pam-krb5 3.14

I'd accumulated several fixes in Git to my Kerberos v5 PAM module, some of which had already been separately applied to the Debian libpam-krb5 package, and before fiddling with the build system and trying to bring the package closer to my other packages, it seemed like about time to put out a new release.

This release has a variety of relatively small bug fixes. The main fixes are to return PAM_IGNORED instead of PAM_PERM_DENIED from password changes if the user is ignored, since otherwise stacking the module in the password stack doesn't work as expected. There's also a fix for a crash (NULL-pointer dereference) if the PAM module can't initialize its ticket cache.

As of this release, the module also treats the empty password as an immediate authentication failure rather than passing it to the Kerberos libraries. The Kerberos libraries may treat an empty password the same as a NULL password and prompt internally for the password, which can allow the user to authenticate using a password not known to the PAM stack. This is very surprising to PAM modules that rely on caching passwords from successful authentications and may trick them into thinking that an empty password is valid.

There are also some portability fixes for Heimdal and FreeBSD.

You can get the latest version from the pam-krb5 distribution page.

Posted: 2009-07-18 16:12 — Why no comments?

Last spun 2013-07-01 from thread modified 2013-01-04