pam-krb5 3.6 released

Russ Allbery rra at stanford.edu
Tue Sep 18 23:06:39 EDT 2007


I'm pleased to announce release 3.6 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    When the local user doesn't exist and search_k5login is enabled, fall
    back to simple Kerberos authentication just as if the account existed
    with no .k5login file.  This avoids trying to verify an all-zero
    credentials structure, leading to non-exploitable segfaults on x86_64
    systems.  Be more careful in general about setting error codes in the
    search_k5login implementation.

    Explicitly clear the forwardable and proxiable options and don't ask
    for renewable tickets when getting a ticket for the password changing
    service.  Otherwise, system-wide defaults and PAM configuration will
    apply to those tickets as well and the resulting ticket request may be
    rejected based on KDC configuration.  Based on a patch by Sergio
    Gelato.

    Do username canonicalization earlier so that .k5login checking and
    similar work uses the correct username but only change the PAM
    username if authentication succeeds.  Document that username
    canonicalization won't work with unmodified OpenSSH and with several
    common PAM modules.  Thanks to R. Scott Bailey for the bug report and
    analysis.

    Add a prompt_principal option which, if set, causes the PAM module to
    prompt the user for the Kerberos principal to use for authentication
    before prompting for the password.

    Try to determine whether the PAM headers use const in the prototypes
    of such things as pam_get_item and adjust accordingly.  This should
    address most compiler warnings on Solaris.  Thanks, Markus Moeller.

    Change lib to lib64 on x86_64 Linux to allow for the magical $ISA
    parameter in Red Hat's PAM configuration.  Hopefully this won't cause
    problems elsewhere.

    Support DESTDIR for make install.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


