- 2.3.11:* create credentials before trying to look up the location of the user's home directory via krb5_kuserok() - 2.3.10:* fine-tune the logic for selecting which key we use for validating credentials - 2.3.9: * add a "multiple_ccaches" option to allow forcing the previous behavior of not deleting an old ccache whenever we create a new one, but saving them until the call that caused us to create them is reversed - 2.3.8: * add a "chpw_prompt" option to allow password changes to happen during what the calling application thinks is just a password check, to work around applications that don't handle the case of an expired password correctly (#509092, based on patch from Olivier Fourdan) - 2.3.7: * when refreshing credentials, store the new creds in the default ccache if $KRB5CCNAME isn't set (#507984) - 2.3.6: * prefer a "host" key, if one is found, when validating TGTs (#450776) - 2.3.5: * make prompting behavior for non-existent accounts and users who just press enter match up with those who aren't/don't (#502602, CVE-2009-1384) - 2.3.4: * don't request password-changing credentials using the same options we use for ticket-granting tickets - 2.3.3: * close a couple of open pipes to defunct processes, fix a couple of debug messages - 2.3.2: * fix ccache permissions bypass when the "existing_ticket" option is used (CVE-2008-3825, which affects 2.2.0-2.2.25, 2.3.0, and 2.3.1) - 2.3.1: * make afs5log's -n option actually work the "null_afs" option * translations for messages! - 2.3.0: * added the ability to set up tokens in the rxk5 format * added the "token_strategy" option to control which methods we'll try to use for setting tokens * merge "null_afs" functionality from Jan Iven - 2.2.23: * when we're changing passwords, force at least one attempt to authenticate using the KDC, even in the pathological case where there's no previously- entered password and we were told not to ask for one (#400611) - 2.2.22: * moved .k5login checks to a subprocess to avoid screwing with the parent process's tokens and PAG (fallout from #371761) * all options which took true/false before ("debug", "tokens", and so on) can now take service names - 2.2.21: * fix permissions problems on keyring ccaches, so that users can write to them after we've set them up, and we can still do the cleanup * fix permission problems accessing .k5login files in home directories which live in AFS (#371761) - 2.2.20: * fixes for credential refreshing * avoid running afoul of SELinux policy when attempting to get tokens - 2.2.19: * the "keytab" option can now be used to specify a custom location for a given service from within krb5.conf * log messages are now logged with facility LOG_AUTHPRIV (or LOG_AUTH if LOG_AUTHPRIV is not defined) instead of the application's default or LOG_USER * added the "pkinit_identity" option to provide a way to specify where the user's public-key credentials are, and "pkinit_flags" to specify arbitrary flags for libkrb5 (Heimdal only) * added the "preauth_options" option to provide a way to specify arbitrary preauthentication options to libkrb5 (MIT only) * added the "ccname_template" option to provide a way to specify where the user's credentials should be stored, so that KEYRING: credential caches can be deployed at will. - 2.2.18: * fix permissions-related problems creating v4 ticket files - 2.2.17: * corrected a typo in the pam_krb5(8) man page * clarified that the "tokens" flag should only be needed for applications which are not using PAM correctly * clarified COPYING and .spec file to better reflect licensing as indicated in the source files - 2.2.16: * don't bother using a helper for creating v4 ticket files when we're just getting tokens * clean up the debug message which we emit when we do v5->v4 principal name conversion * compilation fixes - 2.2.15: * let default "external" and "use_shmem" settings be specified at compile-time * correctly return a "unknown user" error when attempting to change a password for a user who has no corresponding principal (#235020) * don't bother using a helper for creating ccache files, which we're just going to delete, when we need to get tokens - 2.2.14: * handle "client revoked" errors - 2.2.13: * make it possible to have more than one ccache (and tktfile) at a time to work around apps which open a session, set the environment, and initialize creds (when we previously created a ccache, removing the one which was named in the environment) (#204939) - 2.2.12: * add a "pwhelp" option. Display the KDC error to users. - 2.2.11: * return success from our account management callback in cases where our authentication callback simply failed to authenticate (#207410) * fix setting of items for password-changing modules which get called after us (Michael Calmer) - 2.2.10: * add the "no_subsequent_prompt" option, to force the module to always answer a libkrb5 prompt with the PAM_AUTHTOK value * add the "debug_sensitive" option, which actually logs passwords * add the --with-os-distribution option to configure to override "Red Hat Linux" in the man pages * if the server returns an error message during password-changing, let the user see it - 2.2.9: * return PAM_IGNORE instead of PAM_SERVICE_ERR when we're called in an unsafe situation and told to refresh credentials * fix a race condition in how the ccache creation helper is invoked * properly handle "external" cases where the forwarded creds belong to someone other than the principal name we guessed for the user - 2.2.8: * skip attempts to set non-"2b" tokens when use of v4 credentials has been completely disabled - 2.2.7: * do 524 conversion for the "external" cases, too - 2.2.6: * add "krb4_use_as_req" to completely disallow any attempts to get v4 credentials (along with "krb4_convert_524", which was already there) * don't try to convert v5 creds to v4 creds for AFS when "krb4_convert_524" is disabled, either - 2.2.5: * fix a couple of cases where a debug message would be logged even if debugging wasn't enabled - 2.2.4: * fix reporting of the reasons for password change failures - 2.2.3: * fix a compilation error - 2.2.2: * when validating user credentials, don't leak the keytab file descriptor - 2.2.1: * fix a thinko which broke afs5log on systems where the AFS syscall isn't available - 2.2: * refreshing of preexisting credentials works, so unlocking your screensaver should fetch new credentials and tokens. Be careful that you don't invoke the authentication function with the "tokens" flag, which creates a new PAG, if you want this to be useful. As of this writing, at least xscreensaver calls pam_setcred() with the proper flag to signal that credentials should be refreshed. Other screen saver applications may not. * new "external" option for use with OpenSSH's GSSAPI authentication with credential delegation and AFS, *should* work with anything which uses GSSAPI, accepts delegated credentials, and sets KRB5CCNAME in the PAM environment * new "use_shmem" option for use with OpenSSH's privilege separation mode * credential and renewal lifetimes can now be given either as krb5-style times or as numbers of seconds * new "ignore_unknown_principal"/"ignore_unknown_spn" option * new "krb4_convert_524" option * configure can now set the default location of the system keytab * configure disables AFS support except on Linux and Solaris (for now), but can be overridden either way (needs testing on Solaris) * can now specify a principal name for AFS cells, to save guesswork * should now correctly work with SAM authentication, needs testing * "tokens" now behaves like "external" and "use_shmem", in that it can be specified in the configuration as a list of service names - 2.1: switch to a minikafs implementation to flush out lurking ABI differences between the krb4 interface the kafs library used and the one which libkrb4 provides. Also, we support "2b" tokens now. - 2.0: more or less complete rewrite. Jettison our own krb5.conf parsing code in favor of the supported API. This means that configuration settings which look like this: [pam] forwardable = yes are no longer recognized, and must be changed to: [appdefaults] pam = { forwardable = yes }