pam-krb5 2.3 released

Russ Allbery rra at stanford.edu
Sun Sep 3 23:31:33 EDT 2006


Hello all,

I have just released version 2.3 of my pam-krb5 module and consider it
stable enough to warrant announcing here.  This module started life as
Frank Cusack's Kerberos v5 PAM module and has been for some years the
default Debian Kerberos PAM module.  In its life as a Debian package, it
acquired many patches and new features to the point where it became its
own fork.  Andres Salomon then started making new releases outside of
Debian and I took over maintenance from him.

This module has a completely different pedigree than the Sourceforge
Kerberos PAM module.  See below for more details.

This PAM module is available from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

That page includes pointers to the documentation and to the bzr source
repository.  Highlights of this PAM module are:

 * Options can be set on either the PAM "command line" or in krb5.conf.
   Reading options from krb5.conf uses the native krb5_appdefaults_*
   interface of your Kerberos libraries and works with both MIT and
   Heimdal.

 * Support for attempting authentication against each principal listed in
   a .k5login file to support password authentication against a shared
   account.  Yes, this isn't a good account model, but some of us are
   stuck with it.

 * Organized, commented, and hopefully readable source.  PAM has a lot of
   twisty special cases and weird edge conditions, so I'm placing a high
   priority on keeping the source readable and the workarounds clearly
   documented, including implementation notes in the README file.

This module should work with either Heimdal or MIT and with either Linux
or Solaris PAM.  I have not attempted to port it to IRIX or HP-UX PAM; it
likely will not work on those platforms.  I don't know about other
PAM-using platforms.

Compared to the Sourceforge PAM module, it has the following differences:

 * This module contains no support for Kerberos v4 or 5-to-4 translation
   services and won't.  I've intentionally omitted that support because
   sites should be moving away from Kerberos v4, I don't need it, and
   omitting it makes the source much simpler.

 * This module contains no AFS support.  I'm planning on writing a
   separate AFS PAM module that can be stacked with this one.  AFS really
   doesn't have anything to do with Kerberos v5; I'd rather write a good
   AFS PAM module and let people use the Kerberos module of their choice
   (and vice versa).

 * Some additional options are supported (search_k5login, ignore_k5login,
   and use_authtok are the main ones).

 * Some other minor options are not supported.

 * I find the code easier to read and more maintainable.  Your mileage may
   vary.

I am very interested in information about any features in the Sourceforge
PAM module that are missing from this module and are actively used (other
than Kerberos v4 or AFS support).  I've already added several that seemed
useful; it normally only takes 15 to 30 minutes to add another simple
option if someone wants it.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


