User-Visible pam-krb5 Changes

pam-krb5 4.11 (2021-10-17)

    Properly support calling pam_end with PAM_DATA_SILENT by not deleting
    the underlying ticket cache. This flag is used when the application
    is closing the PAM session after a fork to free memory resources, but
    doesn't intend to free resources external to the process because
    another process may still depend on them. Thanks to Andrew G. Morgan
    for the report. (GitHub #21)

    Stop attempting to guess the correct PAM module installation path on
    Linux systems when --prefix is set to /usr and instead document that
    --libdir will probably need to be set explicitly. The previous logic
    is now broken on Debian usrmerge systems and the guesswork seems too
    fragile to maintain.

    Update to rra-c-util 10.0:

    * Support Autoconf 2.71 without warnings.
    * Tests written in Perl now require Perl 5.10 or later.

pam-krb5 4.10 (2021-03-20)

    When re-retrieving the authenticated principal from the current cache,
    ensure the stored principal in the authentication context is always
    either valid or NULL. Otherwise, a failure of krb5_cc_get_principal
    could result in a double free. Thanks to Michael Muehle for the
    report.

    Update to rra-c-util 9.0:

    * Check that at least one Kerberos header file was found and works.
    * Use AS_ECHO in all Autoconf macros in preference to echo.
    * Fix portability of reallocarray on NetBSD systems.
    * Stop providing a replacement for a broken snprintf.

    Update to C TAP Harness 4.7:

    * Fix warnings with GCC 10.

pam-krb5 4.9 (2020-03-30)

    SECURITY: All previous versions of this module could overflow the
    buffer provided by the underlying Kerberos library for the response to
    a prompt by writing a single nul character past the end of the buffer.
    (CVE-2020-10595)

    Support use_pkinit with MIT Kerberos.
    (Debian Bug#871699)

    Reject passwords as long or longer than PAM_MAX_RESP_SIZE (normally
    512 octets), since extremely long passwords can be used for a denial
    of service attack via the Kerberos string to key function. Thanks to
    Florian Best for pointing out this issue and suggesting a good fix.

    Use explicit_bzero instead of memset, where available, to overwrite
    the memory used by PAM responses before freeing. This reduces the
    lifetime of passwords and other secrets in memory.

    Return more accurate errors from the Kerberos prompter function if it
    was unable to prompt for the password. This may translate into better
    debug log messages and, in some situations, returning the slightly
    more accurate PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR.

    Fix an edge-case memory leak in pam_chauthtok when prompting for a new
    password for an ignored user.

    Ensure the module/basic test will run properly when the system
    krb5.conf file does not specify a default realm. Reported by TBK.

    Update to rra-c-util 8.2:

    * Fix support for configuring the test suite with a krb5.conf file.
    * Drop support for Perl 5.6.
    * Reformat all C source using clang-format 10.
    * Remove bogus snprintf tests.
    * Fix misplaced va_end in the pam-util putil_log_failure function.
    * Skip checking for krb5-config on the path if a prefix was given.
    * Add SPDX-License-Identifier headers to all substantial source files.

    Update to C TAP Harness 4.6:

    * Fixed malloc error checking in bstrndup.
    * Fix (harmless) allocation error in runtests driver.
    * Add support for valgrind testing via test list options.
    * Report test failures as left and right, not wanted and seen.
    * Fix is_string comparisons involving NULL pointers and "(null)".
    * Add SPDX-License-Identifier headers to all substantial source files.
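
    The 4.9 entries on the prompt-response overflow (CVE-2020-10595), the
    PAM_MAX_RESP_SIZE limit, and wiping responses before freeing, shown as
    an added example that is not pam-krb5's own code. struct reply_buf,
    copy_flawed, copy_checked, wipe, and the canary byte are hypothetical
    names constructed here; copy_flawed shows one shape such an off-by-one
    can take, not the module's actual pre-4.9 code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RESP_SIZE 512 /* usual value of PAM_MAX_RESP_SIZE */
#define CANARY 0x7f
enum { COPY_OK = 0, COPY_TOO_LONG = -1 };

/* Constructed stand-in for a library-owned reply buffer: data points at
 * length writable bytes and the callee must stay inside them. */
struct reply_buf {
    size_t length;
    char *data;
};

/* Portable stand-in for explicit_bzero: the volatile pointer keeps the
 * compiler from discarding the stores as dead writes before free(). */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;

    while (n-- > 0)
        *v++ = 0;
}

/* Flawed check: a response exactly as long as the buffer passes, so the
 * terminator lands at data[length], one byte past the end. */
static int copy_flawed(struct reply_buf *reply, const char *resp)
{
    size_t len = strlen(resp);

    if (len > reply->length)
        return COPY_TOO_LONG;
    memcpy(reply->data, resp, len);
    reply->data[len] = '\0';
    reply->length = len;
    return COPY_OK;
}

/* Checked copy: stop scanning at MAX_RESP_SIZE, reject a response that long
 * or longer, and require room for the terminator inside the buffer. */
static int copy_checked(struct reply_buf *reply, const char *resp)
{
    size_t len = 0;

    while (len < MAX_RESP_SIZE && resp[len] != '\0')
        len++;
    if (len >= MAX_RESP_SIZE || len >= reply->length)
        return COPY_TOO_LONG;
    memcpy(reply->data, resp, len + 1);
    reply->length = len;
    return COPY_OK;
}

/* Copy into an 8-byte buffer followed by a canary byte that stands in for
 * adjacent library memory; return the canary afterwards. */
static unsigned char canary_after(int checked, const char *resp, int *status)
{
    char storage[9];
    struct reply_buf reply = { 8, storage };

    storage[8] = CANARY;
    *status = checked ? copy_checked(&reply, resp) : copy_flawed(&reply, resp);
    return (unsigned char) storage[8];
}

/* Offer an n-octet constructed password to copy_checked with a roomy
 * buffer, then wipe both copies before the memory is released. */
static int offer_password(size_t n)
{
    char out[1024];
    struct reply_buf reply = { sizeof(out), out };
    char *resp = malloc(n + 1);
    int status;

    if (resp == NULL)
        return COPY_TOO_LONG;
    memset(resp, 'a', n);
    resp[n] = '\0';
    status = copy_checked(&reply, resp);
    wipe(resp, n + 1);
    wipe(out, sizeof(out));
    free(resp);
    return status;
}

int main(void)
{
    int st;
    unsigned char c = canary_after(0, "12345678", &st);

    printf("flawed:  status %d, canary 0x%02x\n", st, c);
    c = canary_after(1, "12345678", &st);
    printf("checked: status %d, canary 0x%02x\n", st, c);
    printf("511 octets: %d\n", offer_password(511));
    printf("512 octets: %d\n", offer_password(512));
    return 0;
}
```
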

pam-krb5 4.8 (2017-12-30)

    When verifying that an expired password can still be used to get
    kadmin/changepw credentials, correctly set the credential options for
    getting password change credentials, not for getting initial
    credentials. This should fix password change issues when, for
    example, krb5.conf requests that all tickets be proxiable but
    kadmin/changepw doesn't allow proxiable credentials. Thanks to
    Florian Best for the bug report.

    When built against recent versions of Heimdal with richer status codes
    from PKINIT attempts, report to the user the reason for a PKINIT
    failure. Based on work by Henry Jacques.

    Document the test suite configuration files required to run the PKINIT
    tests.

    Fix expired password tests to work with Heimdal 7.0.1 and later.

    Better document that the default Kerberos library ticket cache
    location is not used (and why), and how to set configuration
    parameters in krb5.conf. Thanks, Matthew Gabeler-Lee. (Debian
    Bug#872943)

    Compile cleanly under GCC 7 and Clang warnings and Clang's static
    analyzer.

    Rename the script to bootstrap from a Git checkout to bootstrap,
    matching the emerging consensus in the Autoconf world.

    Update to rra-c-util 7.0:

    * Fix new warnings in GCC 7.
    * Support a warning build under Clang.
    * Avoid zero-length allocations in reallocarray and vector.
    * Probe for warning flags instead of hard-coding a list.
    * New test for obsolete URLs and email addresses.
    * Remove unused portable replacements for strlcpy and strlcat.
    * Use C_TAP_SOURCE and C_TAP_BUILD environment variables in tests.
    * Fix portability defines for anonymous principal strings.
    * Clear errno on pam_modutil_getpwnam to improve other testing.
    * Add portability defines for macOS's PAM implementation.
    * Add new Autoconf macro to probe for pam_strerror const usage.
    * Support Solaris 10's included Kerberos.

    Update to C TAP Harness 4.2:

    * Avoid zero-length allocations in breallocarray.
    * Add is_blob and is_bool functions.
    * Use C_TAP_SOURCE and C_TAP_BUILD environment variables in tests.
    * Fix segfault in runtests with an empty test list.
    * Display verbose test results with -v or C_TAP_VERBOSE.
    * Test infrastructure builds cleanly with Clang warnings.

pam-krb5 4.7 (2014-12-25)

    Add a no_update_user option that disables the normal update of the
    PAM_USER PAM variable after canonicalization of the username. When
    this is set, pam-krb5 will not convert full principal names to local
    usernames where possible for the rest of the PAM stack.

    Suppress spurious password prompt from Heimdal when authenticating
    with PKINIT.

    Map unknown realm errors from the Kerberos libraries to the PAM error
    code PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR.

    Treat a KRB5_GET_IN_TKT_LOOP error as an incorrect password. Heimdal
    KDCs sometimes return it, and Heimdal kinit treats it this way.
    Similarly, treat a KRB5_BAD_ENCTYPE error as an incorrect password,
    since this error is returned by a Heimdal 1.6-rc2 KDC for incorrect
    preauth from a MIT Kerberos 1.12.1 client.

    Add the version number at which each module option was added with its
    current meaning to the documentation.

    Update to rra-c-util 5.6:

    * Suppress warnings from Kerberos headers in non-system paths.
    * Fix probing for Heimdal's libroken to work with older versions.
    * Fix Kerberos header detection if root or include paths are given.
    * Pass --deps to krb5-config in the non-reduced-dependencies case.
    * Provide a reallocarray replacement for platforms without it.
    * Use reallocarray where appropriate.
    * Drop checks for NULL before freeing pointers.
    * Drop explicit pointer initialization to NULL and rely on calloc.
    * Check the return status of snprintf and vsnprintf properly.
    * Preserve errno if snprintf fails in vasprintf replacement.
    * Suppress a dummy symbol in the client library that could leak.
    * Fix syntax errors when building with a C++ compiler.
    * Avoid test suite failures where tested functions are macros.

    Update to C TAP Harness 3.2:

    * Reopen standard input to /dev/null when running a test list.
    * Don't leak extraneous file descriptors to tests.
    * Suppress lazy plans and test summaries if the test failed with bail.
    * bail and sysbail now exit with status 255 to match Test::More.
    * runtests now treats the command line as a list of tests by default.
    * The full test executable path can now be passed to runtests -o.
    * Improved harness output for tests with lazy plans.
    * Improved harness output to a terminal for some abort cases.
    * Flush harness output after each test even when not on a terminal.

pam-krb5 4.6 (2012-06-02)

    Add an anon_fast option that attempts anonymous authentication
    (generally implemented via anonymous PKINIT inside the Kerberos
    library) and then, if successful, uses those credentials for FAST
    armor. If fast_ccache and anon_fast are both specified, anonymous
    authentication will be used as a fallback if the specified FAST ticket
    cache doesn't exist. Based on patches from Yair Yarom.

    Add a user_realm option to only set the realm for unqualified user
    principals. This differs from the existing realm option in that realm
    also changes the default realm for authorization decisions and for
    verification of credentials. Update the realm option documentation to
    clarify the differences and remove incorrect information. Patch from
    Roland C. Dowdeswell.

    Add a no_prompt option to suppress the PAM module's prompt for the
    user's password and defer all prompting to the Kerberos library.
    This allows the Kerberos library to have complete control of the
    prompting process, which may be desirable if authentication mechanisms
    other than password are in use. Be aware that, with this option set,
    the PAM module has no control over the contents of the prompt and
    cannot store the user's password in the PAM data. Based on a patch by
    Yair Yarom.

    Add a silent option to force the module to behave as if the
    application had passed in PAM_SILENT and suppress text messages and
    errors from the Kerberos library. Patch from Yair Yarom.

    Add preliminary support for Kerberos trace logging via a trace option
    that enables trace logging if supported by the underlying Kerberos
    library. The option takes as an argument the file name to which to
    log trace output. This option does not yet work with any released
    version of Kerberos, but may work with the next release of MIT
    Kerberos.

    MIT Kerberos does not add a colon and space to its password prompts,
    but Heimdal does. pam-krb5 previously unconditionally added a colon
    and space, resulting in doubled colons with Heimdal. Work around this
    inconsistency by not adding the colon and space if already present.

    Fix alt_auth_map support to preserve the realm of the authentication
    identity when forming the alternate authentication principal, matching
    the documentation.

    Document that the alt_auth_map format may contain a realm to force all
    mapped principals to be in that realm. In that case, don't add the
    realm of the authentication identity. Note that this can be used as a
    simple way to attempt authentication in an alternate realm first and
    then fall back to the local realm, although any complex attempt at
    authentication in multiple realms should instead run the module
    multiple times with different realm settings.

    Avoid a NULL pointer dereference if krb5_init_context fails.

    Fix initialization of time values in the module configuration on
    platforms (like S/390X) where krb5_deltat is not equivalent to long.

    Close a memory leak when search_k5login is set but the user has no
    .k5login file.

    Close several memory leaks in alt_auth_map support.

    Suppress bogus error messages about unknown option for the realm
    option. The option was being parsed and honored despite the error.

    Retry authentication under try_first_pass on several other errors in
    addition to decrypt integrity check errors to handle a wider array of
    possible "password incorrect" error messages from the KDC.

    Update to rra-c-util 4.4:

    * Replacement strndup now works with non-nul-terminated strings.
    * New Kerberos test setup that simplifies writing tests.
    * Add -D_FORTIFY_SOURCE=2 to the make warnings flags.
    * Use --deps flag to krb5-config by default.
    * Suppress __alloc_size__ attribute with older versions of gcc.
    * Suppress attribute warnings for non-gcc compilers.

    Update to C TAP Harness 1.12:

    * Add bstrndup to the basic C TAP library.
    * Only use feature-test macros when requested or built with gcc -ansi.
    * New tests/tap/macros.h header with some common definitions.
    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell libtap.sh library.

pam-krb5 4.5 (2011-12-24)

    Suppress the notice that the password is being changed because it's
    expired if force_first_pass or use_first_pass is set in the password
    stack, indicating that it's stacked with another module that's also
    doing password changes. This is arguable, but without this change the
    notification message of why the password is being changed shows up
    confusingly in the middle of the password change interaction. Based
    on a patch by William Yang.

    Some old versions of Heimdal (0.7.2 in OpenBSD 4.9, specifically)
    reportedly return KRB5KDC_ERR_KEY_EXP for accounts with expired
    keys even if the supplied password is wrong. Work around this by
    confirming that the PAM module can obtain tickets for kadmin/changepw
    before returning a password expiration error instead of an invalid
    password error. Based on a patch by William Yang.

    The location of the temporary root-owned ticket cache created during
    the authentication process is now also controlled by the ccache_dir
    option (but not the ccache option) rather than forced to be in /tmp.
    This will allow system administrators to configure an alternative
    cache directory so that pam-krb5 can continue working when /tmp is
    full.

    Report more specific errors in syslog if authorization checks (such as
    .k5login checks) fail.

    Pass a NULL principal to krb5_set_password with MIT client libraries
    to prefer the older change password protocol for compatibility with
    older KDCs. This is not necessary on Heimdal since Heimdal's
    krb5_set_password tries both protocols.

    Improve logging and authorization checks when defer_pwchange is set
    and a user authenticates with an expired password.

    When probing for Kerberos libraries, always add any supplemental
    libraries found to that point to the link command. This will fix
    configure failures on platforms without working transitive shared
    library dependencies.

    Close some memory leaks where unparsed Kerberos principal names were
    never freed.

    Restructure the code to work with OpenPAM's default PAM build
    machinery, which exports a struct containing module entry points
    rather than public pam_sm_* functions. Thanks to Fredrik Pettai for
    the information.

    In debug logging, report symbolic names for PAM flags on PAM function
    entry rather than the numeric PAM flags.
    This helps with automated testing and with debugging PAM problems on
    different operating systems.

    Include <krb5/krb5.h> if <krb5.h> is missing, which permits finding
    the header file on NetBSD systems. Thanks to Fredrik Pettai for the
    report.

    Replace the Kerberos compatibility layer with equivalent but
    better-structured code from rra-c-util 4.0.

    Avoid krb5-config and use manual library probing if --with-krb5-lib or
    --with-krb5-include were given to configure. This avoids having to
    point configure at a nonexistent krb5-config to override its results.

    Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in
    configure, to avoid a conflict with the variable used by the Kerberos
    libraries to find krb5.conf.

    Change references to Kerberos v5 to just Kerberos in the
    documentation. Kerberos v5 has been the default version of Kerberos
    for over ten years now.

    Update to rra-c-util 4.0:

    * Add notices to all files copied over from rra-c-util.
    * Include strings.h for additional POSIX functions where found.
    * Fix detection of whether PAM uses const on FreeBSD.
    * Update warning flags for make warnings for GCC 4.6.1.
    * Limit symbol exports even on systems without GNU ld.
    * Fix replacement mkstemp to use long long where available.
    * Improve stripping of /usr/include from krb5-config results.
    * Use issetugid where available, not the misnamed issetuidgid.

    Update to C TAP Harness 1.9:

    * Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
    * Fix runtests to honor -s even if BUILD and -b aren't given.
    * Add test_tmpdir and test_tmpdir_free to TAP library.
    * runtests now frees all allocated resources on exit.

pam-krb5 4.4 (2010-12-31)

    Do not prompt for a password when try_pkinit is set and the module is
    built against MIT Kerberos.
    This fixes a spurious password prompt introduced in 4.1, but partly
    reintroduces the bug fixed in 4.1 where the user's password is not
    saved in the PAM data if the authentication falls back to password
    when PKINIT fails. This requires more work to fix and will be
    addressed in a subsequent release. Thanks to Бранко Мајић (Branko
    Majic) for the report.

    Reorganize the configuration section of the pam_krb5 man page to
    divide the many PAM module options into sections.

    When probing for <ibm_svc/krb5_svc.h> (part of AIX's bundled Kerberos
    implementation), include <krb5.h> before attempting to include that
    header to quiet confusing Autoconf warnings. Reported by Wilfried
    Weiss.

    Update to rra-c-util 3.0:

    * Fix compilation of the replacement snprintf for old systems.
    * Look for krb5-config in /usr/kerberos/bin for Red Hat systems.
    * Fix compilation with OpenBSD's Heimdal without separate libroken.

pam-krb5 4.3 (2010-06-09)

    Add a fast_ccache option that, if set, points to a Kerberos ticket
    cache used for Flexible Authentication Secure Tunneling (FAST) to
    protect the authentication. FAST is a mechanism to protect Kerberos
    against password guessing attacks and provide other security
    improvements. This option is only available when built against
    Kerberos libraries with FAST support (currently only MIT Kerberos 1.7
    or later). Patch from Sam Hartman.

    Fix error in freeing a previous alt_auth_map setting when parsing
    configuration options. Patch from Sam Hartman.

    Fix the linker flags for Solaris with the native compiler. Thanks,
    Kevin Sumner.

pam-krb5 4.2 (2009-11-25)

    Add a new fail_pwchange option, which suppresses password changes for
    expired passwords and treats expired passwords the same as incorrect
    passwords.

    Include all the new header files from the portability code so that
    it will actually compile on non-Linux platforms.

pam-krb5 4.1 (2009-11-20)

    Return PAM_SUCCESS, not PAM_USER_UNKNOWN, for ignored users in
    pam_setcred. It's safe to return success when doing nothing in
    pam_setcred because the stack has already been frozen after the
    authentication step, and returning an error causes the stack to fail
    on some other Linux PAM implementations. Thanks, Ian Ward Comfort.

    In the second pass through the password group, prompt for the new
    password and store it in the PAM data even if the user is being
    ignored. This is required to allow this module to be stacked with
    another module that uses use_authtok. Without this behavior, the
    second module won't be able to work for any ignored user since it will
    see no saved password and use_authtok will reject the password change.

    Fix return status from pam_sm_acct_mgmt if we were unable to retrieve
    PAM_USER.

    Log successful authentications to syslog with priority LOG_INFO,
    including the Kerberos principal used for authentication.

    Log failed authentication to syslog with priority LOG_NOTICE,
    including roughly the same additional information that the Linux PAM
    pam_unix logs by default.

    Use pam_syslog for logging where available. This means pam-krb5 log
    messages will look like all other log messages for Linux PAM modules
    on Linux. Change the format of log messages on all platforms to
    hopefully be somewhat clearer.

    Rationalize logging. The module should now follow the recommendations
    of the Linux PAM Module Writers' Guide for log levels. More errors
    are logged at LOG_ERR instead of LOG_DEBUG, and system resource errors
    are now logged at LOG_CRIT instead of LOG_ERR.

    Add additional error and debug logging in places where significant
    actions or failures may happen without previously being logged. Also
    add failure information from PAM or Kerberos libraries to messages
    where appropriate.

    Add replacement snprintf, vsnprintf, and mkstemp functions for
    pointless portability to ancient systems.

pam-krb5 4.0 (2009-11-13)

    UPGRADE WARNING: If you were using pam_krb5 with the use_authtok
    parameter in the password group, you will need to add use_first_pass
    to your configuration to keep the same behavior. See below for
    details.

    UPGRADE WARNING: If you used the use_authtok parameter in the
    authentication group, you should change it to force_first_pass.

    Previous versions of this module incorrectly implemented the standard
    use_authtok parameter. use_authtok applies only to the password group
    and says to use the new password stored in the PAM data rather than
    prompting for a new password. It doesn't imply anything about where
    to obtain the old password, but it was implemented as requiring both
    the old and new password be in the PAM stack already. This doesn't
    work when stacked with pam_cracklib. Change use_authtok to have the
    correct meaning, which means that password group configurations may
    need to add use_first_pass to use_authtok to get the desired behavior.

    use_first_pass and try_first_pass no longer affect how the new
    password is obtained during password changes. To use a password
    obtained by a previous module, use use_authtok instead.

    A new option, force_first_pass, is now supported for both the
    authentication and password groups. It tells the module to always get
    the user's current password from the PAM data and fail without
    prompting if it isn't already set. This is the meaning that
    use_authtok previously had for the current password.

    use_authtok no longer has any meaning for the authentication stack.
    Use force_first_pass instead, which does the same as use_authtok used
    to do. use_authtok will be temporarily converted to force_first_pass
    in the authentication group and log a diagnostic, but this will be
    removed in the future.

    Stop returning PAM_IGNORE from pam_setcred if the user is ignored or
    didn't log in via Kerberos and instead return PAM_USER_UNKNOWN. This
    fixes problems with the Linux PAM library where returning PAM_IGNORE
    would cause pam_setcred to fail even if other modules succeeded.
    Since pam_authenticate never returned PAM_IGNORE, this change should
    not cause any differences in behavior.

    Do not use issetugid on Solaris to determine when to avoid refreshing
    the ticket cache named in KRB5CCNAME during pam_setcred. Instead,
    compare effective and real UID and GID and permit KRB5CCNAME to be
    trusted if they match. This allows setuid screensavers on Solaris to
    refresh ticket caches and makes behavior on Solaris match other
    platforms. Using issetugid is arguably safer since it protects
    programs that switch users via setuid to a user other than the calling
    user but still should not trust the original environment, but such
    programs are rare in the PAM context and should not be calling
    pam_setcred anyway unless the calling user is permitted to generally
    act as the target user. Thanks, William Yang.

    Do the same logging in pam_sm_open_session and pam_sm_close_session as
    we do with the other functions. This will mean pam_sm_open_session
    calls will be logged as pam_sm_open_session, not as pam_sm_setcred as
    before.

    pam-krb5 is now built using Automake and Libtool to bring it more in
    line with other software packages. This means that it now relies on
    Libtool to know how to generate a loadable module rather than
    hand-configured linker rules.
    This may improve portability on some platforms and may hurt it on
    other platforms.

    If configured with a prefix of /usr on Linux, use /lib, /lib32, or
    /lib64 as an installation path based on the size of an integer in the
    compilation environment rather than based on known 64-bit Linux
    variants.

    Update to rra-c-util 2.0:

    * Sanity-check the results of krb5-config before proceeding.
    * Fall back on manual probing if krb5-config results don't work.
    * Don't break if the user clobbers CPPFLAGS at build time.

pam-krb5 3.15 (2009-07-21)

    Fix a segfault (null pointer dereference) if pam-krb5 is configured
    with use_first_pass or use_authtok and there is no password stored in
    the PAM stack. Thanks to Jonathan Guthrie for the bug report.

pam-krb5 3.14 (2009-07-18)

    Return PAM_IGNORE instead of PAM_PERM_DENIED from pam_chauthtok for
    ignored users. This allows making the Kerberos PAM module mandatory
    for password changes and still falling back to other PAM modules for
    ignored users. Thanks, Steve Langasek.

    Always treat the empty password as an authentication failure rather
    than passing it to the Kerberos libraries. The Kerberos libraries
    may treat it as equivalent to no password and prompt for a password
    without our knowledge, leading to the user authenticating with a
    different password than the one stored in the PAM stack. This could
    cause unexpected problems with some PAM configurations. It's safer
    to make the assumption that the empty password is always invalid and
    reject it outside of the Kerberos libraries. Thanks, Sanjay Sha.

    Fix error handling if ticket cache initialization fails.
    Authentication will still fail, but this avoids a segfault from a
    double-free of the ticket cache structure. The most common cause of
    this problem was having the attempt to initialize the ticket cache
    be blocked by AppArmor.
    Thanks to Alex Mauer for the report.

    Call krb5_free_error_string correctly, fixing a portability issue
    when building against Heimdal. Thanks, Andrew Drake.

    Work around a deficiency in pam_putenv on FreeBSD 7.2 that doesn't
    allow deleting environment variables, only setting them to empty
    values. Thanks, Andrew Elble.

pam-krb5 3.13 (2009-02-11)

    SECURITY: When built against MIT Kerberos, if pam_krb5 is called in a
    setuid context (effective UID or GID doesn't match the real UID or
    GID), use krb5_init_secure_context instead of krb5_init_context. This
    ignores environment variable settings for the local Kerberos
    configuration and keytab. Previous versions could allow a local
    attacker to point a setuid program that used PAM authentication at a
    different Kerberos configuration under the attacker's control,
    possibly resulting in privilege escalation. Heimdal handles this
    logic within the Kerberos libraries and therefore was not affected.
    (CVE-2009-0360)

    SECURITY: Disable pam_setcred(PAM_REINITIALIZE_CREDS) for setuid
    applications. If pam_krb5 detects this call in a setuid context, it
    now logs an error and returns success without doing anything. Solaris
    su calls pam_setcred with that option rather than PAM_ESTABLISH_CREDS
    after authentication and without wiping the environment, leading
    previous versions of pam_krb5 to trust the KRB5CCNAME environment
    variable for the ticket cache location. This permitted an attacker to
    use previous versions of pam_krb5 to overwrite arbitrary files with
    Kerberos credential caches that were left owned by the attacker.
    Setuid screen lock programs may also be affected. Discovered by Derek
    Chan and reported by Steven Luo. Thanks to Sam Hartman and Jeffrey
    Hutzelman for additional analysis.
    (CVE-2009-0361)

    If a prefix of /usr is requested at configure time, install the PAM
    module into /lib/security or /lib64/security on Linux, matching the
    standard Linux-PAM module location. Use lib64 instead of lib on
    64-bit SPARC, PowerPC, and S390 Linux as well as x86_64. Patch from
    Peter Breitenlohner.

    Fix a build problem when builddir != srcdir introduced in 3.11. Patch
    from Peter Breitenlohner.

    Add support for the old Heimdal krb5_get_error_string interface.
    Thanks, Chaskiel Grundman.

    Add --with-krb5-include and --with-krb5-lib configure options to allow
    more specific setting of paths if necessary.

    If krb5-config isn't available, attempt to determine if the library
    directory for the Kerberos libraries is lib32 or lib64 instead of lib
    and set LDFLAGS accordingly. Based on an idea from the CMU Autoconf
    macros.

pam-krb5 3.12 (2008-11-13)

    Add alt_auth_map configuration option, which allows mapping of
    usernames to alternative Kerberos principals, useful primarily for
    using particular instances for access to a given PAM-authenticated
    service. Also added force_alt_auth and only_alt_auth options to
    control when alternative Kerberos principals are used. Patch from
    Booker Bense.

    Fix incorrect error handling for bad .k5login ownership when
    search_k5login is set, leading to a NULL pointer dereference and a
    segfault. Thanks, Andrew Deason.

    Fix double-free of the ticket cache structure if creation of the
    ticket cache in the session module fails. Thanks, Jens Jorgensen.

    Log all syslog messages to LOG_AUTHPRIV, or LOG_AUTH if the system
    doesn't define LOG_AUTHPRIV. Thanks, Mark Painter.

    Fix portability to AIX's bundled Kerberos. Thanks, Markus Moeller.

    When debugging is enabled, log an exit status of PAM_IGNORE as ignore
    rather than failure.

    Document that pam-krb5 must be listed in the session group as well as
    the auth group for interactive logins or OpenSSH won't set up the
    user's credential cache properly.

    Document adding ignore=ignore to complex [] action configuration for
    the session and account groups since the module now returns PAM_IGNORE
    instead of PAM_SUCCESS for accounts that didn't use Kerberos.

pam-krb5 3.11 (2008-07-10)

    pam_setcred, pam_open_session, and pam_acct_mgmt now return PAM_IGNORE
    for ignored users or non-Kerberos logins rather than PAM_SUCCESS.
    This return code tells the PAM library to continue as if the module
    were not present in the configuration and allows sufficient to be
    meaningful for pam-krb5 in account and session groups.
    pam_authenticate continues to return failure for ignored users;
    PAM_IGNORE would arguably be more correct, but increases the risk of
    security holes through incorrect configuration.

    Support correct password expiration handling according to the PAM
    standard (returning success from pam_authenticate and an error from
    pam_acct_mgmt and completing the authentication after pam_chauthtok).
    This is not the default since it opens security holes with broken
    applications that don't call pam_acct_mgmt or ignore its exit status.
    To enable it, set the PAM option defer_pwchange for applications known
    to make the correct PAM calls and check return codes.

    Add a new option to attempt change of expired passwords during
    pam_authenticate if Kerberos authentication returns a password expired
    error. Normally, the Kerberos library will do this for you, but some
    Kerberos libraries (notably Solaris) disable that code. This option
    allows simulation of the normal Kerberos library behavior on those
    platforms.

    Work around an apparent Heimdal bug when krb5_free_cred_contents is
    called on an all-zero credential structure.
    It's not clear what's going on here and the Heimdal code looks
    correct, but avoiding the call fixes the problem.

    Warn if more than one of use_authtok, use_first_pass, and
    try_first_pass is set and use the strongest of the ones set.

    Remove the workaround for versions of MIT Kerberos that didn't
    initialize a krb5_get_init_creds_opt structure on opt_alloc. This bug
    was only present in early versions of 1.6; the correct fix is to
    upgrade.

    Add an additional header check for AIX's bundled Kerberos.

    If KRB5_CONFIG was explicitly set in the environment, don't use a
    different krb5-config based on --with-krb5. If krb5-config isn't
    executable, don't use it. This allows one to force library probing by
    setting KRB5_CONFIG to point to a nonexistent file.

    Sanity-check the results of krb5-config before proceeding and error
    out in configure if they don't work.

    For Kerberos libraries without krb5-config, also check for networking
    libraries (-lsocket and friends) before checking for Kerberos
    libraries in case shared library dependencies are broken.

    Fix Autoconf syntax error when probing for libkrb5support. Thanks,
    Mike Garrison.

    Set an explicit visibility of hidden for all internal functions at
    compile time if gcc is used to permit better optimization. Hide all
    functions except the official interfaces using a version script on
    Linux. This protects against leaking symbols into the application
    namespace and provides some mild optimization benefit.

    Fix the probing of PAM headers for const on Mac OS X. This will
    suppress some harmless compiler warnings there. Thanks, Markus
    Moeller.

pam-krb5 3.10 (2007-12-28)

    The workaround for krb5_get_init_creds_opt_alloc problems in MIT
    Kerberos 1.6 broke PKINIT support with Heimdal. Only apply that
    workaround when building against the MIT Kerberos libraries.
    Thanks to Jaakko Pero for the detailed report.

    If no_ccache is set, always exit successfully from pam_setcred or
    pam_open_session, even if we couldn't retrieve module data. Thanks,
    Markus Moeller.

    When keytab is set, properly handle failure to create a keytab cursor
    and don't assume that the cursor is valid. Thanks, Markus Moeller.

    Define _ALL_SOURCE on AIX to get prototypes for snprintf.

    Add additional portability glue and Autoconf probes to support
    building against the version of Kerberos bundled with AIX. Support
    for this should be considered alpha in this release. Thanks to Markus
    Moeller for the initial patch.

pam-krb5 3.9 (2007-11-12)

    If use_authtok is set, fail even if we can retrieve the stored PAM
    password if that password is set to NULL. Apparently that can happen
    in some cases, such as with pam_cracklib. Thanks to Christian Holler
    for the diagnosis and a patch.

    Add a new clear_on_fail option for the password group. If set, when a
    password change fails, set PAM_AUTHTOK to NULL so that subsequent
    modules in the PAM stack with use_authtok set will also fail. Just
    returning failure doesn't abort the stack on the second pass when
    actual password changes are made. This is not the default since it
    interferes with other desirable PAM configurations. It's useful
    primarily when using the PAM stack to synchronize passwords between
    multiple environments. Thanks to Christian Holler and Tomas Mraz for
    the analysis.

    Fix portability issues with Heimdal, versions of PAM that don't
    provide pam_modutil_getpwnam, and compiler warnings when building
    PKINIT support. Thanks, Martin von Gagern.

    Fix parsing of the keytab PAM option. Thanks, Markus Moeller.

    Return PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR when unable to
    resolve the Kerberos realm. Thanks, Frank Cornelissen.

    Add a new debugging section to the README.

pam-krb5 3.8 (2007-09-30)

    krb5_get_init_creds_opt_alloc doesn't initialize the returned
    structure with the default flags in MIT Kerberos 1.6, which meant that
    users with expired passwords were not being prompted to change their
    password but just rejected. Fixed by always calling _init before
    setting the credential flags, regardless of the provenance of the opt
    structure. Thanks, Michael Richters.

    Fix configure and Makefile glue so that Mac OS X and HP-UX have a
    chance of working (still untested).

    Add a make warnings target with aggressive gcc warning options. Treat
    negative minimum UIDs as zero so that UID comparisons can always be
    done unsigned. Add casts and unused attributes as needed.

pam-krb5 3.7 (2007-09-29)

    If given an explicit keytab path to use for credential verification,
    use the first principal found in that keytab as the principal for
    verification rather than the library default (which is normally the
    host/* principal for the local system and may not be found in that
    keytab).

    When authenticating, don't store our context data until after
    authentication has succeeded. Otherwise, we may destroy the ticket
    cache of a previous successful authentication. This bug would only
    affect configurations where pam_krb5 was run multiple times with
    different settings, such as multiple realms. Thanks to Dave Botsch
    for the report.

    Use pam_modutil_getpwnam instead of getpwnam if available for better
    thread safety.

    Don't store PAM data unless we're saving a ticket cache. All that
    other calls use it for is to find the ticket cache, so without a cache
    it's pointless and means we run the risk of stomping on ourselves in
    multithreaded programs.

    Still canonicalize the PAM user before returning when not saving a
    ticket cache.

    Fix determination of linker flags on non-x86_64 Linux. Always link
    with -fPIC when using GCC, just in case.

    Add compilation options for Mac OS X and HP-UX (untested).

    Use pam_krb5 instead of ctx for our PAM data name to reduce the
    chances of collision.

pam-krb5 3.6 (2007-09-18)

    When the local user doesn't exist and search_k5login is enabled, fall
    back to simple Kerberos authentication just as if the account existed
    with no .k5login file. This avoids trying to verify an all-zero
    credentials structure, which led to non-exploitable segfaults on
    x86_64 systems. Be more careful in general about setting error codes
    in the search_k5login implementation.

    Explicitly clear the forwardable and proxiable options and don't ask
    for renewable tickets when getting a ticket for the password changing
    service. Otherwise, system-wide defaults and PAM configuration will
    apply to those tickets as well and the resulting ticket request may be
    rejected based on KDC configuration. Based on a patch by Sergio
    Gelato.

    Do username canonicalization earlier so that .k5login checking and
    similar work uses the correct username but only change the PAM
    username if authentication succeeds. Document that username
    canonicalization won't work with unmodified OpenSSH and with several
    common PAM modules. Thanks to R. Scott Bailey for the bug report and
    analysis.

    Add a prompt_principal option which, if set, causes the PAM module to
    prompt the user for the Kerberos principal to use for authentication
    before prompting for the password.

    Try to determine whether the PAM headers use const in the prototypes
    of such things as pam_get_item and adjust accordingly. This should
    address most compiler warnings on Solaris. Thanks, Markus Moeller.

    Change lib to lib64 on x86_64 Linux to allow for the magical $ISA
    parameter in Red Hat's PAM configuration.
    Hopefully this won't cause problems elsewhere.

    Support DESTDIR for make install.

pam-krb5 3.5 (2007-04-10)

    Don't try to chown non-FILE ticket caches, which among other things
    breaks using pam-krb5 with Heimdal KCM caches. Thanks, Jeremy
    Jackson.

    When logging session deletion via pam_setcred or pam_close_session,
    don't look for the username in the PAM context after it's been freed.
    Thanks, Markus Moeller.

    Map more Kerberos status codes to PAM status codes for authentication
    errors.

pam-krb5 3.4 (2007-01-28)

    More compilation fixes for Heimdal 0.7, which has a pkinit function
    but takes a different number of arguments. Thanks, Morgan LEFIEUX.

    Never call error_message directly on Heimdal. krb5_get_err_text can
    cope with a NULL context and krb5-config on Heimdal doesn't include
    -lcom_err.

    Handle a NULL return from krb5_get_error_message, since that seems
    possible in some edge cases.

    Call krb5_get_error_message on Heimdal as well if it's available,
    since it's supported by the 0.8 release candidates.

pam-krb5 3.3 (2007-01-24)

    Support the new MIT Kerberos error message functions.

    Fix compilation errors in the Heimdal PKINIT support and don't be
    confused by a similar function in the MIT Kerberos PKINIT branch.
    Thanks to Douglas E. Engert for the testing and patch.

    Fix compilation errors with Heimdal 0.7, which has some of the PKINIT
    functions but doesn't define the same error codes. Thanks, Morgan
    LEFIEUX.

    Initial support for the MIT Kerberos PKINIT branch, which uses a
    different mechanism for configuring PKINIT support than Heimdal. Also
    support configuration of general preauth parameters for the MIT
    preauth plugin system via the preauth_opt option. Thanks to Douglas
    E. Engert for the initial patch.

    If use_pkinit is set in the PAM configuration and PKINIT isn't
    available or cannot be forced, always fail authentication.

pam-krb5 3.2 (2007-01-16)

    This release fixes numerous bugs all identified by Douglas E. Engert
    while testing with Heimdal and PKINIT support. Thank you!

    Rewrite the code to drop the credlist data structure since we only
    ever have one set of credentials, allocate new krb5_creds objects, and
    do proper memory management, which should plug some memory leaks of
    the contents of krb5_creds objects.

    Probe for the correct Heimdal function to set default initial
    credential options.

    Prefix the default cache path with "FILE:" to make the cache type
    explicit.

    Fix installation of the manual page when building from a different
    directory than the source directory.

    Fix several compilation errors with the PKINIT support with Heimdal
    0.8rc1 or later. This code should still be considered alpha-quality.

pam-krb5 3.1 (2007-01-03)

    Fix an infinite loop with failed Kerberos authentication and a doubled
    colon that causes a syntax error with some compilers. Thanks, Markus
    Moeller.

    Move the check for users we should ignore to pam_sm_authenticate
    from pamk5_password_auth so that it's consistently done in the API
    function. This also avoids bogus log messages when authenticating as
    an ignored user with debug enabled.

pam-krb5 3.0 (2006-12-18)

    Add preliminary PKINIT support, contributed by Douglas E. Engert.
    I reorganized and refactored the code extensively and it therefore may
    not compile; until it has received more testing, it should be
    considered alpha-quality. Currently, PKINIT support requires Heimdal
    0.8rc1 or later.

    Add a keytab configuration option to use a different keytab for
    initial credential validation.

    Add a ticket_lifetime configuration option to set the lifetime of
    obtained credentials.

    Add the banner and expose_account configuration options, which control
    the prompts for authentication and password changing. Provide more
    informative prompts when changing passwords.

    Work around a bug in MIT Kerberos prior to 1.4 causing the library to
    cache the default realm and assume a particular realm even if the
    default realm is later changed. This bug prevented running two
    instances of pam-krb5 with different realm settings in the same PAM
    stack. Thanks, Dave Botsch.

    Honor PAM_SILENT when the Kerberos library prompts for more
    information, passing to the application only prompts.

    If PAM_USER is set to a fully-qualified principal that the Kerberos
    library can map to a local account name, reset PAM_USER to that local
    account name after authentication.

    Avoid memory leaks in the Kerberos prompter by freeing the PAM
    response strings. We were already doing this elsewhere and the world
    didn't end, so assume that it's safe for the PAM module to do this.
    Also avoid memory leaks in some unusual error conditions.

    Return unknown user rather than internal error when attempting
    authentication of a user we're supposed to ignore.

    When debug is enabled, report the principal for which we're attempting
    authentication to help catch realm configuration errors.

    Document the broken behavior of old versions of OpenSSH, which tell
    PAM to refresh credentials rather than opening a session. Thanks,
    Michael C. Garrison.

    Add a link to the distribution page to the pam-krb5 man page.

    Extensive refactoring and reorganization of the code.

pam-krb5 2.6 (2006-11-28)

    Don't assume the pointer set by pam_get_user is usable over the life
    of the PAM module; instead, save a local copy.

    Avoid a use of already freed memory when debugging is enabled.

    Use __func__ instead of __FUNCTION__ and provide a fallback for older
    versions of gcc and for systems that support neither. Should fix
    compilation issues with Sun's C compiler.

    On platforms where we know the appropriate compiler flags, try to
    build the module so that symbols are resolved within the module in
    preference to any externally available symbols. Also add the
    hopefully correct compiler flags for Sun's C compiler.

pam-krb5 2.5 (2006-11-03)

    Don't free the results of pam_get_item(PAM_AUTHTOK) when changing
    passwords. Thanks, Arne Nordmark.

    Be a bit more thorough when checking authorization in
    pam_sm_acct_mgmt. Re-retrieve the value of user in case the
    application changed it, and if we have a ticket cache (we may not even
    after a successful authentication if no_ccache was specified),
    retrieve the principal from it rather than using the principal from
    the context.

    Overwrite passwords with 0 before freeing them, just out of paranoia
    (and because PAM also does this internally).

pam-krb5 2.4 (2006-10-05)

    Fix compilation problems with Heimdal. Thanks, Matthijs Mohlmann and
    Douglas Engert.

    Check for memory allocation failures when parsing PAM options rather
    than segfaulting.

    Fix several places where an uninitialized context could have been
    passed into the argument parsing function.

    Refactor the code to read configuration from krb5.conf to be easier
    to read and understand. Parse renew_lifetime immediately and always
    report an error rather than deferring time parsing until acquiring
    tickets.

    Log errors (not just authentication failures) at the LOG_ERR level
    to match (some of) the recommendations of the Linux PAM documentation.

    Log an error when an unknown option is passed via the PAM
    configuration.

pam-krb5 2.3 (2006-09-03)

    Fix the interface between the Kerberos prompting function and the
    PAM conversation function on Linux. Prior to this fix, the PAM module
    would only work on Solaris if Kerberos passed multiple prompts, which
    happens when an account requires a password change. Solaris and Linux
    PAM implementations expect a different structure of pam_message
    structs in the conversation function; use a workaround to cater to
    both of them. Based on a patch by Joachim Keltsch.

    Implement retain_after_close, which specifies that the PAM module
    should never destroy the user's ticket cache, even on session end.

    Adjust for the differences in Solaris's PAM libraries: Include
    pam_appl.h everywhere for structure and type definitions, and add
    portability workarounds for the return statuses missing from the
    Solaris implementation.

pam-krb5 2.2 (2006-08-28)

    Allow the default realm to be overridden in the PAM options.

    Use the realm, default or otherwise, when reading options from
    krb5.conf so that realm-specific sections in [appdefaults] work
    correctly.

    Update the build and installation documentation for the new
    Autoconf-based build system. This should have been in the last
    release but was missed.

    Initialize ticket options correctly when built with Heimdal.

    Fix a typo that caused the Heimdal support not to compile. Thanks,
    Matthijs Mohlmann.

pam-krb5 2.1 (2006-08-26)

    Strip off a FILE: prefix from the cache path before creating it in
    case the user set ccache or ccache_dir with a cache type prefix.
    Thanks to Björn Torkelsson for the patch.

    Added an Autoconf script to distinguish between Heimdal and MIT
    Kerberos and take care of other portability issues.
    Rewrote the Makefile accordingly.

    Added portability and error reporting fixes for Heimdal, thanks to
    Matthijs Mohlmann.

pam-krb5 2.0 (2006-08-11)

    Always use a disk cache for temporary storage of credentials between
    authentication and setcred or session initialization. This allows the
    module to work correctly with OpenSSH ChallengeResponseAuthentication.

    Add support for some PAM options that were supported by the
    Sourceforge K5 PAM module, most notably minimum_uid and
    renew_lifetime.

    Support setting many PAM options from krb5.conf as well as on the PAM
    command line, using the same application section as the Sourceforge
    PAM module. Use the profile reading functions provided by the
    Kerberos libraries.

    Add support for use_authtok, which is like use_first_pass except that
    it will never prompt even if no password is currently set.

    Add a search_k5login option to check the user's password against every
    principal listed in .k5login, to support use of this module to
    authenticate user access to shared accounts.

    Add an ignore_k5login option that bypasses all checks of .k5login
    files entirely and relies solely on krb5_aname_to_localname checks.

    Re-add the ccache option to specify the exact file name of the ticket
    cache, and allow for randomization using mkstemp even when this option
    is used.

    Only call krb5_kuserok (the .k5login check) when the account to which
    the user is authenticating is a local account. It's up to the
    application to handle authorization checks for non-local accounts.

    Support preliminary checks for password changing by using that to
    obtain the user's current credentials.
    Correctly handle saved passwords from previous authentications or
    password changes when changing passwords, and correctly set the saved
    passwords for subsequent password changes in the PAM stack.

    Only initialize the ticket cache once, no matter how many times
    setcred is called. This saves duplicate work and works around a bug
    in X.org xdm that otherwise causes it to lose the PAM environment.

    When reinitializing a ticket cache, never reinitialize the temporary
    cache created by the authentication call. Instead, fall back to the
    default ticket cache name if KRB5CCNAME isn't set.

    Improve support for no_ccache. Now, it doesn't even generate a
    temporary ticket cache during authentication but only uses an
    in-memory credential list.

    Do user ticket validation using the standard Kerberos library call
    rather than rolling our own code. This means that the user can now
    set options in krb5.conf to control whether that call should fail if
    the local keytab isn't readable or contains no usable keys.

    Completely rewrite the man page. Clean it up and make it more
    readable and fully document all of the options. Also rewrite the
    README file and clean up the rest of the package documentation.

    Don't create a ticket cache until after successful authentication.

    Understand the FILE: prefix to Kerberos ticket cache names and compare
    and chown ticket caches properly with that prefix.

    Add a trailing nul to the password in the Kerberos prompter function,
    since some code relies on it being there.

    Review the return status of each PAM function and ensure that we only
    return failure statuses that are supported for that function.

    Rename all internal functions with a pamk5_* prefix to avoid
    conflicting with any application or system library functions.

    Eliminate global variables in the PAM module and do a better job at
    cleaning up memory usage. There are still a few places where the PAM
    conversation functions may leak memory due to an incomplete
    specification in the PAM API on who should free what memory.

    The logging messages produced when debug is set should now be more
    consistent and more complete.

pam-krb5 1.2 (2005-09-27)

    Don't reinitialize the ticket cache if the old and new cache have the
    same name, since otherwise we end up destroying it.

    Always set KRB5CCNAME, even when reinitializing.

    When reinitializing, look for the ticket cache in the saved context
    even if KRB5CCNAME isn't set. OpenSSH calls it this way.

    Drop the ccache option and add ccache_dir instead, which only
    specifies the directory for ticket caches and is therefore easier to
    implement.

pam-krb5 1.1 (2005-08-31)

    Add support for reinitialization/refreshing of credentials in
    pam_sm_setcred.

    Set PAM_AUTHTOK and PAM_OLDAUTHTOK when authenticating to better
    support stacking this module with others.

    Add an ignore_root option to not do anything when the account to which
    the user is authenticating is root. This allows one to log in via
    console as root even when the network is down (thereby breaking the
    PAM module in ways that login doesn't like due to timeouts in the
    Kerberos libraries).

    Store the entire context structure in PAM's memory rather than just
    the name of the ticket cache so that we can pass around more data to
    ourselves.

    Bring errors more in line with the official PAM specification.

    Move prompt generation into the PAM module rather than letting the
    Kerberos library generate the prompt. This way we don't leak
    principal information to the caller, and the non-standard prompt also
    broke some applications like gksudo.

    Support session management and destruction of the ticket cache on
    close of session.

    Don't require that the user have a local account on the system.

    Include the user UID in the default ticket cache name so that rpc.gssd
    and similar programs can find it.
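
Added example (not part of the pam-krb5 distribution or its documentation): a simplified C model of the Linux-PAM required and sufficient control flags, showing why the 3.11 change from PAM_SUCCESS to PAM_IGNORE matters in the account group. The two-module stack, the expired local account and the reduced set of return codes are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Module return codes used by this model (values are local to the example). */
enum rc { PAM_SUCCESS, PAM_IGNORE, PAM_ACCT_EXPIRED, PAM_PERM_DENIED };
enum control { REQUIRED, SUFFICIENT };
enum impression { UNDEFINED, POSITIVE, NEGATIVE };

struct module {
    const char *name;
    enum control control;
    enum rc result;              /* what this module returns for the login */
};

struct outcome {
    enum rc status;              /* what the application gets back */
    size_t ran;                  /* how many modules were called */
};

/*
 * Walk one management group with the Linux-PAM meaning of the two flags:
 *   required   = [success=ok ignore=ignore default=bad]
 *   sufficient = [success=done default=ignore]
 * new_authtok_reqd is left out of the model.
 */
struct outcome run_stack(const struct module *stack, size_t n)
{
    struct outcome out = { PAM_SUCCESS, 0 };
    enum impression seen = UNDEFINED;
    size_t i;

    for (i = 0; i < n; i++) {
        enum rc r = stack[i].result;

        out.ran = i + 1;
        if (r == PAM_IGNORE)
            continue;            /* as if the module were not configured */
        if (r == PAM_SUCCESS) {
            if (seen == UNDEFINED)
                seen = POSITIVE;
            /* done: stop here unless a required module already failed */
            if (stack[i].control == SUFFICIENT && seen == POSITIVE)
                break;
        } else if (stack[i].control == REQUIRED && seen != NEGATIVE) {
            seen = NEGATIVE;     /* bad: the first required failure wins */
            out.status = r;
        }
        /* a failing sufficient module falls under default=ignore */
    }
    /* Nothing answered positively: Linux-PAM treats that as a failure. */
    if (out.status == PAM_SUCCESS && seen != POSITIVE)
        out.status = PAM_PERM_DENIED;
    return out;
}

/*
 * Constructed account stack for a local, non-Kerberos user whose account
 * has expired:
 *   account sufficient pam_krb5.so
 *   account required   pam_unix.so
 * krb5_result is what pam-krb5 returns from pam_acct_mgmt for that user.
 */
struct outcome account_check(enum rc krb5_result)
{
    struct module stack[2] = {
        { "pam_krb5", SUFFICIENT, PAM_SUCCESS },
        { "pam_unix", REQUIRED, PAM_ACCT_EXPIRED },
    };

    stack[0].result = krb5_result;
    return run_stack(stack, 2);
}

int main(void)
{
    struct outcome before = account_check(PAM_SUCCESS);  /* before 3.11 */
    struct outcome after = account_check(PAM_IGNORE);    /* 3.11 and later */

    printf("PAM_SUCCESS: status=%d modules=%zu\n", before.status, before.ran);
    printf("PAM_IGNORE:  status=%d modules=%zu\n", after.status, after.ran);
    return 0;
}
```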
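
Added example (not the module's own code): one common way to hand a conversation function a message list that both conventions described in the 2.3 entry can read. The local struct pam_message stand-in, the function names and the sample prompts are assumptions; the changelog does not say which workaround the module uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct pam_message so the example builds without PAM headers. */
struct pam_message {
    int msg_style;
    const char *msg;
};

/* Return 1 if the Linux-PAM read (msg[i]->msg, an array of pointers) and the
 * Solaris read ((*msg)[i].msg, a pointer to an array) see the same prompts. */
static int styles_agree(const struct pam_message **msg, int n)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(msg[i]->msg, (*msg)[i].msg) != 0)
            return 0;
    return 1;
}

/* Layout both conventions accept: one contiguous array of structs plus a
 * pointer array whose entry i points at element i. NULL on failure. */
const struct pam_message **build_messages(const char *const *prompts, int n)
{
    struct pam_message *flat;
    const struct pam_message **ptrs;
    int i;
    if (n <= 0)
        return NULL;
    flat = calloc((size_t) n, sizeof(*flat));
    ptrs = calloc((size_t) n, sizeof(*ptrs));
    if (flat == NULL || ptrs == NULL) {
        free(flat);
        free(ptrs);
        return NULL;
    }
    for (i = 0; i < n; i++) {
        flat[i].msg_style = 1;   /* constructed stand-in for a prompt style */
        flat[i].msg = prompts[i];
        ptrs[i] = &flat[i];
    }
    return ptrs;
}

void free_messages(const struct pam_message **ptrs)
{
    if (ptrs == NULL)
        return;
    free((void *) ptrs[0]);      /* ptrs[0] is the start of the struct array */
    free(ptrs);
}

/* Check the dual layout: 1 when both reads agree, -1 on allocation failure. */
int dual_layout_agrees(void)
{
    static const char *const prompts[] = { "Password: ", "New password: " };
    const struct pam_message **msg = build_messages(prompts, 2);
    int ok;
    if (msg == NULL)
        return -1;
    ok = styles_agree(msg, 2);
    free_messages(msg);
    return ok;
}

/* Constructed pointer-only layout: the messages are not adjacent, so the
 * Solaris-style read of prompt 1 lands on the unrelated middle slot. */
int pointer_only_layout_agrees(void)
{
    const struct pam_message pool[3] = {
        { 1, "Password: " }, { 1, "(unrelated slot)" }, { 1, "New password: " }
    };
    const struct pam_message *ptrs[2] = { &pool[0], &pool[2] };

    return styles_agree(ptrs, 2);
}

int main(void)
{
    printf("dual layout agrees: %d\n", dual_layout_agrees());
    printf("pointer-only layout agrees: %d\n", pointer_only_layout_agrees());
    return 0;
}
```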