Current File : //usr/share/doc/pam_krb5-2.4.8/NEWS
- 2.4.8: * handle when the [libdefaults] default_ccache_name setting is not set
- 2.4.7: * try to read the [libdefaults] default_ccache_name setting, and
handle the %{uid}, %{euid}, %{userid}, and %{username} substitutions
* stop trying to fix ownership on keyring ccaches, since we stopped
having to worry about it around 2.4.0
- 2.4.6: * fix handling of ccaches for users who are mapped to principal
names in a realm other than the configured default realm (#999604)
- 2.4.5: * handle ccname templates that don't include a template suffix
by accepting the location at create-time if the permissions
look right, and not deleting the creds at cleanup-time
* fix some memory leaks
- 2.4.4: * compilation fixes
- 2.4.3: * translation updates
- 2.4.2: * handle different function signatures for krb5_trace_callback
* avoid overriding the primary when updating DIR: caches
- 2.4.1: * handle creation of /run/user/XXX for FILE: and DIR: caches
- 2.4.0: * drop configuration settings that duplicated library settings
* drop the existing_ticket option
* drop krb4 support
* add support for preserving configuration information in ccaches
* add support for creating and cleaning up DIR: ccaches
* finish cleaning up KEYRING: ccaches
* add experimental "armor" and "armor_strategy" options
- 2.3.14:* also drop privileges when reinitializing or refreshing credentials,
for the sake of login (#822493)
- 2.3.13:* don't bother creating a v5 ccache in "external" mode
* add a "trace" option to enable libkrb5 tracing, if available
* avoid trying to get password-change creds twice
* use an in-memory ccache when obtaining tokens using v5 creds
* turn off creds==session in "sshd"
- 2.3.12:* add a "validate_user_user" option to control trying to perform
user-to-user authentication to validate TGTs when a keytab is not
available
* add an "ignore_k5login" option to control whether or not the module
will use the krb5_kuserok() function to perform additional
authorization checks
* turn on validation by default - verify_ap_req_nofail controls how we
treat errors reading keytab files now
* add an "always_allow_localname" option when we can use
krb5_aname_to_localname() to second-guess the krb5_kuserok() check
* prefer krb5_change_password() to krb5_set_password()
- 2.3.11:* create credentials before trying to look up the location of the
user's home directory via krb5_kuserok()
- 2.3.10:* fine-tune the logic for selecting which key we use for validating
credentials
- 2.3.9: * add a "multiple_ccaches" option to allow forcing the previous
behavior of not deleting an old ccache whenever we create a new
one, but saving them until the call that caused us to create
them is reversed
- 2.3.8: * add a "chpw_prompt" option to allow password changes to happen
during what the calling application thinks is just a password
check, to work around applications that don't handle the case
of an expired password correctly (#509092, based on patch from
Olivier Fourdan)
- 2.3.7: * when refreshing credentials, store the new creds in the default
ccache if $KRB5CCNAME isn't set (#507984)
- 2.3.6: * prefer a "host" key, if one is found, when validating TGTs
(#450776)
- 2.3.5: * make prompting behavior for non-existent accounts and users who
just press enter match up with those who aren't/don't (#502602,
CVE-2009-1384)
- 2.3.4: * don't request password-changing credentials using the same options
we use for ticket-granting tickets
- 2.3.3: * close a couple of open pipes to defunct processes, fix a couple
of debug messages
- 2.3.2: * fix ccache permissions bypass when the "existing_ticket" option is
used (CVE-2008-3825, which affects 2.2.0-2.2.25, 2.3.0, and 2.3.1)
- 2.3.1: * make afs5log's -n option actually work the "null_afs" option
* translations for messages!
- 2.3.0: * added the ability to set up tokens in the rxk5 format
* added the "token_strategy" option to control which methods we'll
try to use for setting tokens
* merge "null_afs" functionality from Jan Iven
- 2.2.23: * when we're changing passwords, force at least one attempt to
authenticate using the KDC, even in the pathological case where
there's no previously- entered password and we were told not to ask
for one (#400611)
- 2.2.22: * moved .k5login checks to a subprocess to avoid screwing with the
parent process's tokens and PAG (fallout from #371761)
* all options which took true/false before ("debug", "tokens", and
so on) can now take service names
- 2.2.21: * fix permissions problems on keyring ccaches, so that users can write
to them after we've set them up, and we can still do the cleanup
* fix permission problems accessing .k5login files in home directories
which live in AFS (#371761)
- 2.2.20: * fixes for credential refreshing
* avoid running afoul of SELinux policy when attempting to get tokens
- 2.2.19: * the "keytab" option can now be used to specify a custom location
for a given service from within krb5.conf
* log messages are now logged with facility LOG_AUTHPRIV (or LOG_AUTH
if LOG_AUTHPRIV is not defined) instead of the application's default
or LOG_USER
* added the "pkinit_identity" option to provide a way to specify
where the user's public-key credentials are, and "pkinit_flags" to
specify arbitrary flags for libkrb5 (Heimdal only)
* added the "preauth_options" option to provide a way to specify
arbitrary preauthentication options to libkrb5 (MIT only)
* added the "ccname_template" option to provide a way to specify
where the user's credentials should be stored, so that KEYRING:
credential caches can be deployed at will.
