pam-krb5 3.7 released

Russ Allbery rra at stanford.edu
Sun Sep 30 02:41:17 EDT 2007


I'm pleased to announce release 3.7 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    If given an explicit keytab path to use for credential verification,
    use the first principal found in that keytab as the principal for
    verification rather than the library default (which is normally the
    host/* principal for the local system and may not be found in that
    keytab).

    When authenticating, don't store our context data until after
    authentication has succeeded.  Otherwise, we may destroy the ticket
    cache of a previous successful authentication.  This bug would only
    affect configurations where pam_krb5 was run multiple times with
    different settings, such as multiple realms.  Thanks to Dave Botsch
    for the report.

    Use pam_modutil_getpwnam instead of getpwnam if available for better
    thread safety.

    Don't store PAM data unless we're saving a ticket cache.  All that
    other calls use it for is to find the ticket cache, so without a cache
    it's pointless and means we run the risk of stomping on ourselves in
    multithreaded programs.

    Still canonicalize the PAM user before returning when not saving a
    ticket cache.

    Fix determination of linker flags on non-x86_64 Linux.  Always link
    with -fPIC when using GCC, just in case.

    Add compilation options for Mac OS X and HP-UX (untested).

    Use pam_krb5 instead of ctx for our PAM data name to reduce the
    chances of collision.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
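
The ordering fix described in the changes above ("don't store our context data until after authentication has succeeded"), as an added example that is not pam-krb5's own code. It is a toy single-slot store which assumes the module context is kept as named PAM data whose cleanup destroys the ticket cache and that, as with pam_set_data, replacing an entry runs the old entry's cleanup; slot_set, ctx_cleanup, kdc_accepts, authenticate and the realm names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for one named PAM data slot (assumption: as with
 * pam_set_data(), replacing the slot runs the old entry's cleanup). */
struct slot { void *data; void (*cleanup)(void *); };

static void slot_set(struct slot *s, void *data, void (*cleanup)(void *)) {
    if (s->data != NULL && s->cleanup != NULL)
        s->cleanup(s->data);            /* old context is torn down here */
    s->data = data;
    s->cleanup = cleanup;
}

/* Hypothetical module context: only tracks whether its cache exists. */
struct ctx { const char *realm; int cache_exists; };
static void ctx_cleanup(void *p) {
    ((struct ctx *)p)->cache_exists = 0;    /* models destroying the cache */
}

/* Constructed rule: the user's password is only valid in REALM-A. */
static int kdc_accepts(const char *realm) { return strcmp(realm, "REALM-A") == 0; }

/* One module invocation.  store_first=1 is the old order, 0 the fixed one. */
static int authenticate(struct slot *s, struct ctx *c, int store_first) {
    if (store_first)
        slot_set(s, c, ctx_cleanup);    /* stored before we know the result */
    if (!kdc_accepts(c->realm))
        return 0;                       /* failure: nothing more is stored */
    c->cache_exists = 1;                /* success: ticket cache written */
    if (!store_first)
        slot_set(s, c, ctx_cleanup);    /* stored only after success */
    return 1;
}

/* Module stacked twice (two realms); returns 1 if REALM-A's cache survives. */
int cache_survives(int store_first) {
    struct slot s = { NULL, NULL };
    struct ctx a = { "REALM-A", 0 }, b = { "REALM-B", 0 };
    authenticate(&s, &a, store_first);  /* succeeds, creates a cache */
    authenticate(&s, &b, store_first);  /* fails */
    return a.cache_exists;
}

int main(void) {
    printf("store before auth: cache survives = %d\n", cache_survives(1));
    printf("store after auth:  cache survives = %d\n", cache_survives(0));
    return 0;
}
```

With the old order the failed second invocation replaces the stored context and its cleanup removes the first realm's cache; with the fixed order a failed invocation never touches the slot.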


