I'm pleased to announce release 3.2 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

This release fixes numerous bugs, all identified by Douglas E. Engert
while testing with Heimdal and PKINIT support. Thank you!

Rewrite the code to drop the credlist data structure since we only
ever have one set of credentials, allocate new krb5_creds objects, and
do proper memory management, which should plug some memory leaks of
the contents of krb5_creds objects.

Probe for the correct Heimdal function to set default initial
credential options.

Prefix the default cache path with "FILE:" to make the cache type

Fix installation of the manual page when building from a different
directory than the source directory.

Fix several compilation errors with the PKINIT support with Heimdal
0.8rc1 or later. This code should still be considered alpha-quality.

You can download it from:

Debian packages will be uploaded to Debian unstable after the etch

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (rra@stanford.edu)
Kerberos mailing list Kerberos@mit.edu