Russ Allbery > Eagle's Path > October 2021 | rra-c-util 10.0 > |
The primary change in this release of my Kerberos PAM module is support
for calling pam_end
with PAM_DATA_SILENT
. I had not known
that the intent of this flag was to signal that only process resources
were being cleaned up and external resources should not be (in part
because an older version of the man page doesn't make this clear).
This flag is used when a proces forks with an open PAM library handle and wants to clean it up in the child process. In previous versions, this would delete the user's ticket cache, which is not the desired behavior. This version correctly leaves the ticket cache alone.
The implementation required some improvements to the PAM testing framework to support this case as well.
The other significant change in this release is that the build system no
longer attempts to guess the correct PAM module installation path and
instead documents that to install the module in a Linux system PAM module
path, you will probably need to set --libdir
explicitly. The logic
used to decide between Debian and Red Hat multiarch paths broke in the
presence of Debian usrmerge systems and was incredibly fragile even before
that, so I've now dropped it completely.
You can get the latest version from the pam-krb5 distribution page.
Posted: 2021-10-17 16:00 — Why no comments?
Russ Allbery > Eagle's Path > October 2021 | rra-c-util 10.0 > |