pam-krb5 3.6 released

Markus Moeller huaraz at moeller.plus.com
Wed Sep 19 15:06:42 EDT 2007


Hi Russ,

Did you have a chance to look at the keytab verification problem I 
mentioned some time ago? Right now you need to have a host/fqdn entry to 
verify the tickets, but this means the application needs to run as root 
(assuming verify_ap_req_nofail is set to true, which I think should be the 
default for pam anyway).

Thank you
Markus

"Russ Allbery" <rra at stanford.edu> wrote in message 
news:87ps0fbbgg.fsf at windlord.stanford.edu...
> I'm pleased to announce release 3.6 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features.  It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
>    When the local user doesn't exist and search_k5login is enabled, fall
>    back to simple Kerberos authentication just as if the account existed
>    with no .k5login file.  This avoids trying to verify an all-zero
>    credentials structure, leading to non-exploitable segfaults on x86_64
>    systems.  Be more careful in general about setting error codes in the
>    search_k5login implementation.
>
>    Explicitly clear the forwardable and proxiable options and don't ask
>    for renewable tickets when getting a ticket for the password changing
>    service.  Otherwise, system-wide defaults and PAM configuration will
>    apply to those tickets as well and the resulting ticket request may be
>    rejected based on KDC configuration.  Based on a patch by Sergio
>    Gelato.
>
>    Do username canonicalization earlier so that .k5login checking and
>    similar work uses the correct username but only change the PAM
>    username if authentication succeeds.  Document that username
>    canonicalization won't work with unmodified OpenSSH and with several
>    common PAM modules.  Thanks to R. Scott Bailey for the bug report and
>    analysis.
>
>    Add a prompt_principal option which, if set, causes the PAM module to
>    prompt the user for the Kerberos principal to use for authentication
>    before prompting for the password.
>
>    Try to determine whether the PAM headers use const in the prototypes
>    of such things as pam_get_item and adjust accordingly.  This should
>    address most compiler warnings on Solaris.  Thanks, Markus Moeller.
>
>    Change lib to lib64 on x86_64 Linux to allow for the magical $ISA
>    parameter in Red Hat's PAM configuration.  Hopefully this won't cause
>    problems elsewhere.
>
>    Support DESTDIR for make install.
>
> You can download it from:
>
>    <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
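The keytab question above comes down to two host settings a defender can audit: whether krb5.conf makes ticket verification mandatory (verify_ap_req_nofail), and whether the keytab that verification reads is actually readable by the account the PAM-using service runs as. The following shell script is an added example for this thread, not code from pam-krb5 or from either poster; it parses a constructed krb5.conf, reports both settings, and assumes that verification uses the library's default keytab (default_keytab_name in [libdefaults], or /etc/krb5.keytab when unset). The file paths and the sample configuration are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper (added example, not part of pam-krb5): report whether a
# krb5.conf requires ticket verification and whether the keytab that
# verification would read is readable by the current user.

# Print the value of one [libdefaults] relation from a krb5.conf file.
# Usage: krb5_libdefault <krb5.conf> <name>; prints nothing if unset.
krb5_libdefault() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                     # skip comment lines
        /^[ \t]*\[/ {                            # section header
            insect = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next
        }
        insect && index($0, "=") {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Succeed (exit 0) when verify_ap_req_nofail is enabled, i.e. a failure
# to verify the TGT against the keytab makes authentication fail instead
# of being silently skipped.
verify_required() {
    v=$(krb5_libdefault "$1" verify_ap_req_nofail)
    case "$v" in
        true|yes|1|on) return 0 ;;
        *)             return 1 ;;
    esac
}

# Succeed when the keytab the library would use (default_keytab_name, or
# /etc/krb5.keytab when unset) is readable by the user running this check.
# Run it as the unprivileged service account to reproduce the root-only
# problem described in the thread.
keytab_readable() {
    kt=$(krb5_libdefault "$1" default_keytab_name)
    kt=${kt:-/etc/krb5.keytab}
    kt=${kt#FILE:}          # strip the optional FILE: prefix
    [ -r "$kt" ]
}

# Demonstration on a constructed configuration and a placeholder keytab
# file (an empty file standing in for a real keytab; no real keys).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/krb5.conf" <<EOF
[libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = true
    default_keytab_name = FILE:$tmp/krb5.keytab
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF
    : > "$tmp/krb5.keytab"
    chmod 600 "$tmp/krb5.keytab"

    if verify_required "$tmp/krb5.conf"; then
        printf 'verification: required (verify_ap_req_nofail=true)\n'
    else
        printf 'verification: optional, KDC spoofing not prevented\n'
    fi
    if keytab_readable "$tmp/krb5.conf"; then
        printf 'keytab: readable by %s\n' "$(id -un)"
    else
        printf 'keytab: NOT readable by %s; verification would fail\n' "$(id -un)"
    fi
    rm -rf "$tmp"
}

demo
```

Running the script as root shows both checks passing; running it as the service account that actually invokes PAM is the interesting case, since a 600, root-owned keytab combined with verify_ap_req_nofail = true means that account cannot authenticate anyone at all, which is the trade-off the message describes.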