pam-krb5 4.5 released
- From: Russ Allbery <rra@xxxxxxxxxxxx>
- Date: Sat, 24 Dec 2011 20:28:23 -0800
I'm pleased to announce release 4.5 of pam-krb5.
pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It
supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports extensive configuration either by PAM options or in krb5.conf or
both. PKINIT is supported with recent versions of both MIT Kerberos and
Heimdal and FAST is supported with recent MIT Kerberos.
Changes from previous release:
Suppress the notice that the password is being changed because it's
expired if force_first_pass or use_first_pass is set in the password
stack, indicating that it's stacked with another module that's also
doing password changes. This is arguable, but without this change the
notification message of why the password is being changed shows up
confusingly in the middle of the password change interaction. Based
on a patch by William Yang.
Some old versions of Heimdal (0.7.2 in OpenBSD 4.9, specifically)
reportedly return KRB5KDC_ERR_KEY_EXP for accounts with expired
keys even if the supplied password is wrong. Work around this by
confirming that the PAM module can obtain tickets for kadmin/changepw
before returning a password expiration error instead of an invalid
password error. Based on a patch by William Yang.
The location of the temporary root-owned ticket cache created during
the authentication process is now also controlled by the ccache_dir
option (but not the ccache option) rather than forced to be in /tmp.
This will allow system administrators to configure an alternative
cache directory so that pam-krb5 can continue working when /tmp is
Report more specific errors in syslog if authorization checks (such as
.k5login checks) fail.
Pass a NULL principal to krb5_set_password with MIT client libraries
to prefer the older change password protocol for compatibility with
older KDCs. This is not necessary on Heimdal since Heimdal's
krb5_set_password tries both protocols.
Improve logging and authorization checks when defer_pwchange is set
and a user authenticates with an expired password.
When probing for Kerberos libraries, always add any supplemental
libraries found to that point to the link command. This will fix
configure failures on platforms without working transitive shared
Close some memory leaks where unparsed Kerberos principal names were
Restructure the code to work with OpenPAM's default PAM build
machinery, which exports a struct containing module entry points
rather than public pam_sm_* functions. Thanks to Fredrik Pettai for
In debug logging, report symbolic names for PAM flags on PAM function
entry rather than the numeric PAM flags. This helps with automated
testing and with debugging PAM problems on different operating
Include <krb5/krb5.h> if <krb5.h> is missing, which permits finding
the header file on NetBSD systems. Thanks to Fredrik Pettai for the
Replace the Kerberos compatibility layer with equivalent but
better-structured code from rra-c-util 4.0.
Avoid krb5-config and use manual library probing if --with-krb5-lib or
--with-krb5-include were given to configure. This avoids having to
point configure at a nonexistent krb5-config to override its results.
Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in
configure, to avoid a conflict with the variable used by the Kerberos
libraries to find krb5.conf.
Change references to Kerberos v5 to just Kerberos in the
documentation. Kerberos v5 has been the default version of Kerberos
for over ten years now.
Update to rra-c-util 4.0:
* Add notices to all files copied over from rra-c-util.
* Include strings.h for additional POSIX functions where found.
* Fix detection of whether PAM uses const on FreeBSD.
* Update warning flags for make warnings for GCC 4.6.1.
* Limit symbol exports even on systems without GNU ld.
* Fix replacement mkstemp to use long long where available.
* Improve stripping of /usr/include from krb5-config results.
* Use issetugid where available, not the misnamed issetuidgid.
Update to C TAP Harness 1.9:
* Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
* Fix runtests to honor -s even if BUILD and -b aren't given.
* Add test_tmpdir and test_tmpdir_free to TAP library.
* runtests now frees all allocated resources on exit.
This release also features a new automated test suite using a generic PAM
testing framework. Other maintainers of PAM modules may want to take a
You can download it from:
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
Russ Allbery (rra@xxxxxxxxxxxx) <http://www.eyrie.org/~eagle/>
- Prev by Date: Re: Reachable memory left behind by simple kadmin client?
- Next by Date: MITKRB5-SA-2011-008 buffer overflow in telnetd [CVE-2011-4862]
- Previous by thread: Failure on LDAP authentication module using Kerberos
- Next by thread: MITKRB5-SA-2011-008 buffer overflow in telnetd [CVE-2011-4862]