< rra-c-util 7.0 | Russ Allbery > Eagle's Path > December 2017 | DocKnot 1.02 > |
This is the default Kerberos PAM module for Debian and Ubuntu systems, and supports both MIT Kerberos and Heimdal. I'm not sure how many people still use straight Kerberos PAM modules these days, with sssd taking off, but I'm still maintaining it.
This release fixes a somewhat obscure bug: if you configure the module to
do expired password changes properly, it checks to see that the expired
credentials can still get kadmin/changepw
credentials to do the
password change. However, it was setting credential options improperly on
that call, which could cause it to spuriously fail if, say,
krb5.conf
is configured to request proxiable credentials but
kadmin/changepw
doesn't support proxiable credentials. Thanks to
Florian Best for the excellent bug report.
The test suite in this version also works properly with Heimdal 7.0.1 and later, which changed a bunch of the messages (at the cost of skipping tests with earlier versions of Heimdal), and reports richer error messages on PKINIT failures with Heimdal. It also includes documentation fixes and lots of warning fixes, and now builds properly with tons of warnings enabled with GCC 7, Clang, and the Clang static analyzer.
You can get the latest version from the pam-krb5 distribution page.
Posted: 2017-12-30 21:35 — Why no comments?
< rra-c-util 7.0 | Russ Allbery > Eagle's Path > December 2017 | DocKnot 1.02 > |