1- 2.4.9: * fix a memory leak when acquiring creds 2 * change the default for subsequent_prompt to be false when the 3 module is called to change passwords (#1063933) 4- 2.4.8: * handle when the [libdefaults] default_ccache_name setting is not set 5- 2.4.7: * try to read the [libdefaults] default_ccache_name setting, and 6 handle the %{uid}, %{euid}, %{userid}, and %{username} substitutions 7 * stop trying to fix ownership on keyring ccaches, since we stopped 8 having to worry about it around 2.4.0 9- 2.4.6: * fix handling of ccaches for users who are mapped to principal 10 names in a realm other than the configured default realm (#999604) 11- 2.4.5: * handle ccname templates that don't include a template suffix 12 by accepting the location at create-time if the permissions 13 look right, and not deleting the creds at cleanup-time 14 * fix some memory leaks 15- 2.4.4: * compilation fixes 16- 2.4.3: * translation updates 17- 2.4.2: * handle different function signatures for krb5_trace_callback 18 * avoid overriding the primary when updating DIR: caches 19- 2.4.1: * handle creation of /run/user/XXX for FILE: and DIR: caches 20- 2.4.0: * drop configuration settings that duplicated library settings 21 * drop the existing_ticket option 22 * drop krb4 support 23 * add support for preserving configuration information in ccaches 24 * add support for creating and cleaning up DIR: ccaches 25 * finish cleaning up KEYRING: ccaches 26 * add experimental "armor" and "armor_strategy" options 27- 2.3.14:* also drop privileges when reinitializing or refreshing credentials, 28 for the sake of login (#822493) 29- 2.3.13:* don't bother creating a v5 ccache in "external" mode 30 * add a "trace" option to enable libkrb5 tracing, if available 31 * avoid trying to get password-change creds twice 32 * use an in-memory ccache when obtaining tokens using v5 creds 33 * turn off creds==session in "sshd" 34- 2.3.12:* add a "validate_user_user" option to control trying to perform 35 user-to-user authentication to validate TGTs when a keytab is not 36 available 37 * add an "ignore_k5login" option to control whether or not the module 38 will use the krb5_kuserok() function to perform additional 39 authorization checks 40 * turn on validation by default - verify_ap_req_nofail controls how we 41 treat errors reading keytab files now 42 * add an "always_allow_localname" option when we can use 43 krb5_aname_to_localname() to second-guess the krb5_kuserok() check 44 * prefer krb5_change_password() to krb5_set_password() 45- 2.3.11:* create credentials before trying to look up the location of the 46 user's home directory via krb5_kuserok() 47- 2.3.10:* fine-tune the logic for selecting which key we use for validating 48 credentials 49- 2.3.9: * add a "multiple_ccaches" option to allow forcing the previous 50 behavior of not deleting an old ccache whenever we create a new 51 one, but saving them until the call that caused us to create 52 them is reversed 53- 2.3.8: * add a "chpw_prompt" option to allow password changes to happen 54 during what the calling application thinks is just a password 55 check, to work around applications that don't handle the case 56 of an expired password correctly (#509092, based on patch from 57 Olivier Fourdan) 58- 2.3.7: * when refreshing credentials, store the new creds in the default 59 ccache if $KRB5CCNAME isn't set (#507984) 60- 2.3.6: * prefer a "host" key, if one is found, when validating TGTs 61 (#450776) 62- 2.3.5: * make prompting behavior for non-existent accounts and users who 63 just press enter match up with those who aren't/don't (#502602, 64 CVE-2009-1384) 65- 2.3.4: * don't request password-changing credentials using the same options 66 we use for ticket-granting tickets 67- 2.3.3: * close a couple of open pipes to defunct processes, fix a couple 68 of debug messages 69- 2.3.2: * fix ccache permissions bypass when the "existing_ticket" option is 70 used (CVE-2008-3825, which affects 2.2.0-2.2.25, 2.3.0, and 2.3.1) 71- 2.3.1: * make afs5log's -n option actually work the "null_afs" option 72 * translations for messages! 73- 2.3.0: * added the ability to set up tokens in the rxk5 format 74 * added the "token_strategy" option to control which methods we'll 75 try to use for setting tokens 76 * merge "null_afs" functionality from Jan Iven 77- 2.2.23: * when we're changing passwords, force at least one attempt to 78 authenticate using the KDC, even in the pathological case where 79 there's no previously- entered password and we were told not to ask 80 for one (#400611) 81- 2.2.22: * moved .k5login checks to a subprocess to avoid screwing with the 82 parent process's tokens and PAG (fallout from #371761) 83 * all options which took true/false before ("debug", "tokens", and 84 so on) can now take service names 85- 2.2.21: * fix permissions problems on keyring ccaches, so that users can write 86 to them after we've set them up, and we can still do the cleanup 87 * fix permission problems accessing .k5login files in home directories 88 which live in AFS (#371761) 89- 2.2.20: * fixes for credential refreshing 90 * avoid running afoul of SELinux policy when attempting to get tokens 91- 2.2.19: * the "keytab" option can now be used to specify a custom location 92 for a given service from within krb5.conf 93 * log messages are now logged with facility LOG_AUTHPRIV (or LOG_AUTH 94 if LOG_AUTHPRIV is not defined) instead of the application's default 95 or LOG_USER 96 * added the "pkinit_identity" option to provide a way to specify 97 where the user's public-key credentials are, and "pkinit_flags" to 98 