pam-krb5 4.7 released

Russ Allbery eagle at
Thu Dec 25 23:24:23 EST 2014

I'm pleased to announce release 4.7 of pam-krb5.

pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal.  It
supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports extensive configuration either by PAM options or in krb5.conf or
both.  PKINIT is supported with recent versions of both MIT Kerberos and
Heimdal and FAST is supported with recent MIT Kerberos.

Changes from previous release:

    Add a no_update_user option that disables the normal update of the
    PAM_USER PAM variable after canonicalization of the username.  When
    this is set, pam-krb5 will not convert full principal names to local
    usernames where possible for the rest of the PAM stack.

    Suppress spurious password prompt from Heimdal when authenticating
    with PKINIT.

    Map unknown realm errors from the Kerberos libraries to the PAM error

    Treat an KRB5_GET_IN_TKT_LOOP error as an incorrect password.  Heimdal
    KDCs sometimes return it, and Heimdal kinit treats it this way.
    Similarly, treat a KRB5_BAD_ENCTYPE error as an incorrect password,
    since this error is returned by a Heimdal 1.6-rc2 KDC for incorrect
    preauth from a MIT Kerberos 1.12.1 client.

    Add the version number at which each module option was added with its
    current meaning to the documentatation.

    Update to rra-c-util 5.6:

    * Suppress warnings from Kerberos headers in non-system paths.
    * Fix probing for Heimdal's libroken to work with older versions.
    * Fix Kerberos header detection if root or include paths are given.
    * Pass --deps to krb5-config in the non-reduced-dependencies case.
    * Provide a reallocarray replacement for platforms without it.
    * Use reallocarray where appropriate.
    * Drop checks for NULL before freeing pointers.
    * Drop explicit pointer initialization to NULL and rely on calloc.
    * Check the return status of snprintf and vsnprintf properly.
    * Preserve errno if snprintf fails in vasprintf replacement.
    * Suppress a dummy symbol in the client library that could leak.
    * Fix syntax errors when building with a C++ compiler.
    * Avoid test suite failures where tested functions are macros.

    Update to C TAP Harness 3.2:

    * Reopen standard input to /dev/null when running a test list.
    * Don't leak extraneous file descriptors to tests.
    * Suppress lazy plans and test summaries if the test failed with bail.
    * bail and sysbail now exit with status 255 to match Test::More.
    * runtests now treats the command line as a list of tests by default.
    * The full test executable path can now be passed to runtests -o.
    * Improved harness output for tests with lazy plans.
    * Improved harness output to a terminal for some abort cases.
    * Flush harness output after each test even when not on a terminal.

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian experimental due to the
release freeze.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (eagle at              <>

More information about the Kerberos mailing list