pam-krb5 3.10 released

Markus Moeller huaraz at moeller.plus.com
Sat Jan 19 12:40:56 EST 2008 

Russ,

I usually don't use the change password feature, but I now checked the pam 
help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux and Solaris 
it states that only pam_acct_mgmt should return PAM_NEW_AUTHTOK_REQD for 
exired passwords not pam_sm_authenticate. I haven't yet checked the Openssh 
and others sources, but I think you need to save the state you get 
inpam_sm_authenticate and use it in pam_sm_acct_mgmt.

Any thoughts ?

Markus


"Russ Allbery" <rra at stanford.edu> wrote in message 
news:mailman.1.1198952771.5144.kerberos at mit.edu...
> I'm pleased to announce release 3.10 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features.  It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
>    The workaround for krb5_get_init_creds_opt_alloc problems in MIT
>    Kerberos 1.6 broke PKINIT support with Heimdal.  Only apply that
>    workaround when building against the MIT Kerberos libraries.  Thanks
>    to Jaakko Pero for the detailed report.
>
>    If no_ccache is set, always exit successfully from pam_setcred or
>    pam_open_session, even if we couldn't retrieve module data.  Thanks,
>    Markus Moeller.
>
>    When keytab is set, properly handle failure to create a keytab cursor
>    and don't assume that the cursor is valid.  Thanks, Markus Moeller.
>
>    Define _ALL_SOURCE on AIX to get prototypes for snprintf.
>
>    Add additional portability glue and Autoconf probes to support
>    building against the version of Kerberos bundled with AIX.  Support
>    for this should be considered alpha in this release.  Thanks to Markus
>    Moeller for the initial patch.
>
> You can download it from:
>
>    <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list