pam-krb5 3.9 released

Markus Moeller huaraz at moeller.plus.com
Tue Dec 25 09:12:19 EST 2007


Russ,

I found another small issue in auth.c. In verify_creds, krb5_kt_resolve can 
be successful but krb5_kt_start_seq_get can fail, so cursor_valid should stay 
0; otherwise krb5_kt_end_seq_get crashes with free errors.
.
.
.
        retval = krb5_kt_resolve(c, args->keytab, &keytab);
        if (retval != 0) {
            message = pamk5_compat_get_error(c, retval);
            pamk5_error(args, "cannot open keytab %s: %s", args->keytab,
                        message);
            pamk5_compat_free_error(c, message);
            keytab = NULL;
        }
        if (retval == 0) {
            retval = krb5_kt_start_seq_get(c, keytab, &cursor);
 ==New=>           if (retval == 0)
                cursor_valid = 1;
        }
.
.
.
       if (cursor_valid)
            krb5_kt_end_seq_get(c, keytab, &cursor);
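
Review bot: The krb5_kt_start_seq_get failure path at the line marked ==New=> is silent in the lines shown. The krb5_kt_resolve failure just above reports through pamk5_error, but a non-zero retval from krb5_kt_start_seq_get only leaves cursor_valid at 0, so a keytab that opens but cannot be iterated produces no message pointing at the cause. Suggest an else branch that formats retval with pamk5_compat_get_error, logs it with pamk5_error, and frees the message with pamk5_compat_free_error, mirroring the resolve case. The guard itself matches the cleanup at "if (cursor_valid)", since cursor is only initialized when krb5_kt_start_seq_get returns 0. The excerpt does not show whether keytab, which is non-NULL after a successful resolve, is released on this path; that is worth confirming in the elided cleanup code.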


Markus

BTW Merry Christmas

"Russ Allbery" <rra at stanford.edu> wrote in message 
news:87pryfdkmc.fsf at windlord.stanford.edu...
> I'm pleased to announce release 3.9 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features.  It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
>    If use_authtok is set, fail even if we can retrieve the stored PAM
>    password if that password is set to NULL.  Apparently that can happen
>    in some cases, such as with pam_cracklib.  Thanks to Christian Holler
>    for the diagnosis and a patch.
>
>    Add a new clear_on_fail option for the password group.  If set, when a
>    password change fails, set PAM_AUTHTOK to NULL so that subsequent
>    modules in the PAM stack with use_authtok set will also fail.  Just
>    returning failure doesn't abort the stack on the second pass when
>    actual password changes are made.  This is not the default since it
>    interferes with other desirable PAM configurations.  It's useful
>    primarily when using the PAM stack to synchronize passwords between
>    multiple environments.  Thanks to Christian Holler and Tomas Mraz for
>    the analysis.
>
>    Fix portability issues with Heimdal, versions of PAM that don't
>    provide pam_modutil_getpwnam, and compiler warnings when building
>    PKINIT support.  Thanks, Martin von Gagern.
>
>    Fix parsing of the keytab PAM option.  Thanks, Markus Moeller.
>
>    Return PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR when unable to
>    resolve the Kerberos realm.  Thanks, Frank Cornelissen.
>
>    Add a new debugging section to the README.
>
> You can download it from:
>
>    <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 





