pam-krb5 4.10 released
Russ Allbery
eagle at eyrie.org
Sat Mar 20 16:40:18 EDT 2021
I'm pleased to announce release 4.10 of pam-krb5.
This is a small bug-fix release with a possible security fix, although I
don't see a path to exploit the bug. But better safe than sorry.
pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It
supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports extensive configuration either by PAM options or in krb5.conf or
both. PKINIT is supported with recent versions of both MIT Kerberos and
Heimdal and FAST is supported with recent MIT Kerberos.
Changes from previous release:
When re-retrieving the authenticated principal from the current cache,
ensure the stored principal in the authentication context is always
either valid or NULL. Otherwise, a failure of krb5_cc_get_principal
could result in a double free. Thanks to Michael Muehle for the
report.
Update to rra-c-util 9.0:
* Check that at least one Kerberos header file was found and works.
* Use AS_ECHO in all Autoconf macros in preference to echo.
* Fix portability of reallocarray on NetBSD systems.
* Stop providing a replacement for a broken snprintf.
Update to C TAP Harness 4.7:
* Fix warnings with GCC 10.
You can download it from:
<https://www.eyrie.org/~eagle/software/pam-krb5/>
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian experimental, and the bug fix
patch has been backported to 4.9 in Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list