pam-krb5 3.0 released

Russ Allbery rra at stanford.edu
Mon Dec 18 20:40:28 EST 2006


I'm pleased to announce release 3.0 of pam-krb5.  This release features
PKINIT support for the current Heimdal release candidates, based on code
contributed by Douglas Engert (which I probably broke in the process of
integrating it).  Quite a bit of code has changed in this release, so
please test carefully and be cautious before deploying it in a production
environment.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    Add preliminary PKINIT support, contributed by Douglas E. Engert.
    I reorganized and refactored the code extensively and it therefore may
    not compile; until it has received more testing, it should be
    considered alpha-quality.  Currently, PKINIT support requires Heimdal
    0.8rc1 or later.

    Add a keytab configuration option to use a different keytab for
    initial credential validation.

    Add a ticket_lifetime configuration option to set the lifetime of
    obtained credentials.

    Add the banner and expose_account configuration options, which control
    the prompts for authentication and password changing.  Provide more
    informative prompts when changing passwords.

    Work around a bug in MIT Kerberos prior to 1.4 causing the library to
    cache the default realm and assume a particular realm even if the
    default realm is later changed.  This bug prevented running two
    instances of pam-krb5 with different realm settings in the same PAM
    stack.  Thanks, Dave Botsch.

    Honor PAM_SILENT when the Kerberos library prompts for more
    information, passing only the prompts themselves through to the
    application.

    If PAM_USER is set to a fully-qualified principal that the Kerberos
    library can map to a local account name, reset PAM_USER to that local
    account name after authentication.

    Avoid memory leaks in the Kerberos prompter by freeing the PAM
    response strings.  We were already doing this elsewhere and the world
    didn't end, so assume that it's safe for the PAM module to do this.
    Also avoid memory leaks in some unusual error conditions.

    Return unknown user rather than internal error when attempting
    authentication of a user we're supposed to ignore.

    When debug is enabled, report the principal for which we're attempting
    authentication to help catch realm configuration errors.

    Document the broken behavior of old versions of OpenSSH, which tell
    PAM to refresh credentials rather than opening a session.  Thanks,
    Michael C. Garrison.

    Add a link to the distribution page to the pam-krb5 man page.

    Extensive refactoring and reorganization of the code.
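As an added illustration, not taken from this announcement or from the pam-krb5 distribution, the options named above combined in one PAM stack and in krb5.conf; the realm names, keytab paths, lifetimes and banner text are placeholders, and whether a given option is honored in your build should be checked against the pam-krb5 man page for the version installed.

```text
# /etc/pam.d/sshd (constructed example; realms and paths are placeholders)
#
# Two pam_krb5 instances with different realm settings in the same stack,
# the case the MIT Kerberos realm-caching workaround in 3.0 is meant for.
# keytab points each instance at the service key used to validate the
# freshly obtained credentials, ticket_lifetime bounds how long those
# credentials stay usable, and expose_account/banner shape the prompts.
auth     sufficient  pam_krb5.so realm=EXAMPLE.COM keytab=/etc/krb5.keytab ticket_lifetime=10h expose_account
auth     sufficient  pam_krb5.so realm=LAB.EXAMPLE.COM keytab=/etc/krb5-lab.keytab ticket_lifetime=8h banner=Lab
auth     required    pam_unix.so try_first_pass
account  required    pam_krb5.so
session  optional    pam_krb5.so

# The same settings expressed in /etc/krb5.conf instead of as PAM options.
# pam-krb5 reads the "pam" application section of [appdefaults]; a block
# named after a realm overrides the defaults for that realm only.
[appdefaults]
    pam = {
        keytab          = /etc/krb5.keytab
        ticket_lifetime = 10h
        expose_account  = true
        LAB.EXAMPLE.COM = {
            keytab          = /etc/krb5-lab.keytab
            ticket_lifetime = 8h
            banner          = Lab
        }
    }
```

With debug enabled on either instance, the principal reported in the log shows which realm a login attempt was mapped to, which is the quickest way to confirm the two-realm stack is doing what was intended.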

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

Debian packages will be uploaded to Debian unstable after the etch
release.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>