pam-krb5 4.1 released
Russ Allbery
rra at stanford.edu
Fri Nov 20 19:25:04 EST 2009
I'm pleased to announce release 4.1 of pam-krb5.
pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports extensive configuration either by PAM options or in krb5.conf or
both. PKINIT is supported with recent versions of both MIT Kerberos and
Heimdal.
This release retrieves more PAM data than before to improve logging and
also includes a replacement for pam_syslog for systems that don't have it,
so I'm particularly interested in test results from non-Linux systems
(since I cannot easily test there myself). There may be some portability
regressions that will need to be fixed in a follow-on release. Please let
me know if there are any problems.
Changes from previous release:
  Return PAM_SUCCESS, not PAM_USER_UNKNOWN, for ignored users in
  pam_setcred. It's safe to return success when doing nothing in
  pam_setcred because the stack has already been frozen after the
  authentication step, and returning an error causes the stack to fail
  on some other Linux PAM implementations. Thanks, Ian Ward Comfort.

  In the second pass through the password group, prompt for the new
  password and store it in the PAM data even if the user is being
  ignored. This is required to allow this module to be stacked with
  another module that uses use_authtok. Without this behavior, the
  second module won't be able to work for any ignored user since it will
  see no saved password and use_authtok will reject the password change.

  Fix return status from pam_sm_acct_mgmt if we were unable to retrieve
  PAM_USER.

  Log successful authentications to syslog with priority LOG_INFO,
  including the Kerberos principal used for authentication.

  Log failed authentication to syslog with priority LOG_NOTICE,
  including roughly the same additional information that the Linux PAM
  pam_unix logs by default.

  Use pam_syslog for logging where available. This means pam-krb5 log
  messages will look like all other log messages for Linux PAM modules
  on Linux. Change the format of log messages on all platforms to
  hopefully be somewhat clearer.

  Rationalize logging. The module should now follow the recommendations
  of the Linux PAM Module Writers' Guide for log levels. More errors
  are logged at LOG_ERR instead of LOG_DEBUG, and system resource errors
  are now logged at LOG_CRIT instead of LOG_ERR.

  Add additional error and debug logging in places where significant
  actions or failures may happen without previously being logged. Also
  add failure information from PAM or Kerberos libraries to messages
  where appropriate.

  Add replacement snprintf, vsnprintf, and mkstemp functions for
  pointless portability to ancient systems.
You can download it from:
<http://www.eyrie.org/~eagle/software/pam-krb5/>
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
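The use_authtok stacking scenario described in the changelog above, as an added PAM configuration example (not from the announcement or the pam-krb5 distribution); the file path, the uid threshold and the choice of pam_unix as the second module are assumptions for illustration:

```text
# Assumed /etc/pam.d/common-password fragment (constructed example).
# pam_krb5 ignores accounts below minimum_uid. With 4.1 it still prompts
# for the new password and stores it in the PAM data for those ignored
# users, so pam_unix can read it through use_authtok instead of seeing
# no saved password and rejecting the change.
password  sufficient  pam_krb5.so  minimum_uid=1000
password  required    pam_unix.so  use_authtok
```

For a Kerberos user the first line handles the change and the stack stops there; for an ignored local account the request falls through to pam_unix with the already-collected password.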