pam-krb5 3.11 released

Russ Allbery rra at
Thu Jul 10 20:27:05 EDT 2008

I'm pleased to announce release 3.11 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    pam_setcred, pam_open_session, and pam_acct_mgmt now return PAM_IGNORE
    for ignored users or non-Kerberos logins rather than PAM_SUCCESS.
    This return code tells the PAM library to continue as if the module
    were not present in the configuration and allows sufficient to be
    meaningful for pam-krb5 in account and session groups.
    pam_authenticate continues to return failure for ignored users;
    PAM_IGNORE would arguably be more correct, but increases the risk of
    security holes through incorrect configuration.

    Support correct password expiration handling according to the PAM
    standard (returning success from pam_authenticate and an error from
    pam_acct_mgmt and completing the authentication after pam_chauthotk).
    This is not the default since it opens security holes with broken
    applications that don't call pam_acct_mgmt or ignore its exit status.
    To enable it, set the PAM option defer_pwchange for applications known
    to make the correct PAM calls and check return codes.

    Add a new option to attempt change of expired passwords during
    pam_authenticate if Kerberos authentication returns a password expired
    error.  Normally, the Kerberos library will do this for you, but some
    Kerberos libraries (notably Solaris) disable that code.  This option
    allows simulation of the normal Kerberos library behavior on those

    Work around an apparent Heimdal bug when krb5_free_cred_contents is
    called on an all-zero credential structure.  It's not clear what's
    going on here and the Heimdal code looks correct, but avoiding the
    call fixes the problem.

    Warn if more than one of use_authtok, use_first_pass, and
    try_first_pass is set and use the strongest of the one set.

    Remove the workaround for versions of MIT Kerberos that didn't
    initialize a krb5_get_init_creds_opt structure on opt_alloc.  This bug
    was only present in early versions of 1.6; the correct fix is to

    Add an additional header check for AIX's bundled Kerberos.

    If KRB5_CONFIG was explicitly set in the environment, don't use a
    different krb5-config based on --with-krb5.  If krb5-config isn't
    executable, don't use it.  This allows one to force library probing by
    setting KRB5_CONFIG to point to a nonexistent file.

    Sanity-check the results of krb5-config before proceeding and error
    out in configure if they don't work.

    For Kerberos libraries without krb5-config, also check for networking
    libraries (-lsocket and friends) before checking for Kerberos
    libraries in case shared library dependencies are broken.

    Fix Autoconf syntax error when probing for libkrb5support.  Thanks,
    Mike Garrison.

    Set an explicit visibility of hidden for all internal functions at
    compile time if gcc is used to permit better optimization.  Hide all
    functions except the official interfaces using a version script on
    Linux.  This protects against leaking symbols into the application
    namespace and provides some mild optimization benefit.

    Fix the probing of PAM headers for const on Mac OS X.  This will
    suppress some harmless compiler warnings there.  Thanks, Markus

You can download it from:


Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list