1. 31 Dec, 2017 2 commits
  2. 11 Aug, 2017 1 commit
    • Russ Allbery's avatar
      Update to rra-c-util 6.3 and C TAP Harness 3.4 · 89c30260
      Russ Allbery authored
      Update to rra-c-util 6.3:
      
      * Fix new warnings in GCC 7.
      * Probe for warning flags instead of hard-coding a list.
      * New test for obsolete URLs and email addresses.
      * Remove unused portable replacements for strlcpy and strlcat.
      * Use C_TAP_SOURCE and C_TAP_BUILD environment variables in tests.
      * Fix portability defines for anonymous principal strings.
      * Clear errno on pam_modutil_getpwnam to improve other testing.
      * Add portability defines for macOS's PAM implementation.
      * Add new Autoconf macro to probe for pam_strerror const usage.
      * Support Solaris 10's included Kerberos.
      
      Update to C TAP Harness 3.4:
      
      * Fix segfault in runtests with an empty test list.
      * Display verbose test results with -v or C_TAP_VERBOSE.
      * Test infrastructure builds cleanly with Clang warnings.
      89c30260
  3. 26 Dec, 2014 2 commits
  4. 13 Apr, 2014 1 commit
  5. 02 Jun, 2012 1 commit
  6. 25 Dec, 2011 1 commit
  7. 23 Dec, 2011 1 commit
  8. 22 Dec, 2011 1 commit
  9. 22 Aug, 2011 2 commits
    • Russ Allbery's avatar
      Remove v5 from Kerberos references in documentation · 45f889c0
      Russ Allbery authored
      Change references to Kerberos v5 to just Kerberos in the
      documentation.  Kerberos v5 has been the default version of Kerberos
      for over ten years now.
      45f889c0
    • Russ Allbery's avatar
      Update to rra-c-util 3.8 · 15295a65
      Russ Allbery authored
      Avoid krb5-config and use manual library probing if --with-krb5-lib or
      --with-krb5-include were given to configure.  This avoids having to
      point configure at a nonexistent krb5-config to override its results.
      
      Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in
      configure, to avoid a conflict with the variable used by the Kerberos
      libraries to find krb5.conf.
      
      Fix replacement mkstemp to use long long where available.
      
      Some other minor coding style changes.
      15295a65
  10. 01 Jan, 2011 1 commit
  11. 10 Jun, 2010 2 commits
  12. 26 Nov, 2009 1 commit
  13. 20 Nov, 2009 1 commit
  14. 14 Nov, 2009 3 commits
  15. 11 Aug, 2009 1 commit
    • Russ Allbery's avatar
      Update recommend password stack configuration of pam_unix · ba40b4d0
      Russ Allbery authored
      Remove the min/max settings on the example pam_unix configuration line.
      They shouldn't be used.  Also remove nullok; that seems like a bad
      default.  When pam_krb5 runs before pam_unix, add try_first_pass to the
      pam_unix configuration line.
      ba40b4d0
  16. 21 Jul, 2009 1 commit
  17. 18 Jul, 2009 1 commit
  18. 11 Feb, 2009 1 commit
  19. 22 Jan, 2009 1 commit
  20. 20 Jan, 2009 1 commit
  21. 13 Nov, 2008 2 commits
    • Russ Allbery's avatar
      Update the requirements section of README · bfa6753d
      Russ Allbery authored
      The MIT Kerberos PKINIT support was released, so update the requirements
      accordingly.  Require a version with the fix to the option handling since
      we no longer enable the workaround.
      
      The AIX support can probably be considered beta now.
      
      Note that I can only test against Linux and need other people to report
      problems on different operating systems.
      bfa6753d
    • Russ Allbery's avatar
      Release 3.12 · 84ead506
      Russ Allbery authored
      84ead506
  22. 07 Aug, 2008 1 commit
    • Russ Allbery's avatar
      Add alt_auth_map for mapping of usernames to authorization identities · fc095d49
      Russ Allbery authored
      Add alt_auth_map configuration option, which allows mapping of
      usernames to alternative Kerberos principals, useful primarily for
      using particular instances for access to a given PAM-authenticated
      service.  Also added force_alt_auth and only_alt_auth options to
      control when alternative Kerberos principals are used.  Patch from
      Booker Bense.
      fc095d49
  23. 04 Aug, 2008 6 commits
  24. 10 Jul, 2008 2 commits
  25. 06 Jul, 2008 3 commits
    • Russ Allbery's avatar
      Finish implementation of proper expired password handling · 8cd2d4b7
      Russ Allbery authored
      pam_chauthtok, when handling expired passwords, now obtains credentials
      and creates a cache the same way that pam_authenticate does after
      changing the password.
      8cd2d4b7
    • Russ Allbery's avatar
      Initial support for correct password expiration handling · cb79a67a
      Russ Allbery authored
      Support correct password expiration handling according to the PAM
      standard (returning success from pam_authenticate and an error from
      pam_acct_mgmt and completing the authentication after pam_chauthotk).
      This is not the default since it opens security holes with broken
      applications that don't call pam_acct_mgmt or ignore its exit status.
      To enable it, set the PAM option defer_pwchange for applications known
      to make the correct PAM calls and check return codes.
      
      This is an intermediate check-in, which supports changing the password
      but doesn't obtain credentials after the password change.
      cb79a67a
    • Russ Allbery's avatar
      Return PAM_IGNORE in account and session interfaces · b099018c
      Russ Allbery authored
      pam_setcred, pam_open_session, and pam_acct_mgmt now return PAM_IGNORE
      for ignored users or non-Kerberos logins rather than PAM_SUCCESS.
      This return code tells the PAM library to continue as if the module
      were not present in the configuration and allows sufficient to be
      meaningful for pam-krb5 in account and session groups.
      pam_authenticate continues to return failure for ignored users;
      PAM_IGNORE would arguably be more correct, but increases the risk of
      security holes through incorrect configuration.
      b099018c