pam-krb5 3.9 released

Russ Allbery rra at stanford.edu
Mon Nov 12 20:01:15 EST 2007


I'm pleased to announce release 3.9 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    If use_authtok is set, fail even if we can retrieve the stored PAM
    password if that password is set to NULL.  Apparently that can happen
    in some cases, such as with pam_cracklib.  Thanks to Christian Holler
    for the diagnosis and a patch.

    Add a new clear_on_fail option for the password group.  If set, when a
    password change fails, set PAM_AUTHTOK to NULL so that subsequent
    modules in the PAM stack with use_authtok set will also fail.  Just
    returning failure doesn't abort the stack on the second pass when
    actual password changes are made.  This is not the default since it
    interferes with other desirable PAM configurations.  It's useful
    primarily when using the PAM stack to synchronize passwords between
    multiple environments.  Thanks to Christian Holler and Tomas Mraz for
    the analysis.

    Fix portability issues with Heimdal, versions of PAM that don't
    provide pam_modutil_getpwnam, and compiler warnings when building
    PKINIT support.  Thanks, Martin von Gagern.

    Fix parsing of the keytab PAM option.  Thanks, Markus Moeller.

    Return PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR when unable to
    resolve the Kerberos realm.  Thanks, Frank Cornelissen.

    Add a new debugging section to the README.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list