pam-krb5 3.8 released

Russ Allbery rra at stanford.edu
Sun Sep 30 15:12:04 EDT 2007


It's always right after a release that someone reports a major bug that's
been present for a while.

I'm pleased to announce release 3.8 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    krb5_get_init_creds_opt_alloc doesn't initialize the returned
    structure with the default flags in MIT Kerberos 1.6, which meant that
    users with expired passwords were not being prompted to change their
    password but just rejected.  Fixed by always calling _init before
    setting the credential flags, regardless of the provenance of the opt
    structure.  Thanks, Michael Richters.

    Fix configure and Makefile glue so that Mac OS X and HP-UX have a
    chance of working (still untested).

    Add a make warnings target with aggressive gcc warning options.  Treat
    negative minimum UIDs as zero so that UID comparisons can always be
    done unsigned.  Add casts and unused attributes as needed.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
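
The minimum-UID change in the list above, as an added example that is not part of the original message and is not pam-krb5's own code: it contrasts a cast that only silences the compiler's sign-compare warning with clamping a negative setting to zero before an unsigned comparison. The function names are hypothetical, `unsigned int` stands in for `uid_t`, and the values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumption: unsigned int stands in for uid_t (unsigned on Linux/glibc).
 * All function names here are hypothetical. */

/* Cast-only "fix": the sign-compare warning goes away, but a negative
 * setting wraps to a huge unsigned value, so nearly every UID compares
 * as below the minimum. */
static bool below_minimum_cast_only(unsigned int uid, int configured)
{
    return uid < (unsigned int) configured;
}

/* Clamp a negative configured minimum to zero once, so every later
 * comparison can be done unsigned without surprises. */
static unsigned int normalize_minimum_uid(int configured)
{
    return configured < 0 ? 0u : (unsigned int) configured;
}

static bool below_minimum(unsigned int uid, int configured)
{
    return uid < normalize_minimum_uid(configured);
}

int main(void)
{
    /* Constructed sample settings and UIDs. */
    const int settings[] = { -1, 0, 1000 };
    const unsigned int uids[] = { 0u, 500u, 1000u };

    for (size_t s = 0; s < sizeof settings / sizeof settings[0]; s++) {
        for (size_t u = 0; u < sizeof uids / sizeof uids[0]; u++) {
            printf("minimum=%5d uid=%4u cast_only=%d clamped=%d\n",
                   settings[s], uids[u],
                   below_minimum_cast_only(uids[u], settings[s]),
                   below_minimum(uids[u], settings[s]));
        }
    }
    return 0;
}
```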


