pam-krb5 3.7 released
Russ Allbery
rra at stanford.edu
Sun Sep 30 02:41:17 EDT 2007
I'm pleased to announce release 3.7 of pam-krb5.
pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.
Changes from previous release:
 * If given an explicit keytab path to use for credential verification,
   use the first principal found in that keytab as the principal for
   verification rather than the library default (which is normally the
   host/* principal for the local system and may not be found in that
   keytab).

 * When authenticating, don't store our context data until after
   authentication has succeeded. Otherwise, we may destroy the ticket
   cache of a previous successful authentication. This bug would only
   affect configurations where pam_krb5 was run multiple times with
   different settings, such as multiple realms. Thanks to Dave Botsch
   for the report.

 * Use pam_modutil_getpwnam instead of getpwnam if available for better
   thread safety.

 * Don't store PAM data unless we're saving a ticket cache. All the other
   calls use it for is to find the ticket cache, so without a cache it's
   pointless and means we run the risk of stomping on ourselves in
   multithreaded programs.

 * Still canonicalize the PAM user before returning when not saving a
   ticket cache.

 * Fix determination of linker flags on non-x86_64 Linux. Always link
   with -fPIC when using GCC, just in case.

 * Add compilation options for Mac OS X and HP-UX (untested).

 * Use pam_krb5 instead of ctx for our PAM data name to reduce the
   chances of collision.
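As an added illustration (not part of the announcement or of the pam-krb5 distribution), the keytab change above matters when the module is pointed at a keytab that does not contain the local host/* principal. The krb5.conf fragment below sets the pam-krb5 keytab option in the [appdefaults] "pam" section; the path /etc/krb5.keytab is a placeholder.

```ini
# krb5.conf fragment (added example, not from the announcement).
# pam-krb5 reads its options from the "pam" block of [appdefaults],
# so this is equivalent to passing keytab=... on the pam.d line.
[appdefaults]
    pam = {
        # Keytab used to verify the freshly obtained TGT against a
        # service key, which protects against a spoofed KDC. With 3.7,
        # verification uses the first principal found in this file
        # rather than the library default host/<hostname>, so a keytab
        # that holds only a service principal now works.
        # /etc/krb5.keytab is a placeholder; point this at a keytab the
        # module can read on your system.
        keytab = /etc/krb5.keytab
    }
```

To see which principal 3.7 will pick, list the keytab with `klist -k <path>`; the first entry printed is the one used for verification, so if that is not the principal you expect, reorder or split the keytab.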
You can download it from:
<http://www.eyrie.org/~eagle/software/pam-krb5/>
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>