[OpenAFS-announce] pam-afs-session 2.6 released

Russ Allbery openafs-info@openafs.org
Sat, 19 Sep 2015 18:25:43 -0700

I'm pleased to announce release 2.6 of pam-afs-session.

pam-afs-session is a PAM module intended for use with a Kerberos PAM
module to obtain an AFS PAG and AFS tokens on login.  It puts every new
session in a PAG regardless of whether it was authenticated with Kerberos
and either uses Heimdal's libkafs or runs a configurable external program
to obtain tokens.  It supports using Heimdal's libkafs or OpenAFS's
libkopenafs for the AFS interface and falls back to an internal
implementation if libkafs isn't available.

Note that this package is technically orphaned, but a bug in the PAM (as
opposed to the AFS) part was reported in Debian, and I used that as an
excuse to finish up some pending cleanup work I had.  It's unlikely that
I'll make another release.  Let me know if you've taken it over and have
put out a new release so that I can update the web site.

Changes from previous release:

    When pam_setcred is called with PAM_REINITIALIZE_CRED or
    PAM_REFRESH_CRED, don't set the PAM data item that says to skip a
    subsequent pam_open_session and delete tokens on pam_close_session.
    This fixes a problem with sudo when pam_setcred is enabled, since sudo
    first calls pam_setcred with PAM_REINITIALIZE_CRED and then opens a
    new session.  The previous code would not create a new PAG for the new
    session and then would delete the caller's tokens after sudo
    completed.  The new behavior is more conceptually correct, since
    reinitializing creds doesn't take ownership of the session, and
    therefore shouldn't mean deleting them on session close.

    Fix compilation failure on Solaris 11 and later with the built-in kafs

    Use the PATH_KRB5_CONFIG environment variable or command-line setting
    to configure instead of KRB5_CONFIG to get the path to krb5-config.
    The latter is used to point to an alternative krb5.conf file.

    Update to rra-c-util 5.8:

    * Improve robustness of PAM entry and exit handling.
    * Do not append a PAM error message if the status is PAM_SUCCESS.
    * Fix a memory leak in PAM logging.
    * Pass --deps to krb5-config except with --enable-reduced-depends.
    * Avoid calling krb5_get_error_message with a NULL context.
    * Use krb5/krb5.h if krb5.h is not present, for NetBSD portability.
    * Fix stripping of -I/usr/include from krb5-config output.
    * Use manual Kerberos library probing if lib or include paths given.
    * Do not assume string is nul-terminated in replacement strdup.
    * Avoid using local in the shell TAP library for Solaris portability.
    * Silence __attribute__ warnings on more compilers.
    * Add more __format__ annotations on various utility functions.
    * Adjust POD tests to handle multiple .. paths in build directory.

    Update to C TAP Harness 3.4:

    * Suppress plan and summary if bail is called before any tests run.
    * Only use feature-test macros when requested or built with gcc -ansi.
    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell libtap.sh library.
    * Silence __attribute__ warnings on more compilers.
    * runtests now frees all allocated resources on exit.
    * Fix runtests to honor -s even if BUILD and -b aren't given.
    * Fix segfault with an empty test list.

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
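
The pam_setcred change described in the first changelog entry, as an added example that is not part of the original announcement and not pam-afs-session source code. It is a constructed model of the sudo call sequence; every name in it is hypothetical, and it assumes that a reinitialize or refresh re-obtains tokens in the current PAG.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the 2.6 fix; not pam-afs-session code. */
enum cred_flag { ESTABLISH, REINITIALIZE, REFRESH };
struct model {
    int next_pag, cur_pag;  /* next PAG id to hand out; PAG we are in now */
    bool tokens[8];         /* tokens[p]: PAG p currently holds AFS tokens */
    bool owned;             /* the PAM data item: skip open, delete on close */
};
struct result { bool new_pag_created, caller_tokens_kept; };

static void get_tokens(struct model *m, bool new_pag) {
    if (new_pag)
        m->cur_pag = m->next_pag++;
    m->tokens[m->cur_pag] = true;
}

static void setcred(struct model *m, enum cred_flag f, bool fixed) {
    bool refresh = (f == REINITIALIZE || f == REFRESH);
    get_tokens(m, !refresh);   /* assumption: refresh reuses current PAG */
    if (!refresh || !fixed)    /* 2.6: refresh no longer sets the item */
        m->owned = true;
}

static void open_session(struct model *m) {
    if (m->owned)
        return;                /* item set: the session setup is skipped */
    get_tokens(m, true);
    m->owned = true;
}

static void close_session(struct model *m) {
    if (m->owned)
        m->tokens[m->cur_pag] = false;
}

/* sudo's sequence, run from a caller already in PAG 1 with tokens. */
struct result sudo_sequence(bool fixed) {
    struct model m = { .next_pag = 2, .cur_pag = 1, .tokens = { [1] = true } };
    setcred(&m, REINITIALIZE, fixed);
    open_session(&m);
    struct result r = { .new_pag_created = (m.cur_pag != 1) };
    close_session(&m);
    r.caller_tokens_kept = m.tokens[1];
    return r;
}

int main(void) {
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct result r = sudo_sequence(fixed);
        printf("fixed=%d new_pag=%d caller_tokens_kept=%d\n", fixed,
               r.new_pag_created, r.caller_tokens_kept);
    }
}
```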