                      User-Visible pam-krb5 Changes

pam-krb5 3.5 (2007-04-10)

    Don't try to chown non-FILE ticket caches, which among other things
    breaks using pam-krb5 with Heimdal KCM caches.  Thanks, Jeremy
    Jackson.

    When logging session deletion via pam_setcred or pam_close_session,
    don't look for the username in the PAM context after it's been freed.
    Thanks, Markus Moeller.

    Map more Kerberos status codes to PAM status codes for authentication
    errors.

pam-krb5 3.4 (2007-01-28)

    More compilation fixes for Heimdal 0.7, which has a pkinit function
    but takes a different number of arguments.  Thanks, Morgan LEFIEUX.

    Never call error_message directly on Heimdal.  krb5_get_err_text can
    cope with a NULL context and krb5-config on Heimdal doesn't include
    -lcom_err.

    Handle a NULL return from krb5_get_error_message, since that seems
    possible in some edge cases.

    Call krb5_get_error_message on Heimdal as well if it's available,
    since it's supported by the 0.8 release candidates.

pam-krb5 3.3 (2007-01-24)

    Support the new MIT Kerberos error message functions.

    Fix compilation errors in the Heimdal PKINIT support and don't be
    confused by a similar function in the MIT Kerberos PKINIT branch.
    Thanks to Douglas E. Engert for the testing and patch.

    Fix compilation errors with Heimdal 0.7, which has some of the PKINIT
    functions but doesn't define the same error codes.  Thanks, Morgan
    LEFIEUX.

    Initial support for the MIT Kerberos PKINIT branch, which uses a
    different mechanism for configuring PKINIT support than Heimdal.  Also
    support configuration of general preauth parameters for the MIT
    preauth plugin system via the preauth_opt option.  Thanks to Douglas
    E. Engert for the initial patch.

    If use_pkinit is set in the PAM configuration and PKINIT isn't
    available or cannot be forced, always fail authentication.

pam-krb5 3.2 (2007-01-16)

    This release fixes numerous bugs all identified by Douglas E. Engert
    while testing with Heimdal and PKINIT support.  Thank you!

    Rewrite the code to drop the credlist data structure since we only
    ever have one set of credentials, allocate new krb5_creds objects, and
    do proper memory management, which should plug some memory leaks of
    the contents of krb5_creds objects.

    Probe for the correct Heimdal function to set default initial
    credential options.

    Prefix the default cache path with "FILE:" to make the cache type
    explicit.

    Fix installation of the manual page when building from a different
    directory than the source directory.

    Fix several compilation errors with the PKINIT support with Heimdal
    0.8rc1 or later.  This code should still be considered alpha-quality.

pam-krb5 3.1 (2007-01-03)

    Fix an infinite loop with failed Kerberos authentication and a doubled
    colon that causes a syntax error with some compilers.  Thanks, Markus
    Moeller.

    Move the check for users we should ignore to pam_sm_authenticate
    from pamk5_password_auth so that it's consistently done in the API
    function.  This also avoids bogus log messages when authenticating as
    an ignored user with debug enabled.

pam-krb5 3.0 (2006-12-18)

    Add preliminary PKINIT support, contributed by Douglas E. Engert.
    I reorganized and refactored the code extensively and it therefore may
    not compile; until it has received more testing, it should be
    considered alpha-quality.  Currently, PKINIT support requires Heimdal
    0.8rc1 or later.

    Add a keytab configuration option to use a different keytab for
    initial credential validation.

    Add a ticket_lifetime configuration option to set the lifetime of
    obtained credentials.

    Add the banner and expose_account configuration options, which control
    the prompts for authentication and password changing.  Provide more
    informative prompts when changing passwords.

    Work around a bug in MIT Kerberos prior to 1.4 causing the library to
    cache the default realm and assume a particular realm even if the
    default realm is later changed.  This bug prevented running two
    instances of pam-krb5 with different realm settings in the same PAM
    stack.  Thanks, Dave Botsch.

    Honor PAM_SILENT when the Kerberos library prompts for more
    information, passing only prompts through to the application.

    If PAM_USER is set to a fully-qualified principal that the Kerberos
    library can map to a local account name, reset PAM_USER to that local
    account name after authentication.

    Avoid memory leaks in the Kerberos prompter by freeing the PAM
    response strings.  We were already doing this elsewhere and the world
    didn't end, so assume that it's safe for the PAM module to do this.
    Also avoid memory leaks in some unusual error conditions.

    Return unknown user rather than internal error when attempting
    authentication of a user we're supposed to ignore.

    When debug is enabled, report the principal for which we're attempting
    authentication to help catch realm configuration errors.

    Document the broken behavior of old versions of OpenSSH, which tell
    PAM to refresh credentials rather than opening a session.  Thanks,
    Michael C. Garrison.

    Add a link to the distribution page to the pam-krb5 man page.

    Extensive refactoring and reorganization of the code.

pam-krb5 2.6 (2006-11-28)

    Don't assume the pointer set by pam_get_user is usable over the life
    of the PAM module; instead, save a local copy.

    Avoid a use of already freed memory when debugging is enabled.

    Use __func__ instead of __FUNCTION__ and provide a fallback for older
    versions of gcc and for systems that support neither.  Should fix
    compilation issues with Sun's C compiler.

    On platforms where we know the appropriate compiler flags, try to
    build the module so that symbols are resolved within the module in
    preference to any externally available symbols.  Also add the
    hopefully correct compiler flags for Sun's C compiler.

pam-krb5 2.5 (2006-11-03)

    Don't free the results of pam_get_item(PAM_AUTHTOK) when changing
    passwords.  Thanks, Arne Nordmark.

    Be a bit more thorough when checking authorization in
    pam_sm_acct_mgmt.  Re-retrieve the value of user in case the
    application changed it, and if we have a ticket cache (we may not
    have one even after a successful authentication if no_ccache was
    specified), retrieve the principal from it rather than using the
    principal from the context.

    Overwrite passwords with 0 before freeing them, just out of paranoia
    (and because PAM also does this internally).

pam-krb5 2.4 (2006-10-05)

    Fix compilation problems with Heimdal.  Thanks, Matthijs Mohlmann and
    Douglas Engert.

    Check for memory allocation failures when parsing PAM options rather
    than segfaulting.

    Fix several places where an uninitialized context could have been
    passed into the argument parsing function.

    Refactor the code to read configuration from krb5.conf to be easier
    to read and understand.  Parse renew_lifetime immediately and always
    report an error rather than deferring time parsing until acquiring
    tickets.

    Log errors (not just authentication failures) at the LOG_ERR level
    to match (some of) the recommendations of the Linux PAM documentation.

    Log an error when an unknown option is passed via the PAM
    configuration.

pam-krb5 2.3 (2006-09-03)

    Fix the interface between the Kerberos prompting function and the
    PAM conversation function on Linux.  Prior to this fix, the PAM module
    would only work on Solaris if Kerberos passed multiple prompts, which
    happens when an account requires a password change.  Solaris and Linux
    PAM implementations expect a different structure of pam_message
    structs in the conversation function; use a workaround to cater to
    both of them.  Based on a patch by Joachim Keltsch.

    Implement retain_after_close, which specifies that the PAM module
    should never destroy the user's ticket cache, even on session end.

    Adjust for the differences in Solaris's PAM libraries:  Include
    pam_appl.h everywhere for structure and type definitions, and add
    portability workarounds for the return statuses missing from the
    Solaris implementation.

pam-krb5 2.2 (2006-08-28)

    Allow the default realm to be overridden in the PAM options.

    Use the realm, default or otherwise, when reading options from
    krb5.conf so that realm-specific sections in [appdefaults] work
    correctly.

    Update the build and installation documentation for the new
    Autoconf-based build system.  This should have been in the last
    release but was missed.

    Initialize ticket options correctly when built with Heimdal.

    Fix a typo that caused the Heimdal support not to compile.  Thanks,
    Matthijs Mohlmann.

pam-krb5 2.1 (2006-08-26)

    Strip off a FILE: prefix from the cache path before creating it in
    case the user set ccache or ccache_dir with a cache type prefix.
    Thanks to Björn Torkelsson for the patch.

    Added an Autoconf script to distinguish between Heimdal and MIT
    Kerberos and take care of other portability issues.  Rewrote the
    Makefile accordingly.

    Added portability and error reporting fixes for Heimdal, thanks to
    Matthijs Mohlmann.

pam-krb5 2.0 (2006-08-11)

    Always use a disk cache for temporary storage of credentials between
    authentication and setcred or session initialization.  This allows the
    module to work correctly with OpenSSH ChallengeResponseAuthentication.

    Add support for some PAM options that were supported by the
    Sourceforge K5 PAM module, most notably minimum_uid and
    renew_lifetime.

    Support setting many PAM options from krb5.conf as well as on the PAM
    command line, using the same application section as the Sourceforge
    PAM module.  Use the profile reading functions provided by the
    Kerberos libraries.

    Add support for use_authtok, which is like use_first_pass except that
    it will never prompt even if no password is currently set.

    Add a search_k5login option to check the user's password against every
    principal listed in .k5login, to support use of this module to
    authenticate user access to shared accounts.

    Add an ignore_k5login option that bypasses all checks of .k5login
    files entirely and relies solely on krb5_aname_to_localname checks.

    Re-add the ccache option to specify the exact file name of the ticket
    cache, and allow for randomization using mkstemp even when this option
    is used.

    Only call krb5_kuserok (the .k5login check) when the account to which
    the user is authenticating is a local account.  It's up to the
    application to handle authorization checks for non-local accounts.

    Support preliminary checks for password changing by using that to
    obtain the user's current credentials.  Correctly handle saved
    passwords from previous authentications or password changes when
    changing passwords, and correctly set the saved passwords for
    subsequent password changes in the PAM stack.

    Only initialize the ticket cache once, no matter how many times
    setcred is called.  This saves duplicate work and works around a bug
    in X.org xdm that otherwise causes it to lose the PAM environment.

    When reinitializing a ticket cache, never reinitialize the temporary
    cache created by the authentication call.  Instead, fall back to the
    default ticket cache name if KRB5CCNAME isn't set.

    Improve support for no_ccache.  Now, it doesn't even generate a
    temporary ticket cache during authentication but only uses an
    in-memory credential list.

    Do user ticket validation using the standard Kerberos library call
    rather than rolling our own code.  This means that the user can now
    set options in krb5.conf to control whether that call should fail if
    the local keytab isn't readable or contains no usable keys.

    Completely rewrite the man page.  Clean it up and make it more
    readable and fully document all of the options.  Also rewrite the
    README file and clean up the rest of the package documentation.

    Don't create a ticket cache until after successful authentication.

    Understand the FILE: prefix to Kerberos ticket cache names and compare
    and chown ticket caches properly with that prefix.
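
    An added illustration (not code from pam-krb5) of the cache-name
    handling described in this entry and in the 3.5 entry on non-FILE
    caches.  The function names are hypothetical, and treating a name
    with no type prefix as a file path is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return the path behind a file-backed cache name, or NULL otherwise.
 * Assumption: a name with no "TYPE:" prefix is a plain file path. */
const char *ccache_file_path(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return NULL;
    if (strncmp(name, "FILE:", 5) == 0)
        return name[5] != '\0' ? name + 5 : NULL;
    if (name[0] == '/' || strchr(name, ':') == NULL)
        return name;
    return NULL;  /* KCM:, MEMORY:, API: and other non-file types */
}

/* Compare two cache names by path so FILE:/x and /x count as equal. */
int ccache_same_file(const char *a, const char *b)
{
    const char *pa = ccache_file_path(a);
    const char *pb = ccache_file_path(b);

    return pa != NULL && pb != NULL && strcmp(pa, pb) == 0;
}

/* Give a file-backed cache to the user.  Returns 1 if chown succeeded,
 * 0 if the cache is not a file (nothing to chown), -1 if chown failed. */
int ccache_chown(const char *name, uid_t uid, gid_t gid)
{
    const char *path = ccache_file_path(name);

    if (path == NULL)
        return 0;
    return chown(path, uid, gid) == 0 ? 1 : -1;
}

int main(void)
{
    /* Constructed sample names, not taken from the changelog. */
    const char *names[] = { "FILE:/tmp/krb5cc_1000_AbCdEf",
                            "/tmp/krb5cc_1000", "KCM:1000" };

    for (size_t i = 0; i < 3; i++) {
        const char *p = ccache_file_path(names[i]);
        printf("%-30s -> %s\n", names[i], p ? p : "(not a file, no chown)");
    }
    return 0;
}
```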

    Add a trailing nul to the password in the Kerberos prompter function,
    since some code relies on it being there.

    Review the return status of each PAM function and ensure that we only
    return failure statuses that are supported for that function.

    Rename all internal functions with a pamk5_* prefix to avoid
    conflicting with any application or system library functions.

    Eliminate global variables in the PAM module and do a better job at
    cleaning up memory usage.  There are still a few places where the PAM
    conversation functions may leak memory due to an incomplete
    specification in the PAM API on who should free what memory.

    The logging messages produced when debug is set should now be more
    consistent and more complete.

pam-krb5 1.2 (2005-09-27)

    Don't reinitialize the ticket cache if the old and new cache have the
    same name, since otherwise we end up destroying it.

    Always set KRB5CCNAME, even when reinitializing.

    When reinitializing, look for the ticket cache in the saved context
    even if KRB5CCNAME isn't set.  OpenSSH calls it this way.

    Drop the ccache option and add ccache_dir instead, which only
    specifies the directory for ticket caches and is therefore easier to
    implement.

pam-krb5 1.1 (2005-08-31)

    Add support for reinitialization/refreshing of credentials in
    pam_sm_setcred.

    Set PAM_AUTHTOK and PAM_OLDAUTHTOK when authenticating to better
    support stacking this module with others.

    Add an ignore_root option to not do anything when the account to which
    the user is authenticating is root.  This allows one to log in via
    console as root even when the network is down (thereby breaking the
    PAM module in ways that login doesn't like due to timeouts in the
    Kerberos libraries).

    Store the entire context structure in PAM's memory rather than just
    the name of the ticket cache so that we can pass around more data to
    ourselves.

    Bring errors more in line with the official PAM specification.

    Move prompt generation into the PAM module rather than letting the
    Kerberos library generate the prompt.  This way we don't leak
    principal information to the caller, and the non-standard prompt also
    broke some applications like gksudo.

    Support session management and destruction of the ticket cache on
    close of session.

    Don't require that the user have a local account on the system.

    Include the user UID in the default ticket cache name so that rpc.gssd
    and similar programs can find it.
