pam-krb5 3.12 released

Russ Allbery rra at stanford.edu
Thu Nov 13 14:20:36 EST 2008


I'm pleased to announce release 3.12 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    Add alt_auth_map configuration option, which allows mapping of
    usernames to alternative Kerberos principals, useful primarily for
    using particular instances for access to a given PAM-authenticated
    service.  Also added force_alt_auth and only_alt_auth options to
    control when alternative Kerberos principals are used.  Patch from
    Booker Bense.

    Fix incorrect error handling for bad .k5login ownership when
    search_k5login is set, leading to a NULL pointer dereference and a
    segfault.  Thanks, Andrew Deason.

    Fix double-free of the ticket cache structure if creation of the
    ticket cache in the session module fails.  Thanks, Jens Jorgensen.

    Log all syslog messages to LOG_AUTHPRIV, or LOG_AUTH if the system
    doesn't define LOG_AUTHPRIV.  Thanks, Mark Painter.

    Fix portability to AIX's bundled Kerberos.  Thanks, Markus Moeller.

    When debugging is enabled, log an exit status of PAM_IGNORE as ignore
    rather than failure.

    Document that pam-krb5 must be listed in the session group as well as
    the auth group for interactive logins or OpenSSH won't set up the
    user's credential cache properly.

    Document adding ignore=ignore to complex [] action configuration for
    the session and account groups since the module now returns PAM_IGNORE
    instead of PAM_SUCCESS for accounts that didn't use Kerberos.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian experimental to not interfere
with the upcoming lenny release.  They will be uploaded to Debian unstable
after the release.  (The significant bug fixes mentioned above have
already been fixed in Debian unstable for the lenny release.)

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
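
Added example, not part of the announcement and not code from the pam-krb5 project: a small checker for the two documentation notes in the change list (pam-krb5 listed in the session group as well as auth, and ignore=ignore in [] action lists for session and account). It assumes the module is installed as pam_krb5.so; the sample service file is constructed for illustration.

```python
import re

# Constructed sample PAM service file (not from the announcement): pam_krb5 is
# in auth but missing from session, and the account [] action lacks ignore=.
SAMPLE = """\
# /etc/pam.d/example (constructed)
auth     sufficient                     pam_krb5.so minimum_uid=1000
auth     required                       pam_unix.so try_first_pass
account  [success=ok default=bad]       pam_krb5.so minimum_uid=1000
account  required                       pam_unix.so
session  required                       pam_unix.so
"""

# type, control (keyword or bracketed action list), module path
LINE = re.compile(r"^-?(auth|account|session|password)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Yield (group, control, module) for each rule line in a PAM service file."""
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def check_pam_krb5(text):
    """Return findings for the two configuration notes in the 3.12 change list."""
    # Assumption: the module file is named pam_krb5.so.
    rules = [r for r in parse(text) if r[2].endswith("pam_krb5.so")]
    groups = {g for g, _, _ in rules}
    findings = []
    if "auth" in groups and "session" not in groups:
        findings.append("pam_krb5 in auth but not session: credential cache may not be set up")
    for group, control, _ in rules:
        if group in ("session", "account") and control.startswith("["):
            actions = dict(a.split("=", 1) for a in control[1:-1].split() if "=" in a)
            if "ignore" not in actions:
                findings.append(f"{group}: {control} has no ignore= action for PAM_IGNORE")
    return findings

if __name__ == "__main__":
    for finding in check_pam_krb5(SAMPLE):
        print(finding)
```

The check reads one service file at a time and does not follow @include lines, so a session entry supplied by an included file will be reported as missing.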


