pam-krb5 4.1

The 4.0 release, which moved away from using PAM_IGNORE as a return status for pam_setcred, returned an error instead. I had forgotten that I tried to do this once before and discovered that it didn't work with PAM configurations that use jumps, such as the recommended configuration with pam_afs_session. Whoops. Thanks to Ian Ward Comfort for pointing out the problem. pam_setcred now just returns PAM_SUCCESS if there's nothing for it to do.

This version also changes the password change implementation to always prompt for and store the new password even if pam_krb5 is going to ignore the user. This is required to allow the module to be stacked with other modules using use_authtok, which is the default configuration in Debian. Thanks to Steve Langasek for explaining why this is needed.

Finally, I added a bunch of new logging functions and rationalized and improved the logging throughout pam-krb5. It now uses pam_syslog where available, with a fallback for other systems, so that the logging looks like all the other Linux PAM modules. Successful authentications and failed authentications are now logged and should look much closer to what pam_unix does. I also increased the priority of a bunch of errors that were previously only logged at LOG_DEBUG to LOG_ERR so that the system administrator can see them. I suspect I'll need to fine-tune the logging levels a bit more in subsequent releases.

You can get the latest version from the pam-krb5 distribution page.

Posted: 2009-11-20 16:19

Last spun 2013-07-01 from thread modified 2013-01-04