I'm pleased to announce release 4.5 of pam-krb5. pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services, password changing, and password expiration, as well as all the standard expected PAM features. It works correctly with OpenSSH, even with ChallengeResponseAuthentication and PrivilegeSeparation enabled, and supports extensive configuration either by PAM options or in krb5.conf or both. PKINIT is supported with recent versions of both MIT Kerberos and Heimdal and FAST is supported with recent MIT Kerberos.
Changes from previous release:

* Suppress the notice that the password is being changed because it's expired if force_first_pass or use_first_pass is set in the password stack, indicating that it's stacked with another module that's also doing password changes. This is arguable, but without this change the notification message of why the password is being changed shows up confusingly in the middle of the password change interaction. Based on a patch by William Yang.

* Some old versions of Heimdal (0.7.2 in OpenBSD 4.9, specifically) reportedly return KRB5KDC_ERR_KEY_EXP for accounts with expired keys even if the supplied password is wrong. Work around this by confirming that the PAM module can obtain tickets for kadmin/changepw before returning a password expiration error instead of an invalid password error. Based on a patch by William Yang.

* The location of the temporary root-owned ticket cache created during the authentication process is now also controlled by the ccache_dir option (but not the ccache option) rather than forced to be in /tmp. This will allow system administrators to configure an alternative cache directory so that pam-krb5 can continue working when /tmp is full.

* Report more specific errors in syslog if authorization checks (such as .k5login checks) fail.

* Pass a NULL principal to krb5_set_password with MIT client libraries to prefer the older change password protocol for compatibility with older KDCs. This is not necessary on Heimdal since Heimdal's krb5_set_password tries both protocols.

* Improve logging and authorization checks when defer_pwchange is set and a user authenticates with an expired password.

* When probing for Kerberos libraries, always add any supplemental libraries found to that point to the link command. This will fix configure failures on platforms without working transitive shared library dependencies.

* Close some memory leaks where unparsed Kerberos principal names were never freed.

* Restructure the code to work with OpenPAM's default PAM build machinery, which exports a struct containing module entry points rather than public pam_sm_* functions. Thanks to Fredrik Pettai for the information.

* In debug logging, report symbolic names for PAM flags on PAM function entry rather than the numeric PAM flags. This helps with automated testing and with debugging PAM problems on different operating systems.

* Include <krb5/krb5.h> if <krb5.h> is missing, which permits finding the header file on NetBSD systems. Thanks to Fredrik Pettai for the report.

* Replace the Kerberos compatibility layer with equivalent but better-structured code from rra-c-util 4.0.

* Avoid krb5-config and use manual library probing if --with-krb5-lib or --with-krb5-include were given to configure. This avoids having to point configure at a nonexistent krb5-config to override its results.

* Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in configure, to avoid a conflict with the variable used by the Kerberos libraries to find krb5.conf.

* Change references to Kerberos v5 to just Kerberos in the documentation. Kerberos v5 has been the default version of Kerberos for over ten years now.

* Update to rra-c-util 4.0:
  * Add notices to all files copied over from rra-c-util.
  * Include strings.h for additional POSIX functions where found.
  * Fix detection of whether PAM uses const on FreeBSD.
  * Update warning flags for make warnings for GCC 4.6.1.
  * Limit symbol exports even on systems without GNU ld.
  * Fix replacement mkstemp to use long long where available.
  * Improve stripping of /usr/include from krb5-config results.
  * Use issetugid where available, not the misnamed issetuidgid.

* Update to C TAP Harness 1.9:
  * Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
  * Fix runtests to honor -s even if BUILD and -b aren't given.
  * Add test_tmpdir and test_tmpdir_free to TAP library.
  * runtests now frees all allocated resources on exit.
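As an added illustration of two of the items above (this is a constructed example, not configuration shipped with pam-krb5 or taken from the announcement): a password stack in which pam_krb5 is stacked behind pam_unix with use_first_pass, the arrangement under which the "password expired" notice is now suppressed, and a krb5.conf fragment moving the ticket cache directory off /tmp with ccache_dir. The module ordering, the minimum_uid value, the [appdefaults] pam section form, and the /var/run/pam-krb5 path are assumptions chosen for the example; the directory is assumed to exist and to be writable by root.

```text
# /etc/pam.d/common-password  (constructed example)
#
# pam_unix collects and changes the password first.  pam_krb5 is stacked
# behind it with use_first_pass, so it reuses the password already entered
# instead of prompting a second time.  Because use_first_pass is set in the
# password stack, pam-krb5 4.5 no longer prints its own notice that the
# password is being changed because it has expired; the stacked module is
# driving the interaction.
password  required    pam_unix.so  obscure sha512
password  sufficient  pam_krb5.so  minimum_uid=1000 use_first_pass

# /etc/krb5.conf  (constructed fragment)
[appdefaults]
    pam = {
        # Directory for user ticket caches and, as of 4.5, also for the
        # temporary root-owned cache created during authentication.
        # A dedicated directory keeps logins working when /tmp fills up.
        # (The ccache option, if set, still overrides the user cache path.)
        ccache_dir = /var/run/pam-krb5

        # Log PAM entry points with symbolic flag names and the more
        # specific authorization-failure reasons to syslog.
        debug = true
    }
```

When checking a deployment like this, confirm that the directory named by ccache_dir is on a filesystem with free space reserved for it and is not world-writable, since the caches placed there are created with root ownership during authentication; the syslog output enabled by debug shows which cache path the module actually used.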
This release also features a new automated test suite using a generic PAM testing framework. Other maintainers of PAM modules may want to take a look.

You can download it from:

<http://www.eyrie.org/~eagle/software/pam-krb5/>

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed in the TODO file.

-- 
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos