pam-krb5 4.5 released

Russ Allbery rra at stanford.edu
Sat Dec 24 23:28:23 EST 2011 

I'm pleased to announce release 4.5 of pam-krb5.

pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal.  It
supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports extensive configuration either by PAM options or in krb5.conf or
both.  PKINIT is supported with recent versions of both MIT Kerberos and
Heimdal and FAST is supported with recent MIT Kerberos.

Changes from previous release:

    Suppress the notice that the password is being changed because it's
    expired if force_first_pass or use_first_pass is set in the password
    stack, indicating that it's stacked with another module that's also
    doing password changes.  This is arguable, but without this change the
    notification message of why the password is being changed shows up
    confusingly in the middle of the password change interaction.  Based
    on a patch by William Yang.

    Some old versions of Heimdal (0.7.2 in OpenBSD 4.9, specifically)
    reportedly return KRB5KDC_ERR_KEY_EXP for accounts with expired
    keys even if the supplied password is wrong.  Work around this by
    confirming that the PAM module can obtain tickets for kadmin/changepw
    before returning a password expiration error instead of an invalid
    password error.  Based on a patch by William Yang.

    The location of the temporary root-owned ticket cache created during
    the authentication process is now also controlled by the ccache_dir
    option (but not the ccache option) rather than forced to be in /tmp.
    This will allow system administrators to configure an alternative
    cache directory so that pam-krb5 can continue working when /tmp is
    full.

    Report more specific errors in syslog if authorization checks (such as
    .k5login checks) fail.

    Pass a NULL principal to krb5_set_password with MIT client libraries
    to prefer the older change password protocol for compatibility with
    older KDCs.  This is not necessary on Heimdal since Heimdal's
    krb5_set_password tries both protocols.

    Improve logging and authorization checks when defer_pwchange is set
    and a user authenticates with an expired password.

    When probing for Kerberos libraries, always add any supplemental
    libraries found to that point to the link command.  This will fix
    configure failures on platforms without working transitive shared
    library dependencies.

    Close some memory leaks where unparsed Kerberos principal names were
    never freed.

    Restructure the code to work with OpenPAM's default PAM build
    machinery, which exports a struct containing module entry points
    rather than public pam_sm_* functions.  Thanks to Fredrik Pettai for
    the information.

    In debug logging, report symbolic names for PAM flags on PAM function
    entry rather than the numeric PAM flags.  This helps with automated
    testing and with debugging PAM problems on different operating
    systems.

    Include <krb5/krb5.h> if <krb5.h> is missing, which permits finding
    the header file on NetBSD systems.  Thanks to Fredrik Pettai for the
    report.

    Replace the Kerberos compatibility layer with equivalent but
    better-structured code from rra-c-util 4.0.

    Avoid krb5-config and use manual library probing if --with-krb5-lib or
    --with-krb5-include were given to configure.  This avoids having to
    point configure at a nonexistent krb5-config to override its results.

    Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in
    configure, to avoid a conflict with the variable used by the Kerberos
    libraries to find krb5.conf.

    Change references to Kerberos v5 to just Kerberos in the
    documentation.  Kerberos v5 has been the default version of Kerberos
    for over ten years now.

    Update to rra-c-util 4.0:

    * Add notices to all files copied over from rra-c-util.
    * Include strings.h for additional POSIX functions where found.
    * Fix detection of whether PAM uses const on FreeBSD.
    * Update warning flags for make warnings for GCC 4.6.1.
    * Limit symbol exports even on systems without GNU ld.
    * Fix replacement mkstemp to use long long where available.
    * Improve stripping of /usr/include from krb5-config results.
    * Use issetugid where available, not the misnamed issetuidgid.

    Update to C TAP Harness 1.9:

    * Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
    * Fix runtests to honor -s even if BUILD and -b aren't given.
    * Add test_tmpdir and test_tmpdir_free to TAP library.
    * runtests now frees all allocated resources on exit.

This release also features a new automated test suite using a generic PAM
testing framework.  Other maintainers of PAM modules may want to take a
look.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list