User-Visible pam-krb5 Changes
pam-krb5 4.9 (2020-03-30)
SECURITY: All previous versions of this module could overflow the
buffer provided by the underlying Kerberos library for the response to
a prompt by writing a single nul character past the end of the buffer.
(CVE-2020-10595)
Support use_pkinit with MIT Kerberos. (Debian Bug#871699)
Reject passwords as long as or longer than PAM_MAX_RESP_SIZE (normally
512 octets), since extremely long passwords can be used for a denial
of service attack via the Kerberos string to key function. Thanks to
Florian Best for pointing out this issue and suggesting a good fix.
Use explicit_bzero instead of memset, where available, to overwrite
the memory used by PAM responses before freeing. This reduces the
lifetime of passwords and other secrets in memory.
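Added illustration, not pam-krb5's own prompter code: the three checks the 4.9 entries above amount to, as a stand-alone C function. The buffer sizing follows the krb5_prompter contract, in which the library hands the callback a reply buffer together with its usable length and expects a nul-terminated string back; PAM_MAX_RESP_SIZE is redefined locally so the file builds without the PAM headers, and the volatile-pointer wipe stands in for explicit_bzero. The empty-response rejection is the rule 3.14 (further down) introduced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limit from <security/pam_appl.h>, repeated here so the file builds
   without the PAM headers. */
#ifndef PAM_MAX_RESP_SIZE
#define PAM_MAX_RESP_SIZE 512
#endif

enum resp_status { RESP_OK = 0, RESP_EMPTY, RESP_TOO_LONG, RESP_NO_ROOM };

/*
 * Copy a nul-terminated PAM response into a reply buffer of `room` bytes,
 * as a krb5_prompter callback has to do for krb5_prompt.reply (where
 * reply->length is the usable size of reply->data).  The terminator needs
 * a byte of its own, so the response must be strictly shorter than room:
 * a check that accepted len == room and then stored the terminator is
 * exactly the one-byte overwrite CVE-2020-10595 describes.
 */
enum resp_status copy_response(char *dst, size_t room, const char *resp)
{
    size_t len = strlen(resp);

    if (len == 0)
        return RESP_EMPTY;        /* a failed auth, never "no password given" */
    if (len >= PAM_MAX_RESP_SIZE)
        return RESP_TOO_LONG;     /* bounds the string-to-key work per attempt */
    if (len >= room)
        return RESP_NO_ROOM;      /* len + 1 bytes needed; refuse, never truncate */
    memcpy(dst, resp, len + 1);
    return RESP_OK;
}

/*
 * Wipe a secret before its memory is freed.  pam-krb5 uses explicit_bzero
 * where the C library has it; this stand-in calls memset through a volatile
 * function pointer so the compiler cannot drop the store as dead.
 */
void scrub_response(char *buf, size_t len)
{
    static void *(*volatile wipe)(void *, int, size_t) = memset;
    wipe(buf, 0, len);
}

int main(void)
{
    char reply[8];                               /* constructed: tiny reply buffer */
    const char *tries[] = { "", "hunter2", "toolongfor8", NULL };

    for (int i = 0; tries[i] != NULL; i++) {
        enum resp_status st = copy_response(reply, sizeof reply, tries[i]);
        printf("%-12s -> %d\n", tries[i], (int) st);
        if (st == RESP_OK)
            scrub_response(reply, sizeof reply);
    }
    return 0;
}
```

The status codes map naturally onto PAM_AUTH_ERR (empty, too long) and PAM_BUF_ERR or PAM_AUTHINFO_UNAVAIL (no room); which one a real prompter returns is a policy choice, not something this snippet decides.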
Return more accurate errors from the Kerberos prompter function if it
was unable to prompt for the password. This may translate into better
debug log messages and, in some situations, returning the slightly
more accurate PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR.
Fix an edge-case memory leak in pam_chauthtok when prompting for a new
password for an ignored user.
Ensure the module/basic test will run properly when the system
krb5.conf file does not specify a default realm. Reported by TBK.
Update to rra-c-util 8.2:
* Fix support for configuring the test suite with a krb5.conf file.
* Drop support for Perl 5.6.
* Reformat all C source using clang-format 10.
* Remove bogus snprintf tests.
* Fix misplaced va_end in the pam-util putil_log_failure function.
* Skip checking for krb5-config on the path if a prefix was given.
* Add SPDX-License-Identifier headers to all substantial source files.
Update to C TAP Harness 4.6:
* Fixed malloc error checking in bstrndup.
* Fix (harmless) allocation error in runtests driver.
* Add support for valgrind testing via test list options.
* Report test failures as left and right, not wanted and seen.
* Fix is_string comparisons involving NULL pointers and "(null)".
* Add SPDX-License-Identifier headers to all substantial source files.
pam-krb5 4.8 (2017-12-30)
When verifying that an expired password can still be used to get
kadmin/changepw credentials, correctly set the credential options for
getting password change credentials, not for getting initial
credentials. This should fix password change issues when, for
example, krb5.conf requests that all tickets be proxiable but
kadmin/changepw doesn't allow proxiable credentials. Thanks to
Florian Best for the bug report.
When built against recent versions of Heimdal with richer status codes
from PKINIT attempts, report to the user the reason for a PKINIT
failure. Based on work by Henry Jacques.
Document the test suite configuration files required to run the PKINIT
tests.
Fix expired password tests to work with Heimdal 7.0.1 and later.
Better document that the default Kerberos library ticket cache
location is not used (and why), and how to set configuration
parameters in krb5.conf. Thanks, Matthew Gabeler-Lee. (Debian
Bug#872943)
Compile cleanly under GCC 7 and Clang warnings and Clang's static
analyzer.
Rename the script used to bootstrap a build from a Git checkout to
bootstrap, matching the emerging consensus in the Autoconf world.
Update to rra-c-util 7.0:
* Fix new warnings in GCC 7.
* Support a warning build under Clang.
* Avoid zero-length allocations in reallocarray and vector.
* Probe for warning flags instead of hard-coding a list.
* New test for obsolete URLs and email addresses.
* Remove unused portable replacements for strlcpy and strlcat.
* Use C_TAP_SOURCE and C_TAP_BUILD environment variables in tests.
* Fix portability defines for anonymous principal strings.
* Clear errno on pam_modutil_getpwnam to improve other testing.
* Add portability defines for macOS's PAM implementation.
* Add new Autoconf macro to probe for pam_strerror const usage.
* Support Solaris 10's included Kerberos.
Update to C TAP Harness 4.2:
* Avoid zero-length allocations in breallocarray.
* Add is_blob and is_bool functions.
* Use C_TAP_SOURCE and C_TAP_BUILD environment variables in tests.
* Fix segfault in runtests with an empty test list.
* Display verbose test results with -v or C_TAP_VERBOSE.
* Test infrastructure builds cleanly with Clang warnings.
pam-krb5 4.7 (2014-12-25)
Add a no_update_user option that disables the normal update of the
PAM_USER PAM variable after canonicalization of the username. When
this is set, pam-krb5 will not convert full principal names to local
usernames where possible for the rest of the PAM stack.
Suppress spurious password prompt from Heimdal when authenticating
with PKINIT.
Map unknown realm errors from the Kerberos libraries to the PAM error
code PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR.
Treat a KRB5_GET_IN_TKT_LOOP error as an incorrect password. Heimdal
KDCs sometimes return it, and Heimdal kinit treats it this way.
Similarly, treat a KRB5_BAD_ENCTYPE error as an incorrect password,
since this error is returned by a Heimdal 1.6-rc2 KDC for incorrect
preauth from a MIT Kerberos 1.12.1 client.
Add the version number at which each module option was added with its
current meaning to the documentation.
Update to rra-c-util 5.6:
* Suppress warnings from Kerberos headers in non-system paths.
* Fix probing for Heimdal's libroken to work with older versions.
* Fix Kerberos header detection if root or include paths are given.
* Pass --deps to krb5-config in the non-reduced-dependencies case.
* Provide a reallocarray replacement for platforms without it.
* Use reallocarray where appropriate.
* Drop checks for NULL before freeing pointers.
* Drop explicit pointer initialization to NULL and rely on calloc.
* Check the return status of snprintf and vsnprintf properly.
* Preserve errno if snprintf fails in vasprintf replacement.
* Suppress a dummy symbol in the client library that could leak.
* Fix syntax errors when building with a C++ compiler.
* Avoid test suite failures where tested functions are macros.
Update to C TAP Harness 3.2:
* Reopen standard input to /dev/null when running a test list.
* Don't leak extraneous file descriptors to tests.
* Suppress lazy plans and test summaries if the test failed with bail.
* bail and sysbail now exit with status 255 to match Test::More.
* runtests now treats the command line as a list of tests by default.
* The full test executable path can now be passed to runtests -o.
* Improved harness output for tests with lazy plans.
* Improved harness output to a terminal for some abort cases.
* Flush harness output after each test even when not on a terminal.
pam-krb5 4.6 (2012-06-02)
Add an anon_fast option that attempts anonymous authentication
(generally implemented via anonymous PKINIT inside the Kerberos
library) and then, if successful, uses those credentials for FAST
armor. If fast_ccache and anon_fast are both specified, anonymous
authentication will be used as a fallback if the specified FAST ticket
cache doesn't exist. Based on patches from Yair Yarom.
Add a user_realm option to only set the realm for unqualified user
principals. This differs from the existing realm option in that realm
also changes the default realm for authorization decisions and for
verification of credentials. Update the realm option documentation to
clarify the differences and remove incorrect information. Patch from
Roland C. Dowdeswell.
Add a no_prompt option to suppress the PAM module's prompt for the
user's password and defer all prompting to the Kerberos library. This
allows the Kerberos library to have complete control of the prompting
process, which may be desirable if authentication mechanisms other
than password are in use. Be aware that, with this option set, the
PAM module has no control over the contents of the prompt and cannot
store the user's password in the PAM data. Based on a patch by Yair
Yarom.
Add a silent option to force the module to behave as if the
application had passed in PAM_SILENT and suppress text messages and
errors from the Kerberos library. Patch from Yair Yarom.
Add preliminary support for Kerberos trace logging via a trace option
that enables trace logging if supported by the underlying Kerberos
library. The option takes as an argument the file name to which to
log trace output. This option does not yet work with any released
version of Kerberos, but may work with the next release of MIT
Kerberos.
MIT Kerberos does not add a colon and space to its password prompts,
but Heimdal does. pam-krb5 previously unconditionally added a colon
and space, resulting in doubled colons with Heimdal. Work around this
inconsistency by not adding the colon and space if already present.
Fix alt_auth_map support to preserve the realm of the authentication
identity when forming the alternate authentication principal, matching
the documentation.
Document that the alt_auth_map format may contain a realm to force all
mapped principals to be in that realm. In that case, don't add the
realm of the authentication identity. Note that this can be used as a
simple way to attempt authentication in an alternate realm first and
then fall back to the local realm, although any complex attempt at
authentication in multiple realms should instead run the module
multiple times with different realm settings.
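Added illustration of the alt_auth_map mapping described in the two entries above; this is example code, not the module's own map_principal routine. It models the documented rules only: %s stands for the username with any @REALM stripped, the realm of the authentication identity is kept unless the format itself carries an @REALM, and an unqualified username takes the supplied default realm (an assumption standing in for the library default or the realm/user_realm options). Rejecting anything other than exactly one %s is this example's choice.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Expand an alt_auth_map format into a full principal.
 *   user           what the user typed: "jane" or "jane@EXAMPLE.ORG"
 *   default_realm  realm for unqualified usernames (assumed input)
 *   fmt            the alt_auth_map value; "%s" is the bare username
 * Returns 0 and writes the principal to out, or -1 if fmt is malformed or
 * out is too small.
 */
int map_alt_principal(const char *user, const char *default_realm,
                      const char *fmt, char *out, size_t outlen)
{
    const char *at = strchr(user, '@');
    size_t namelen = at ? (size_t) (at - user) : strlen(user);
    const char *realm = at ? at + 1 : default_realm;
    const char *pct = strstr(fmt, "%s");
    int fmt_has_realm = strchr(fmt, '@') != NULL;
    size_t prefix, need;

    /* Exactly one %s and no other % directives, so a typo in the format
       cannot silently produce some other principal that happens to exist. */
    if (pct == NULL || strstr(pct + 2, "%s") != NULL)
        return -1;
    for (const char *p = fmt; *p != '\0'; p++)
        if (*p == '%' && p != pct)
            return -1;
    if (namelen == 0 || realm == NULL || *realm == '\0')
        return -1;

    need = strlen(fmt) - 2 + namelen + 1;           /* fmt minus %s, plus name, plus nul */
    if (!fmt_has_realm)
        need += 1 + strlen(realm);                  /* "@" and the realm we append */
    if (need > outlen)
        return -1;

    prefix = (size_t) (pct - fmt);
    memcpy(out, fmt, prefix);                       /* text before %s */
    memcpy(out + prefix, user, namelen);            /* bare username */
    strcpy(out + prefix + namelen, pct + 2);        /* text after %s */
    if (!fmt_has_realm) {                           /* realm of the auth identity */
        strcat(out, "@");
        strcat(out, realm);
    }
    return 0;
}

int main(void)
{
    /* Constructed cases: default realm EXAMPLE.ORG, three formats. */
    const char *cases[][3] = {
        { "jane",           "EXAMPLE.ORG", "%s/admin" },
        { "jane@OTHER.ORG", "EXAMPLE.ORG", "%s/admin" },
        { "jane",           "EXAMPLE.ORG", "%s@ADMIN.EXAMPLE.ORG" },
        { "jane",           "EXAMPLE.ORG", "%s/%s" },
    };
    char out[128];

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (map_alt_principal(cases[i][0], cases[i][1], cases[i][2],
                              out, sizeof out) == 0)
            printf("%-16s %-22s -> %s\n", cases[i][0], cases[i][2], out);
        else
            printf("%-16s %-22s -> rejected\n", cases[i][0], cases[i][2]);
    }
    return 0;
}
```

The third case is the "realm in the format" trick the entry mentions: every mapped principal lands in ADMIN.EXAMPLE.ORG regardless of the user's realm, which is what makes it usable as a cheap try-this-realm-first step before falling back to the module's normal principal.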
Avoid a NULL pointer dereference if krb5_init_context fails.
Fix initialization of time values in the module configuration on
platforms (like S/390X) where krb5_deltat is not equivalent to long.
Close a memory leak when search_k5login is set but the user has no
.k5login file.
Close several memory leaks in alt_auth_map support.
Suppress bogus error messages about unknown option for the realm
option. The option was being parsed and honored despite the error.
Retry authentication under try_first_pass on several other errors in
addition to decrypt integrity check errors to handle a wider array of
possible "password incorrect" error messages from the KDC.
Update to rra-c-util 4.4:
* Replacement strndup now works with non-nul-terminated strings.
* New Kerberos test setup that simplifies writing tests.
* Add -D_FORTIFY_SOURCE=2 to the make warnings flags.
* Use --deps flag to krb5-config by default.
* Suppress __alloc_size__ attribute with older versions of gcc.
* Suppress attribute warnings for non-gcc compilers.
Update to C TAP Harness 1.12:
* Add bstrndup to the basic C TAP library.
* Only use feature-test macros when requested or built with gcc -ansi.
* New tests/tap/macros.h header with some common definitions.
* Drop is_double from the C TAP library to avoid requiring -lm.
* Avoid using local in the shell libtap.sh library.
pam-krb5 4.5 (2011-12-24)
Suppress the notice that the password is being changed because it's
expired if force_first_pass or use_first_pass is set in the password
stack, indicating that it's stacked with another module that's also
doing password changes. This is arguable, but without this change the
notification message of why the password is being changed shows up
confusingly in the middle of the password change interaction. Based
on a patch by William Yang.
Some old versions of Heimdal (0.7.2 in OpenBSD 4.9, specifically)
reportedly return KRB5KDC_ERR_KEY_EXP for accounts with expired
keys even if the supplied password is wrong. Work around this by
confirming that the PAM module can obtain tickets for kadmin/changepw
before returning a password expiration error instead of an invalid
password error. Based on a patch by William Yang.
The location of the temporary root-owned ticket cache created during
the authentication process is now also controlled by the ccache_dir
option (but not the ccache option) rather than forced to be in /tmp.
This will allow system administrators to configure an alternative
cache directory so that pam-krb5 can continue working when /tmp is
full.
Report more specific errors in syslog if authorization checks (such as
.k5login checks) fail.
Pass a NULL principal to krb5_set_password with MIT client libraries
to prefer the older change password protocol for compatibility with
older KDCs. This is not necessary on Heimdal since Heimdal's
krb5_set_password tries both protocols.
Improve logging and authorization checks when defer_pwchange is set
and a user authenticates with an expired password.
When probing for Kerberos libraries, always add any supplemental
libraries found to that point to the link command. This will fix
configure failures on platforms without working transitive shared
library dependencies.
Close some memory leaks where unparsed Kerberos principal names were
never freed.
Restructure the code to work with OpenPAM's default PAM build
machinery, which exports a struct containing module entry points
rather than public pam_sm_* functions. Thanks to Fredrik Pettai for
the information.
In debug logging, report symbolic names for PAM flags on PAM function
entry rather than the numeric PAM flags. This helps with automated
testing and with debugging PAM problems on different operating
systems.
Include <krb5/krb5.h> if <krb5.h> is missing, which permits finding
the header file on NetBSD systems. Thanks to Fredrik Pettai for the
report.
Replace the Kerberos compatibility layer with equivalent but
better-structured code from rra-c-util 4.0.
Avoid krb5-config and use manual library probing if --with-krb5-lib or
--with-krb5-include were given to configure. This avoids having to
point configure at a nonexistent krb5-config to override its results.
Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in
configure, to avoid a conflict with the variable used by the Kerberos
libraries to find krb5.conf.
Change references to Kerberos v5 to just Kerberos in the
documentation. Kerberos v5 has been the default version of Kerberos
for over ten years now.
Update to rra-c-util 4.0:
* Add notices to all files copied over from rra-c-util.
* Include strings.h for additional POSIX functions where found.
* Fix detection of whether PAM uses const on FreeBSD.
* Update warning flags for make warnings for GCC 4.6.1.
* Limit symbol exports even on systems without GNU ld.
* Fix replacement mkstemp to use long long where available.
* Improve stripping of /usr/include from krb5-config results.
* Use issetugid where available, not the misnamed issetuidgid.
Update to C TAP Harness 1.9:
* Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
* Fix runtests to honor -s even if BUILD and -b aren't given.
* Add test_tmpdir and test_tmpdir_free to TAP library.
* runtests now frees all allocated resources on exit.
pam-krb5 4.4 (2010-12-31)
Do not prompt for a password when try_pkinit is set and the module is
built against MIT Kerberos. This fixes a spurious password prompt
introduced in 4.1, but partly reintroduces the bug fixed in 4.1 where
the user's password is not saved in the PAM data if the authentication
falls back to password when PKINIT fails. This requires more work
to fix and will be addressed in a subsequent release. Thanks to
Бранко Мајић (Branko Majic) for the report.
Reorganize the configuration section of the pam_krb5 man page to
divide the many PAM module options into sections.
When probing for <ibm_svc/krb5_svc.h> (part of AIX's bundled Kerberos
implementation), include <krb5.h> before attempting to include that
header to quiet confusing Autoconf warnings. Reported by Wilfried
Weiss.
Update to rra-c-util 3.0:
* Fix compilation of the replacement snprintf for old systems.
* Look for krb5-config in /usr/kerberos/bin for Red Hat systems.
* Fix compilation with OpenBSD's Heimdal without separate libroken.
pam-krb5 4.3 (2010-06-09)
Add a fast_ccache option that, if set, points to a Kerberos ticket
cache used for Flexible Authentication Secure Tunneling (FAST) to
protect the authentication. FAST is a mechanism to protect Kerberos
against password guessing attacks and provide other security
improvements. This option is only available when built against
Kerberos libraries with FAST support (currently only MIT Kerberos 1.7
or later). Patch from Sam Hartman.
Fix error in freeing a previous alt_auth_map setting when parsing
configuration options. Patch from Sam Hartman.
Fix the linker flags for Solaris with the native compiler. Thanks,
Kevin Sumner.
pam-krb5 4.2 (2009-11-25)
Add a new fail_pwchange option, which suppresses password changes for
expired passwords and treats expired passwords the same as incorrect
passwords.
Include all the new header files from the portability code so that
it will actually compile on non-Linux platforms.
pam-krb5 4.1 (2009-11-20)
Return PAM_SUCCESS, not PAM_USER_UNKNOWN, for ignored users in
pam_setcred. It's safe to return success when doing nothing in
pam_setcred because the stack has already been frozen after the
authentication step, and returning an error causes the stack to fail
on some other Linux PAM implementations. Thanks, Ian Ward Comfort.
In the second pass through the password group, prompt for the new
password and store it in the PAM data even if the user is being
ignored. This is required to allow this module to be stacked with
another module that uses use_authtok. Without this behavior, the
second module won't be able to work for any ignored user since it will
see no saved password and use_authtok will reject the password change.
Fix return status from pam_sm_acct_mgmt if we were unable to retrieve
PAM_USER.
Log successful authentications to syslog with priority LOG_INFO,
including the Kerberos principal used for authentication.
Log failed authentication to syslog with priority LOG_NOTICE,
including roughly the same additional information that the Linux PAM
pam_unix logs by default.
Use pam_syslog for logging where available. This means pam-krb5 log
messages will look like all other log messages for Linux PAM modules
on Linux. Change the format of log messages on all platforms to
hopefully be somewhat clearer.
Rationalize logging. The module should now follow the recommendations
of the Linux PAM Module Writers' Guide for log levels. More errors
are logged at LOG_ERR instead of LOG_DEBUG, and system resource errors
are now logged at LOG_CRIT instead of LOG_ERR.
Add additional error and debug logging in places where significant
actions or failures may happen without previously being logged. Also
add failure information from PAM or Kerberos libraries to messages
where appropriate.
Add replacement snprintf, vsnprintf, and mkstemp functions for
pointless portability to ancient systems.
pam-krb5 4.0 (2009-11-13)
UPGRADE WARNING: If you were using pam_krb5 with the use_authtok
parameter in the password group, you will need to add use_first_pass
to your configuration to keep the same behavior. See below for
details.
UPGRADE WARNING: If you used the use_authtok parameter in the
authentication group, you should change it to force_first_pass.
Previous versions of this module incorrectly implemented the standard
use_authtok parameter. use_authtok applies only to the password group
and says to use the new password stored in the PAM data rather than
prompting for a new password. It doesn't imply anything about where
to obtain the old password, but it was implemented as requiring both
the old and new password be in the PAM stack already. This doesn't
work when stacked with pam_cracklib. Change use_authtok to have the
correct meaning, which means that password group configurations may
need to add use_first_pass to use_authtok to get the desired behavior.
use_first_pass and try_first_pass no longer affect how the new
password is obtained during password changes. To use a password
obtained by a previous module, use use_authtok instead.
A new option, force_first_pass, is now supported for both the
authentication and password groups. It tells the module to always get
the user's current password from the PAM data and fail without
prompting if it isn't already set. This is the meaning that
use_authtok previously had for the current password.
use_authtok no longer has any meaning for the authentication stack.
Use force_first_pass instead, which does the same as use_authtok used
to do. use_authtok will be temporarily converted to force_first_pass
in the authentication group and log a diagnostic, but this will be
removed in the future.
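An illustration of the rewrite the two UPGRADE WARNINGs above call for, added here rather than taken from the module's documentation. The neighbouring pam_unix, pam_cracklib and pam_deny lines are assumptions about a typical Linux-PAM stack:

```text
# Before 4.0: use_authtok in the password group meant "take both the old
# and the new password from the PAM data", and in the auth group it meant
# "fail rather than prompt if no password is on the stack".
#auth      sufficient  pam_krb5.so use_authtok
#password  sufficient  pam_krb5.so use_authtok

# From 4.0 on, use_authtok has its standard meaning (new password only,
# password group only), so the source of the old password is named
# separately and the auth-group spelling is force_first_pass.
auth       sufficient  pam_unix.so nullok
auth       sufficient  pam_krb5.so force_first_pass
auth       required    pam_deny.so

password   requisite   pam_cracklib.so retry=3
password   sufficient  pam_krb5.so use_first_pass use_authtok
password   required    pam_unix.so use_authtok
```

With pam_cracklib first, the new password is prompted for and checked once; pam_krb5 then takes it via use_authtok and, thanks to use_first_pass, only prompts for the current password if no earlier module already put one on the stack.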
Stop returning PAM_IGNORE from pam_setcred if the user is ignored or
didn't log in via Kerberos and instead return PAM_USER_UNKNOWN. This
fixes problems with the Linux PAM library where returning PAM_IGNORE
would cause pam_setcred to fail even if other modules succeeded.
Since pam_authenticate never returned PAM_IGNORE, this change should
not cause any differences in behavior.
Do not use issetugid on Solaris to determine when to avoid refreshing
the ticket cache named in KRB5CCNAME during pam_setcred. Instead,
compare effective and real UID and GID and permit KRB5CCNAME to be
trusted if they match. This allows setuid screensavers on Solaris to
refresh ticket caches and makes behavior on Solaris match other
platforms. Using issetugid is arguably safer since it protects
programs that switch users via setuid to a user other than the calling
user but still should not trust the original environment, but such
programs are rare in the PAM context and should not be calling
pam_setcred anyway unless the calling user is permitted to generally
act as the target user. Thanks, William Yang.
Do the same logging in pam_sm_open_session and pam_sm_close_session as
we do with the other functions. This will mean pam_sm_open_session
calls will be logged as pam_sm_open_session, not as pam_sm_setcred as
before.
pam-krb5 is now built using Automake and Libtool to bring it more in
line with other software packages. This means that it now relies on
Libtool to know how to generate a loadable module rather than
hand-configured linker rules. This may improve portability on some
platforms and may hurt it on other platforms.
If configured with a prefix of /usr on Linux, use /lib, /lib32, or
/lib64 as an installation path based on the size of an integer in the
compilation environment rather than based on known 64-bit Linux
variants.
Update to rra-c-util 2.0:
* Sanity-check the results of krb5-config before proceeding.
* Fall back on manual probing if krb5-config results don't work.
* Don't break if the user clobbers CPPFLAGS at build time.
pam-krb5 3.15 (2009-07-21)
Fix a segfault (null pointer dereference) if pam-krb5 is configured
with use_first_pass or use_authtok and there is no password stored in
the PAM stack. Thanks to Jonathan Guthrie for the bug report.
pam-krb5 3.14 (2009-07-18)
Return PAM_IGNORE instead of PAM_PERM_DENIED from pam_chauthtok for
ignored users. This allows making the Kerberos PAM module mandatory
for password changes and still falling back to other PAM modules for
ignored users. Thanks, Steve Langasek.
Always treat the empty password as an authentication failure rather
than passing it to the Kerberos libraries. The Kerberos libraries
may treat it as equivalent to no password and prompt for a password
without our knowledge, leading to the user authenticating with a
different password than the one stored in the PAM stack. This could
cause unexpected problems with some PAM configurations. It's safer
to make the assumption that the empty password is always invalid and
reject it outside of the Kerberos libraries. Thanks, Sanjay Sha.
Fix error handling if ticket cache initialization fails.
Authentication will still fail, but this avoids a segfault from a
double-free of the ticket cache structure. The most common cause of
this problem was having the attempt to initialize the ticket cache
be blocked by AppArmor. Thanks to Alex Mauer for the report.
Call krb5_free_error_string correctly, fixing a portability issue
when building against Heimdal. Thanks, Andrew Drake.
Work around a deficiency in pam_putenv on FreeBSD 7.2 that doesn't
allow deleting environment variables, only setting them to empty
values. Thanks, Andrew Elble.
pam-krb5 3.13 (2009-02-11)
SECURITY: When built against MIT Kerberos, if pam_krb5 is called in a
setuid context (effective UID or GID doesn't match the real UID or
GID), use krb5_init_secure_context instead of krb5_init_context. This
ignores environment variable settings for the local Kerberos
configuration and keytab. Previous versions could allow a local
attacker to point a setuid program that used PAM authentication at a
different Kerberos configuration under the attacker's control,
possibly resulting in privilege escalation. Heimdal handles this
logic within the Kerberos libraries and therefore was not affected.
(CVE-2009-0360)
SECURITY: Disable pam_setcred(PAM_REINITIALIZE_CRED) for setuid
applications. If pam_krb5 detects this call in a setuid context, it
now logs an error and returns success without doing anything. Solaris
su calls pam_setcred with that option rather than PAM_ESTABLISH_CRED
after authentication and without wiping the environment, leading
previous versions of pam_krb5 to trust the KRB5CCNAME environment
variable for the ticket cache location. This permitted an attacker to
use previous versions of pam_krb5 to overwrite arbitrary files with
Kerberos credential caches that were left owned by the attacker.
Setuid screen lock programs may also be affected. Discovered by Derek
Chan and reported by Steven Luo. Thanks to Sam Hartman and Jeffrey
Hutzelman for additional analysis. (CVE-2009-0361)
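Added illustration, not the module's code: a small decision function covering the two 3.13 advisories above and the 4.0 entry on comparing real and effective ids rather than calling issetugid. Flag values are Linux-PAM's, repeated so the file builds without <security/pam_modules.h>. Two things are this example's assumptions: PAM_REFRESH_CRED is treated like PAM_REINITIALIZE_CRED in a setuid context, and secure_context is only a flag here (the real choice is between krb5_init_context and krb5_init_secure_context, which are not called).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Flag values from Linux-PAM's <security/pam_modules.h>. */
#ifndef PAM_ESTABLISH_CRED
#define PAM_ESTABLISH_CRED    0x0002
#define PAM_DELETE_CRED       0x0004
#define PAM_REINITIALIZE_CRED 0x0008
#define PAM_REFRESH_CRED      0x0010
#endif

enum setcred_action {
    SETCRED_ESTABLISH,        /* create a fresh, module-chosen ticket cache */
    SETCRED_DELETE,           /* destroy the cache created at login */
    SETCRED_REFRESH_ENV,      /* refresh the cache named by KRB5CCNAME */
    SETCRED_REFRESH_DEFAULT,  /* refresh without consulting the environment */
    SETCRED_SKIP_SETUID       /* 3.13: log an error, return success, do nothing */
};

struct setcred_plan {
    int secure_context;       /* 1: the krb5 context must ignore KRB5_CONFIG,
                                 KRB5_KTNAME and friends (MIT needs
                                 krb5_init_secure_context for this; Heimdal
                                 makes the check inside the library) */
    enum setcred_action action;
    const char *ccache;       /* cache to operate on, or NULL if the module picks */
};

/* The test 4.0 settled on for "setuid context": real and effective ids differ. */
int in_setuid_context(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/*
 * Decide what pam_setcred should do.  env_ccache is the KRB5CCNAME value
 * (NULL if unset) and is trusted only when the process is not setuid: an
 * attacker-chosen KRB5CCNAME plus a root-privileged refresh is the arbitrary
 * file overwrite of CVE-2009-0361.
 */
struct setcred_plan plan_setcred(int flags, int setuid_ctx, const char *env_ccache)
{
    struct setcred_plan p = { setuid_ctx, SETCRED_ESTABLISH, NULL };

    if (flags & PAM_DELETE_CRED) {
        p.action = SETCRED_DELETE;
    } else if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
        if (setuid_ctx) {
            p.action = SETCRED_SKIP_SETUID;
        } else if (env_ccache != NULL && env_ccache[0] != '\0') {
            p.action = SETCRED_REFRESH_ENV;
            p.ccache = env_ccache;
        } else {
            p.action = SETCRED_REFRESH_DEFAULT;
        }
    }
    /* PAM_ESTABLISH_CRED: a new cache is always created and the environment
       is never consulted, whatever the uid/gid situation. */
    return p;
}

/* Same decision for the calling process. */
struct setcred_plan plan_setcred_here(int flags)
{
    int s = in_setuid_context(getuid(), geteuid(), getgid(), getegid());
    return plan_setcred(flags, s, getenv("KRB5CCNAME"));
}

int main(void)
{
    struct setcred_plan p = plan_setcred_here(PAM_REINITIALIZE_CRED);
    printf("secure_context=%d action=%d ccache=%s\n", p.secure_context,
           (int) p.action, p.ccache ? p.ccache : "(module default)");
    return 0;
}
```

Run it normally and then from a setuid-root wrapper (or under su on Solaris) to see the plan flip from SETCRED_REFRESH_ENV to SETCRED_SKIP_SETUID while KRB5CCNAME is unchanged.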
If a prefix of /usr is requested at configure time, install the PAM
module into /lib/security or /lib64/security on Linux, matching the
standard Linux-PAM module location. Use lib64 instead of lib on
64-bit SPARC, PowerPC, and S390 Linux as well as x86_64. Patch from
Peter Breitenlohner.
Fix a build problem when builddir != srcdir introduced in 3.11. Patch
from Peter Breitenlohner.
Add support for the old Heimdal krb5_get_error_string interface.
Thanks, Chaskiel Grundman.
Add --with-krb5-include and --with-krb5-lib configure options to allow
more specific setting of paths if necessary.
If krb5-config isn't available, attempt to determine if the library
directory for the Kerberos libraries is lib32 or lib64 instead of lib
and set LDFLAGS accordingly. Based on an idea from the CMU Autoconf
macros.
pam-krb5 3.12 (2008-11-13)
Add alt_auth_map configuration option, which allows mapping of
usernames to alternative Kerberos principals, useful primarily for
using particular instances for access to a given PAM-authenticated
service. Also added force_alt_auth and only_alt_auth options to
control when alternative Kerberos principals are used. Patch from
Booker Bense.
Fix incorrect error handling for bad .k5login ownership when
search_k5login is set, leading to a NULL pointer dereference and a
segfault. Thanks, Andrew Deason.
Fix double-free of the ticket cache structure if creation of the
ticket cache in the session module fails. Thanks, Jens Jorgensen.
Log all syslog messages to LOG_AUTHPRIV, or LOG_AUTH if the system
doesn't define LOG_AUTHPRIV. Thanks, Mark Painter.
Fix portability to AIX's bundled Kerberos. Thanks, Markus Moeller.
When debugging is enabled, log an exit status of PAM_IGNORE as ignore
rather than failure.
Document that pam-krb5 must be listed in the session group as well as
the auth group for interactive logins or OpenSSH won't set up the
user's credential cache properly.
Document adding ignore=ignore to complex [] action configuration for
the session and account groups since the module now returns PAM_IGNORE
instead of PAM_SUCCESS for accounts that didn't use Kerberos.
pam-krb5 3.11 (2008-07-10)
pam_setcred, pam_open_session, and pam_acct_mgmt now return PAM_IGNORE
for ignored users or non-Kerberos logins rather than PAM_SUCCESS.
This return code tells the PAM library to continue as if the module
were not present in the configuration and allows sufficient to be
meaningful for pam-krb5 in account and session groups.
pam_authenticate continues to return failure for ignored users;
PAM_IGNORE would arguably be more correct, but increases the risk of
security holes through incorrect configuration.
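Added illustration, not from the pam-krb5 documentation, of the account and session configuration the 3.12 entry refers to, driven by the 3.11 return-code change. The uid threshold and the pam_unix lines are assumptions about a typical Linux-PAM stack; minimum_uid is the module's own option for ignoring low-numbered local accounts:

```text
# Local accounts below uid 1000 never touch Kerberos, so for them pam_krb5
# returns PAM_IGNORE from account and session (3.11).  The required and
# sufficient keywords already treat PAM_IGNORE as "module not present",
# but a [] action list maps every unlisted return code to its default=,
# so ignore=ignore has to be spelled out (3.12).  pam_authenticate still
# fails for ignored users, hence the pam_unix fallback in auth.
auth       sufficient  pam_krb5.so minimum_uid=1000
auth       required    pam_unix.so try_first_pass

account    [success=ok ignore=ignore default=bad]  pam_krb5.so minimum_uid=1000
account    required    pam_unix.so

session    [success=ok ignore=ignore default=bad]  pam_krb5.so minimum_uid=1000
session    required    pam_unix.so
```

Without ignore=ignore in the account and session lines, a local root login would be reported as a failure by a stack that never asked Kerberos anything. The session lines are also the ones the 3.12 note about OpenSSH credential caches depends on.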
Support correct password expiration handling according to the PAM
standard (returning success from pam_authenticate, returning an error
from pam_acct_mgmt, and completing the authentication after
pam_chauthtok).
This is not the default since it opens security holes with broken
applications that don't call pam_acct_mgmt or ignore its exit status.
To enable it, set the PAM option defer_pwchange for applications known
to make the correct PAM calls and check return codes.
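As an added illustration, not taken from the pam-krb5 distribution or its documentation, the following service stack shows how the points above fit together: pam_authenticate still returns failure (not PAM_IGNORE) for ignored users, so "sufficient" falls through to the next module for them; the account and session groups now return PAM_IGNORE for non-Kerberos logins, so a hand-written [] action list there must say ignore=ignore or default=bad turns that into a denial; pam-krb5 has to be in the session group as well as the auth group or OpenSSH will not set up the credential cache; and defer_pwchange is only safe for an application that calls pam_acct_mgmt and checks its result. The options minimum_uid and defer_pwchange are the module's own; the pam_unix lines, the minimum_uid value, sshd being assumed to make the correct PAM calls, and the choice of "optional" for the session line are assumptions of this example.

```conf
# Illustrative /etc/pam.d/sshd fragment (added example, not from pam-krb5).
# pam_unix lines, minimum_uid=1000 and "optional" for session are assumptions.

# auth: for users below minimum_uid pam-krb5 still returns failure, not
# PAM_IGNORE, so "sufficient" simply falls through to pam_unix for them.
# defer_pwchange is assumed safe here because sshd calls pam_acct_mgmt and
# honours its return code; never set it for an application that does not.
auth      sufficient  pam_krb5.so minimum_uid=1000 defer_pwchange
auth      required    pam_unix.so try_first_pass

# account: pam-krb5 returns PAM_IGNORE for non-Kerberos logins.  A plain
# "required" already maps ignore to ignore, but an explicit action list must
# include ignore=ignore, otherwise default=bad rejects every local-only user.
account   [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_krb5.so minimum_uid=1000
account   required    pam_unix.so

# session: must be present alongside the auth line, or OpenSSH never creates
# the user's credential cache.  The same ignore=ignore caveat applies if this
# line is written with a [] action list.
session   optional    pam_krb5.so minimum_uid=1000
session   required    pam_unix.so
```

With defer_pwchange, an expired Kerberos password makes pam_acct_mgmt return PAM_NEW_AUTHTOK_REQD rather than failing pam_authenticate; the new_authtok_reqd=ok action on the account line is what lets the stack continue to pam_chauthtok instead of treating that code as a denial.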
Add a new option to attempt change of expired passwords during
pam_authenticate if Kerberos authentication returns a password expired
error. Normally, the Kerberos library will do this for you, but some
Kerberos libraries (notably Solaris) disable that code. This option
allows simulation of the normal Kerberos library behavior on those
platforms.
Work around an apparent Heimdal bug when krb5_free_cred_contents is
called on an all-zero credential structure. It's not clear what's
going on here and the Heimdal code looks correct, but avoiding the
call fixes the problem.
Warn if more than one of use_authtok, use_first_pass, and
try_first_pass is set and use the strongest of the ones set.
Remove the workaround for versions of MIT Kerberos that didn't
initialize a krb5_get_init_creds_opt structure on opt_alloc. This bug
was only present in early versions of 1.6; the correct fix is to
upgrade.
Add an additional header check for AIX's bundled Kerberos.
If KRB5_CONFIG was explicitly set in the environment, don't use a
different krb5-config based on --with-krb5. If krb5-config isn't
executable, don't use it. This allows one to force library probing by
setting KRB5_CONFIG to point to a nonexistent file.
Sanity-check the results of krb5-config before proceeding and error
out in configure if they don't work.
For Kerberos libraries without krb5-config, also check for networking
libraries (-lsocket and friends) before checking for Kerberos
libraries in case shared library dependencies are broken.
Fix Autoconf syntax error when probing for libkrb5support. Thanks,
Mike Garrison.
Set an explicit visibility of hidden for all internal functions at
compile time if gcc is used to permit better optimization. Hide all
functions except the official interfaces using a version script on
Linux. This protects against leaking symbols into the application
namespace and provides some mild optimization benefit.
Fix the probing of PAM headers for const on Mac OS X. This will
suppress some harmless compiler warnings there. Thanks, Markus
Moeller.
pam-krb5 3.10 (2007-12-28)
The workaround for krb5_get_init_creds_opt_alloc problems in MIT
Kerberos 1.6 broke PKINIT support with Heimdal. Only apply that
workaround when building against the MIT Kerberos libraries. Thanks
to Jaakko Pero for the detailed report.
If no_ccache is set, always exit successfully from pam_setcred or
pam_open_session, even if we couldn't retrieve module data. Thanks,
Markus Moeller.
When keytab is set, properly handle failure to create a keytab cursor
and don't assume that the cursor is valid. Thanks, Markus Moeller.
Define _ALL_SOURCE on AIX to get prototypes for snprintf.
Add additional portability glue and Autoconf probes to support
building against the version of Kerberos bundled with AIX. Support
for this should be considered alpha in this release. Thanks to Markus
Moeller for the initial patch.
pam-krb5 3.9 (2007-11-12)
If use_authtok is set, fail if the stored PAM password can be
retrieved but is NULL. Apparently that can happen in some cases, such
as with pam_cracklib. Thanks to Christian Holler for the diagnosis and
a patch.
Add a new clear_on_fail option for the password group. If set, when a
password change fails, set PAM_AUTHTOK to NULL so that subsequent
modules in the PAM stack with use_authtok set will also fail. Just
returning failure doesn't abort the stack on the second pass when
actual password changes are made. This is not the default since it
interferes with other desirable PAM configurations. It's useful
primarily when using the PAM stack to synchronize passwords between
multiple environments. Thanks to Christian Holler and Tomas Mraz for
the analysis.
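As an added example (not from the pam-krb5 distribution), here is a password group for the synchronization case the two entries above describe. pam_cracklib is a real module but its presence here, and the pam_unix line, are assumptions of this example.

```conf
# Illustrative password group keeping Kerberos and local passwords in sync
# (added example, not from pam-krb5; pam_cracklib and pam_unix lines assumed).
#
# First pass (PAM_PRELIM_CHECK): if pam_cracklib rejects the new password it
# can leave PAM_AUTHTOK set to NULL; with use_authtok, pam-krb5 now fails on
# that instead of proceeding with a NULL token.
#
# Second pass (PAM_UPDATE_AUTHTOK): "required" records a failure but does not
# stop the stack, so pam_unix would still change the local password.  With
# clear_on_fail, a failed Kerberos change sets PAM_AUTHTOK to NULL and the
# pam_unix use_authtok line fails as well, leaving both passwords unchanged.
password  required   pam_cracklib.so
password  required   pam_krb5.so use_authtok clear_on_fail
password  required   pam_unix.so use_authtok
```

Leave clear_on_fail off when the local password is meant to change even if the KDC rejects the update (for example a stack where pam_krb5 is "optional"); the entry above notes it is not the default precisely because it breaks such configurations.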
Fix portability issues with Heimdal, versions of PAM that don't
provide pam_modutil_getpwnam, and compiler warnings when building
PKINIT support. Thanks, Martin von Gagern.
Fix parsing of the keytab PAM option. Thanks, Markus Moeller.
Return PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR when unable to
resolve the Kerberos realm. Thanks, Frank Cornelissen.
Add a new debugging section to the README.
pam-krb5 3.8 (2007-09-30)
krb5_get_init_creds_opt_alloc doesn't initialize the returned
structure with the default flags in MIT Kerberos 1.6, which meant that
users with expired passwords were not being prompted to change their
password but just rejected. Fixed by always calling _init before
setting the credential flags, regardless of the provenance of the opt
structure. Thanks, Michael Richters.
Fix configure and Makefile glue so that Mac OS X and HP-UX have a
chance of working (still untested).
Add a make warnings target with aggressive gcc warning options. Treat
negative minimum UIDs as zero so that UID comparisons can always be
done unsigned. Add casts and unused attributes as needed.
pam-krb5 3.7 (2007-09-29)
If given an explicit keytab path to use for credential verification,
use the first principal found in that keytab as the principal for
verification rather than the library default (which is normally the
host/* principal for the local system and may not be found in that
keytab).
When authenticating, don't store our context data until after
authentication has succeeded. Otherwise, we may destroy the ticket
cache of a previous successful authentication. This bug would only
affect configurations where pam_krb5 was run multiple times with
different settings, such as multiple realms. Thanks to Dave Botsch
for the report.
Use pam_modutil_getpwnam instead of getpwnam if available for better
thread safety.
Don't store PAM data unless we're saving a ticket cache. All the
other calls use it for is finding the ticket cache, so without a cache
it's pointless and means we run the risk of stomping on ourselves in
multithreaded programs.
Still canonicalize the PAM user before returning when not saving a
ticket cache.
Fix determination of linker flags on non-x86_64 Linux. Always link
with -fPIC when using GCC, just in case.
Add compilation options for Mac OS X and HP-UX (untested).
Use pam_krb5 instead of ctx for our PAM data name to reduce the
chances of collision.
pam-krb5 3.6 (2007-09-18)
When the local user doesn't exist and search_k5login is enabled, fall
back to simple Kerberos authentication just as if the account existed
with no .k5login file. This avoids trying to verify an all-zero
credentials structure, leading to non-exploitable segfaults on x86_64
systems. Be more careful in general about setting error codes in the
search_k5login implementation.
Explicitly clear the forwardable and proxiable options and don't ask
for renewable tickets when getting a ticket for the password changing
service. Otherwise, system-wide defaults and PAM configuration will
apply to those tickets as well and the resulting ticket request may be
rejected based on KDC configuration. Based on a patch by Sergio
Gelato.
Do username canonicalization earlier so that .k5login checking and
similar work uses the correct username but only change the PAM
username if authentication succeeds. Document that username
canonicalization won't work with unmodified OpenSSH and with several
common PAM modules. Thanks to R. Scott Bailey for the bug report and
analysis.
Add a prompt_principal option which, if set, causes the PAM module to
prompt the user for the Kerberos principal to use for authentication
before prompting for the password.
Try to determine whether the PAM headers use const in the prototypes
of such things as pam_get_item and adjust accordingly. This should
address most compiler warnings on Solaris. Thanks, Markus Moeller.
Change lib to lib64 on x86_64 Linux to allow for the magical $ISA
parameter in Red Hat's PAM configuration. Hopefully this won't cause
problems elsewhere.
Support DESTDIR for make install.
pam-krb5 3.5 (2007-04-10)
Don't try to chown non-FILE ticket caches, which among other things
breaks using pam-krb5 with Heimdal KCM caches. Thanks, Jeremy
Jackson.
When logging session deletion via pam_setcred or pam_close_session,
don't look for the username in the PAM context after it's been freed.
Thanks, Markus Moeller.
Map more Kerberos status codes to PAM status codes for authentication
errors.
pam-krb5 3.4 (2007-01-28)
More compilation fixes for Heimdal 0.7, which has a pkinit function
but takes a different number of arguments. Thanks, Morgan LEFIEUX.
Never call error_message directly on Heimdal. krb5_get_err_text can
cope with a NULL context and krb5-config on Heimdal doesn't include
-lcom_err.
Handle a NULL return from krb5_get_error_message, since that seems
possible in some edge cases.
Call krb5_get_error_message on Heimdal as well if it's available,
since it's supported by the 0.8 release candidates.
pam-krb5 3.3 (2007-01-24)
Support the new MIT Kerberos error message functions.
Fix compilation errors in the Heimdal PKINIT support and don't be
confused by a similar function in the MIT Kerberos PKINIT branch.
Thanks to Douglas E. Engert for the testing and patch.
Fix compilation errors with Heimdal 0.7, which has some of the PKINIT
functions but doesn't define the same error codes. Thanks, Morgan
LEFIEUX.
Initial support for the MIT Kerberos PKINIT branch, which uses a
different mechanism for configuring PKINIT support than Heimdal. Also
support configuration of general preauth parameters for the MIT
preauth plugin system via the preauth_opt option. Thanks to Douglas
E. Engert for the initial patch.
If use_pkinit is set in the PAM configuration and PKINIT isn't
available or cannot be forced, always fail authentication.
pam-krb5 3.2 (2007-01-16)
This release fixes numerous bugs all identified by Douglas E. Engert
while testing with Heimdal and PKINIT support. Thank you!
Rewrite the code to drop the credlist data structure since we only
ever have one set of credentials, allocate new krb5_creds objects, and
do proper memory management, which should plug some memory leaks of
the contents of krb5_creds objects.
Probe for the correct Heimdal function to set default initial
credential options.
Prefix the default cache path with "FILE:" to make the cache type
explicit.
Fix installation of the manual page when building from a different
directory than the source directory.
Fix several compilation errors with the PKINIT support with Heimdal
0.8rc1 or later. This code should still be considered alpha-quality.
pam-krb5 3.1 (2007-01-03)
Fix an infinite loop on failed Kerberos authentication, and a doubled
colon that caused a syntax error with some compilers. Thanks, Markus
Moeller.
Move the check for users we should ignore to pam_sm_authenticate
from pamk5_password_auth so that it's consistently done in the API
function. This also avoids bogus log messages when authenticating as
an ignored user with debug enabled.
pam-krb5 3.0 (2006-12-18)
Add preliminary PKINIT support, contributed by Douglas E. Engert.
I reorganized and refactored the code extensively and it therefore may
not compile; until it has received more testing, it should be
considered alpha-quality. Currently, PKINIT support requires Heimdal
0.8rc1 or later.
Add a keytab configuration option to use a different keytab for
initial credential validation.
Add a ticket_lifetime configuration option to set the lifetime of
obtained credentials.
Add the banner and expose_account configuration options, which control
the prompts for authentication and password changing. Provide more
informative prompts when changing passwords.
Work around a bug in MIT Kerberos prior to 1.4 causing the library to
cache the default realm and assume a particular realm even if the
default realm is later changed. This bug prevented running two
instances of pam-krb5 with different realm settings in the same PAM
stack. Thanks, Dave Botsch.
Honor PAM_SILENT when the Kerberos library prompts for more
information, passing only actual prompts (not informational messages)
to the application.
If PAM_USER is set to a fully-qualified principal that the Kerberos
library can map to a local account name, reset PAM_USER to that local
account name after authentication.
Avoid memory leaks in the Kerberos prompter by freeing the PAM
response strings. We were already doing this elsewhere and the world
didn't end, so assume that it's safe for the PAM module to do this.
Also avoid memory leaks in some unusual error conditions.
Return unknown user rather than internal error when attempting
authentication of a user we're supposed to ignore.
When debug is enabled, report the principal for which we're attempting
authentication to help catch realm configuration errors.
Document the broken behavior of old versions of OpenSSH, which tell
PAM to refresh credentials rather than opening a session. Thanks,
Michael C. Garrison.
Add a link to the distribution page to the pam-krb5 man page.
Extensive refactoring and reorganization of the code.
pam-krb5 2.6 (2006-11-28)
Don't assume the pointer set by pam_get_user is usable over the life
of the PAM module; instead, save a local copy.
Avoid a use of already freed memory when debugging is enabled.
Use __func__ instead of __FUNCTION__ and provide a fallback for older
versions of gcc and for systems that support neither. Should fix
compilation issues with Sun's C compiler.
On platforms where we know the appropriate compiler flags, try to
build the module so that symbols are resolved within the module in
preference to any externally available symbols. Also add the
hopefully correct compiler flags for Sun's C compiler.
pam-krb5 2.5 (2006-11-03)
Don't free the results of pam_get_item(PAM_AUTHTOK) when changing
passwords. Thanks, Arne Nordmark.
Be a bit more thorough when checking authorization in
pam_sm_acct_mgmt. Re-retrieve the value of user in case the
application changed it, and if we have a ticket cache (we may not even
after a successful authentication if no_ccache was specified),
retrieve the principal from it rather than using the principal from
the context.
Overwrite passwords with 0 before freeing them, just out of paranoia
(and because PAM also does this internally).
pam-krb5 2.4 (2006-10-05)
Fix compilation problems with Heimdal. Thanks, Matthijs Mohlmann and
Douglas Engert.
Check for memory allocation failures when parsing PAM options rather
than segfaulting.
Fix several places where an uninitialized context could have been
passed into the argument parsing function.
Refactor the code to read configuration from krb5.conf to be easier
to read and understand. Parse renew_lifetime immediately and always
report an error rather than deferring time parsing until acquiring
tickets.
Log errors (not just authentication failures) at the LOG_ERR level
to match (some of) the recommendations of the Linux PAM documentation.
Log an error when an unknown option is passed via the PAM
configuration.