pam-krb5 3.6 released
Markus Moeller
huaraz at moeller.plus.com
Wed Sep 19 15:06:42 EDT 2007
Hi Russ,
Did you have a chance to look at the keytab verification problem I
mentioned some time ago? Right now you need to have a host/fqdn entry to
verify the tickets, but this means the application needs to run as root
(assuming verify_ap_req_nofail is set to true, which I think should be the
default for pam anyway).
Thank you
Markus
"Russ Allbery" <rra at stanford.edu> wrote in message
news:87ps0fbbgg.fsf at windlord.stanford.edu...
> I'm pleased to announce release 3.6 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features. It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
> When the local user doesn't exist and search_k5login is enabled, fall
> back to simple Kerberos authentication just as if the account existed
> with no .k5login file. This avoids trying to verify an all-zero
> credentials structure, leading to non-exploitable segfaults on x86_64
> systems. Be more careful in general about setting error codes in the
> search_k5login implementation.
>
> Explicitly clear the forwardable and proxiable options and don't ask
> for renewable tickets when getting a ticket for the password changing
> service. Otherwise, system-wide defaults and PAM configuration will
> apply to those tickets as well and the resulting ticket request may be
> rejected based on KDC configuration. Based on a patch by Sergio
> Gelato.
>
> Do username canonicalization earlier so that .k5login checking and
> similar work uses the correct username but only change the PAM
> username if authentication succeeds. Document that username
> canonicalization won't work with unmodified OpenSSH and with several
> common PAM modules. Thanks to R. Scott Bailey for the bug report and
> analysis.
>
> Add a prompt_principal option which, if set, causes the PAM module to
> prompt the user for the Kerberos principal to use for authentication
> before prompting for the password.
>
> Try to determine whether the PAM headers use const in the prototypes
> of such things as pam_get_item and adjust accordingly. This should
> address most compiler warnings on Solaris. Thanks, Markus Moeller.
>
> Change lib to lib64 on x86_64 Linux to allow for the magical $ISA
> parameter in Red Hat's PAM configuration. Hopefully this won't cause
> problems elsewhere.
>
> Support DESTDIR for make install.
>
> You can download it from:
>
> <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
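An added example, not part of this thread or of pam-krb5 itself: a small POSIX sh check for the precondition Markus describes. It confirms the keytab the PAM module would use for verify_ap_req_nofail is readable by the current user and contains a host/<fqdn> principal. The keytab path, FQDN and the MIT `klist -k` output format (KVNO and principal columns) are assumptions.

```shell
#!/bin/sh
# Added example (not from pam-krb5 or the original thread).
# Checks whether ticket verification against a host keytab can work for the
# user running the PAM-using service: the keytab must be readable and must
# hold a host/<fqdn>@REALM key.

# keytab_has_host_entry FQDN  (reads `klist -k KEYTAB` output on stdin)
# Returns 0 if a host/FQDN@<realm> principal is listed.
keytab_has_host_entry() {
    fqdn="$1"
    # MIT `klist -k` prints a "KVNO Principal" header, a dashed rule, then
    # one entry per line such as:   2 host/ws1.example.com@EXAMPLE.COM
    # Only rows whose first column is a numeric KVNO are real entries.
    awk -v want="host/$fqdn@" '
        NF >= 2 && $1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# keytab_readable PATH: 0 if the current user can read the keytab.
# /etc/krb5.keytab is normally root-only, which is the root requirement
# Markus points out.
keytab_readable() {
    [ -r "$1" ]
}

# check_pam_keytab [KEYTAB] [FQDN]: run both checks against a live keytab.
# Defaults (assumptions): /etc/krb5.keytab and the output of `hostname -f`.
check_pam_keytab() {
    keytab="${1:-/etc/krb5.keytab}"
    fqdn="${2:-$(hostname -f)}"
    if ! keytab_readable "$keytab"; then
        echo "keytab $keytab not readable by uid $(id -u); verification needs root" >&2
        return 1
    fi
    if ! klist -k "$keytab" | keytab_has_host_entry "$fqdn"; then
        echo "no host/$fqdn entry in $keytab; verify_ap_req_nofail would fail" >&2
        return 1
    fi
    echo "keytab $keytab usable for ticket verification as host/$fqdn"
}
```

Run it as the service's own user (not root) to see which of the two conditions blocks verification.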