pam-krb5 4.0 released
Russ Allbery
rra at stanford.edu
Fri Nov 13 23:25:48 EST 2009
I'm pleased to announce release 4.0 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

This upgrade has two non-backward-compatible changes to the option parsing
that may need your attention during upgrades:

* If you were using pam_krb5 with the use_authtok parameter in the
  password group, you will need to add use_first_pass to your
  configuration to keep the same behavior. See below for details.

* If you used the use_authtok parameter in the authentication group, you
  should change it to force_first_pass.
Changes from previous release:

Previous versions of this module incorrectly implemented the standard
use_authtok parameter. use_authtok applies only to the password group
and says to use the new password stored in the PAM data rather than
prompting for a new password. It doesn't imply anything about where
to obtain the old password, but it was implemented as requiring both
the old and new password be in the PAM stack already. This doesn't
work when stacked with pam_cracklib. Change use_authtok to have the
correct meaning, which means that password group configurations may
need to add use_first_pass to use_authtok to get the desired behavior.

use_first_pass and try_first_pass no longer affect how the new
password is obtained during password changes. To use a password
obtained by a previous module, use use_authtok instead.

A new option, force_first_pass, is now supported for both the
authentication and password groups. It tells the module to always get
the user's current password from the PAM data and fail without
prompting if it isn't already set. This is the meaning that
use_authtok previously had for the current password.

use_authtok no longer has any meaning for the authentication stack.
Use force_first_pass instead, which does the same as use_authtok used
to do. use_authtok will be temporarily converted to force_first_pass
in the authentication group and log a diagnostic, but this will be
removed in the future.
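As an added illustration (constructed here, not part of the announcement or the pam-krb5 distribution), the PAM fragments below show the option changes described above for the password and authentication groups. Module ordering, the pam_cracklib options, and the use of pam_unix alongside pam_krb5 are assumptions; adjust them for your system.

```text
# Constructed example; not from the pam-krb5 announcement or its documentation.
# Paths, neighbouring modules and their options are assumptions.

# --- password group, stacked after pam_cracklib ---
# pam_cracklib collects and checks the NEW password, never the current one.
# Under the old (incorrect) meaning, "use_authtok" also demanded the current
# password already be in the PAM data, so this stack failed.  With 4.0,
# "use_authtok" means only "take the new password from the PAM data";
# pam_krb5 prompts for the current password itself.
password  requisite   pam_cracklib.so retry=3
password  sufficient  pam_krb5.so use_authtok
password  required    pam_unix.so use_authtok

# --- password group, current password supplied by an earlier module ---
# 3.x:  "use_authtok" alone took BOTH passwords from the PAM data.
# 4.0:  add "use_first_pass" to keep taking the current password from the
#       stack; "use_authtok" now covers only the new password.
password  required    pam_unix.so
password  required    pam_krb5.so use_first_pass use_authtok

# --- auth group ---
# 3.x:  auth  sufficient  pam_krb5.so use_authtok
#       (4.0 converts this to force_first_pass and logs a diagnostic;
#        the conversion will be removed in a future release)
# 4.0:  spell the "fail rather than prompt" behaviour explicitly.
auth      sufficient  pam_krb5.so force_first_pass
auth      required    pam_unix.so try_first_pass
```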
Stop returning PAM_IGNORE from pam_setcred if the user is ignored or
didn't log in via Kerberos and instead return PAM_USER_UNKNOWN. This
works around a bug in older versions of the Linux PAM library where
returning PAM_IGNORE would cause pam_setcred to fail even if other
modules succeeded. Since pam_authenticate never returned PAM_IGNORE,
this change should not cause any differences in behavior.

Do not use issetugid on Solaris to determine when to avoid refreshing
the ticket cache named in KRB5CCNAME during pam_setcred. Instead,
compare effective and real UID and GID and permit KRB5CCNAME to be
trusted if they match. This allows setuid screensavers on Solaris to
refresh ticket caches and makes behavior on Solaris match other
platforms. Using issetugid is arguably safer since it protects
programs that switch users via setuid to a user other than the calling
user but still should not trust the original environment, but such
programs are rare in the PAM context and should not be calling
pam_setcred anyway unless the calling user is permitted to generally
act as the target user. Thanks, William Yang.

Do the same logging in pam_sm_open_session and pam_sm_close_session as
we do with the other functions. This will mean pam_sm_open_session
calls will be logged as pam_sm_open_session, not as pam_sm_setcred as
before.

pam-krb5 is now built using Automake and Libtool to bring it more in
line with other software packages. This means that it now relies on
Libtool to know how to generate a loadable module rather than
hand-configured linker rules. This may improve portability on some
platforms and may hurt it on other platforms.

If configured with a prefix of /usr on Linux, use /lib, /lib32, or
/lib64 as an installation path based on the size of an integer in the
compilation environment rather than based on known 64-bit Linux
variants.
Update to rra-c-util 2.0:

* Sanity-check the results of krb5-config before proceeding.
* Fall back on manual probing if krb5-config results don't work.
* Don't break if the user clobbers CPPFLAGS at build time.

You can download it from:

<http://www.eyrie.org/~eagle/software/pam-krb5/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>