- 2.2.18: * fix permissions-related problems creating v4 ticket files
- 2.2.17: * corrected a typo in the pam_krb5(8) man page
* clarified that the "tokens" flag should only be needed for
applications which are not using PAM correctly
* clarified COPYING and .spec file to better reflect licensing as
indicated in the source files
- 2.2.16: * don't bother using a helper for creating v4 ticket files when we're
just getting tokens
* clean up the debug message which we emit when we do v5->v4
principal name conversion
* compilation fixes
- 2.2.15: * let default "external" and "use_shmem" settings be specified at
compile-time
* correctly return a "unknown user" error when attempting to change
a password for a user who has no corresponding principal (#235020)
* don't bother using a helper for creating ccache files, which we're
just going to delete, when we need to get tokens
- 2.2.14: * handle "client revoked" errors
- 2.2.13: * make it possible to have more than one ccache (and tktfile) at a
time to work around apps which open a session, set the environment,
and initialize creds (when we previously created a ccache, removing
the one which was named in the environment) (#204939)
- 2.2.12: * add a "pwhelp" option. Display the KDC error to users.
- 2.2.11: * return success from our account management callback in cases where
our authentication callback simply failed to authenticate (#207410)
* fix setting of items for password-changing modules which get called
after us (Michael Calmer)
- 2.2.10: * add the "no_subsequent_prompt" option, to force the module to
always answer a libkrb5 prompt with the PAM_AUTHTOK value
* add the "debug_sensitive" option, which actually logs passwords
* add the --with-os-distribution option to configure to override
"Red Hat Linux" in the man pages
* if the server returns an error message during password-changing,
let the user see it
- 2.2.9: * return PAM_IGNORE instead of PAM_SERVICE_ERR when we're called in
an unsafe situation and told to refresh credentials
* fix a race condition in how the ccache creation helper is invoked
* properly handle "external" cases where the forwarded creds belong
to someone other than the principal name we guessed for the user
- 2.2.8: * skip attempts to set non-"2b" tokens when use of v4 credentials
has been completely disabled
- 2.2.7: * do 524 conversion for the "external" cases, too
- 2.2.6: * add "krb4_use_as_req" to completely disallow any attempts to get
v4 credentials (along with "krb4_convert_524", which was already
there)
* don't try to convert v5 creds to v4 creds for AFS when
"krb4_convert_524" is disabled, either
- 2.2.5: * fix a couple of cases where a debug message would be logged even if
debugging wasn't enabled
- 2.2.4: * fix reporting of the reasons for password change failures
- 2.2.3: * fix a compilation error
- 2.2.2: * when validating user credentials, don't leak the keytab file
descriptor
- 2.2.1: * fix a thinko which broke afs5log on systems where the AFS syscall
isn't available
- 2.2: * refreshing of preexisting credentials works, so unlocking your
screensaver should fetch new credentials and tokens. Be careful that
you don't invoke the authentication function with the "tokens" flag,
which creates a new PAG, if you want this to be useful.
As of this writing, at least xscreensaver calls pam_setcred() with the
proper flag to signal that credentials should be refreshed. Other
screen saver applications may not.
* new "external" option for use with OpenSSH's GSSAPI authentication
with credential delegation and AFS, *should* work with anything which
uses GSSAPI, accepts delegated credentials, and sets KRB5CCNAME in
the PAM environment
* new "use_shmem" option for use with OpenSSH's privilege separation mode
* credential and renewal lifetimes can now be given either as krb5-style
times or as numbers of seconds
* new "ignore_unknown_principal"/"ignore_unknown_spn" option
* new "krb4_convert_524" option
* configure can now set the default location of the system keytab
* configure disables AFS support except on Linux and Solaris (for now),
but can be overridden either way (needs testing on Solaris)
* can now specify a principal name for AFS cells, to save guesswork
* should now correctly work with SAM authentication, needs testing
* "tokens" now behaves like "external" and "use_shmem", in that it
can be specified in the configuration as a list of service names
- 2.1: switch to a minikafs implementation to flush out lurking ABI differences
between the krb4 interface the kafs library used and the one which libkrb4
provides. Also, we support "2b" tokens now.
- 2.0: more or less complete rewrite.
Jettison our own krb5.conf parsing code in favor of the supported API.
This means that configuration settings which look like this:
[pam]
forwardable = yes
are no longer recognized, and must be changed to:
[appdefaults]
pam = {
forwardable = yes
}
Mini Shell