author | Dmitry V. Levin <ldv@strace.io> | 2024-05-11 08:00:00 +0000 |
---|---|---|
committer | Dmitry V. Levin <ldv@strace.io> | 2024-05-15 08:00:00 +0000 |
commit | 0f6796ec4c9429494653be48a3cf13b45e55c86f (patch) | |
tree | 7f83e3a7a14206970c7d9635e774df0e0adbd903 /CHANGELOG | |
parent | a7eb114974b20aa02ead19e8f905a863ef34ce55 (diff) | |
Move all historic changelog files to a top-level ChangeLog.old directory
Move all historic changelog files away to avoid confusion.
Diffstat (limited to 'CHANGELOG')
-rw-r--r-- | CHANGELOG | 1765 |
1 files changed, 0 insertions, 1765 deletions
diff --git a/CHANGELOG b/CHANGELOG deleted file mode 100644 index 5f9bab2a..00000000 --- a/CHANGELOG +++ /dev/null 
@@ -1,1765 +0,0 @@ - -======================================================================= -======================================================================= - - This file is no longer used for tracking changes for Linux-PAM. For - user visible changes, please look at the NEWS file. A more verbose - list of changes can be found in ChangeLog. - -======================================================================= -======================================================================= - ------------------------------ - -TODO: - - - sanitize use of md5 throughout distribution.. Make a static - library for helping to develop modules that contains it and other - stuff. Also add sha-1 and ripemd-160 digest algorithms. - - once above is done. remove hacks from the secret@here module etc.. - - document PAM_INCOMPLETE changes - - verify that the PAM_INCOMPLETE interface is sensible. Can we - catch errors? should we permit item changing etc., between - pam_authenticate re-invocations? - - verify that the PAM_INCOMPLETE interface works (auth seems ok..) - - add PAM_INCOMPLETE support to modules (partially added to pam_pwdb) - - work on RFC. - - auth and acct support in pam_cracklib, "yes, I know the password - you just typed was valid, I just don't think it was very strong..." - -==================================================================== - -If you have found a bug in Linux-PAM (including a documentation bug, -or a new feature request and/or patch), please consider filing such a -bug report - outstanding bugs are listed here: - - http://sourceforge.net/tracker/?atid=106663&group_id=6663&func=browse - -(to file another bug see the 'submit bug' button on that page). - -==================================================================== - -0.81: please submit patches for this section with actual code/doc - patches! 
-* pam_umask: New module for setting umask from GECOS field, /etc/login.defs - or /etc/default/login (kukuk) -* configure/pam_strerror: Remove old ugly-hack option for pam_strerror - interface change (kukuk) -* configure.in: Fix AC_DEFINE usage for autoheader (kukuk) -* configure.in/_pam_aconf.h.in: Remove feature.h inclusion (kukuk) -* defs: Remove obsolete directory/content (kukuk) -* Rename _pam_aconf.h.in to config.h (kukuk) -* pam_unix: Don't ignore pam_get_item return value (kukuk) -* pam_userdb: Fix regression - crash when crypt param not specified (t8m) -* libpam: Remove pam_authenticate_secondary stub (kukuk) -* Use autoconf/automake/libtool (kukuk) -* pam_securetty: Be fail-close on user lookups, always log failures, - not just with "debug" (Solar Designer) -* Add gettext support -* Add translations for cs, de, es, fr, hu, it, ja, nb, pa, pt_BR, - pt, zh_CN and zh_TW -* pam_limits: Apply ALT Linux/Owl patch -* pam_motd: Apply ALT Linux/Owl patch -* libpam: Cache pam_get_user() failures -* libpam: Add pam_prompt,pam_vprompt,pam_error,pam_verror,pam_info - and pam_vinfo functions for use by modules as extension (kukuk). -* pam_cracklib: Make path to cracklib dicts an option (kukuk). -* libpam: Add pam_syslog function for unified syslog messages from - PAM modules (kukuk). 
-* pam_tally, pam_time, pam_userdb: use pam_syslog and pam_prompt (ldv) -* pam_issue: major cleanup (ldv) -* pam_echo: New PAM module for message output (kukuk) -* pam_limits: Fix regression from RLIMIT_NICE support (wrong limit - values for other limits are applied) patch by Anton Guda -* pam_unix: Always honor nis flag on password change (by Aaron Hope) -* libpam: Moved functions from pammodutil to libpam (t8m) -* pam_lastlog: Cleanup, fix broken logic in pam_parse, - modify wtmp by default, nowtmp option switches that off (ldv) - -0.80: Wed Jul 13 13:23:20 CEST 2005 -* pam_tally: test for NULL data before dereferencing them (t8m) -* pam_unix: fix regression introduced in 0.78 - both NIS and local password - should be changed if possible (t8m) -* misc_conv: flush input first then print the prompt - fixes problem - with expect scripts (t8m) -* pam_unix: nis option shouldn't clear the shadow option (t8m) -* cleanups and minor bugfixes by Steve Grubb (t8m) -* pam_private.h: set PAM_DEFAULT_PROMPT to "login: " (kukuk) -* pam_mkhomedir: Create parent directories if they do not already - exist (Bug 600351 - kukuk) -* pam_mkhomedir: Set owner/permissions of home directory after we - created all files (Bug 1032922 - kukuk) -* pam_rhosts: Get rid of static buffer for path (kukuk) -* pam_selinux/pam_unix/pam_rootok: Add SELinux support based on - patch from Red Hat (kukuk) -* pam_limits: Correct support of unlimited limits, use correct type - for rlimit value (Bug 945449 - kukuk, t8m) -* pam_xauth: Unset the XAUTHORITY variable when requesting user is - root and target user is not (t8m) -* pam_access: Add listsep option to set list element separator by - Richard Shaffer (t8m) -* pam_limits: Don't reset process priority if none is specified in - the config file (Novell #81690 - kukuk) -* Fix all occurrence of dereferencing type-punned pointer will break - strict-aliasing rules warnings (kukuk) -* pam_limits: Support new limits in linux 2.6.12 (t8m) -* pam_mkhomedir: change 
mode datatype (toady) -* pam_limits: Don't lowercase login names (kukuk) - -0.79: Thu Mar 31 16:48:45 CEST 2005 -* pam_tally: added audit option (toady) -* pam_unix: don't log user unknown failure when he can be properly - authenticated by another module (t8m) -* configure: don't abort if no cracklib dictinaries were found, but - warn user that pam_cracklib will not be built (kukuk) -* modules/pam_unix/support.c: Fix return value if user aborts while - changes the password (Bug 872945 - kukuk) -* modules/pam_unix/support.c: Fix return value for an unknown user - (Bug 872943 - kukuk) -* pam_limits: support for new Linux kernel 2.6 limits (from toby cabot - - t8m) -* pam_tally: major rewrite of the module (t8m) -* libpam: don't return PAM_IGNORE for OK or JUMP actions if using - cached chain (Bug 629251 - t8m) -* pam_nologin: don't overwrite return value with return from - pam_get_item (t8m) -* libpam: Add more checks for broken PAM configuration files to - avoid seg.faults (kukuk) -* pam_shells: correct README -* libpam: Fix debug code (kukuk) -* pam_limits: Fix order of LIMITS_DEF_* priorities (kukuk) -* pam_xauth: preserve DISPLAY variable (Novell #66885 - kukuk) -* libpam: Add prelude ids (http://www.prelude-ids.org) support, - as experimental. 
