pam-krb5 3.10 released
Markus Moeller
huaraz at moeller.plus.com
Sat Jan 19 12:40:56 EST 2008
Russ,
I usually don't use the change password feature, but I now checked the pam
help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux and Solaris
it states that only pam_acct_mgmt should return PAM_NEW_AUTHTOK_REQD for
exired passwords not pam_sm_authenticate. I haven't yet checked the Openssh
and others sources, but I think you need to save the state you get
inpam_sm_authenticate and use it in pam_sm_acct_mgmt.
Any thoughts ?
Markus
"Russ Allbery" <rra at stanford.edu> wrote in message
news:mailman.1.1198952771.5144.kerberos at mit.edu...
> I'm pleased to announce release 3.10 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features. It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
> The workaround for krb5_get_init_creds_opt_alloc problems in MIT
> Kerberos 1.6 broke PKINIT support with Heimdal. Only apply that
> workaround when building against the MIT Kerberos libraries. Thanks
> to Jaakko Pero for the detailed report.
>
> If no_ccache is set, always exit successfully from pam_setcred or
> pam_open_session, even if we couldn't retrieve module data. Thanks,
> Markus Moeller.
>
> When keytab is set, properly handle failure to create a keytab cursor
> and don't assume that the cursor is valid. Thanks, Markus Moeller.
>
> Define _ALL_SOURCE on AIX to get prototypes for snprintf.
>
> Add additional portability glue and Autoconf probes to support
> building against the version of Kerberos bundled with AIX. Support
> for this should be considered alpha in this release. Thanks to Markus
> Moeller for the initial patch.
>
> You can download it from:
>
> <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list