pam-krb5 3.9

I think people have beaten the bugs out of other parts of my Kerberos PAM module and have finally turned to password changes. This is the part I don't use personally, so I'm not surprised there were some problems.

It turns out that some modules, like pam_cracklib, set PAM_AUTHTOK to NULL when they want to reject a password. Previously, when we retrieved the password for the use_authtok option, we only checked the return value of pam_get_item, but it happily returns success in this case. Then, since the password was NULL, we'd go on to prompt for it. This has been fixed.

pam-krb5 has also acquired the ability to set the password to NULL itself on password change failure (such as when the KDC rejects the password as insecure) so that subsequent modules with use_authtok set will fail. Just returning failure doesn't work due to PAM internals, even if the module is listed as requisite. This isn't the default since it breaks other things, but the option is now available.
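The use_authtok handling described in the two paragraphs above, as an added example that is not pam-krb5's own code. `struct handle`, `get_authtok` and the other names are constructed stand-ins for the PAM API so the block runs without libpam, and the path without use_authtok is simplified to a plain prompt.

```c
#include <stdio.h>

/* Constructed stand-ins for the PAM API; names and values are assumptions. */
enum { RC_OK, RC_AUTHTOK_ERR };
enum source { NONE, FROM_STACK, FROM_PROMPT };
struct handle { const char *authtok; };   /* models the PAM_AUTHTOK item */

/* Like pam_get_item as the post describes it: succeeds even for a NULL item. */
static int get_authtok(const struct handle *h, const char **out) {
    *out = h->authtok;
    return RC_OK;
}

/* Earlier logic: trust the return code alone, then prompt if nothing is set. */
static int old_new_password(const struct handle *h, int use_authtok, enum source *src) {
    const char *pass = NULL;
    *src = NONE;
    if (use_authtok && get_authtok(h, &pass) != RC_OK)
        return RC_AUTHTOK_ERR;
    *src = (pass != NULL) ? FROM_STACK : FROM_PROMPT;
    return RC_OK;
}

/* Fixed logic: with use_authtok, a NULL item is a failure, never a prompt. */
static int fixed_new_password(const struct handle *h, int use_authtok, enum source *src) {
    const char *pass = NULL;
    *src = NONE;
    if (use_authtok) {
        if (get_authtok(h, &pass) != RC_OK || pass == NULL)
            return RC_AUTHTOK_ERR;
        *src = FROM_STACK;
        return RC_OK;
    }
    *src = FROM_PROMPT;
    return RC_OK;
}

/* A module rejecting the password by clearing the item, as pam_cracklib does. */
static void reject_password(struct handle *h) { h->authtok = NULL; }

int main(void) {
    struct handle h = { "constructed-new-password" };
    enum source src;
    reject_password(&h);
    int rc = old_new_password(&h, 1, &src);
    printf("old:   rc=%d source=%d\n", rc, src);   /* prompts despite rejection */
    rc = fixed_new_password(&h, 1, &src);
    printf("fixed: rc=%d source=%d\n", rc, src);   /* fails the password change */
    return 0;
}
```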

There were also a variety of portability bugs in the last release in environments I don't personally use, which should now be cleaned up, and I started adding a debugging section to the README.

You can get the latest version from the pam-krb5 distribution page.

Posted: 2007-11-12 17:10

Last spun 2022-02-06 from thread modified 2013-01-04