(toady) -* configure: Add the directory where new versions of cracklib is - installed (from Jim Gifford - toady) -* libpamc: Use standard u_intX_t types instead of __uX (kukuk) - -0.78: Do Nov 18 14:48:36 CET 2004 - -* pam_unix: change the order of trying password changes - local first, - NIS second (t8m) -* pam_wheel: add option only_root to make it affect authentication - to root account only -* pam_unix: test return values on renaming files and report error to - syslog and to user -* pam_unix: forced password change shouldn't trump account expiration -* pam_unix: remove the use of openlog (from debian - toady) -* pam_unix: NIS cleanup (patch from Philippe Troin) -* pam_access: you can now authenticate an explicit user on an explicit - tty (from debian - toady) -* pam_limits, pam_rhosts, pam_unix: fixed hurd portability issues - (patch from Igor Khavkine) -* pam_env: added comments in the configuration file to avoid errors - (from debian - toady) -* pam_mail: check PAM_NO_ENV to know if we can delete the environment - variable (from debian - toady) -* pam_filter: s/termio/termios/g (from debian - toady) -* pam_mkhomedir: no maxpathlen required (from debian - toady) -* pam_limits: applied patch to allow explicit limits for root - and remove limits on su. (from debian - toady) -* pam_unix: severe denial of service possible with this module since - it locked too aggressively. Bug report and testing help from Sascha - Loetz. (Bug 664290 - agmorgan) -* getlogin was spoofable: "/tmp/" and "/dev/" have the same number of - characters, so 'ln /dev/tty /tmp/tty1 ; bash < /tmp/tty1 ; logname' - attacks could potentially spoof pam_wheel with the 'trust' module - argument into granting access to a luser. Also, pam_unix gave - odd error messages in such a situation (logname != uid). This - problem was found by David Endler of iDefense.com (Bug 667584 - - agmorgan). -* added my new DSA public key to the pgp.keys.asc file. 
Also included - a signed copy of my new public key (1024D/D41A6DF2) made with my old - key (1024/2A398175). -* added "include" directive to config file syntax. - The whole idea is to create few "systemwide" pam configs and include - parts of them in application pam configs. - (patch by "Dmitry V. Levin" <ldv@altlinux.org>) (Bug 812567 - baggins). -* doc/modules/pam_mkhomedir.sgml: Remove wrong debug options - (Bug 591605 - kukuk) -* pam_unix: Call password checking helper whenever the password field - contains only one character (Bug 1027903 - kukuk) -* libpam/pam_start.c: All service names should be files below /etc/pam.d - and nothing else. Forbid paths. (Bug 1027912 - kukuk) -* pam_cracklib: Fix error in distance algorithm in the 0.9 pam_cracklib - module (Bug 1010142 - toady) -* pam_userdb: applied patch from Paul Walmsley <paul@booyaka.com> - it now indicates whether encrypted or plaintext passwords are stored - in the database needed for pam_userdb (BerliOS - toady) -* pam_group: The module should also ignore PAM_REINITIALIZE_CRED to - avoid spurious errors (from Linux distributors - kukuk) -* pam_cracklib: Clear the entire options structure (from Linux - distributors - kukuk) -* pam_issue: We write a NUL to prompt_tmp[tot_size] later, so make sure - that the destination is part of the allocated block, make do_prompt - static (from Linux distributors - kukuk) -* ldconfig: Only run full ldconfig, if we don't install into a FAKEROOT - environment, else let ldconfig only create the symlinks correct - (from Linux distributors - kukuk) -* pam_unix/pam_pwdb: Use SIG_DFL instead of SIG_IGN for SIGCHLD - (from Linux distributors - kukuk) -* Add most of Steve Grubb's resource leak and other fixes (from - Linux distributors - kukuk) -* doc/Makefile: Don't include .cvsignore files in tar ball (kukuk) -* libpam_misc/misc_conv.c: Differentiate between Ctrl-D and - <Return> (Bug 1032604 - kukuk) -* Make.Rules.in: Add targets for installing man pages for modules - (from 
Linux distributors - kukuk) -* Add pam_xauth module (Bug 436440 - kukuk) -* Add pam_localuser module (Bug 436444 - kukuk) -* Add pam_succeed_if module (from Linux distributors - kukuk) -* configure.in: Fix check for libcrypt (Bug 417704 - kukuk) -* Add the "broken_shadow" argument to pam_unix, for ignoring errors - reading shadow information (from Linux distributors - kukuk) -* Add patches to make PAM modules reentrant (Bug 440107 - kukuk) -* Merge patches from Red Hat (Bug 477000 and other - kukuk) -* Fix pam_rhosts option parsing (Bug 922648 - kukuk) -* Add $ISA support in config files (from Red Hat - kukuk) - -0.77: Mon Sep 23 10:25:42 PDT 2002 - -* documentation support for pdf files was not quite right - - installation was messed up. -* pam_wheel was too aggressive to grant access (in the case of the - 'deny' option you want to pay attention to 'trust'). Fix from - Nalin (Bugs 476951, 476953 - agmorgan) -* account management support for: pam_shells, pam_listfile, pam_wheel - and pam_securetty (+ static module fix for pam_nologin). Patch from - redhat through Harald Welte (Bug 436435 - agmorgan). -* pam_wheel feature from Nalin - can use the module to provide wheel - access to non-root accounts. Also from Nalin, a bugfix related to - the primary group of the applicant is the 'wheel' group. (Bugs - 476980, 476941 - agmorgan) -* pam_unix and pam_pwdb: by default turn off the SIGCHLD handler while - running the helper binary (patch from Nalin) added the "noreap" - module argument to both of these modules to turn off this new - default. Bugfix found by Silvan Minghetti for former module and - 521314 checkin. (Bugs 476963, 521314 - agmorgan). -* updated CHANGELOG and configure.in for 0.77 work. - -0.76: Mon Jul 8 21:44:59 PDT 2002 - -* pam_unix: fix for legacy crypt() support when the password entered - was long. (Bug 521314 - agmorgan). -* pam_access no longer include gethostname() prototype complaint from - David Lee (Bug 415423 - agmorgan). 
