I'm pleased to announce release 4.7 of pam-krb5.

pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services, password changing, and password expiration, as well as all the standard expected PAM features. It works correctly with OpenSSH, even with ChallengeResponseAuthentication and PrivilegeSeparation enabled, and supports extensive configuration either by PAM options or in krb5.conf or both. PKINIT is supported with recent versions of both MIT Kerberos and Heimdal and FAST is supported with recent MIT Kerberos.

Changes from previous release:

Add a no_update_user option that disables the normal update of the PAM_USER PAM variable after canonicalization of the username. When this is set, pam-krb5 will not convert full principal names to local usernames where possible for the rest of the PAM stack.

Suppress spurious password prompt from Heimdal when authenticating with PKINIT.

Map unknown realm errors from the Kerberos libraries to the PAM error code PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR.

Treat a KRB5_GET_IN_TKT_LOOP error as an incorrect password. Heimdal KDCs sometimes return it, and Heimdal kinit treats it this way. Similarly, treat a KRB5_BAD_ENCTYPE error as an incorrect password, since this error is returned by a Heimdal 1.6-rc2 KDC for incorrect preauth from an MIT Kerberos 1.12.1 client.

Add the version number at which each module option was added with its current meaning to the documentation.

Update to rra-c-util 5.6:

* Suppress warnings from Kerberos headers in non-system paths.
* Fix probing for Heimdal's libroken to work with older versions.
* Fix Kerberos header detection if root or include paths are given.
* Pass --deps to krb5-config in the non-reduced-dependencies case.
* Provide a reallocarray replacement for platforms without it.
* Use reallocarray where appropriate.
* Drop checks for NULL before freeing pointers.
* Drop explicit pointer initialization to NULL and rely on calloc.
* Check the return status of snprintf and vsnprintf properly.
* Preserve errno if snprintf fails in vasprintf replacement.
* Suppress a dummy symbol in the client library that could leak.
* Fix syntax errors when building with a C++ compiler.
* Avoid test suite failures where tested functions are macros.

Update to C TAP Harness 3.2:

* Reopen standard input to /dev/null when running a test list.
* Don't leak extraneous file descriptors to tests.
* Suppress lazy plans and test summaries if the test failed with bail.
* bail and sysbail now exit with status 255 to match Test::More.
* runtests now treats the command line as a list of tests by default.
* The full test executable path can now be passed to runtests -o.
* Improved harness output for tests with lazy plans.
* Improved harness output to a terminal for some abort cases.
* Flush harness output after each test even when not on a terminal.

You can download it from:

<http://www.eyrie.org/~eagle/software/pam-krb5/>

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Debian packages have been uploaded to Debian experimental due to the release freeze.

Please let me know of any problems or feature requests not already listed in the TODO file.

--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>