Posts for December 2014

2014-12-08: wallet 1.2

wallet is a system for secure credential management and distribution.

This release renames the duo object type to duo-pam (since it really only handles PAM integrations) and adds new object types duo-radius, duo-ldap, and duo-rdp to handle other types of Duo Security integrations.

It also adds a rename command, which can be used to rename existing objects without destroying them and recreating them. Currently, this only supports file objects.

My only role in this release was to do the final release management and a bit of release testing. The new code was implemented by Jon Robertson (who's also done a lot of work on wallet in the past).

You can get the latest release from the wallet distribution page.

2014-12-08 21:39 — Permanent link

2014-12-25: C TAP Harness 3.2

This is a fairly minor release, mostly to have a release of files that I'm updating in rra-c-util. Most of the changes are typos and other cosmetic fixes. But I hate releasing a new version of something without a little bit of new functionality, so I implemented comment support in test lists. The runtests driver now ignores comments (lines starting with #) and blank lines in test list files, and leading whitespace in front of test names.

You can get the latest version from the C TAP Harness distribution page.

2014-12-25 13:38 — Permanent link

2014-12-25: rra-c-util 5.6

rra-c-util is my personal collection of infrastructure for C and Perl packages. This release has a quite-large accumulation of small fixes, mostly from work Julien ÉLIE has done on merging it into INN and testing INN's portability on a wide variety of platforms.

The highlights:

• Add a new module-version.t test and helper script for Perl modules that checks that all modules included in a distribution have the correct version.

• Add a new portable/socket-unix.h portability layer that includes sys/un.h and defines SUN_LEN if the implementation does not do so. (Use in combination with the RRA_MACRO_SUN_LEN Autoconf macro.)

• Check for interview overflow in vector_join and vector_cjoin.

• Avoid strlcpy in the getnameinfo and setenv replacements. I'm slowly trying to eliminate strlcpy and strlcat in my code in favor of asprintf and other cleaner replacements following an extensive discussion on the glibc mailing lists.

• Fix network_addr_match with the empty string on AIX 7.1, whose inet_aton accepts the empty string.

• network_connect, network_connect_host, and network_client_create all accept "any" as a synonym for "all" as a source, for parallelism with other functions.

• Add PIPE_READ and PIPE_WRITE macros to util/macros.h to name the elements of the array passed to pipe.

• Fix Windows portability for socket functions that, on UNIX, want to return an error code of EINVAL.

• Fix visibility of some of the utility and portability functions.

You can get the latest version from the rra-c-util distribution page.

2014-12-25 16:28 — Permanent link

2014-12-25: pam-krb5 4.7

It's been a long, long time since the last upstream release. Rather too long, as the changes to the portability and test framework were larger than the changes to the module itself. But there are a few bug fixes here and one new feature.

The new feature is a new option, no_update_user, which disables the normal update of PAM_USER for the rest of the PAM stack to the canonicalized local username. This allows users to do things like enter Kerberos principals into the login prompt and have the right thing happen, but sometimes it's important to keep the authentication credentials as originally entered and not canonicalize, even if there's a local canonicalization available. This new option allows that.

In the bug-fix department, the module now suppresses spurious password prompts from Heimdal while using PKINIT and understands more Kerberos errors for purposes of try_first_pass support and returning better PAM errors.

The documentation now notes next to each option the version of pam-krb5 at which it was introduced with its current meaning.

You can get the latest version from the pam-krb5 distribution page.

2014-12-25 20:01 — Permanent link