-* make pam_nologin more secure by default, added two new module - arguments etc. - acting on suggestion from Nico (Bug 419307 - - agmorgan) -* link in libpam to libpam_misc - since the latter uses functions in - the former it makes some sort of sense to do this (although, in the - static library case, I remain to be convinced). (Bug 565470 - - agmorgan). -* absorbed some of the proposed darwin (OS X) changes from Luke Howard - (of PADL software) - hopefully will get the rest (see Rob Braun's - 534205) by 0.77 (Bug 491466 - agmorgan). -* README fix for pam_unix from Nalin (Bug 476971 - agmorgan). -* add support for building pdf files from the documentation - request - from 'lolive' (Bug 471377 - agmorgan). -* documented the equivalent '[..]' expressions for "required" - etc. Request from Ross Patterson (Bug 529078 - agmorgan). -* '[...]' parsing: document it and also fix it to support '\]' escape - sequence. Feature request from Russell Kliese (Bug 517064 - - agmorgan). -* pam_rootok: compilation warning noted by Tony den Haan wrt no - prototype for strcmp() (Bug 557322 - agmorgan). -* documentation: (a few of mine in passing) and app documentation - suggestions regarding PAM environment variables and module - documentation changes regarding the conversation function from Jenn - Vesperman (Bug 527821, 527965 - agmorgan) -* documentation: pam_time.sgml typo fixed, pam_motd exists now, - correct Red Hat comment about config files (Bugs 554274, 554261, - 554182 - agmorgan) -* pam_limits: added '%' domain for maxlogins limiting, now '*' and @group - have the old meaning (every) and '%' the new one (all) - (Bug 533664 - baggins) -* pam_limits: put not so interesting log messages under debug arg - (Bug 533668 - baggins) -* pam_access: added the 'fieldsep=' argument (Bug 547051 - agmorgan), - made a PAM_RHOST of "" equivalent to NULL (Bug 547521 - agmorgan). 
-* pam_limits: keep well know behaviour of maxlogins default ('*') limit - (Bug 533664 - baggins) -* pam_unix: more from Nalin log password changes (Bug 517743 - agmorgan) -* pam_limits: make it use the priority value specified in config - (bug 530428 - baggins) -* pam_unix: removed broken code in password update code. Report from - Len Lattanzi (Bug 507379 - agmorgan) -* pam_mkhomedir: recurse directories. Patch from Nalin (Bug 476981 - - agmorgan) -* pam_limits can handle negative priority limits now (which can apply - to the superuser too) - based on patch from Nalin. Also cleanup the - error handling that was very sloppy before. Also, courtesy of Berend - De Schouwe get the math right on login counting (Bug 476990, 476987, - 493294 - agmorgan) -* documentation: random typo fixes from Nalin and more stuff from me - (Bug 476949, Tasks 43507, 17426 - agmorgan) -* A Tru64 fix (given other stuff has already resolved this, it - actually just a comment actually) from 'Eddie'. (Bug 418450 - - agmorgan) -* pam_handlers: BSD fix from Dag-Erling Smørgrav and Anton Berezin - (Bug 486063 - agmorgan) -* added the dynamic/* directory to the distribution. If you go in - there after building the rest of the tree, you'll make a pam.so - object that can be used by something like a java runtime with - dlopen. Its not very well tested - caveat emptor. (Bug 232194 - - agmorgan) -* somehow pam_unix has started forcing the user prompt to be "login: ". - This is entirely inapropriate as it overrides PAM_USER_PROMPT. (Bug - 486361 - agmorgan). -* added a static module helper library object includes a few changes - to examples/xsh.c for testing purposes (added a simple shell wrapper - for running xsh with the sandbox libraries), and also modified the - pam_rhosts_auth module to use this new library. (Bug 490938, 409852 - - agmorgan). -* pam_unix: fix 'likeauth' to kill off the memory leak once and for all. 
