[OpenAFS-announce] pam-afs-session 2.2 released

Russ Allbery openafs-info@openafs.org
Thu, 03 Mar 2011 14:48:47 -0800

I'm pleased to announce release 2.2 of pam-afs-session.

pam-afs-session is a PAM module intended for use with a Kerberos v5 PAM
module to obtain an AFS PAG and AFS tokens on login.  It puts every new
session in a PAG regardless of whether it was authenticated with Kerberos
and either uses Heimdal's libkafs or runs a configurable external program
to obtain tokens.  It supports using Heimdal's libkafs or OpenAFS's
libkopenafs for the AFS interface and falls back to an internal
implementation if libkafs isn't available.

Changes from previous release:

    Stop returning PAM_IGNORE from pam_setcred if AFS is not available or
    if we're deleting credentials but the PAM module is configured not to
    delete tokens.  Instead, return PAM_SUCCESS.  This fixes problems with
    the Linux PAM library where returning PAM_IGNORE would cause
    pam_setcred to fail even if other modules succeeded.

    When using libkafs, close the ticket cache after obtaining tokens.
    Fixes a memory leak.

    Fix the error return statuses for pam_setcred.  Previously, on error,
    it was returning PAM_SESSION_ERR, which is a return status that's only
    supposed to be used for pam_open_session and pam_close_session.
    Instead, return PAM_USER_UNKNOWN or PAM_CRED_ERR as appropriate.

    Update to rra-c-util 3.2:

    * Check if the string being duplicated is NULL in strndup replacement.

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>