pam-krb5 2.5 released

David Pullman dpullman at nist.gov
Sat Nov 11 10:01:19 EST 2006


Russ Allbery wrote:
> I'm pleased to announce release 2.5 of my Kerberos v5 PAM module.
> 
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features.  It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
> 
> Changes from previous release:
> 
>     Don't free the results of pam_get_item(PAM_AUTHTOK) when changing
>     passwords.  Thanks, Arne Nordmark.
> 
>     Be a bit more thorough when checking authorization in
>     pam_sm_acct_mgmt.  Re-retrieve the value of user in case the
>     application changed it, and if we have a ticket cache (we may not even
>     after a successful authentication if no_ccache was specified),
>     retrieve the principal from it rather than using the principal from
>     the context.
> 
>     Overwrite passwords with 0 before freeing them, just out of paranoia
>     (and because PAM also does this internally).
> 
> You can download it from:
> 
>     <http://www.eyrie.org/~eagle/software/pam-krb5/>
> 
> Debian packages have been uploaded to Debian unstable and will hopefully
> also be in the upcoming etch release.
> 
> Please let me know of any problems or feature requests.
> 

Where I work we are migrating to a Kerberos authentication solution from 
NIS.  The newer systems are doing fine, but we have some "legacy" 
Solaris 8 and 9 boxes that will need to be around for perhaps a couple 
of years.

Our hope is to try and get a decent pam setup on the Solaris boxes so we 
can use them without having to maintain NIS passwd just for them.  In 
testing we found that Solaris pam-krb5 seems to need to have host 
principals, and that it takes 30 to 40 seconds to get through a dt login.

I noticed mention of Solaris in the README and change summary.  Is it 
possible to use this pam-krb5 with S8 or S9?  In some initial attempts 
at this, it would seem that it will only compile with MIT libraries 
available, as if the Solaris krb is not sufficient, at least prior to 
S10?  If anyone has any experience with this, or suggestions, I would be 
most appreciative.

Thanks very much.

--
David Pullman
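
The two memory-handling changes in the quoted announcement (not freeing what pam_get_item returns, and overwriting passwords with 0 before freeing them), shown as an added C example. This is not pam-krb5's own code; the helper names wipe, copy_password, free_password and residue_after_wipe and the sample password are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: write zeros through a volatile pointer so the
   compiler cannot drop the stores as dead writes just ahead of free(). */
static void wipe(void *buf, size_t n)
{
    volatile unsigned char *p = buf;
    while (n-- > 0)
        *p++ = 0;
}

/* Take a private copy of a password we do not own. A pointer returned by
   pam_get_item() belongs to PAM and must never be freed by the module. */
static char *copy_password(const char *borrowed)
{
    size_t n = strlen(borrowed) + 1;
    char *own = malloc(n);
    if (own != NULL)
        memcpy(own, borrowed, n);
    return own;
}

/* Zero and release a copy we allocated, then clear the caller's pointer so
   a second call is a harmless no-op instead of a double free. */
static void free_password(char **pass)
{
    if (pass == NULL || *pass == NULL)
        return;
    wipe(*pass, strlen(*pass));
    free(*pass);
    *pass = NULL;
}

/* Count non-zero bytes left after wiping a copy; 0 means fully cleared. */
static size_t residue_after_wipe(const char *secret)
{
    size_t len = strlen(secret), i, left = 0;
    char *own = copy_password(secret);
    if (own == NULL)
        return (size_t)-1;
    wipe(own, len);
    for (i = 0; i < len; i++)
        left += (own[i] != 0);
    free(own);
    return left;
}
```
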