- (Bug 483959 - vorlon) -* pam_unix: restore handling of 'likeauth' argument to a known working - state; prettify AUTH_RETURN macro; remove redundant argv checks in - pam_sm_setcred() (Bugs 483959, 113596 - vorlon) -* pam_cracklib: another try at implementing similar() from Harald - Welte and Nalin (Bugs 436053, 476957 - agmorgan) -* pam_access: default access.conf file contained a type (console - instead of LOCAL) fix from Nalin (Bug 476934 - agmorgan) -* pam_unix: fixed bizarre memory leak pointed out by Fernando Trias - (Bug 483959 - agmorgan) -* misc string comparison length checking changes from Nalin. Modules - touched, pam_cracklib, pam_listfile, pam_unix, pam_wheel (Bug 476947 - - agmorgan) -* pam_userdb: require that all of typed password matches that in - database report and fix from Vladimir Pastukhov. (Bug 484252 - agmorgan) -* pam_malloc: revived malloc debugging code, now tied to - --enable-memory-debug and added strdup() support (Bug 485454 - agmorgan) -* pam_tally: Nalin's fix for lastlog corruption (Bug 476985 - agmorgan) -* pam_rhosts: Nalin adds support for '+hostname', and zdd fix - compilation warning. (Bug 476986 - agmorgan) -* pam_motd: Nalin fixed compiler warning. (Bug 476938 - agmorgan) -* pam_pwdb: Solar Designer pointed out that there was a problem with - the compatibility support for md5 password hashing. (Bug 460717, - 476961 - agmorgan) -* pam_issue: Nalin found segfaulting problems if the PAM_USER_PROMPT - is unset, found some similar problems with assumptions about - realloc. (Bug 476983 - agmorgan) -* pam_env: 'weichangyang of hotmail' pointed out a wild string with no - valid '\0' was leading to problems with sshd and suggested fix (Bug - 473034 - agmorgan) -* MANDIR cleanup. 
It defaults to /usr/share/man, but can be overridden - using the --enable-mandir ./configure option, similarly for DOCDIR - from Nalin (Bug 476940 - agmorgan) -* pam_filter cleanup (including moving the filter directory) Nalin - and Harald Welte (Bugs 436057, 476970 - agmorgan) -* db3 is now recognized as a libdb candidate (Bug 435764 - agmorgan) -* more changes (extracted from redhat version) courtesy of - Harald Welte (Bugs pam_limits=436061, pam_lastlog=436060, - pam_mkhomedir/pam_env=435991 - agmorgan) -* fix for legacy behavior of pam_setcred and pam_close_session in - the case that pam_authenticate and pam_open_session hadn't been - called - bug report from Seongwan Park. (Bug 468724 - agmorgan) -* some BSD updates and fixes from Mark Murray - including a slightly - more robust conversation function and some minimization of gcc - warnings. (Bugs 449203,463984 - agmorgan) -* verified that the setcred stack didn't suffer from the bug I was - nervous about, add a new module pam_debug to help me test this. - fixed a libpam/pam_dispatch.c instrumentation line that I tripped - over when testing. Also restructured pam_warn to help here (Bug - 424315 - agmorgan). -* pam_unix/support.c: sample use of reentrant NSS function. Not yet active, - because modules do not include _pam_aconf_h! (Bug 440107 - vorlon) -* doc/Makefile changes - use $(mandir) [courtesy Harald Welte] (Bug - 435760) and add some rules to make/delete the draft rfc I've been - working on (Task 17426 - agmorgan) -* pam_modules.sgml: sourceforge has changed its CVS viewing software - (Bug 460491 - agmorgan) -* pam_unix_passwd: got rid of an annoying warning (Bug 461089 - agmorgan) -* configure.in, _pam_aconf.h.in: set the stage for fully reentrant PAM - modules, with some infrastructure to detect getxxbyxx_r() functions - (Bug 440107 - vorlon) -* pam_unix: removed superfluous use of static variables in md5 and bigcrypt - routines, bringing us a step closer to thread-safeness. 
Eliminated - some variable indirection along the way. (Bug 440107 - vorlon) -* pam_tally: remove #include of stdlib.h, which isn't needed by anything - found in this module. Can be readded if we find a real need for it at - a later date. (Bug 436432 - vorlon) -* pam_tally: added an #include (was it really needed?) and made the - pam_tally app install (with more pretty printing and a corrected - Makefile dependency) motivated by a (red hat diff) courtesy of Harald - Welte (Bug 436432 - agmorgan) -* configure.in changes to help support non-Linux environments courtesy - of Scott T. Emery (Bug 422563 - agmorgan) -* made a pam_cracklib enhancement to interpret -ve limits in a - sensible fashion contributed by Werner Puschitz (Bug 413162 - - agmorgan) -* another fix for the latest number of rlimits available to pam_limits - (Bug 424060 - agmorgan) -* removed stale link from pam_pwdb documentation (Bug 433460 - agmorgan) -* pam_appl.sgml change - more discussion of choosing a service name - (Bug 417512 - agmorgan) -* more specific linking requirements for -lndbm for pam_userdb - from - David Lee (Bug 417339 - agmorgan) -* a large number of small changes to make AIX support better (Bug - 416229 - agmorgan) -* $(MAKE) instead of 'make' - from Scott T. Emery (Bug 422144 - - agmorgan) -* c++ header fixes for pam_misc.h and pam_client.h - from Alexandre - Sagala (Bug 420270 - agmorgan) -* pam_access fixes - looks out for trailing '.' - from Carlo Marcelo - Arenas Belon (Bug 419631 - agmorgan) -* don't zero out password strings during pam_unix's password changing - function (Bug 419803 - vorlon) -* propagate some definitions to the _pam_aconf.h file - from David Lee - (Bug 415419 - agmorgan) -* solaris GCC OS_CFLAGS change from David Lee (Bug 415412 - agmorgan) -* added a comment to this CHANGELOG to explain why most of the bugids - used below appear not to be known to sourceforge [try adding 100000 - to the bugid number.] 
