NEWS
- 2.4.9: * fix a memory leak when acquiring creds
         * change the default for subsequent_prompt to be false when the
           module is called to change passwords (#1063933)
- 2.4.8: * handle when the [libdefaults] default_ccache_name setting is not set
- 2.4.7: * try to read the [libdefaults] default_ccache_name setting, and
           handle the %{uid}, %{euid}, %{userid}, and %{username} substitutions
         * stop trying to fix ownership on keyring ccaches, since we stopped
           having to worry about it around 2.4.0
- 2.4.6: * fix handling of ccaches for users who are mapped to principal
           names in a realm other than the configured default realm (#999604)
- 2.4.5: * handle ccname templates that don't include a template suffix
           by accepting the location at create-time if the permissions
           look right, and not deleting the creds at cleanup-time
         * fix some memory leaks
- 2.4.4: * compilation fixes
- 2.4.3: * translation updates
- 2.4.2: * handle different function signatures for krb5_trace_callback
         * avoid overriding the primary when updating DIR: caches
- 2.4.1: * handle creation of /run/user/XXX for FILE: and DIR: caches
- 2.4.0: * drop configuration settings that duplicated library settings
         * drop the existing_ticket option
         * drop krb4 support
         * add support for preserving configuration information in ccaches
         * add support for creating and cleaning up DIR: ccaches
         * finish cleaning up KEYRING: ccaches
         * add experimental "armor" and "armor_strategy" options
- 2.3.14: * also drop privileges when reinitializing or refreshing credentials,
            for the sake of login (#822493)
- 2.3.13: * don't bother creating a v5 ccache in "external" mode
          * add a "trace" option to enable libkrb5 tracing, if available
          * avoid trying to get password-change creds twice
          * use an in-memory ccache when obtaining tokens using v5 creds
          * turn off creds==session in "sshd"
- 2.3.12: * add a "validate_user_user" option to control trying to perform
            user-to-user authentication to validate TGTs when a keytab is not
            available
          * add an "ignore_k5login" option to control whether or not the module
            will use the krb5_kuserok() function to perform additional
            authorization checks
          * turn on validation by default - verify_ap_req_nofail controls how we
            treat errors reading keytab files now
          * add an "always_allow_localname" option when we can use
            krb5_aname_to_localname() to second-guess the krb5_kuserok() check
          * prefer krb5_change_password() to krb5_set_password()
- 2.3.11: * create credentials before trying to look up the location of the
            user's home directory via krb5_kuserok()
- 2.3.10: * fine-tune the logic for selecting which key we use for validating
            credentials
- 2.3.9: * add a "multiple_ccaches" option to allow forcing the previous
           behavior of not deleting an old ccache whenever we create a new
           one, but saving them until the call that caused us to create
           them is reversed
- 2.3.8: * add a "chpw_prompt" option to allow password changes to happen
           during what the calling application thinks is just a password
           check, to work around applications that don't handle the case
           of an expired password correctly (#509092, based on patch from
           Olivier Fourdan)
- 2.3.7: * when refreshing credentials, store the new creds in the default
           ccache if $KRB5CCNAME isn't set (#507984)
- 2.3.6: * prefer a "host" key, if one is found, when validating TGTs
           (#450776)
- 2.3.5: * make prompting behavior for non-existent accounts and users who
           just press enter match up with those who aren't/don't (#502602,
           CVE-2009-1384)
- 2.3.4: * don't request password-changing credentials using the same options
           we use for ticket-granting tickets
- 2.3.3: * close a couple of open pipes to defunct processes, fix a couple
           of debug messages
- 2.3.2: * fix ccache permissions bypass when the "existing_ticket" option is
           used (CVE-2008-3825, which affects 2.2.0-2.2.25, 2.3.0, and 2.3.1)
- 2.3.1: * make afs5log's -n option actually work like the "null_afs" option
         * translations for messages!
- 2.3.0: * added the ability to set up tokens in the rxk5 format
         * added the "token_strategy" option to control which methods we'll
           try to use for setting tokens
         * merge "null_afs" functionality from Jan Iven
- 2.2.23: * when we're changing passwords, force at least one attempt to
            authenticate using the KDC, even in the pathological case where
            there's no previously-entered password and we were told not to ask
            for one (#400611)
- 2.2.22: * moved .k5login checks to a subprocess to avoid screwing with the
            parent process's tokens and PAG (fallout from #371761)
          * all options which took true/false before ("debug", "tokens", and
            so on) can now take service names
- 2.2.21: * fix permissions problems on keyring ccaches, so that users can write
            to them after we've set them up, and we can still do the cleanup
          * fix permission problems accessing .k5login files in home directories
            which live in AFS (#371761)
- 2.2.20: * fixes for credential refreshing
          * avoid running afoul of SELinux policy when attempting to get tokens
- 2.2.19: * the "keytab" option can now be used to specify a custom location
            for a given service from within krb5.conf
          * log messages are now logged with facility LOG_AUTHPRIV (or LOG_AUTH
            if LOG_AUTHPRIV is not defined) instead of the application's default
            or LOG_USER
          * added the "pkinit_identity" option to provide a way to specify
            where the user's public-key credentials are, and "pkinit_flags" to
            specify arbitrary flags for libkrb5 (Heimdal only)
          * added the "preauth_options" option to provide a way to specify
            arbitrary preauthentication options to libkrb5 (MIT only)
          * added the "ccname_template" option to provide a way to specify
            where the user's credentials should be stored, so that KEYRING:
            credential caches can be deployed at will
- 2.2.18: * fix permissions-related problems creating v4 ticket files
- 2.2.17: * corrected a typo in the pam_krb5(8) man page
          * clarified that the "tokens" flag should only be needed for
            applications which are not using PAM correctly
          * clarified COPYING and .spec file to better reflect licensing as
            indicated in the source files
- 2.2.16: * don't bother using a helper for creating v4 ticket files when we're
            just getting tokens
          * clean up the debug message which we emit when we do v5->v4
            principal name conversion
          * compilation fixes
- 2.2.15: * let default "external" and "use_shmem" settings be specified at
            compile-time
          * correctly return an "unknown user" error when attempting to change
            a password for a user who has no corresponding principal (#235020)
          * don't bother using a helper for creating ccache files, which we're
            just going to delete, when we need to get tokens
- 2.2.14: * handle "client revoked" errors
- 2.2.13: * make it possible to have more than one ccache (and tktfile) at a
            time to work around apps which open a session, set the environment,
            and initialize creds (when we previously created a ccache, removing
            the one which was named in the environment) (#204939)
- 2.2.12: * add a "pwhelp" option. Display the KDC error to users.
- 2.2.11: * return success from our account management callback in cases where
            our authentication callback simply failed to authenticate (#207410)
          * fix setting of items for password-changing modules which get called
            after us (Michael Calmer)
- 2.2.10: * add the "no_subsequent_prompt" option, to force the module to
            always answer a libkrb5 prompt with the PAM_AUTHTOK value
          * add the "debug_sensitive" option, which actually logs passwords
          * add the --with-os-distribution option to configure to override
            "Red Hat Linux" in the man pages
          * if the server returns an error message during password-changing,
            let the user see it
- 2.2.9: * return PAM_IGNORE instead of PAM_SERVICE_ERR when we're called in
           an unsafe situation and told to refresh credentials
         * fix a race condition in how the ccache creation helper is invoked
         * properly handle "external" cases where the forwarded creds belong
           to someone other than the principal name we guessed for the user
- 2.2.8: * skip attempts to set non-"2b" tokens when use of v4 credentials
           has been completely disabled
- 2.2.7: * do 524 conversion for the "external" cases, too
- 2.2.6: * add "krb4_use_as_req" to completely disallow any attempts to get
           v4 credentials (along with "krb4_convert_524", which was already
           there)
         * don't try to convert v5 creds to v4 creds for AFS when
           "krb4_convert_524" is disabled, either
- 2.2.5: * fix a couple of cases where a debug message would be logged even if
           debugging wasn't enabled
- 2.2.4: * fix reporting of the reasons for password change failures
- 2.2.3: * fix a compilation error
- 2.2.2: * when validating user credentials, don't leak the keytab file
           descriptor
- 2.2.1: * fix a thinko which broke afs5log on systems where the AFS syscall
           isn't available
- 2.2: * refreshing of preexisting credentials works, so unlocking your
         screensaver should fetch new credentials and tokens. Be careful that
         you don't invoke the authentication function with the "tokens" flag,
         which creates a new PAG, if you want this to be useful.
         As of this writing, at least xscreensaver calls pam_setcred() with the
         proper flag to signal that credentials should be refreshed. Other
         screen saver applications may not.
       * new "external" option for use with OpenSSH's GSSAPI authentication
         with credential delegation and AFS, *should* work with anything which
         uses GSSAPI, accepts delegated credentials, and sets KRB5CCNAME in
         the PAM environment
       * new "use_shmem" option for use with OpenSSH's privilege separation mode
       * credential and renewal lifetimes can now be given either as krb5-style
         times or as numbers of seconds
       * new "ignore_unknown_principal"/"ignore_unknown_spn" option
       * new "krb4_convert_524" option
       * configure can now set the default location of the system keytab
       * configure disables AFS support except on Linux and Solaris (for now),
         but can be overridden either way (needs testing on Solaris)
       * can now specify a principal name for AFS cells, to save guesswork
       * should now correctly work with SAM authentication, needs testing
       * "tokens" now behaves like "external" and "use_shmem", in that it
         can be specified in the configuration as a list of service names
- 2.1: switch to a minikafs implementation to flush out lurking ABI differences
       between the krb4 interface the kafs library used and the one which libkrb4
       provides. Also, we support "2b" tokens now.
- 2.0: more or less complete rewrite.
       Jettison our own krb5.conf parsing code in favor of the supported API.
       This means that configuration settings which look like this:
         [pam]
          forwardable = yes
       are no longer recognized, and must be changed to:
         [appdefaults]
          pam = {
           forwardable = yes
          }
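As an added example that is not pam_krb5's own code, the function below expands the %{uid}, %{euid}, %{userid} and %{username} substitutions that the 2.4.7 entry above says the module handles in a default_ccache_name template. The function name, the fixed-size output buffer and the choice to reject unknown tokens are assumptions of this example; %{userid} is treated as an alias for %{uid}, which is how MIT krb5 documents it.

```c
/* Added example, not pam_krb5's own code: expand the %{uid}, %{euid},
 * %{userid} and %{username} substitutions in a ccache name template.
 * An unknown or unterminated token is rejected instead of being passed
 * through, so a typo cannot silently yield a ccache name shared by users. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Returns 0 and writes the expanded name to out on success,
 * -1 on an unknown token, an unterminated token, or overflow of out. */
int expand_ccname(const char *tmpl, uid_t uid, uid_t euid,
                  const char *username, char *out, size_t outlen)
{
    size_t used = 0, len;
    char num[32];
    const char *p = tmpl, *src;

    while (*p != '\0') {
        if (p[0] == '%' && p[1] == '{') {
            const char *end = strchr(p + 2, '}');
            if (end == NULL)
                return -1;              /* "%{uid" without a closing brace */
            len = (size_t)(end - (p + 2));
            if (len == 8 && memcmp(p + 2, "username", 8) == 0) {
                src = username;
            } else if (len == 4 && memcmp(p + 2, "euid", 4) == 0) {
                snprintf(num, sizeof(num), "%lu", (unsigned long)euid);
                src = num;
            } else if ((len == 3 && memcmp(p + 2, "uid", 3) == 0) ||
                       (len == 6 && memcmp(p + 2, "userid", 6) == 0)) {
                snprintf(num, sizeof(num), "%lu", (unsigned long)uid);
                src = num;              /* %{userid} is an alias for %{uid} */
            } else {
                return -1;              /* unknown token: refuse it */
            }
            len = strlen(src);
            p = end + 1;
        } else {
            src = p;                    /* literal character, copied as-is */
            len = 1;
            p++;
        }
        if (used + len + 1 > outlen)
            return -1;                  /* result would not fit in out */
        memcpy(out + used, src, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}
```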