I'm pleased to announce release 4.10 of pam-krb5.

This is a small bug-fix release with a possible security fix, although I
don't see a path to exploit the bug. But better safe than sorry.

pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard expected PAM features. It works correctly with OpenSSH, even with ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports extensive configuration either by PAM options or in krb5.conf or
both. PKINIT is supported with recent versions of both MIT Kerberos and Heimdal and FAST is supported with recent MIT Kerberos.

Changes from previous release:

When re-retrieving the authenticated principal from the current cache,
ensure the stored principal in the authentication context is always
either valid or NULL. Otherwise, a failure of krb5_cc_get_principal
could result in a double free. Thanks to Michael Muehle for the
report.

Update to rra-c-util 9.0:

* Check that at least one Kerberos header file was found and works.
* Use AS_ECHO in all Autoconf macros in preference to echo.
* Fix portability of reallocarray on NetBSD systems.
* Stop providing a replacement for a broken snprintf.

Update to C TAP Harness 4.7:

* Fix warnings with GCC 10.

You can download it from:

<https://www.eyrie.org/~eagle/software/pam-krb5/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian experimental, and the bug fix patch has been backported to 4.9 in Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)