(Bug 414943 - agmorgan) -* bumped version numbers and also added support for SONAME defines - that appear not to have survived the great autoconf experiment (Bug - 414669 - agmorgan). - -0.75: Sat Apr 7 23:10:50 PDT 2001 - - ** WARNING ** - -This release contains backwardly incompatible changes to -libpam. Prior versions were buggy - see bugfix for Bug 129775. - - ** WARNING ** - -* made 0.75 release (Bug 414665 - agmorgan) -* pam_pwdb has been removed from the suggested pam.conf template. I've - replaced it with pam_unix. (Bug 227565 - agmorgan) -* pam_limits - Richard M. Yumul reported that "<domain> -" didn't - work, first fix suggested by Werner Puschitz (Bug 404953 - agmorgan) -* Nicolay Pelov suggested a simple fix for freebsd support (Bug 407282 - - agmorgan) -* Michel D'HOOGE submitted documentation fixes (Bug 408961 - agmorgan) -* fix for module linking directions (Bug 133545 - agmorgan) -* fix for glibc-2.2.2 compilation of pam_issue (Bug 133542 - agmorgan) -* fix pam_userdb to make and link both .o files it needs - converse() - wasn't being linked! (Bug 132880 - agmorgan) -* added some sys-admin documentation for the pam_tally module (Bug - 126210 - agmorgan). -* added a link to module examples from the module writers doc (Bug - 131192 - agmorgan). -* fixed a small security hole (more of a user confusion issue) with - the unix and pwdb password helper binaries. The beef is described in - the bug report, but no uid change was possible so no-one should - think they need to issue a security bulletin over this one! (Bug - 112540 - agmorgan) -* pam_lastlog needs to be linked with -lutil, also removed ambiguity - from sysadmin guide regarding this module being a 'session' module - (Bug 131549 - agmorgan). -* pam_cracklib needs to be linked with -lcrypt (old password checking) - (Bug 131601 - agmorgan). -* fixes for static library builds and also the examples when linked - with the debugging build of the libraries. 
(Bug 131783 - agmorgan) -* fixed URL for original RFC to a cached kernel.org file. (Bug 131503 - - agmorgan) -* quoted the $CRACKLIB_DICTPATH test in configure.in (Bug 130130 - - agmorgan). -* improved handling of the setcred/close_session and update chauthtok - stack. *Warning* This is a backwardly incompatable change, but 'more - sane' than before. (Bug 129775 - agmorgan) -* bumped the version number, and added some code to assist in making - documentation releases (Bug 129644 - agmorgan). - -0.74: Sun Jan 21 22:36:08 PST 2001 - -* made 0.74 release (Bug 129642 - agmorgan) -* libpam - cleaned up a few non-static functions to be static and added - support for libpam to enforce things like pam_[gs]et_data() and - AUTHTOK rules for using the API. Also documented pam_[gs]et_item() - a little better including return codes (Bugs 129027, 128576 - - agmorgan). -* pam_access - fixed the non-default config file option (Bug 127561 - - agmorgan) -* pam.8 manual page clarified with respect to the default location for - finding modules, also added some text describing the [...] control - syntax. 
(Bug 127625 - agmorgan) -* md5.h ia64 fixes for pam_unix and pam_pwdb (Bug 127700 - agmorgan) -* removed requirement for c++ from the configure{.in,} files (Bug - 128298 - agmorgan) -* removed subdirectories from man page redirections (124396 - baggins) -* per David Lee, fixed non-POSIX shell command in modules/pam_filter/Makefile - (Bug 126440 - vorlon) -* modify format of pam_unix log messages to include service name - (Bug 126423 - vorlon) -* prevent pam_unix from logging unknown usernames (Bug 126431 - vorlon) -* changed format of pam_unix 'authentication failure' log messages to make - them clearer and more consistent (Bug 126036 - vorlon) -* improved portability of pam_unix by eliminating Linux-specific utmp - defines in PAM_getlogin() (Bug 125704 - vorlon) -* removed static variables from pam_tally (Bug 117434 - agmorgan) -* added copyright message to pam_access module from original logdaemon - sources (Bug 125022 - agmorgan) -* configure.in - removed the GCC -Wtraditional flag (Bug 124923 - agmorgan) -* pam_mail - use PAM_PATH_MAILDIR as the location of mail spool - (Bug 124397 - baggins) -* _pam_aconf.h.in, configure.in - added PAM_PATH_MAILDIR set via - --with-mailspool=dir option (default is _PAM_MAILDIR if defined - in paths.h otherwise /var/spool/mail (Bug 124397 - baggins) -* removed unnecessary CVS Log tags from all over the source - (Bug 124391 - baggins) -* pam_tally - check for PAM_TTY if PAM_RHOST is not set when writing - to faillog (Bug 124394 - baggins) -* use O_NOFOLLOW if available when opening debug log (Bug 124385 - baggins) -* pam_cracklib - removed comments about pam_unix not working with - pam_cracklib, added information about use_authtok parameter - (Bug 124388 - baggins) -* pam_userdb - fixed wrong definition of struct pam_module (was pam_wheel) - (Bug 124386 - baggins) -* fixed example/Makefile include path (Bug 124187, 127563(?) - agmorgan) -* pam_userdb compiles on RH5x. Also removed circular dependency on - configure.in. 
Also bumped revision number to 0.74. (Bug 124136 - - agmorgan) - -0.73: Sat Dec 2 00:04:04 PST 2000 - -* updated documentaion revisions and added 'make release' support - to the top level Makefile (Bug 124132 - agmorgan). -* documented Qmail support in pam_mail (Bug 109219 - baggins) -* add change_uid option to pam_limits, and set real uid only if - this option is present (Bug 124062 - baggins) -* pam_limits - set real uid to the user for who we set limits. - (Bug 123972 - baggins) -* removed static variables from pam_limits (thread safe now). (Bug - 117450 - agmorgan). -* removed static variable from pam_wheel (module should be thread safe - now). (Bug 112906 - agmorgan) -* added support for '/' symbols in pam_time and pam_group config files - (support for modern terminal devices). Fixed infinite loop problem - with '\\[^\n]' in these files. (Bug 116076 - agmorgan) -* avoid potential SIGPIPE when writing to helper binaries with (Bug - 123399 - agmorgan) -* replaced bogus logic in the pam_cracklib module for determining if - the replacement is too similar to the old password (Bug 115055 - - agmorgan) -* added accessconf=<filename> feature to pam_access - request from - Aldrin Martoq and Meelis Roos (Bugs 111927,117240 - agmorgan) -* fix for pam_limit module not dealing with all limits Adam J. 
