./security/pam-krb5, Very flexible kerberos module for the PAM framework

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 4.6, Package name: pam-krb5-4.6, Maintainer: pettai

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable
authorization handling, authentication of non-local accounts for network
services, password changing, and password expiration, as well as all the
standard expected PAM features.

Required to build:

Master sites:

SHA1: d96b018eda3bd269dcb57f4ecee4898afb5c4369
RMD160: 9edec20d6999112c5eeb436df1d58f3368593164
Filesize: 516.505 KB

Version history: (Expand)

CVS history: (Expand)

   2020-10-23 11:21:00 by Tobias Nygren | Files touched by this commit (9)
Log message:
pam-*: g/c NO_STATIC_MODULES hacks. Handled in openpam/builtin.mk.
   2019-11-04 22:13:04 by Roland Illig | Files touched by this commit (118)
Log message:
security: align variable assignments

pkglint -Wall -F --only aligned --only indent -r

No manual corrections.
   2017-09-03 10:53:18 by Thomas Klausner | Files touched by this commit (165)
Log message:
Follow some redirects.
   2016-12-12 15:22:04 by Thomas Klausner | Files touched by this commit (30)
Log message:
Revert "Specify readline requirement on 30 packages"

Many of these definitely do not depend on readline.
So there must be a different underlying problem, and that
should be tracked down instead of papering over it.
   2016-12-04 04:51:17 by John Marino | Files touched by this commit (30)
Log message:
Specify readline requirement on 30 packages

/usr/libexec/binutils225/elf/ld.gold: error: cannot find -lreadline

The missing specification is obvious on DragonFly because there's
no publically accessible version of readline in base.
   2015-11-04 02:18:12 by Alistair G. Crooks | Files touched by this commit (434)
Log message:
Add SHA512 digests for distfiles for security category

Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
   2012-10-23 20:17:02 by Aleksej Saushev | Files touched by this commit (368)
Log message:
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
   2012-06-17 00:15:23 by Fredrik Pettai | Files touched by this commit (2) | Package updated
Log message:
pam-krb5 4.6

  * Add an anon_fast option that attempts anonymous authentication
    (generally implemented via anonymous PKINIT inside the Kerberos
    library) and then, if successful, uses those credentials for FAST
    armor.  If fast_ccache and anon_fast are both specified, anonymous
    authentication will be used as a fallback if the specified FAST ticket
    cache doesn't exist.  Based on patches from Yair Yarom.
  * Add a user_realm option to only set the realm for unqualified user
    principals.  This differs from the existing realm option in that realm
    also changes the default realm for authorization decisions and for
    verification of credentials.  Update the realm option documentation to
    clarify the differences and remove incorrect information.  Patch from
    Roland C. Dowdeswell.
  * Add a no_prompt option to suppress the PAM module's prompt for the
    user's password and defer all prompting to the Kerberos library.  This
    allows the Kerberos library to have complete control of the prompting
    process, which may be desireable if authentication mechanisms other
    than password are in use.  Be aware that, with this option set, the
    PAM module has no control over the contents of the prompt and cannot
    store the user's password in the PAM data.  Based on a patch by Yair
  * Add a silent option to force the module to behave as if the
    application had passed in PAM_SILENT and suppress text messages and
    errors from the Kerberos library.  Patch from Yair Yarom.
  * Add preliminary support for Kerberos trace logging via a trace option
    that enables trace logging if supported by the underlying Kerberos
    library.  The option takes as an argument the file name to which to
    log trace output.  This option does not yet work with any released
    version of Kerberos, but may work with the next release of MIT
  * MIT Kerberos does not add a colon and space to its password prompts,
    but Heimdal does.  pam-krb5 previously unconditionally added a colon
    and space, resulting in doubled colons with Heimdal.  Work around this
    inconsistency by not adding the colon and space if already present.
  * Fix alt_auth_map support to preserve the realm of the authentication
    identity when forming the alternate authentication principal, matching
    the documentation.
  * Document that the alt_auth_map format may contain a realm to force all
    mapped principals to be in that realm.  In that case, don't add the
    realm of the authentication identity.  Note that this can be used as a
    simple way to attempt authentication in an alternate realm first and
    then fall back to the local realm, although any complex attempt at
    authentication in multiple realms should instead run the module
    multiple times with different realm settings.
  * Avoid a NULL pointer dereference if krb5_init_context fails.
  * Fix initialization of time values in the module configuration on
    platforms (like S/390X) where krb5_deltat is not equivalent to long.
  * Close a memory leak when search_k5login is set but the user has no
    .k5login file.
  * Close several memory leaks in alt_auth_map support.
  * Suppress bogus error messages about unknown option for the realm
    option.  The option was being parsed and honored despite the error.
  * Retry authentication under try_first_pass on several other errors in
    addition to decrypt integrity check errors to handle a wider array of
    possible "password incorrect" error messages from the KDC.
  * Update to rra-c-util 4.4:
  * Update to C TAP Harness 1.12: