pam-krb5 3.10 released - Kerberos



Thread: pam-krb5 3.10 released

  1. pam-krb5 3.10 released

    I'm pleased to announce release 3.10 of pam-krb5.

    pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
    It supports ticket refreshing by screen savers, configurable authorization
    handling, authentication of non-local accounts for network services,
    password changing, and password expiration, as well as all the standard
    expected PAM features. It works correctly with OpenSSH, even with
    ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
    supports configuration either by PAM options or in krb5.conf or both.

    Changes from previous release:

    The workaround for krb5_get_init_creds_opt_alloc problems in MIT
    Kerberos 1.6 broke PKINIT support with Heimdal. Only apply that
    workaround when building against the MIT Kerberos libraries. Thanks
    to Jaakko Pero for the detailed report.

    If no_ccache is set, always exit successfully from pam_setcred or
    pam_open_session, even if we couldn't retrieve module data. Thanks,
    Markus Moeller.

    When keytab is set, properly handle failure to create a keytab cursor
    and don't assume that the cursor is valid. Thanks, Markus Moeller.

    Define _ALL_SOURCE on AIX to get prototypes for snprintf.

    Add additional portability glue and Autoconf probes to support
    building against the version of Kerberos bundled with AIX. Support
    for this should be considered alpha in this release. Thanks to Markus
    Moeller for the initial patch.

    You can download it from:



    Debian packages have been uploaded to Debian unstable.

    Please let me know of any problems or feature requests not already listed
    in the TODO file.

    --
    Russ Allbery (rra@stanford.edu)

  2. Re: pam-krb5 3.10 released

    Russ,

    I usually don't use the change password feature, but I now checked the pam
    help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux and Solaris
    it states that only pam_acct_mgmt should return PAM_NEW_AUTHTOK_REQD for
    expired passwords not pam_sm_authenticate. I haven't yet checked the OpenSSH
    and other sources, but I think you need to save the state you get in
    pam_sm_authenticate and use it in pam_sm_acct_mgmt.

    Any thoughts?

    Markus


    "Russ Allbery" wrote in message
    news:mailman.1.1198952771.5144.kerberos@mit.edu...
    > I'm pleased to announce release 3.10 of pam-krb5.
    >
    > pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
    > It supports ticket refreshing by screen savers, configurable authorization
    > handling, authentication of non-local accounts for network services,
    > password changing, and password expiration, as well as all the standard
    > expected PAM features. It works correctly with OpenSSH, even with
    > ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
    > supports configuration either by PAM options or in krb5.conf or both.
    >
    > Changes from previous release:
    >
    > The workaround for krb5_get_init_creds_opt_alloc problems in MIT
    > Kerberos 1.6 broke PKINIT support with Heimdal. Only apply that
    > workaround when building against the MIT Kerberos libraries. Thanks
    > to Jaakko Pero for the detailed report.
    >
    > If no_ccache is set, always exit successfully from pam_setcred or
    > pam_open_session, even if we couldn't retrieve module data. Thanks,
    > Markus Moeller.
    >
    > When keytab is set, properly handle failure to create a keytab cursor
    > and don't assume that the cursor is valid. Thanks, Markus Moeller.
    >
    > Define _ALL_SOURCE on AIX to get prototypes for snprintf.
    >
    > Add additional portability glue and Autoconf probes to support
    > building against the version of Kerberos bundled with AIX. Support
    > for this should be considered alpha in this release. Thanks to Markus
    > Moeller for the initial patch.
    >
    > You can download it from:
    >
    >
    >
    > Debian packages have been uploaded to Debian unstable.
    >
    > Please let me know of any problems or feature requests not already listed
    > in the TODO file.
    >
    > --
    > Russ Allbery (rra@stanford.edu)



  3. Re: pam-krb5 3.10 released

    "Markus Moeller" writes:

    > I usually don't use the change password feature, but I now checked the
    > pam help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux and
    > Solaris it states that only pam_acct_mgmt should return
    > PAM_NEW_AUTHTOK_REQD for expired passwords not pam_sm_authenticate. I
    > haven't yet checked the OpenSSH and other sources, but I think you need
    > to save the state you get in pam_sm_authenticate and use it in
    > pam_sm_acct_mgmt.


    Yeah, this is how the documentation claims that PAM should work, but it
    doesn't actually work this way and most applications don't expect it to
    work this way. In practice, pam-krb5 will usually not return
    PAM_NEW_AUTHTOK_REQD anyway since the Kerberos library will handle the
    password change immediately.

    Currently, the module somewhat intentionally doesn't support the way in
    which password changes supposedly work since I've never seen any software
    that needed that behavior, but I suppose it could be added.

    --
    Russ Allbery (rra@stanford.edu)

  4. Re: pam-krb5 3.10 released

    Russ Allbery writes:
    > "Markus Moeller" writes:


    >> I usually don't use the change password feature, but I now checked the
    >> pam help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux
    >> and Solaris it states that only pam_acct_mgmt should return
    >> PAM_NEW_AUTHTOK_REQD for expired passwords not pam_sm_authenticate. I
    >> haven't yet checked the OpenSSH and other sources, but I think you
    >> need to save the state you get in pam_sm_authenticate and use it in
    >> pam_sm_acct_mgmt.


    > Yeah, this is how the documentation claims that PAM should work, but it
    > doesn't actually work this way and most applications don't expect it to
    > work this way. In practice, pam-krb5 will usually not return
    > PAM_NEW_AUTHTOK_REQD anyway since the Kerberos library will handle the
    > password change immediately.


    > Currently, the module somewhat intentionally doesn't support the way in
    > which password changes supposedly work since I've never seen any
    > software that needed that behavior, but I suppose it could be added.


    It's worth noting that the supposedly correct behavior cannot be the
    default behavior, since (broken) applications that call pam_authenticate
    and never call pam_acct_mgmt will then incorrectly grant access to users
    with expired passwords. Such applications are *extremely* common. It
    would have to be an option that one could enable if one was sure that all
    of one's applications correctly followed the documented PAM semantics.

    --
    Russ Allbery (rra@stanford.edu)
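    The gap Russ describes in the last reply, modelled as an added example that is not pam-krb5's own code: a simulated module that either reports password expiry from pam_sm_authenticate or defers it to pam_sm_acct_mgmt (as Markus proposes), run against an application that does or does not call pam_acct_mgmt. The principal records, the two policies and `login_outcome` are constructed for the model; only the three PAM return codes are real.

```c
#include <stdbool.h>

/* Return codes used by this model; the numeric values match Linux-PAM's. */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_NEW_AUTHTOK_REQD 12

/* Constructed sample principal: was the password right, and has it expired? */
struct principal { bool password_ok; bool password_expired; };

/* Module policy: surface expiry from pam_sm_authenticate (the pam-krb5
 * default) or defer it to pam_sm_acct_mgmt (the documented PAM contract). */
enum expiry_policy { REPORT_IN_AUTHENTICATE, DEFER_TO_ACCT_MGMT };
/* Whether the application follows the documented call sequence. */
enum app_style { CALLS_ACCT_MGMT, SKIPS_ACCT_MGMT };
enum outcome { DENIED, CHANGE_REQUIRED, GRANTED };

/* Per-handle module data: the state Markus suggests saving between calls. */
struct module_state { enum expiry_policy policy; bool saw_expired; };

static int sim_pam_sm_authenticate(struct module_state *m, const struct principal *p)
{
    if (!p->password_ok)
        return PAM_AUTH_ERR;
    if (!p->password_expired)
        return PAM_SUCCESS;
    if (m->policy == REPORT_IN_AUTHENTICATE)
        return PAM_NEW_AUTHTOK_REQD;   /* pam-krb5 instead prompts for a new password here */
    m->saw_expired = true;             /* deferred: remember it for acct_mgmt */
    return PAM_SUCCESS;
}

static int sim_pam_sm_acct_mgmt(const struct module_state *m)
{
    return m->saw_expired ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}

/* Application side: what a login program would decide for this principal. */
enum outcome login_outcome(enum expiry_policy policy, enum app_style app, const struct principal *p)
{
    struct module_state m = { policy, false };
    int rc = sim_pam_sm_authenticate(&m, p);
    if (rc == PAM_NEW_AUTHTOK_REQD)
        return CHANGE_REQUIRED;        /* must run pam_chauthtok before any session */
    if (rc != PAM_SUCCESS)
        return DENIED;
    if (app == SKIPS_ACCT_MGMT)
        return GRANTED;                /* broken app: account checks never run */
    rc = sim_pam_sm_acct_mgmt(&m);
    return rc == PAM_NEW_AUTHTOK_REQD ? CHANGE_REQUIRED
         : rc == PAM_SUCCESS          ? GRANTED : DENIED;
}
```

    With the deferred policy and an application that skips pam_acct_mgmt, an expired password still ends in GRANTED, which is why that policy can only ever be an opt-in.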