Richter - (Bug 119554 - agmorgan) -* comment fix describing fail_delay callback in _pam_types.h (Bug - 112646 - agmorgan) -* "likeauth" fix for pam_unix and pam_pwdb which (Bug 113596 - agmorgan) -* fix for pam_unix (support.c) to avoid segfault with NULL password - (Bug 113238 - vorlon) -* fix to pam_unix_passwd: try repeatedly to get a lock on the password - file, instead of failing immediately (Bug 108845 - fix vorlon) -* fix to pam_shells: logged information was not formatted correctly - (extra comma) (Bug 111491 - fix vorlon) -* fix for C++ application support (Bug 111645 - fix agmorgan) -* fix for typo in pam_client.h (Bug 111648 - fix agmorgan) -* removal of -lpam from pam_mkhomedir Makefile (Bug 116380 - fix agmorgan) -* autoconf support [Task ID 15788, Bug ID 108297 - agmorgan with help!] - - bugfix for libpamc.h include file [Bug ID 117476 - agmorgan] - - bugfix for pam_filter.h inclusion [Bug ID 117474 - agmorgan] - -0.72: Mon Dec 13 22:41:11 PST 1999 - -* patches from Debian (Ben Collins): pam_ftp supports event driven - conversations now; pwdb_chkpwd cleanup; pam_warn static compile fix; - user_db compiler warnings removed; debian defs file; pam_mail can - now be used as a session module -* ndbm compilation option for user_db module (fix explained by Richard Khoo) -* pam_cracklib bug fix -* packaging fixes & build from scratch stuff (Konst Bulatnikov & Frodo - Looijaard) -* -ldl appended to the libpam.so compilation make rule. (Charles Seeger) -* Red Hat security patch for pam_pwdb forwarded by Debian! (Ben - Collins. Fix provided by Andrey as it caught the problem earlier in the - code.) -* heuristic to prevent leaking filedescriptors to an agent. [This needs - to be better supported perhaps by an additional libpamc API function?] -* pam_userdb segfault fix from (Ben Collins) -* PAM draft spec extras added at request of 'sen_ml' - -0.71: Sun Nov 7 20:21:19 PST 1999 - -* added -lc to linker pass for pam_nologin module (glibc is weird). 
-* various header changes to lower the number of warnings on glibc - systems (Dan Yefimov) -* merged a bunch of Debian fixes/patches/documentation (Ben Collins) - things touched: libpam (minor); doc/modules/pam_unix.sgml; pam_env - (plus docs); pam_mkhomedir (new module for new home directories on - the fly...); pam_motd (new module); pam_limits (adjust to match - docs); pam_issue (new module + doc) [Some of these were also - submitted by Thorsten Kukuk] -* small hack to lower the number of warnings that pam_client.h was - generating. -* debian and SuSE apparently can use the pam_ftp module, so - removed the obsolete comment about this from the docs. (Thorsten - Kukuk) - -0.70: Fri Oct 8 22:05:30 PDT 1999 - -* bug fix for parsing of value=action tokens in libpam/pam_misc.c was - segfaulting (Jan Rekorajski and independently Matthew Melvin) -* numerous fixes from Thorsten Kukuk (icluding much needed fixes for - bitrot in modules and some documentation) that got included in SuSE 6.2. -* reentrancy issues in pam_unix and pam_cracklib resolved (Jan Rekorajski) -* added hosts_equiv_rootok module option to pam_rhosts module (Tim Berger) -* added comment about 'expose_account' module argument to admin and - module writers' docs (request from Michael K Johnson). -* myriad of bug fixes for libpamc - library now built by default and - works with the biomouse fingerprint scanner agent/module - (distributed separately). - -0.69: Sun Aug 1 20:25:37 PDT 1999 - -* c++ header #ifdef'ing for pam_appl.h (Tuomo Pyhala) -* added pam_userdb module (Cristian Gafton) -* minor documentation changes -* added in revised pam_client library (libpamc). Not installed by - default yet, since the example agent/module combo is not very secure. -* glibc fixes (Thorsten Kukuk, Adam J. 
Richter) - -0.68: Sun Jul 4 23:04:13 PDT 1999 - -* completely new pam_unix module from Jan Rekorajski and Stephen Langasek -* Jan Rekorajski pam_mail - support for Maildir format mailboxes -* Jan Rekorajski pam_cracklib - support for old password comparison -* Jan Rekorajski bug fix for pam_pwdb setcred reusing auth retval -* Andrey's pam_tally patch (lstat -> fstat) -* Robert Milkowski's additional pam_tally patches to **change format of - /var/log/faillog** to one from shadow-utils, add new option "per_user" - for pam_tally module, failure time logging, support for fail_line - field, and support for fail_locktime field with new option - no_lock_time. -* pam_tally: clean up the tally application too. -* Marcin Korzonek added process priority settings to pam_limits (bonus - points for adding to documentation!) -* Andrey's pam_pwdb patch (cleanup + md5 endian fubar fix) -* more binary prompt preparations (make misc conv more compatible with spec) -* modified callback hook for fail delay to be more useful with event - driven applications (changed function prototype - suspect no one - will notice). Documented this in app developer guide. -* documentation for pam_access from Tim Berger -* syntax fixes for the documentation - a long time since I've built it :*( - added some more names to the CREDITS file. - -0.67: Sat Jun 19 14:01:24 PDT 1999 - -* [dropped libpam_client - libpamc will be in the next release and - conforms to the developing spec in doc/specs/draft-morgan-pam.raw. - Sorry if you are keeping a PAM tree in CVS. CVS is a pain for - directories, but this directory was actually not referenced by - anything so the disruption should be light.] -* updates to pam_tally from Tim -* multiple updates from Stephen Langasek to pam_unix -* pam_filter had some trouble compiling (bug report from Sridhar) -* pam_wheel now attempts to identify the wheel group for the local - system instead of blindly assuming it is gid=0. 
