[29113] in Kerberos
Re: pam-krb5 3.10 released
daemon@ATHENA.MIT.EDU (Markus Moeller)
Sat Jan 19 12:45:16 2008
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Sat, 19 Jan 2008 17:40:56 -0000
Message-ID: <13p4dhr33jhulb0@corp.supernews.com>
In-Reply-To: <mailman.1.1198952771.5144.kerberos@mit.edu>
To: kerberos@mit.edu

Russ,

I usually don't use the change password feature, but I now checked the PAM
help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux and Solaris
it states that only pam_acct_mgmt should return PAM_NEW_AUTHTOK_REQD for
expired passwords, not pam_sm_authenticate. I haven't yet checked the OpenSSH
and other sources, but I think you need to save the state you get
in pam_sm_authenticate and use it in pam_sm_acct_mgmt.

Any thoughts?

Markus

"Russ Allbery" <rra@stanford.edu> wrote in message
news:mailman.1.1198952771.5144.kerberos@mit.edu...
> I'm pleased to announce release 3.10 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features. It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
> The workaround for krb5_get_init_creds_opt_alloc problems in MIT
> Kerberos 1.6 broke PKINIT support with Heimdal. Only apply that
> workaround when building against the MIT Kerberos libraries. Thanks
> to Jaakko Pero for the detailed report.
>
> If no_ccache is set, always exit successfully from pam_setcred or
> pam_open_session, even if we couldn't retrieve module data. Thanks,
> Markus Moeller.
>
> When keytab is set, properly handle failure to create a keytab cursor
> and don't assume that the cursor is valid. Thanks, Markus Moeller.
>
> Define _ALL_SOURCE on AIX to get prototypes for snprintf.
>
> Add additional portability glue and Autoconf probes to support
> building against the version of Kerberos bundled with AIX. Support
> for this should be considered alpha in this release. Thanks to Markus
> Moeller for the initial patch.
>
> You can download it from:
>
> <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
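
Added example, not part of the original message and not pam-krb5's code: a sketch of the hand-off suggested above, where the authentication phase records that the password was correct but expired and only the account phase returns PAM_NEW_AUTHTOK_REQD. The PAM types and `pam_set_data`/`pam_get_data` below are local stand-ins for the libpam declarations so the sketch builds on its own; `example_authenticate`, `example_acct_mgmt`, `STATE_KEY` and `kdc_result` are hypothetical names, and returning PAM_SUCCESS from the authentication phase for an expired password is an assumption of the sketch.

```c
#include <stdlib.h>
/* Stand-ins (assumption) for <security/pam_modules.h> so this builds without
 * libpam: one data slot per handle, Linux-PAM numeric return codes. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_AUTH_ERR = 7,
       PAM_NEW_AUTHTOK_REQD = 12, PAM_NO_MODULE_DATA = 18, PAM_IGNORE = 25 };
typedef struct pam_handle pam_handle_t;
typedef void (*cleanup_fn)(pam_handle_t *, void *, int);
struct pam_handle { void *data; cleanup_fn cleanup; };

static int pam_set_data(pam_handle_t *h, const char *name, void *data,
                        cleanup_fn cleanup) {
    (void)name;
    if (h->data && h->cleanup) h->cleanup(h, h->data, 0); /* drop old value */
    h->data = data; h->cleanup = cleanup;
    return PAM_SUCCESS;
}
static int pam_get_data(const pam_handle_t *h, const char *name, const void **data) {
    (void)name;
    if (!h->data) return PAM_NO_MODULE_DATA;
    *data = h->data;
    return PAM_SUCCESS;
}

#define STATE_KEY "example_krb5_expired" /* hypothetical key name */
static void free_state(pam_handle_t *h, void *d, int s) { (void)h; (void)s; free(d); }
/* kdc_result is a constructed stand-in for the Kerberos exchange:
 * 0 = password accepted, 1 = password correct but expired, else failure. */
int example_authenticate(pam_handle_t *pamh, int kdc_result) {
    int rc, *expired;
    if (kdc_result != 0 && kdc_result != 1) return PAM_AUTH_ERR;
    if ((expired = malloc(sizeof *expired)) == NULL) return PAM_BUF_ERR;
    *expired = kdc_result;           /* remember expiry for the account phase */
    rc = pam_set_data(pamh, STATE_KEY, expired, free_state);
    if (rc != PAM_SUCCESS) free(expired);
    return rc;
}

/* Account phase: the only place PAM_NEW_AUTHTOK_REQD is returned. */
int example_acct_mgmt(pam_handle_t *pamh) {
    const void *p = NULL;
    if (pam_get_data(pamh, STATE_KEY, &p) != PAM_SUCCESS)
        return PAM_IGNORE;           /* this module did not authenticate the user */
    return *(const int *)p ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}

int main(void) {
    pam_handle_t h = {0};
    return (example_authenticate(&h, 1) == PAM_SUCCESS &&
            example_acct_mgmt(&h) == PAM_NEW_AUTHTOK_REQD) ? 0 : 1;
}
```

The saved state lives in the PAM handle, so the hand-off only works when the application runs both phases on the same handle.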