" of its ScoreboardFile, where the ScoreboardFile
      is scanned for entries of dead sessions:

        ScoreboardScrub on|off|secs

      Note that if scoreboard scrubbing is turned off, the ScoreboardFile
      can still be scrubbed on demand, either by using mod_ctrls_admin's
      "ftpdctl scoreboard scrub" action, or by using the new ftpscrub
      command-line utility.

    TLSControlsACLs

      With the addition of support for external session caches, the
      mod_tls module now supports some ftpdctl actions for interacting
      with those session caches.  The TLSControlsACLs directive can be
      used to configure ACLs for the ftpdctl actions supported by mod_tls,
      and is analogous to other ACLs directives for other modules which
      support ftpdctl actions.

    TLSPKCS12File

      The TLSPKCS12File directive of the mod_tls module is used to
      configure mod_tls to use the certificate and private key contained
      in the indicated PKCS#12 file.  Some sites already use PKCS#12 files
      for containing their other certificates, and thus find it useful to
      have PKCS#12 support in mod_tls.

    TLSSessionCache

      The TLSSessionCache directive configures an external SSL session
      cache, which can be used for storing and shared SSL sessions across
      multiple processes.  An external SSL session cache is an optional
      facility which speeds up parallel FTPS session connections.

      See doc/contrib/mod_tls.html#TLSSessionCache for more information.

  + Changed configuration directives:

    AllowOverride

      This directive no longer supports the optional user/group/class
      parameters.  If you wish to have per-user/group/class conditional
      use of the AllowOverride directive, you will need to use the
      mod_ifsession module.  For example, instead of:

        AllowOverride off user !admin

      you will need to use:

        <IfUser admin>
          AllowOverride on
        </IfUser>

        <IfUser !admin>
          AllowOverride off
        </IfUser>

      Note that the "!admin" section is necessary.  If you set
      "AllowOverride off" unconditionally, then use a mod_ifsession context,
      you would end up with two AllowOverride settings, and the code might not
      be able to distinguish properly which setting to use.  Thus you need to
      make both the "on" and "off" cases conditional, and mutually exclusive.

      Configurations which use the user/group/class conditional parameters
      to AllowOverride will now generate configuration errors.

    BanOnEvent

      The BanOnEvent directive of the mod_ban module now supports
      TimeoutLogin events.

    <VirtualHost>

      You can now specify an IP address of "0.0.0.0" in a <VirtualHost>
      definition.

    IdentLookups

      The default IdentLookups value is now 'off'.  The RFC1413 IDENT lookup
      adds latency to the login process, so much so that it is a FAQ to
      configure "IdentLookups off".  In addition, the IDENT protocol is not
      secure; it can easily be spoofed using man-in-the-middle attacks.  Sites
      that require IDENT lookups must now explicitly configure
      "IdentLookups on".

      Note that in order to use IdentLookups, you must compile proftpd with
      the mod_ident module.  If you use the --disable-ident configure
      option, then proftpd will not recognize the IdentLookups directive.
      Thus in your proftpd.conf, you should use something like:

        <IfModule mod_ident.c>
          IdentLookups on
        </IfModule>

      if you want to use RFC1413 lookups.

    LogFormat, SQLNamedQuery

      There is a new variable, %{protocol}, which describes the protocol
      that the client is using.  This variable can have values of "ftp",
      "ftps", "ssh2", "sftp", and "scp".

      Note that for SSH2 connections, the value will be "ssh2" until SFTP or
      SCP channels are opened; this means that during login, the %{protocol}
      value will be "ssh2".

      There is also a new %w variable which is only valid for RNTO commands.
      The %w value will be the original name of the file being renamed
      (mnemonic: "whence" a renamed file comes).

    RewriteCondition, RewriteRule

      Use of environment variables in mod_rewrite rules is now supported
      via the "%{ENV:var}" syntax.

    SQLGroupInfo

      The SQLGroupInfo now supports custom queries for retrieve group
      information.  Note that instead of a single custom query, several
      different queries are needed; different lookups are called for
      depending on the situation and configuration of mod_sql (e.g.
      using the 'groupset' or 'groupsetfast' SQLAuthenticate parameters).

      See doc/contrib/mod_sql.html#SQLGroupInfo and
      doc/howto/SQL.html#SQLUsersetfast for more details.

    SQLUserInfo

      The support for custom SQLUserInfo queries has been extended to
      support custom queries to be used when the 'userset' or 'usersetfast'
      SQLAuthenticate parameters are used.

      For more information, see doc/contrib/mod_sql.html#SQLUserInfo and 
      doc/howto/SQL.html#SQLUsersetfast.

    TLSOptions

      The NoSessionReuseRequired option has been added.  As of
      ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
      that reuse the SSL session of the control connection, as a security
      measure.  Unfortunately, there are some clients (e.g. curl) which
      do not reuse SSL sessions.

      To relax the requirement that the SSL session from the control
      connection be reused for data connections, use the following in the
      proftpd.conf:

        <IfModule mod_tls.c>
          ...
          TLSOptions NoSessionReuseRequired
          ...
        </IfModule>

    TLSRequired

      The TLSRequired directive can now be used in <Directory> sections and
      in .ftpaccess files.  When used in these configuration contexts, only
      the TLSRequired values that require SSL/TLS protection on data transfers
      are honored.  With this, it is now possible to mark specific files or
      directories as requiring SSL/TLS protection to be accessed via data
      transfer.

    TransferLog

      The "service-name" field of the TransferLog usually contains just
      "ftp".  In order to support TransferLogs for SFTP and SCP transfers,
      the service-name field of the TransferLog format may now show
      "sftp" or "scp".  It may also show "ftps" instead of "ftp", if the
      data transfer occurred while the client is using FTP over SSL/TLS.

      NOTE: This change, while correct, may cause issues for log parsers.

  + Deprecated configuration directives:

    AnonymousGroup

      Support for this directive has been removed.

  + Developer Notes

    If you are a module developer, then you will want to know of the following
    API/internals changes:

      * The original USER value sent by the client is no longer stored in
        the config tree.  That is, the following no longer works:

          user = get_param_ptr(main_server->conf, C_USER, FALSE);

        Instead, the original USER value is stashes in the session.notes
        table.  Thus the above line of code can be replaced with:

          user = pr_table_get(session.notes, "mod_auth.orig-user", NULL);

        A similar change occurred for the anonymous "password" sent, but
        this will probably not apply to most modules.

 
Last Updated: $Date: 2009/07/01 02:50:04 $
