pam-krb5 4.0

When I introduced use_authtok in pam-krb5 2.0, I misunderstood the intention of the option. I thought it meant to always use the authentication token already stored in the PAM stack for any credential, either the current password or the new one for password changes. So I implemented it for both the auth group and the password group, and for the latter it applied to both the current and the new password.

use_authtok is actually supposed to only apply to the password group and there only to the new password. Otherwise, you can't stack the module with use_authtok with a module like pam_cracklib, since pam_cracklib will only ever prompt for the new password, not the old one.

This release corrects my mistake and changes the meaning of use_authtok to only apply to the new password in the password group. I introduced a new option, force_first_pass, which does what use_authtok used to do for the old password. It's like use_first_pass but will fail if there's no password already stored instead of prompting. (This may be what use_first_pass is supposed to do, and other modules implement it that way, but I find it nicer to allow use_first_pass to prompt if there's no password at all; it makes it easier to stack modules without fiddling with the options.)

Therefore, on upgrade, if you have use_authtok in the auth group, you should change it to force_first_pass. If you have it in the password group, you should add one of try_first_pass, use_first_pass, or force_first_pass as well, depending on what you want.
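The two upgrade rules above are mechanical enough to check with a script. The following is an added example, not code from pam-krb5 or its author: it parses Linux-PAM style `/etc/pam.d` lines (`type control module [options]`), rewrites `use_authtok` on a pam_krb5 `auth` line to `force_first_pass`, and on a pam_krb5 `password` line adds a first-pass option when none is present. The sample configuration embedded at the bottom is constructed for the example; the choice of `try_first_pass` as the default addition is an assumption, since the release notes leave that choice to the administrator. Solaris-style pam.conf, with the service name in the first column, is not handled.

```python
"""Constructed migration helper for the pam-krb5 4.0 option change.

This is an added example, not code from pam-krb5.  It reads Linux-PAM
style /etc/pam.d lines ("type control module [options]") and applies the
two upgrade rules from the release notes:

  * auth group:     use_authtok  ->  force_first_pass
  * password group: use_authtok stays, but one of try_first_pass,
                    use_first_pass or force_first_pass must also be given

Solaris-style pam.conf (service name in the first column) is not handled.
"""

FIRST_PASS_OPTIONS = ("try_first_pass", "use_first_pass", "force_first_pass")
MODULE = "pam_krb5.so"


def _split_pam_line(line):
    """Split a pam.d line into (type, control, module, options).

    The control field may be a bracketed action list such as
    [success=ok default=bad], which a whitespace split scatters over
    several tokens; those are joined back together here.
    """
    tokens = line.split()
    if len(tokens) < 3:
        return None
    ptype = tokens[0].lower()
    if tokens[1].startswith("["):
        end = 1
        while end < len(tokens) and not tokens[end].endswith("]"):
            end += 1
        if end >= len(tokens):
            return None  # unterminated bracket: leave the line alone
        control = " ".join(tokens[1 : end + 1])
        rest = tokens[end + 1 :]
    else:
        control = tokens[1]
        rest = tokens[2:]
    if not rest:
        return None
    return ptype, control, rest[0], rest[1:]


def migrate_line(line, password_default="try_first_pass"):
    """Return (new_line, note).  note is None when no change was needed.

    password_default (an assumption of this example) is the first-pass
    option appended to a password-group pam_krb5 line that has use_authtok
    but no first-pass option.  Unchanged lines are returned verbatim;
    rewritten lines are re-joined with single spaces.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, None
    parsed = _split_pam_line(stripped)
    if parsed is None:
        return line, None
    ptype, control, module, options = parsed
    if not module.endswith(MODULE):
        return line, None  # other modules keep whatever they had

    note = None
    if ptype == "auth" and "use_authtok" in options:
        # 4.0 no longer honours use_authtok in the auth group; force_first_pass
        # is the option with the old behaviour (use the stacked password, fail
        # if there is none).
        options = [o for o in options if o != "use_authtok"]
        if "force_first_pass" not in options:
            options.append("force_first_pass")
        note = "auth: use_authtok no longer applies, replaced by force_first_pass"
    elif ptype == "password" and "use_authtok" in options:
        if not any(o in FIRST_PASS_OPTIONS for o in options):
            # use_authtok now covers only the new password; say how to obtain
            # the old one.
            options.append(password_default)
            note = "password: use_authtok covers only the new password, added " + password_default
    if note is None:
        return line, None
    return " ".join([ptype, control, module, *options]), note


def migrate_config(text, password_default="try_first_pass"):
    """Apply migrate_line to every line; return (new_text, [(lineno, note), ...])."""
    out, notes = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        new_line, note = migrate_line(line, password_default)
        out.append(new_line)
        if note:
            notes.append((lineno, note))
    return "\n".join(out), notes


# Constructed sample of a pre-4.0 stack (not taken from any real system).
SAMPLE_CONFIG = """\
# constructed sample
auth     sufficient  pam_krb5.so minimum_uid=1000 use_authtok
auth     required    pam_unix.so try_first_pass
password required    pam_cracklib.so retry=3
password sufficient  pam_krb5.so use_authtok
password required    pam_unix.so use_authtok
session  optional    pam_krb5.so
"""

if __name__ == "__main__":
    new_text, notes = migrate_config(SAMPLE_CONFIG)
    for lineno, note in notes:
        print(f"line {lineno}: {note}")
    print(new_text)
```

Run against the sample, the script reports the `auth` pam_krb5 line and the `password` pam_krb5 line and leaves pam_unix and pam_cracklib untouched, which mirrors the stacking case in the text: pam_cracklib only ever supplies the new password, so pam_krb5 needs its own way to get the old one.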

This release also stops ever returning PAM_IGNORE from pam_setcred, since this confused older versions of the Linux PAM libraries, such as the one shipped with RHEL5. In order to do this, I had to significantly refactor the way setcred was handled, so I also fixed the logging for pam_open_session and pam_close_session. It also stops using issetugid on Solaris to determine when to avoid refreshing the ticket cache, since this breaks screen savers.

Finally, since I was going to a 4.0 release anyway due to the incompatible change in the meaning of some options, I went ahead and switched to Automake and Libtool (which is why the size of the distribution doubled). This brings it closer to my other packages and I think will save maintenance work down the road. Hopefully this doesn't break the build on any platforms where it was previously working.

You can get the latest version from the pam-krb5 distribution page.

Posted: 2009-11-13 19:56

Last spun 2022-02-06 from thread modified 2013-01-04