Changelog
libpam-krb5 (1.2.0-3) unstable; urgency=low

  * Only call krb5_kuserok when the account to which we're authenticating
    is a local account to allow use of pam_krb5 for application
    authentication of users without local accounts. (Closes: #354133)
  * Restructure the code to do user validation after obtaining their
    initial tickets. This eliminates a lot of confusing special cases and
    deferred checking and makes it easier to audit the code.
  * Don't create the ticket cache until after successful authentication.
    Otherwise, we leave files behind in /tmp.
  * Document what principals libpam_krb5.so looks for in the system keytab
    to do ticket validation. (Closes: #350556)

libpam-krb5 (1.2.0-2) unstable; urgency=low

  * Always use a disk cache for temporary storage of credentials and cope
    with not having module-specific data during pam_sm_setcred by passing
    the cache path in an environment variable. This is required to cope
    with OpenSSH's technique (when using ChallengeResponseAuthentication)
    of doing PAM authentication in a child process and then opening the
    session in the parent. (Closes: #339734)
  * Only initialize the ticket cache once no matter how many times setcred
    is called. Saves duplicate work and works around a bug in xdm, which
    calls setcred repeatedly and discards the environment set by the final
    call.
  * Don't assume we already have a context when changing passwords; passwd
    doesn't work that way. (Closes: #344003)
  * Fix the test for the new password. I don't think this would have
    worked at all before.
  * Improve debugging output for password changes.
  * If search_k5login is specified but no .k5login is found, still check
    the user with krb5_kuserok in case there are custom principal mappings
    defined.
  * Handle ignore_root in a cleaner fashion and add support for
    ignore_root on password changes.
  * Depend on krb5-config. (Closes: #342271)
  * Document that ccache and ccache_dir must be specified as options to
    the session module. (Closes: #341926)
  * Document that pam_sm_authenticate and pam_sm_setcred also call
    krb5_kuserok.
  * Properly override the upstream CFLAGS so that debugging builds work.
  * Don't ignore errors from make clean.
  * Providing binary-indep in debian/rules is required by Policy even if
    there are no arch-independent packages. Whoops.

 -- Timo Aaltonen <email address hidden> Thu, 18 May 2006 01:09:34 +0100