pam-krb5 3.6 released
Russ Allbery
rra at stanford.edu
Tue Sep 18 23:06:39 EDT 2007
I'm pleased to announce release 3.6 of pam-krb5.
pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.
Changes from previous release:

When the local user doesn't exist and search_k5login is enabled, fall
back to simple Kerberos authentication just as if the account existed
with no .k5login file. This avoids trying to verify an all-zero
credentials structure, leading to non-exploitable segfaults on x86_64
systems. Be more careful in general about setting error codes in the
search_k5login implementation.

Explicitly clear the forwardable and proxiable options and don't ask
for renewable tickets when getting a ticket for the password changing
service. Otherwise, system-wide defaults and PAM configuration will
apply to those tickets as well and the resulting ticket request may be
rejected based on KDC configuration. Based on a patch by Sergio
Gelato.

Do username canonicalization earlier so that .k5login checking and
similar work uses the correct username but only change the PAM
username if authentication succeeds. Document that username
canonicalization won't work with unmodified OpenSSH and with several
common PAM modules. Thanks to R. Scott Bailey for the bug report and
analysis.

Add a prompt_principal option which, if set, causes the PAM module to
prompt the user for the Kerberos principal to use for authentication
before prompting for the password.

Try to determine whether the PAM headers use const in the prototypes
of such things as pam_get_item and adjust accordingly. This should
address most compiler warnings on Solaris. Thanks, Markus Moeller.

Change lib to lib64 on x86_64 Linux to allow for the magical $ISA
parameter in Red Hat's PAM configuration. Hopefully this won't cause
problems elsewhere.

Support DESTDIR for make install.
You can download it from:
<http://www.eyrie.org/~eagle/software/pam-krb5/>
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>