In the case that - there is no "wheel" group, we default to assuming gid=0 is what was - meant - former behavior. (courtesy of Sridhar) -* NIS+ changes to pam_unix module from Dmitry O Panov -* hopefully, a fix for redefinition of LOG_AUTHPRIV (bug report Luke - Kenneth Casson Leighton) -* fix for minor typo in pam_wheel documentation (Jacek Kopecky) -* slightly more explanation of the [x=y] pam.conf syntax in the sys - admin guide. - -0.66: Mon Dec 28 20:22:23 PST 1998 <morgan@linux.kernel.org> - -* Started using cvs to keep track of changes to Linux-PAM. This will - likely break some of the automated building stuff (RPMs etc..). -* security bug fix to pam_unix and pam_tally from Andrey. -* modules make file is now more automatic. It should be possible to - unpack an external module in the modules directory and have it automatically - added to the build process. Also added a modules/download-all script - that will make such downloading easier. I'm happy to receive patches to - this file, informing the distribution of places from which to enrich itself. -* removed pam_system_log stuff. Thought about it long and hard: a - bad idea. If libc cannot guarantee a thread safe syslog, it needs - to be fixed and compatibility with other PAM libraries was - unnecessarily strained. -* SAG documentation changes: Seth Chaiklin -* rhosts: problems with NIS lookup failures with the root-uid check. - As a work-around, I've partially eliminated the need for the lookup - by supplying two new arguments: no_uid_check, superuser=<username>. - As a general rule this is more pluggable, since this module might be - used as an authentication scheme for a network service that does not - need root privilege... -* authenticate retval -> setcred for pam_pwdb (likeauth arg). 
-* pam_pwdb event driven support -* non openlog pam_listfile logging -* BUGFIX: close filedescriptor in pam_group and pam_time (Emmanuel Galanos) -* Chris Adams' mailhash change for pam_mail module -* fixed malloc failure check in pam_handlers.c (follow up to comment - by Brad M. Garcia). -* update to _pam_compat.h (Brad M. Garcia) -* support static modules in libpam again (Brad M. Garcia) -* libpam/pam_misc.c for egcs to grok the code (Brad M. Garcia) -* added a solaris-2.5.1 defs file (revived by Derrick J Brashear) -* pam_listfile logs failed attempts -* added a comment (Michael K Johnson pointed it out) about sgml2latex - having a new syntax. I'll make it the change real when I upgrade... -* a little more text to the RFC, spelling fix from William J Buffam. -* minor changes to pam_securetty to accommodate event driven support. - -0.65: Sun Apr 5 22:29:09 PDT 1998 <morgan@linux.kernel.org> - -* added event driven programming extensions to libpam - - added PAM_INCOMPLETE handling to libpam/pam_dispatch.c - - added PAM_CONV_AGAIN which is a new conversation response that - should be mapped to PAM_INCOMPLETE by the module. - - ensured that the pam_get_user() function can resume - - changes to pam_strerror to accommodate above return codes - - clean up _pam_former_state at pam_end() - - ensured that former state is correctly initialized - - added resumption tests to pam_authenticate(), pam_chauthtok() - - added PAM_FAIL_DELAY item for pausing on failure - -* improved _pam_macros.h so that macros can be used as single commands - (Andrey) - -* reimplemented logging to avoid bad interactions with libc. Added - new functions, pam_[,v]system_log() to libpam's API. A programmer - can check for this function's availablility by checking if - HAVE_PAM_SYSTEM_LOG is #defined. - -* removed the reduce conflict from pam_conv1 creation -- I can sleep - again now. :^] - -* made building of static and dynamic libpam separate. 
This is - towards making it possible to build both under Solaris (for Derrick) - -* made USE_CRACKLIB a condition in unix module (Luke Kenneth Casson Leighton) - -* automated (quiet) config installation (Andrey) - -0.64: Thu Feb 19 23:30:24 PST 1998 Andrew Morgan <morgan@linux.kernel.org> - -* miscellaneous patches for building under Solaris (Derrick J Brashear) - -* removed STATIC support from a number of module Makefiles. Notably, - these modules are those that use libpwdb and caused difficulties - satisfying the build process. (Please submit patches to fix this...;) - -* reomved the union for binary packet conversations from - (_pam_types.h). This is now completely implemented in libpam_client. - -* Andrey's patch for working environment variable handling in - sh_secret module. - -* made the libpam_misc conversation function a bit more flexible with - respect to binary conversations. - -* added top level define (DEBUG_REL) for compiling in the form of - a debugging release. I use this on a Red Hat 4.2 system with little - chance of crashing the system as a whole. (Andrey has another - implementation of this -- with a spec file to match..) - -0.63: Wed Jan 28 22:55:30 PST 1998 Andrew Morgan <morgan@linux.kernel.org> - -* added libpam_client "convention" library. This makes explicit the - use of PAM_BINARY_PROMPT. It is a first cut, so don't take it too - seriously yet. Comments/suggestions for improvements are very - welcome. Note, this library does not compile by default. It will - be enabled when it is judged stable. The library comes with two - module/agent pairs and can be used with ssh using a patch available - from my pre-release directory [where you got this file.] 
- -* backward compatibility patch for libpam/pam_handlers.c (PAM_IGNORE - was working with neither "requistie" nor "required") and a DEBUG'ing - compile time bug with pam_dispatch.c (Savochkin Andrey Vladimirovich) - -* minor Makefile change from (Savochkin Andrey Vladimirovich) - -* added pam_afsauth, pam_afspass, pam_restrict, and pam_syslog hooks - (Derrick J Brashear) - -* pam_access use of uname(2) problematic (security problem - highlighted by Olaf Kirch). - -* pam_listfile went a bit crazy reading group membersips (problem - highlighted by Olaf Kirch and patched independently by Cristian - Gafton and Savochkin Andrey Vladimirovich) - -* compatibility hooks for solaris and hpux (Derrick J Brashear) - -* 64 bit Linux/alpha bug fixed in pam_rhosts (Andrew D. Isaacson) - -0.62: Wed Jan 14 14:10:55 PST 1998 Andrew Morgan <morgan@linux.kernel.org> - -* Derrick J Brashear's patches: adds the HP stuff missed in the first - patch; adds SunOS support; adds support for the Solaris native ld - instead of requiring gnu ld. - -* last line of .rhosts file need not contain a newline. (Bug reported by - Thompson Freeman.) - -0.61: Thu Jan 8 22:57:44 PST 1998 Andrew Morgan <morgan@linux.kernel.org> - -* complete rewrite of the "control flag" logic. Formerly, we were - limited to four flags: requisite, required, sufficient, optional. - We can now use these keywords _and_ a great deal more besides. - The extra logic was inspired by Vipin Samar, a preliminary patch was - written by Andy Berkheimer, but I "had some ideas of my own" and - that's what I've actually included. The basic idea is to allow the - admin to custom build a control flag with a series of token=value - pairs inside square brackets. Eg., '[default=die success=ok]' which - is pretty close to a synonym for 'requisite'. I'll try to document it - better in the sys-admin guide but I'm pretty sure it is a change for - the better.... 
