pam-krb5 3.10 released

Russ Allbery rra at stanford.edu
Sat Dec 29 01:09:11 EST 2007


I'm pleased to announce release 3.10 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    The workaround for krb5_get_init_creds_opt_alloc problems in MIT
    Kerberos 1.6 broke PKINIT support with Heimdal.  Only apply that
    workaround when building against the MIT Kerberos libraries.  Thanks
    to Jaakko Pero for the detailed report.

    If no_ccache is set, always exit successfully from pam_setcred or
    pam_open_session, even if we couldn't retrieve module data.  Thanks,
    Markus Moeller.

    When keytab is set, properly handle failure to create a keytab cursor
    and don't assume that the cursor is valid.  Thanks, Markus Moeller.

    Define _ALL_SOURCE on AIX to get prototypes for snprintf.

    Add additional portability glue and Autoconf probes to support
    building against the version of Kerberos bundled with AIX.  Support
    for this should be considered alpha in this release.  Thanks to Markus
    Moeller for the initial patch.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list