lp:debian/squeeze/libpam-krb5

Created by James Westby and last modified
Get this branch:
bzr branch lp:debian/squeeze/libpam-krb5
Members of Ubuntu branches can upload to this branch. Log in for directions.

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Status:
Development

Recent revisions

18. By Russ Allbery

* New upstream release.
  - New fast_ccache option, which if set attempts to use credentials in
    that ticket cache to protect the Kerberos authentication with FAST.
    Requires FAST support in the Kerberos libraries and hence only is
    available in libpam-krb5, not libpam-heimdal, for right now.
  - Fix error in freeing a previous alt_auth_map setting.
* Switch to 3.0 (quilt) source format. Force a single Debian patch and
  include a custom patch header explaining that it is a rollup of any
  fixes cherry-picked from upstream and breaking those patches out
  separately would be work for no gain.

17. By Russ Allbery

* Build libpam-krb5 and libpam-heimdal from the same source package.
* Acknowledge libpam-heimdal NMU.
  - Rebuild against current Heimdal libraries. (Closes: #559779)
  - Add support for pam-auth-update. (Closes: #551455)
* Lower libpam-heimdal priority to extra, since it conflicts with
  libpam-krb5 and the MIT Kerberos version will be sufficient for most
  users.
* Fix spelling error in manual page.
* Update standards version to 3.8.4 (no changes required).

16. By Russ Allbery

* New upstream release.
  - New fail_pwchange option which treats expired passwords like
    authentication failure and suppresses password change.

15. By Russ Allbery

* New upstream release.
  - Fix a segfault if pam-krb5 is configured with use_first_pass or
    use_authtok and there is no stored password. Thanks, Jonathan
    Guthrie. (Closes: #537729)

14. By Russ Allbery

Return PAM_IGNORE for ignored users in pam_chauthtok instead of
PAM_PERM_DENIED. This change is necessary for the pam-auth-update
configuration to work properly. Thanks, Steve Langasek.

13. By Russ Allbery

Fix segfault after detection of unsafe .k5login ownership when
search_k5login is set. Thanks, Andrew Deason. (Closes: #499479)

12. By Russ Allbery

* New upstream release.
  - If no_ccache is set, don't fail if we can't find module data.
  - Better error handling when reading keytabs.
* Document in README.Debian that accounts must still exist in
  /etc/shadow when following the standard configuration and suggest an
  alternate configuration when that isn't appropriate. Thanks, Raoul
  Borenius. (Closes: #452592)
* No longer build-depend on comerr-dev, since the module no longer links
  to it directly.
* Update standards version to 3.7.3 (no changes required).

11. By Russ Allbery

* New upstream release.
  - If use_authtok is set, fail if we retrieve a NULL password, since
    that's how pam_cracklib rejects passwords. (Closes: #447306)
  - Add clear_on_fail option to clear the password on failed password
    change to force later password modules using use_authtok to fail.
  - Fix parsing of the keytab PAM option.
  - Return PAM_AUTHINFO_UNAVAIL when unable to resolve the realm.
  - Additional debugging information in README.
* Add Homepage control field.

10. By Russ Allbery

* New upstream release.
  - Restore prompting for expired passwords. (Closes: #444740)
  - Correctly handle a negative minimum UID setting.

9. By Russ Allbery

* New upstream release.
  - Fix compilation errors with Heimdal. (Closes: #413553)
  - Document that ChallengeResponseAuthentication must be enabled in
    sshd to prompt users to change expired passwords. (Closes: #411816)
  - Support specifying a keytab other than the system keytab to use to
    verify passwords. (Partly addresses #399002)
  - New ticket_lifetime, banner, and expose_account config options.
  - Honor PAM_SILENT where appropriate.
  - Prefix the default cache type with FILE: to be explicit.
  - If PAM_USER is set to a fully-qualified principal that the Kerberos
    library can map to a local account name, reset PAM_USER to that
    local account name after authentication.
  - Return better PAM error codes for authentication failures.
  - Fix various memory leaks and memory handling problems.
  - Better error message handling with later Kerberos releases.
  - Various improvements to debug logging.
* Update debhelper compatibility level to V5.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information 
Everyone can see this information.

Subscribers