- 2.2.13: * make it possible to have more than one ccache (and tktfile) at a
time to work around apps which open a session, set the environment,
and initialize creds (when we previously created a ccache, removing
the one which was named in the environment)
- 2.2.12: * add a "pwhelp" option. Display the KDC error to users.
- 2.2.11: * return success from our account management callback in cases where
our authentication callback simply failed to authenticate (#207410)
* fix setting of items for password-changing modules which get called
after us (Michael Calmer)
- 2.2.10: * add the "no_subsequent_prompt" option, to force the module to
always answer a libkrb5 prompt with the PAM_AUTHTOK value
* add the "debug_sensitive" option, which actually logs passwords
* add the --with-os-distribution option to configure to override
"Red Hat Linux" in the man pages
* if the server returns an error message during password-changing,
let the user see it
- 2.2.9: * return PAM_IGNORE instead of PAM_SERVICE_ERR when we're called in
an unsafe situation and told to refresh credentials
* fix a race condition in how the ccache creation helper is invoked
* properly handle "external" cases where the forwarded creds belong
to someone other than the principal name we guessed for the user
- 2.2.8: * skip attempts to set non-"2b" tokens when use of v4 credentials
has been completely disabled
- 2.2.7: * do 524 conversion for the "external" cases, too
- 2.2.6: * add "krb4_use_as_req" to completely disallow any attempts to get
v4 credentials (along with "krb4_convert_524", which was already
there)
* don't try to convert v5 creds to v4 creds for AFS when
"krb4_convert_524" is disabled, either
- 2.2.5: * fix a couple of cases where a debug message would be logged even if
debugging wasn't enabled
- 2.2.4: * fix reporting of the reasons for password change failures
- 2.2.3: * fix a compilation error
- 2.2.2: * when validating user credentials, don't leak the keytab file
descriptor
- 2.2.1: * fix a thinko which broke afs5log on systems where the AFS syscall
isn't available
- 2.2: * refreshing of preexisting credentials works, so unlocking your
screensaver should fetch new credentials and tokens. Be careful that
you don't invoke the authentication function with the "tokens" flag,
which creates a new PAG, if you want this to be useful.
As of this writing, at least xscreensaver calls pam_setcred() with the
proper flag to signal that credentials should be refreshed. Other
screen saver applications may not.
* new "external" option for use with OpenSSH's GSSAPI authentication
with credential delegation and AFS, *should* work with anything which
uses GSSAPI, accepts delegated credentials, and sets KRB5CCNAME in
the PAM environment
* new "use_shmem" option for use with OpenSSH's privilege separation mode
* credential and renewal lifetimes can now be given either as krb5-style
times or as numbers of seconds
* new "ignore_unknown_principal"/"ignore_unknown_spn" option
* new "krb4_convert_524" option
* configure can now set the default location of the system keytab
* configure disables AFS support except on Linux and Solaris (for now),
but can be overridden either way (needs testing on Solaris)
* can now specify a principal name for AFS cells, to save guesswork
* should now correctly work with SAM authentication, needs testing
* "tokens" now behaves like "external" and "use_shmem", in that it
can be specified in the configuration as a list of service names
- 2.1: switch to a minikafs implementation to flush out lurking ABI differences
between the krb4 interface the kafs library used and the one which libkrb4
provides. Also, we support "2b" tokens now.
- 2.0: more or less complete rewrite.
Jettison our own krb5.conf parsing code in favor of the supported API.
This means that configuration settings which look like this:
[pam]
forwardable = yes
are no longer recognized, and must be changed to:
[appdefaults]
pam = {
forwardable = yes
}
