pam-krb5 4.5

The big news in this release isn't very user-visible, but it will be a huge help for further maintenance. pam-krb5 has finally been switched over to the generic PAM utility layer that I originally developed for pam-afs-session and now has a test suite that tests all the major functionality. It's not comprehensive by any stretch, but now I can add a few more tests with each release and slowly improve it. This release also imports the Kerberos portability layer from rra-c-util and uses it rather than rolling its own, which should produce better results.

In terms of user-visible changes, this release suppresses the password expired notice in the password stack if force_first_pass or use_first_pass are in use, since the output was otherwise confusing. It also checks to be sure it can obtain kadmin/changepw credentials before returning a password expiration error instead of incorrect password error to work around an issue with older Heimdal.

The location of the temporary root-owned ticket cache is now created relative to ccache_dir instead of forced to be in /tmp.

pam-krb5 now tells the MIT Kerberos library to prefer the older (and hence more compatible with older KDCs) change password protocol instead of the set password protocol. This isn't needed on Heimdal, since it's function always tries both.

There's a first pass at attempting to support the default OpenPAM build system, which makes all the module entry points static and instead exports a struct. I can't test, though, so I suspect this will need more work.

Logging has been improved, particularly around authorization checks and with defer_pwchange, and several minor memory leaks have been plugged.

Finally, there are some improvements and minor changes to the build system and other improvements for portability to BSD systems.

You can get the latest release from the pam-krb5 distribution page.