pam-krb5 release 4.9

Russ Allbery eagle at
Mon Mar 30 23:23:31 EDT 2020

I'm pleased to announce release 4.9 of pam-krb5.

pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal.  It
supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports extensive configuration either by PAM options or in krb5.conf or
both.  PKINIT is supported with recent versions of both MIT Kerberos and
Heimdal and FAST is supported with recent MIT Kerberos.

Changes from previous release:

    SECURITY: All previous versions of this module could overflow the
    buffer provided by the underlying Kerberos library for the response to
    a prompt by writing a single nul character past the end of the buffer.

    Support use_pkinit with MIT Kerberos.  (Debian Bug#871699)

    Reject passwords as long or longer than PAM_MAX_RESP_SIZE (normally
    512 octets), since extremely long passwords can be used for a denial
    of service attack via the Kerberos string to key function.  Thanks to
    Florian Best for pointing out this issue and suggesting a good fix.

    Use explicit_bzero instead of memset, where available, to overwrite
    the memory used by PAM responses before freeing.  This reduces the
    lifetime of passwords and other secrets in memory.

    Return more accurate errors from the Kerberos prompter function if it
    was unable to prompt for the password.  This may translate into better
    debug log messages and, in some situations, returning the slightly
    more accurate PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR.

    Fix an edge-case memory leak in pam_chauthtok when prompting for a new
    password for an ignored user.

    Ensure the module/basic test will run properly when the system
    krb5.conf file does not specify a default realm.  Reported by TBK.

    Update to rra-c-util 8.2:

    * Fix support for configuring the test suite with a krb5.conf file.
    * Drop support for Perl 5.6.
    * Reformat all C source using clang-format 10.
    * Remove bogus snprintf tests.
    * Fix misplaced va_end in the pam-util putil_log_failure function.
    * Skip checking for krb5-config on the path if a prefix was given.
    * Add SPDX-License-Identifier headers to all substantial source files.

    Update to C TAP Harness 4.6:

    * Fixed malloc error checking in bstrndup.
    * Fix (harmless) allocation error in runtests driver.
    * Add support for valgrind testing via test list options.
    * Report test failures as left and right, not wanted and seen.
    * Fix is_string comparisons involving NULL pointers and "(null)".
    * Add SPDX-License-Identifier headers to all substantial source files.

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (eagle at             <>

More information about the Kerberos mailing list