pam-krb5 4.4

I had accumulated some fixes and felt like doing one more software release before the new year. It starts the year off on a good note.

The main change in this version is a bug fix (and, unfortunately, a bug reintroduction) in the PKINIT support for MIT Kerberos. In trying to fix an issue where the user's password wasn't saved in the PAM stack if PKINIT failed and the module fell back on prompting, I added a password prompt in all cases, even if try_pkinit was set. Since with PKINIT the user may not have a password, that's confusing to say the least.

This release fixes that at the cost of reintroducing the problem of not saving the user's password in the PAM stack if PKINIT fails. I know how to fix this, but it will require a substantial reworking of the control flow for doing PKINIT authentications under MIT Kerberos. It's something that I've wanted to do anyway, since it will make the code more analogous to the Heimdal code and easier to maintain, but that will have to wait for another release.

This issue only affects MIT Kerberos. Heimdal has a much nicer (at least for my purposes) interface for PKINIT authentication that doesn't present the same problem.

This release also reorganizes the pam_krb5 man page to break the configuration directives up into sections. It's still a bit hard to follow since there are so many options at this point, but this will hopefully make it a bit more readable. Finally, there are some additional portability fixes.

You can get the latest version from the pam-krb5 distribution page.

Posted: 2010-12-31 21:09

Last spun 2022-02-06 from thread modified 2013-01-04