pam-krb5 3.3 released

Russ Allbery rra at stanford.edu
Wed Jan 24 20:52:29 EST 2007


I'm pleased to announce release 3.3 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    Support the new MIT Kerberos error message functions.

    Fix compilation errors in the Heimdal PKINIT support and don't be
    confused by a similar function in the MIT Kerberos PKINIT branch.
    Thanks to Douglas E. Engert for the testing and patch.

    Fix compilation errors with Heimdal 0.7, which has some of the PKINIT
    functions but doesn't define the same error codes.  Thanks, Morgan
    LEFIEUX.

    Initial support for the MIT Kerberos PKINIT branch, which uses a
    different mechanism for configuring PKINIT support than Heimdal.  Also
    support configuration of general preauth parameters for the MIT
    preauth plugin system via the preauth_opt option.  Thanks to Douglas
    E. Engert for the initial patch.

    If use_pkinit is set in the PAM configuration and PKINIT isn't
    available or cannot be forced, always fail authentication.

Hopefully we're now converging on good PKINIT support.  The code should
still be considered alpha until it can be verified by people who have the
necessary hardware.  I am to a degree working blind, since I am using
neither libraries with the necessary support nor hardware required to do
interesting things, and with the error handling changes and the new
options here, there may still be some compilation problems.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

Debian packages will be uploaded to Debian unstable after etch releases.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


