I'm pleased to announce release 3.11 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

pam_setcred, pam_open_session, and pam_acct_mgmt now return PAM_IGNORE
for ignored users or non-Kerberos logins rather than PAM_SUCCESS.
This return code tells the PAM library to continue as if the module
were not present in the configuration and allows sufficient to be
meaningful for pam-krb5 in account and session groups.
pam_authenticate continues to return failure for ignored users;
PAM_IGNORE would arguably be more correct, but increases the risk of
security holes through incorrect configuration.

Support correct password expiration handling according to the PAM
standard (returning success from pam_authenticate and an error from
pam_acct_mgmt and completing the authentication after pam_chauthotk).
This is not the default since it opens security holes with broken
applications that don't call pam_acct_mgmt or ignore its exit status.
To enable it, set the PAM option defer_pwchange for applications known
to make the correct PAM calls and check return codes.

Add a new option to attempt change of expired passwords during
pam_authenticate if Kerberos authentication returns a password expired
error. Normally, the Kerberos library will do this for you, but some
Kerberos libraries (notably Solaris) disable that code. This option
allows simulation of the normal Kerberos library behavior on those

Work around an apparent Heimdal bug when krb5_free_cred_contents is
called on an all-zero credential structure. It's not clear what's
going on here and the Heimdal code looks correct, but avoiding the
call fixes the problem.

Warn if more than one of use_authtok, use_first_pass, and
try_first_pass is set and use the strongest of the one set.

Remove the workaround for versions of MIT Kerberos that didn't
initialize a krb5_get_init_creds_opt structure on opt_alloc. This bug
was only present in early versions of 1.6; the correct fix is to

Add an additional header check for AIX's bundled Kerberos.

If KRB5_CONFIG was explicitly set in the environment, don't use a
different krb5-config based on --with-krb5. If krb5-config isn't
executable, don't use it. This allows one to force library probing by
setting KRB5_CONFIG to point to a nonexistent file.

Sanity-check the results of krb5-config before proceeding and error
out in configure if they don't work.

For Kerberos libraries without krb5-config, also check for networking
libraries (-lsocket and friends) before checking for Kerberos
libraries in case shared library dependencies are broken.

Fix Autoconf syntax error when probing for libkrb5support. Thanks,
Mike Garrison.

Set an explicit visibility of hidden for all internal functions at
compile time if gcc is used to permit better optimization. Hide all
functions except the official interfaces using a version script on
Linux. This protects against leaking symbols into the application
namespace and provides some mild optimization benefit.

Fix the probing of PAM headers for const on Mac OS X. This will
suppress some harmless compiler warnings there. Thanks, Markus

You can download it from:

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (rra@stanford.edu)