specify arbitrary flags for libkrb5 (Heimdal only) 99 * added the "preauth_options" option to provide a way to specify 100 arbitrary preauthentication options to libkrb5 (MIT only) 101 * added the "ccname_template" option to provide a way to specify 102 where the user's credentials should be stored, so that KEYRING: 103 credential caches can be deployed at will. 104- 2.2.18: * fix permissions-related problems creating v4 ticket files 105- 2.2.17: * corrected a typo in the pam_krb5(8) man page 106 * clarified that the "tokens" flag should only be needed for 107 applications which are not using PAM correctly 108 * clarified COPYING and .spec file to better reflect licensing as 109 indicated in the source files 110- 2.2.16: * don't bother using a helper for creating v4 ticket files when we're 111 just getting tokens 112 * clean up the debug message which we emit when we do v5->v4 113 principal name conversion 114 * compilation fixes 115- 2.2.15: * let default "external" and "use_shmem" settings be specified at 116 compile-time 117 * correctly return a "unknown user" error when attempting to change 118 a password for a user who has no corresponding principal (#235020) 119 * don't bother using a helper for creating ccache files, which we're 120 just going to delete, when we need to get tokens 121- 2.2.14: * handle "client revoked" errors 122- 2.2.13: * make it possible to have more than one ccache (and tktfile) at a 123 time to work around apps which open a session, set the environment, 124 and initialize creds (when we previously created a ccache, removing 125 the one which was named in the environment) (#204939) 126- 2.2.12: * add a "pwhelp" option. Display the KDC error to users. 127- 2.2.11: * return success from our account management callback in cases where 128 our authentication callback simply failed to authenticate (#207410) 129 * fix setting of items for password-changing modules which get called 130 after us (Michael Calmer) 131- 2.2.10: * add the "no_subsequent_prompt" option, to force the module to 132 always answer a libkrb5 prompt with the PAM_AUTHTOK value 133 * add the "debug_sensitive" option, which actually logs passwords 134 * add the --with-os-distribution option to configure to override 135 "Red Hat Linux" in the man pages 136 * if the server returns an error message during password-changing, 137 let the user see it 138- 2.2.9: * return PAM_IGNORE instead of PAM_SERVICE_ERR when we're called in 139 an unsafe situation and told to refresh credentials 140 * fix a race condition in how the ccache creation helper is invoked 141 * properly handle "external" cases where the forwarded creds belong 142 to someone other than the principal name we guessed for the user 143- 2.2.8: * skip attempts to set non-"2b" tokens when use of v4 credentials 144 has been completely disabled 145- 2.2.7: * do 524 conversion for the "external" cases, too 146- 2.2.6: * add "krb4_use_as_req" to completely disallow any attempts to get 147 v4 credentials (along with "krb4_convert_524", which was already 148 there) 149 * don't try to convert v5 creds to v4 creds for AFS when 150 "krb4_convert_524" is disabled, either 151- 2.2.5: * fix a couple of cases where a debug message would be logged even if 152 debugging wasn't enabled 153- 2.2.4: * fix reporting of the reasons for password change failures 154- 2.2.3: * fix a compilation error 155- 2.2.2: * when validating user credentials, don't leak the keytab file 156 descriptor 157- 2.2.1: * fix a thinko which broke afs5log on systems where the AFS syscall 158 isn't available 159- 2.2: * refreshing of preexisting credentials works, so unlocking your 160 screensaver should fetch new credentials and tokens. Be careful that 161 you don't invoke the authentication function with the "tokens" flag, 162 which creates a new PAG, if you want this to be useful. 163 As of this writing, at least xscreensaver calls pam_setcred() with the 164 proper flag to signal that credentials should be refreshed. Other 165 screen saver applications may not. 166 * new "external" option for use with OpenSSH's GSSAPI authentication 167 with credential delegation and AFS, *should* work with anything which 168 uses GSSAPI, accepts delegated credentials, and sets KRB5CCNAME in 169 the PAM environment 170 * new "use_shmem" option for use with OpenSSH's privilege separation mode 171 * credential and renewal lifetimes can now be given either as krb5-style 172 times or as numbers of seconds 173 * new "ignore_unknown_principal"/"ignore_unknown_spn" option 174 * new "krb4_convert_524" option 175 * configure can now set the default location of the system keytab 176 * configure disables AFS support except on Linux and Solaris (for now), 177 but can be overridden either way (needs testing on Solaris) 178 * can now specify a principal name for AFS cells, to save guesswork 179 * should now correctly work with SAM authentication, needs testing 180 * "tokens" now behaves like "external" and "use_shmem", in that it 181 can be specified in the configuration as a list of service names 182- 2.1: switch to a minikafs implementation to flush out lurking ABI differences 183 between the krb4 interface the kafs library used and the one which libkrb4 184 provides. Also, we support "2b" tokens now. 185- 2.0: more or less complete rewrite. 186 Jettison our own krb5.conf parsing code in favor of the supported API. 187 This means that configuration settings which look like this: 188 [pam] 189 forwardable = yes 190 are no longer recognized, and must be changed to: 191 [appdefaults] 192 pam = { 193 forwardable = yes 194 } 195