pam-krb5 4.8 released

Russ Allbery eagle at eyrie.org
Sun Dec 31 00:40:27 EST 2017


I'm pleased to announce release 4.8 of pam-krb5.

pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal.  It
supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports extensive configuration either by PAM options or in krb5.conf or
both.  PKINIT is supported with recent versions of both MIT Kerberos and
Heimdal and FAST is supported with recent MIT Kerberos.

Changes from previous release:

    When verifying that an expired password can still be used to get
    kadmin/changepw credentials, correctly set the credential options for
    getting password change credentials, not for getting initial
    credentials.  This should fix password change issues when, for
    example, krb5.conf requests that all tickets be proxiable but
    kadmin/changepw doesn't allow proxiable credentials.  Thanks to
    Florian Best for the bug report.

    When built against recent versions of Heimdal with richer status codes
    from PKINIT attempts, report to the user the reason for a PKINIT
    failure.  Based on work by Henry Jacques.

    Document the test suite configuration files required to run the PKINIT
    tests.

    Fix expired password tests to work with Heimdal 7.0.1 and later.

    Better document that the default Kerberos library ticket cache
    location is not used (and why), and how to set configuration
    parameters in krb5.conf.  Thanks, Matthew Gabeler-Lee.  (Debian
    Bug#872943)

    Compile cleanly under GCC 7 and Clang warnings and Clang's static
    analyzer.

    Rename the script to bootstrap from a Git checkout to bootstrap,
    matching the emerging consensus in the Autoconf world.

    Update to rra-c-util 7.0:

    * Fix new warnings in GCC 7.
    * Support a warning build under Clang.
    * Avoid zero-length allocations in reallocarray and vector.
    * Probe for warning flags instead of hard-coding a list.
    * New test for obsolete URLs and email addresses.
    * Remove unused portable replacements for strlcpy and strlcat.
    * Use C_TAP_SOURCE and C_TAP_BUILD environment variables in tests.
    * Fix portability defines for anonymous principal strings.
    * Clear errno on pam_modutil_getpwnam to improve other testing.
    * Add portability defines for macOS's PAM implementation.
    * Add new Autoconf macro to probe for pam_strerror const usage.
    * Support Solaris 10's included Kerberos.

    Update to C TAP Harness 4.2:

    * Avoid zero-length allocations in breallocarray.
    * Add is_blob and is_bool functions.
    * Use C_TAP_SOURCE and C_TAP_BUILD environment variables in tests.
    * Fix segfault in runtests with an empty test list.
    * Display verbose test results with -v or C_TAP_VERBOSE.
    * Test infrastructure builds cleanly with Clang warnings.

You can download it from:

    <https://www.eyrie.org/~eagle/software/pam-krb5/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

