pam-krb5 3.14 released
Russ Allbery
rra at stanford.edu
Sat Jul 18 19:17:36 EDT 2009
I'm pleased to announce release 3.14 of pam-krb5.
pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.
Changes from previous release:
Return PAM_IGNORE instead of PAM_PERM_DENIED from pam_chauthtok for
ignored users. This allows making the Kerberos PAM module mandatory
for password changes and still falling back to other PAM modules for
ignored users. Thanks, Steve Langasek.
Always treat the empty password as an authentication failure rather
than passing it to the Kerberos libraries. The Kerberos libraries
may treat it as equivalent to no password and prompt for a password
without our knowledge, leading to the user authenticating with a
different password than the one stored in the PAM stack. This could
cause unexpected problems with some PAM configurations. It's safer
to make the assumption that the empty password is always invalid and
reject it outside of the Kerberos libraries. Thanks, Sanjay Sha.
Fix error handling if ticket cache initialization fails.
Authentication will still fail, but this avoids a segfault from a
double-free of the ticket cache structure. The most common cause of
this problem was having the attempt to initialize the ticket cache
be blocked by AppArmor. Thanks to Alex Mauer for the report.
Call krb5_free_error_string correctly, fixing a portability issue
when building against Heimdal. Thanks, Andrew Drake.
Work around a deficiency in pam_putenv on FreeBSD 7.2 that doesn't
allow deleting environment variables, only setting them to empty
values. Thanks, Andrew Elble.
You can download it from:
<http://www.eyrie.org/~eagle/software/pam-krb5/>
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list