I'm pleased to announce release 2.5 of my Kerberos v5 PAM module.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

Don't free the results of pam_get_item(PAM_AUTHTOK) when changing
passwords. Thanks, Arne Nordmark.

Be a bit more thorough when checking authorization in
pam_sm_acct_mgmt. Re-retrieve the value of user in case the
application changed it, and if we have a ticket cache (we may not even
after a successful authentication if no_ccache was specified),
retrieve the principal from it rather than using the principal from
the context.

Overwrite passwords with 0 before freeing them, just out of paranoia
(and because PAM also does this internally).

You can download it from:

Debian packages have been uploaded to Debian unstable and will hopefully
also be in the upcoming etch release.

Please let me know of any problems or feature requests.

Russ Allbery (rra@stanford.edu)