[30445] in Kerberos

pam-krb5 3.12 released

daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Nov 13 14:22:22 2008

To: kerberos@mit.edu
From: Russ Allbery <rra@stanford.edu>
Date: Thu, 13 Nov 2008 11:20:36 -0800
Message-ID: <87skpv77qz.fsf@windlord.stanford.edu>

I'm pleased to announce release 3.12 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features.  It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    Add alt_auth_map configuration option, which allows mapping of
    usernames to alternative Kerberos principals, useful primarily for
    using particular instances for access to a given PAM-authenticated
    service.  Also added force_alt_auth and only_alt_auth options to
    control when alternative Kerberos principals are used.  Patch from
    Booker Bense.

    Fix incorrect error handling for bad .k5login ownership when
    search_k5login is set, leading to a NULL pointer dereference and a
    segfault.  Thanks, Andrew Deason.

    Fix double-free of the ticket cache structure if creation of the
    ticket cache in the session module fails.  Thanks, Jens Jorgensen.

    Log all syslog messages to LOG_AUTHPRIV, or LOG_AUTH if the system
    doesn't define LOG_AUTHPRIV.  Thanks, Mark Painter.

    Fix portability to AIX's bundled Kerberos.  Thanks, Markus Moeller.

    When debugging is enabled, log an exit status of PAM_IGNORE as ignore
    rather than failure.

    Document that pam-krb5 must be listed in the session group as well as
    the auth group for interactive logins or OpenSSH won't set up the
    user's credential cache properly.

    Document adding ignore=ignore to complex [] action configuration for
    the session and account groups since the module now returns PAM_IGNORE
    instead of PAM_SUCCESS for accounts that didn't use Kerberos.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian experimental to not interfere
with the upcoming lenny release.  They will be uploaded to Debian unstable
after the release.  (The significant bug fixes mentioned above have
already been fixed in Debian unstable for the lenny release.)

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
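
The last two documentation changes above can be checked mechanically. The following is an added example, not part of the original announcement or of the pam-krb5 distribution: a small linter for a PAM service file, assuming Linux-PAM file syntax and a module file named pam_krb5.so. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample PAM service file (not taken from pam-krb5's documentation).
SAMPLE = """\
auth     sufficient                 pam_krb5.so
auth     required                   pam_unix.so
account  [success=ok default=bad]   pam_krb5.so   # PAM_IGNORE falls into default
account  required                   pam_unix.so
"""

# group, then a simple control word or a bracketed [value=action ...] list, then module
RULE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Yield (lineno, group, control, module) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0])  # drop trailing comments
        if m:
            yield lineno, m.group(1).lower(), m.group(2), m.group(3)

def lint(text):
    """Return findings for the two configuration points in the release notes."""
    findings = []
    krb5 = [r for r in parse(text) if r[3].endswith("pam_krb5.so")]
    groups = {group for _, group, _, _ in krb5}

    # Point 1: the module must be in session as well as auth.
    if "auth" in groups and "session" not in groups:
        findings.append("pam_krb5 is in auth but not session: the user's "
                        "credential cache may not be set up")

    # Point 2: complex [] controls in session/account need to handle PAM_IGNORE,
    # which the module now returns for accounts that did not use Kerberos.
    for lineno, group, control, _ in krb5:
        if group in ("session", "account") and control.startswith("["):
            actions = dict(p.split("=", 1) for p in control[1:-1].split() if "=" in p)
            if "ignore" not in actions and actions.get("default") != "ignore":
                findings.append(f"line {lineno}: {group} {control} has no "
                                "ignore= action; add ignore=ignore")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```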