
0.52 available


This is to announce that .52 is available. Please download it and test it.

Best wishes


Here is the relevant portion of the CHANGELOG file: (but spell-checked ;*)

0. Before I begin, Linux-PAM has a new primary distribution site (kindly
donated by Power Net Inc., Los Angeles)


      ------->  http://www.power.net/morgan/Linux-PAM  <-------


1. I'm hoping to make the next release a bug-fix release... So please find
   all the bugs(! ;^)

2. here are the changes for .52:

* minor changes to module documentation [Incidentally, it is now
  available on-line from the WWW page above]. More changes to follow in
  the next two releases. PLEASE EMAIL me or the list if there is
  anything that isn't clear!

* completely changed the unix module. Now a single module for all four
  management groups (this meant that I could define all functions as
  static that were not part of the pam_sm_... scheme. AGM)

  - Shadow support added
  - Elliot's account management included, and enhanced by Cristian Gafton.
  - MD5 password support added by Cristian Gafton.
  - maxtries for authentication now enforced.
  - Password changing function in pam_unix now works!
    Although obviously, I'm not going to *guarantee* it ;^) .
  - stole Marek's locking code from the Red Hat unix module.
    [ If you like you can #ifdef it in or out ... ]

    You can configure the module more from its Makefile in

    If you are nervous that it will destroy your /etc/passwd or shadow
    files then EDIT the 0.52/modules/pam_unix/pam_unix_pass.c file.
    Here is the warning comment from this file...

/*                           <WARNING>
 * Uncomment the following #define if you are paranoid, and do not
 * want to risk losing your /etc/passwd or shadow files.
 * It works for me (AGM) but there are no guarantees.
 *                          </WARNING>
 */
/* #define TMP_PASSWD_FILE */

  *** If anyone has any trouble, please *say*. Your problem will be
      fixed in the next release. Also please feel free to scour the
      code for race conditions etc... 

[* The above change requires that you purge your /usr/lib/security
   directory of the old pam_unix_XXX.so modules: they will NOT be deleted
   with a 'make remove'.]

* the prototype for the cleanup function supplied to pam_set_data used
  to return "int". According to Sun it should be "void". CHANGED.

* added some definitions for the 'error_status' mask values that are
  passed to the cleanup function associated with each
  module-data-item. These numbers were needed to keep up with changing
  a data item (see for example the code in pam_unix/support.c that
  manages the maximum number of retries so far). Will see what Sun says
  (current indications are positive); this may be undone before 1.0 is
  released.  Here are the definitions (from pam_modules.h).

#define PAM_DATA_SILENT    0x40000000     /* used to suppress messages... */
#define PAM_DATA_REPLACE   0x20000000     /* used when replacing a data item */

* Changed the .../conf/pam.conf file. It now points to the new
  pam_unix module for 'su' and 'passwd' [can get these as SimpleApps --
  I use them for testing. A more extensive selection of applications is
  available from Red Hat...]

* corrected a bug in pam_dispatch. Basically, the problem was that if
  all the modules were "sufficient" then the return value for this
  function was never set. The net effect was that _pam_dispatch_aux
  returned success when all the sufficient modules failed. :^( I think
  this is the correct fix to a problem that the Red Hat folks had

* Removed advisory locking from libpam (thanks for the POSIX patch
  go to Josh Wilmes; my apologies for not using it in the
  end). Advisory locking did not seem sufficiently secure for libpam.
  Thanks to Werner Almesberger for identifying the corresponding "denial
  of service attack". :*(

* related to this fix, have introduced a lock file /var/lock/subsys/PAM
  that can be used to indicate the system should pay attention to
  advisory locking on /etc/pam.conf file. To implement this you need to
  define PAM_LOCKING though. (see .52/libpam)

* modified pam_fail_delay() function. Couldn't find the "not working"
  problem indicated by Michael, but modified it to do pseudo-random
  delays based on the values indicated by pam_fail_delay() -- the
  function "that may eventually go away"... Although Sun is warming to
  the idea.

* new modules include:

	pam_shells    - authentication for users with a shell listed in
			/etc/shells. Erik Troan <ewt@redhat.com>

	pam_listfile  - authentication based on the contents of files.
			Set to be more general than the above in the
			future. UNTESTED. Elliot Lee <sopwith@redhat.com>
			[Note, this module compiles with a non-trivial
			warning: AGM]
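
The fail-open behaviour described in the pam_dispatch entry of the changelog above, as a small self-contained C model added here; it is not code from Linux-PAM or from this announcement. The names `dispatch_buggy`, `dispatch_fixed`, `struct entry` and the `R_*` values are hypothetical, and the buggy variant starts its status at success to stand in for the return value that was never set.

```c
#include <stddef.h>
#include <stdio.h>

/* Model values only; these are not the constants from the Linux-PAM headers. */
enum { R_SUCCESS = 0, R_AUTH_ERR = 1 };
enum control { REQUIRED, SUFFICIENT };
struct entry { enum control ctl; int result; };  /* one module's outcome */

/* Constructed sample stack: every module is "sufficient" and every one fails. */
static const struct entry all_fail[] = {
    { SUFFICIENT, R_AUTH_ERR }, { SUFFICIENT, R_AUTH_ERR } };

/* Fail-open: only a failing "required" entry ever changes status. */
static int dispatch_buggy(const struct entry *s, size_t n) {
    int status = R_SUCCESS;  /* stands in for the return value never being set */
    for (size_t i = 0; i < n; i++) {
        if (s[i].ctl == SUFFICIENT) {
            if (s[i].result == R_SUCCESS && status == R_SUCCESS)
                return R_SUCCESS;
            /* a failing "sufficient" entry leaves status untouched */
        } else if (s[i].result != R_SUCCESS && status == R_SUCCESS) {
            status = s[i].result;
        }
    }
    return status;
}

/* Fail-closed: success has to be earned by at least one module. */
static int dispatch_fixed(const struct entry *s, size_t n) {
    int required_failure = R_SUCCESS, last_failure = R_AUTH_ERR, any_success = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i].result == R_SUCCESS) {
            if (s[i].ctl == SUFFICIENT && required_failure == R_SUCCESS)
                return R_SUCCESS;
            any_success = 1;
        } else if (s[i].ctl == REQUIRED) {
            if (required_failure == R_SUCCESS) required_failure = s[i].result;
        } else {
            last_failure = s[i].result;  /* remember why "sufficient" failed */
        }
    }
    if (required_failure != R_SUCCESS) return required_failure;
    return any_success ? R_SUCCESS : last_failure;
}

int main(void) {
    printf("all sufficient fail: buggy=%d fixed=%d\n",
           dispatch_buggy(all_fail, 2), dispatch_fixed(all_fail, 2));
    return 0;
}
```

The fixed variant also rejects an empty stack, which goes slightly beyond the case the changelog describes.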
