Hi Russ,

Did you have a chance to look at the keytab verification problem I mentioned some time ago? Right now you need to have a host/fqdn entry to verify the tickets, but this means the application needs to run as root (assuming verify_ap_req_nofail is set to true, which I think should be the default for pam anyway).

Thank you
Markus

"Russ Allbery" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I'm pleased to announce release 3.6 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features. It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
> When the local user doesn't exist and search_k5login is enabled, fall
> back to simple Kerberos authentication just as if the account existed
> with no .k5login file. This avoids trying to verify an all-zero
> credentials structure, leading to non-exploitable segfaults on x86_64
> systems. Be more careful in general about setting error codes in the
> search_k5login implementation.
>
> Explicitly clear the forwardable and proxiable options and don't ask
> for renewable tickets when getting a ticket for the password changing
> service. Otherwise, system-wide defaults and PAM configuration will
> apply to those tickets as well and the resulting ticket request may be
> rejected based on KDC configuration. Based on a patch by Sergio
> Gelato.
>
> Do username canonicalization earlier so that .k5login checking and
> similar work uses the correct username but only change the PAM
> username if authentication succeeds. Document that username
> canonicalization won't work with unmodified OpenSSH and with several
> common PAM modules. Thanks to R. Scott Bailey for the bug report and
> analysis.
>
> Add a prompt_principal option which, if set, causes the PAM module to
> prompt the user for the Kerberos principal to use for authentication
> before prompting for the password.
>
> Try to determine whether the PAM headers use const in the prototypes
> of such things as pam_get_item and adjust accordingly. This should
> address most compiler warnings on Solaris. Thanks, Markus Moeller.
>
> Change lib to lib64 on x86_64 Linux to allow for the magical $ISA
> parameter in Red Hat's PAM configuration. Hopefully this won't cause
> problems elsewhere.
>
> Support DESTDIR for make install.
>
> You can download it from:
>
> <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> --
> Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
