pam-krb5 4.6

This is the "catch up on external patches" release and has tons of new options.

First, there's a new anon_fast option, thanks to Yair Yarom, which will attempt to obtain anonymous credentials and use them as FAST armor rather than requiring an existing ticket cache. Note that anonymous authentication requires that your Kerberos KDC and client be configured for PKINIT and support anonymous authentication.

Also from Yair Yarom is a new no_prompt option, which suppresses any PAM prompting and defers prompting to the Kerberos library. This can be helpful with some preauth mechanisms that want something other than passwords.

Finally, Yair Yarom provided a silent option, which forces behavior equivalent to when the application passes in PAM_SILENT, suppressing informational Kerberos library messages.

Roland C. Dowdeswell provided a patch for a new user_realm option, which sets the realm for unqualified user principals (like the realm option does), but doesn't change the default realm for other purposes such as credential validation and principal mapping.

I also added a new trace option, which enables trace logging if the Kerberos libraries support it (which currently requires a very new MIT Kerberos release).
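To show how the options above fit together in practice, here is an added configuration example (not part of the pam-krb5 distribution or this announcement). It assumes the usual pam-krb5 conventions: options may be given on the module line in the PAM configuration or in the pam section of [appdefaults] in krb5.conf, user_realm takes a realm name and trace takes a file path. EXAMPLE.COM and the trace file path are placeholders.

```text
# /etc/pam.d/common-auth (added example; EXAMPLE.COM and the log path are placeholders)
#
# Use anonymous PKINIT credentials as FAST armor, qualify bare usernames with
# EXAMPLE.COM without changing the default realm used for validation and
# mapping, and write Kerberos library trace output where it can be reviewed.
auth  sufficient  pam_krb5.so  anon_fast user_realm=EXAMPLE.COM trace=/var/log/pam-krb5.trace
auth  required    pam_unix.so  try_first_pass

# Equivalent settings in /etc/krb5.conf, for sites that prefer to keep PAM
# module options out of the pam.d files.  no_prompt hands all prompting to
# the Kerberos library (useful for non-password preauth), and silent
# suppresses informational library messages as if PAM_SILENT were passed.
[appdefaults]
    pam = {
        anon_fast  = true
        user_realm = EXAMPLE.COM
        no_prompt  = true
        silent     = true
        trace      = /var/log/pam-krb5.trace
    }
```

Leave trace unset outside of troubleshooting: the trace file can record details of every authentication attempt, so it should be enabled only briefly and with restrictive file permissions.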

There are several fixes for alt_auth_map support, including fixing realm handling, allowing a realm to be specified in the map, and fixing some memory leaks. I also fixed a doubled colon in password prompts for Heimdal, avoided a segfault (NULL pointer dereference) if krb5_init_context fails, fixed initialization of time values on platforms where krb5_deltat is not a long, closed a memory leak in search_k5login, fixed some bogus error messages from the realm option, and improved the retry logic in try_first_pass.

You can get the latest release from the pam-krb5 distribution page. I'm now distributing both *.tar.gz and *.tar.xz files, since there seems to be significant movement towards xz and it produces substantial space savings (and I wanted to use it as the basis for the Debian packages). I will continue to distribute a *.tar.gz file for the foreseeable future.

Posted: 2012-06-02 20:05

Last spun 2013-07-01 from thread modified 2013-01-04