Subject: CVS commit: pkgsrc/security/pam-krb5
From: Fredrik Pettai
Date: 2012-03-19 20:31:24
Message id: 20120319193124.A1A32175DD@cvs.netbsd.org
Log Message:
pam-krb5 4.5
* Suppress the notice that the password is being changed because it's
  expired if force_first_pass or use_first_pass is set in the password
  stack, indicating that it's stacked with another module that's also
  doing password changes. This is arguable, but without this change the
  notification message of why the password is being changed shows up
  confusingly in the middle of the password change interaction.
* Some old versions of Heimdal (0.7.2 in OpenBSD 4.9, specifically)
  reportedly return KRB5KDC_ERR_KEY_EXP for accounts with expired
  keys even if the supplied password is wrong. Work around this by
  confirming that the PAM module can obtain tickets for kadmin/changepw
  before returning a password expiration error instead of an invalid
  password error.
* The location of the temporary root-owned ticket cache created during
  the authentication process is now also controlled by the ccache_dir
  option (but not the ccache option) rather than forced to be in /tmp.
  This will allow system administrators to configure an alternative
  cache directory so that pam-krb5 can continue working when /tmp is
  full.
* Report more specific errors in syslog if authorization checks (such as
  .k5login checks) fail.
* Pass a NULL principal to krb5_set_password with MIT client libraries
  to prefer the older change password protocol for compatibility with
  older KDCs. This is not necessary on Heimdal since Heimdal's
  krb5_set_password tries both protocols.
* Improve logging and authorization checks when defer_pwchange is set
  and a user authenticates with an expired password.
* When probing for Kerberos libraries, always add any supplemental
  libraries found to that point to the link command. This will fix
  configure failures on platforms without working transitive shared
  library dependencies.
* Close some memory leaks where unparsed Kerberos principal names were
  never freed.
* Restructure the code to work with OpenPAM's default PAM build
  machinery, which exports a struct containing module entry points
  rather than public pam_sm_* functions.
* In debug logging, report symbolic names for PAM flags on PAM function
  entry rather than the numeric PAM flags. This helps with automated
  testing and with debugging PAM problems on different operating
  systems.
* Include <krb5/krb5.h> if <krb5.h> is missing, which permits finding
  the header file on NetBSD systems.
* Replace the Kerberos compatibility layer with equivalent but
  better-structured code from rra-c-util 4.0.
* Avoid krb5-config and use manual library probing if --with-krb5-lib or
  --with-krb5-include were given to configure. This avoids having to
  point configure at a nonexistent krb5-config to override its results.
* Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in
  configure, to avoid a conflict with the variable used by the Kerberos
  libraries to find krb5.conf.
* Change references to Kerberos v5 to just Kerberos in the documentation.
* Update to rra-c-util 4.0
* Update to C TAP Harness 1.9
Files: