pam-krb5 4.1 released

Russ Allbery rra at stanford.edu
Fri Nov 20 19:25:04 EST 2009


I'm pleased to announce release 4.1 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports extensive configuration either by PAM options or in krb5.conf or
both.  PKINIT is supported with recent versions of both MIT Kerberos and
Heimdal.

This release retrieves more PAM data than before to improve logging and
also includes a replacement for pam_syslog for systems that don't have it,
so I'm particularly interested in test results from non-Linux systems
(since I cannot easily test there myself).  There may be some portability
regressions that will need to be fixed in a follow-on release.  Please let
me know if there are any problems.

Changes from previous release:

    Return PAM_SUCCESS, not PAM_USER_UNKNOWN, for ignored users in
    pam_setcred.  It's safe to return success when doing nothing in
    pam_setcred because the stack has already been frozen after the
    authentication step, and returning an error causes the stack to fail
    on some other Linux PAM implementations.  Thanks, Ian Ward Comfort.

    In the second pass through the password group, prompt for the new
    password and store it in the PAM data even if the user is being
    ignored.  This is required to allow this module to be stacked with
    another module that uses use_authtok.  Without this behavior, the
    second module won't be able to work for any ignored user since it will
    see no saved password and use_authtok will reject the password change.
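    A password stack illustrating the use_authtok case above, as an added
    example that is not part of the original announcement; the control flags,
    the minimum_uid value and the choice of pam_unix as the second module are
    assumptions.

```text
# /etc/pam.d/common-password (constructed example, not from the pam-krb5 source)
#
# pam_krb5 runs first.  Accounts below minimum_uid are ignored by pam_krb5,
# but as of 4.1 it still prompts for the new password on the second pass and
# stores it in the PAM data, so the module below can read it.
password  sufficient  pam_krb5.so  minimum_uid=1000

# pam_unix never prompts; with use_authtok it relies entirely on the password
# saved by the previous module.  Before 4.1 an ignored user reached this line
# with no saved token and the password change was rejected.
password  required    pam_unix.so  use_authtok sha512 shadow
```

    The same ordering applies to any second module that uses use_authtok, not
    only pam_unix.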

    Fix return status from pam_sm_acct_mgmt if we were unable to retrieve
    PAM_USER.

    Log successful authentications to syslog with priority LOG_INFO,
    including the Kerberos principal used for authentication.

    Log failed authentication to syslog with priority LOG_NOTICE,
    including roughly the same additional information that the Linux PAM
    pam_unix logs by default.

    Use pam_syslog for logging where available.  This means pam-krb5 log
    messages will look like all other log messages for Linux PAM modules
    on Linux.  Change the format of log messages on all platforms to
    hopefully be somewhat clearer.

    Rationalize logging.  The module should now follow the recommendations
    of the Linux PAM Module Writers' Guide for log levels.  More errors
    are logged at LOG_ERR instead of LOG_DEBUG, and system resource errors
    are now logged at LOG_CRIT instead of LOG_ERR.

    Add additional error and debug logging in places where significant
    actions or failures may happen without previously being logged.  Also
    add failure information from PAM or Kerberos libraries to messages
    where appropriate.

    Add replacement snprintf, vsnprintf, and mkstemp functions for
    pointless portability to ancient systems.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


