pam-krb5 4.4 released

Russ Allbery rra at
Sat Jan 1 00:17:06 EST 2011

I'm pleased to announce release 4.4 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports extensive configuration either by PAM options or in krb5.conf or
both.  PKINIT is supported with recent versions of both MIT Kerberos and
Heimdal and FAST is supported with recent MIT Kerberos.

Changes from previous release:

    Do not prompt for a password when try_pkinit is set and the module is
    built against MIT Kerberos.  This fixes a spurious password prompt
    introduced in 4.1, but partly reintroduces the bug fixed in 4.1 where
    the user's password is not saved in the PAM data if the authentication
    falls back to password when PKINIT fails.  This requires more work
    to fix and will be addressed in a subsequent release.  Thanks to
    Бранко Мајић (Branko Majic) for the report.

    Reorganize the configuration section of the pam_krb5 man page to
    divide the many PAM module options into sections.

    When probing for <ibm_svc/krb5_svc.h> (part of AIX's bundled Kerberos
    implementation), include <krb5.h> before attempting to include that
    header to quiet confusing Autoconf warnings.  Reported by Wilfried

    Update to rra-c-util 3.0:

    * Fix compilation of the replacement snprintf for old systems.
    * Look for krb5-config in /usr/kerberos/bin for Red Hat systems.
    * Fix compilation with OpenBSD's Heimdal without separate libroken.

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian experimental and will be
uploaded to Debian unstable after the squeeze release freeze.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list