Tryag File Manager
Home
-
Turbo Force
Current Path :
/
proc
/
self
/
root
/
usr
/
share
/
doc
/
pam_krb5-2.2.14
/
Upload File :
New :
File
Dir
//proc/self/root/usr/share/doc/pam_krb5-2.2.14/NEWS
- 2.2.13: * make it possible to have more than one ccache (and tktfile) at a time to work around apps which open a session, set the environment, and initialize creds (when we previously created a ccache, removing the one which was named in the environment) - 2.2.12: * add a "pwhelp" option. Display the KDC error to users. - 2.2.11: * return success from our account management callback in cases where our authentication callback simply failed to authenticate (#207410) * fix setting of items for password-changing modules which get called after us (Michael Calmer) - 2.2.10: * add the "no_subsequent_prompt" option, to force the module to always answer a libkrb5 prompt with the PAM_AUTHTOK value * add the "debug_sensitive" option, which actually logs passwords * add the --with-os-distribution option to configure to override "Red Hat Linux" in the man pages * if the server returns an error message during password-changing, let the user see it - 2.2.9: * return PAM_IGNORE instead of PAM_SERVICE_ERR when we're called in an unsafe situation and told to refresh credentials * fix a race condition in how the ccache creation helper is invoked * properly handle "external" cases where the forwarded creds belong to someone other than the principal name we guessed for the user - 2.2.8: * skip attempts to set non-"2b" tokens when use of v4 credentials has been completely disabled - 2.2.7: * do 524 conversion for the "external" cases, too - 2.2.6: * add "krb4_use_as_req" to completely disallow any attempts to get v4 credentials (along with "krb4_convert_524", which was already there) * don't try to convert v5 creds to v4 creds for AFS when "krb4_convert_524" is disabled, either - 2.2.5: * fix a couple of cases where a debug message would be logged even if debugging wasn't enabled - 2.2.4: * fix reporting of the reasons for password change failures - 2.2.3: * fix a compilation error - 2.2.2: * when validating user credentials, don't leak the keytab file descriptor - 2.2.1: * fix a thinko which broke afs5log on systems where the AFS syscall isn't available - 2.2: * refreshing of preexisting credentials works, so unlocking your screensaver should fetch new credentials and tokens. Be careful that you don't invoke the authentication function with the "tokens" flag, which creates a new PAG, if you want this to be useful. As of this writing, at least xscreensaver calls pam_setcred() with the proper flag to signal that credentials should be refreshed. Other screen saver applications may not. * new "external" option for use with OpenSSH's GSSAPI authentication with credential delegation and AFS, *should* work with anything which uses GSSAPI, accepts delegated credentials, and sets KRB5CCNAME in the PAM environment * new "use_shmem" option for use with OpenSSH's privilege separation mode * credential and renewal lifetimes can now be given either as krb5-style times or as numbers of seconds * new "ignore_unknown_principal"/"ignore_unknown_spn" option * new "krb4_convert_524" option * configure can now set the default location of the system keytab * configure disables AFS support except on Linux and Solaris (for now), but can be overridden either way (needs testing on Solaris) * can now specify a principal name for AFS cells, to save guesswork * should now correctly work with SAM authentication, needs testing * "tokens" now behaves like "external" and "use_shmem", in that it can be specified in the configuration as a list of service names - 2.1: switch to a minikafs implementation to flush out lurking ABI differences between the krb4 interface the kafs library used and the one which libkrb4 provides. Also, we support "2b" tokens now. - 2.0: more or less complete rewrite. Jettison our own krb5.conf parsing code in favor of the supported API. This means that configuration settings which look like this: [pam] forwardable = yes are no longer recognized, and must be changed to: [appdefaults] pam = { forwardable = yes }