pam-krb5 3.11

This release involves quite a bit of code restructuring so that pam-krb5 can finally support expired passwords the way the PAM API documentation says it should work: pam_authenticate is supposed to return success, pam_acct_mgmt is supposed to return the error indicating that the password has expired (PAM_NEW_AUTHTOK_REQD), and the application is then supposed to call pam_chauthtok. There are a couple of hard parts to this. With Kerberos, you find out during authentication that the password has expired and have to stash that error somewhere so that pam_acct_mgmt can return it later, and pam_chauthtok has to do a regular Kerberos authentication after changing the password so that the application can continue on to pam_setcred without calling pam_authenticate again (which applications don't do). This can't be the default, alas, because of the applications that never call pam_acct_mgmt or ignore its return status; with the deferred behavior, those applications would log a user in on an expired password.

Normally you don't need this, since the Kerberos libraries will try to change the password at authentication time if it has expired. But the Solaris Kerberos libraries have this mechanism disabled and expect the PAM module to implement the fully correct password change sequence.

I also added force_pwchange, which is similar but does the password change at authentication time, simulating the library behavior where it has been disabled. This can be used with broken programs that mishandle the calling sequence for a PAM authentication.
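As an added illustration (not from the post or the pam-krb5 distribution), here is how the three behaviors described above map onto a Linux-PAM stack. The deferred mode is enabled with pam-krb5's defer_pwchange option and the forced mode with force_pwchange; the option names are the module's own, but the service file, the use of `required` throughout, and the assumption that defer_pwchange is only needed on the auth line are mine and should be checked against the pam_krb5 man page for the version in use (Solaris uses the single /etc/pam.conf with a service-name prefix instead of per-service files).

```conf
# /etc/pam.d/login -- example stack, not shipped with pam-krb5.
#
# Default behavior: if the password has expired, the Kerberos library
# prompts for and performs the change inside pam_authenticate.  Nothing
# extra is needed, but it does not work where the library has that
# mechanism disabled (the Solaris Kerberos libraries, per the post).
#
#auth     required   pam_krb5.so
#
# Deferred (PAM-correct) behavior: pam_authenticate succeeds and stashes
# the expiry error, pam_acct_mgmt returns PAM_NEW_AUTHTOK_REQD, the
# application calls pam_chauthtok, which changes the password and then
# re-authenticates so that pam_setcred can follow without another
# pam_authenticate.  Only safe for applications that call pam_acct_mgmt
# and act on its return status; one that skips it would log the user in
# on an expired password.  (Assumption: the option goes on the auth line.)
auth     required   pam_krb5.so defer_pwchange
account  required   pam_krb5.so
password required   pam_krb5.so
session  required   pam_krb5.so
#
# For an application that mishandles the calling sequence, force the
# change at authentication time instead, simulating the library behavior:
#
#auth     required   pam_krb5.so force_pwchange
```

Because acct_mgmt, setcred, and open_session now return PAM_IGNORE for non-Kerberos logins, the `required` account and session lines above do not count as a pass for a purely local user; a local module still has to sit beside pam_krb5.so in those groups if such users exist.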

In other changes, setcred, open_session, and acct_mgmt now return PAM_IGNORE instead of PAM_SUCCESS for non-Kerberos logins, now that I'm aware of that option. pam-krb5 now no longer leaks functions into the application namespace, at least on Linux. I implemented both the gcc attribute to set visibility on all the symbols and a version script to suppress anything other than the PAM interfaces. I also removed a workaround for early versions of MIT Kerberos 1.6 that was causing PKINIT problems in current versions (the bug has since been fixed) and updated the Kerberos Autoconf macros.

pam-krb5 is now maintained in Git, and I added the Debian packaging to my repository alongside the upstream development along the lines I documented in my Git notes page. Git's documentation isn't horribly coherent about how to set up remotes and selectively push things to a repository, but I tried the obvious for pushing only the packaging branches to Alioth and renaming them in the process and it actually worked (with a bit of tweaking). I was very impressed.

You can get the latest version from the pam-krb5 distribution page.

Posted: 2008-07-10 19:33

Last spun 2022-02-06 from thread modified 2013-01-04