If what is in the sys-admin guide is not good enough - for you, just take a look at the source for libpam ;^) - -0.59: Thu Jan 8 22:27:22 PST 1998 Andrew Morgan <morgan@linux.kernel.org> - -* better handling of empty lines in .rhosts file. (Formerly, we asked - the nameserver about them!) Fix from Hugh Daschbach. - -* _broke_some_binary_compatibility_ with previous versions to become - compliant with X/Open's XSSO spec. Specifically, this has been - by changing the prototype for pam_strerror(). - -* altered the convention for the conversation mechanism to agree - with that of Sun. (number of responses 'now=' number of messages - with help from Cristian for finding a bug.. Cristian also found a - nasty speradic segfault bug -- Thanks!) - -* added NIS+ support to pam_unix_* - -* fixed a "regular file checking" problem with the ~/.rhosts sanity - check. Added "privategroup" option to permit group write permission - on the ~/.rhosts file in the case that the group owner has the same - name as the authenticating user. :*) "promiscuous" and "suppress" - were not usable! - -* added glibc compatibility to pam_rhosts_auth (protected __USE_MISC - with #ifndef since my libc already defines it!). - -* Security fix from Savochkin Andrey Vladimirovich with suggested - modification from Olaf Seibert. - -* preC contains mostly code clean-ups and a number of changes to - _pam_macros. - -0.58: whenever - -* pam_getenvlist() has a more robust definition (XSSO) than was previously - thought. It would seem that we no longer need pam_misc_copy_env() - which was there to provide the robustness that pam_getenvlist() - lacked before... - - Accordingly, I have REMOVED the prototype from libpam_misc. (The - function, however, will remain in the library as a wrapper for - legacy apps, but will likely be removed from libpam_misc-1.0.) PLEASE - FIX YOUR APPS *BEFORE* WE GET THERE! - -* Alexy Nogin reported garbage output from pam_env in the case of - a non-existent environment variable. 
- -* 'fixed' pwdb compilation for pam_wheel. Not very cleanly - done.. Mmmm. Should really clean up the entire source tree... - -* added prototypes for mapping functions - - <**WARNING**> - - various constants have had there names changed. Numerical values have - been retained but be aware some source old modules/applications will - need to be fixed before recompilation. - - </**WARNING**> - -* appended documentation to README for pam_rhosts module (Nicolai - Langfeldt). - -* verified X/Open compatibility of header files - note, where we differ - it is at the level of compilation warnings and the use of 'const char *' - instead of 'char *'. Previously, Sun(X/open) have revised their spec - to be more 'const'-ervative in the light of comments from Linux-PAM - development. - -* Ooops! PAM_AUTHTOKEN_REQD should have been PAM_NEW_AUTHTOK_REQD. - - changed: pam_pwdb(pam_unix_acct) (also bug fix for - _shadow_acct_mgmt_exp() return value), pam_stress, - libpam/pam_dispatch, blank, xsh. - -* New: PAM_AUTHTOK_EXPIRED - password has expired. - -* Ooops! PAM_CRED_ESTABLISH (etc.) should have been PAM_ESTABLISH_CRED - etc... (changed - this may break some people's modules - PLEASE TAKE - NOTE!) - changed: pam_group, pam_mail, blank, xsh; module and appl - docs, pam_setcred manual page. - -* renamed internal _pam_handle structure to be pam_handle as per XSSO. - -* added PAM_RADIO_TYPE (for multiple choice input method). Also - added PAM_BINARY_{MSG,PROMPT} (for interaction out of sight of user - - this could be used for RSA type authentication but is currently - just there for experimental purposes). The _BINARY_ types are now - usable with hooks in the libpam_misc conversation function. Still - have to add PAM_RADIO_TYPE. - -* added pam_access module (Alexei Nogin) - -* added documentation for pam_lastlog. 
Also modified the module to - not (by default) print "welcome to your new account" when it cannot - find a utmp entry for the user (you can turn this on with the - "never" argument). - -* small correction to the pam_fail_delay manual page. Either the appl or - the modules header file will prototype this function. - -* added "bigcrypt" (DEC's C2) algorithm(0) to pam_pwdb. (Andy Phillips) - -* *BSD tweaking for various #include's etc. (pam_lastlog, pam_rhosts, - pam_wheel, libpam/pam_handlers). (Michael Smith) - -* added configuration directory $SCONFIGED for module specific - configuration files. - -* added two new "linked" man pages (pam.conf(8) and pam.d(8)) - -* included a reasonable default for /etc/pam.conf (which can be - translated to /etc/pam.d/* files with the pam_conv1 binary) - -* fixed the names of the new configuration files in - conf/pam_conv1/pam_conv.y - -* fixed make check. - -* pam_lastlog fixed to handle UID in virgin part of /var/log/lastlog - (bug report from Ronald Wahl). - -* grammar fix in pam_cracklib - -* segfault avoided in pam_pwdb (getting user). Updating of passwords - that are directed to a "new" database are more robust now (bug noted - by Michael K. Johnson). Added "unix" module argument for migrating - passwords from another database to /etc/passwd. (documentation - updated). Removed "bad username []" warning for empty passwords - - on again if you supply the 'debug' module argument. - -* ctrl-D respected in conversation function (libpam_misc) - -* Removed -DPAM_FAIL_DELAY_ON from top-level Makefile. Nothing in - the distribution uses it. I guess this change happened a while - back, basically I'm trying to make the module parts of the - distribution "source compatible" with the RFC definition of PAM. - This implementation of PAM is a superset of that definition. 
I have - added the following symbols to the Linux-PAM header files: - - PAM_DATA_SILENT (see _pam_types.h) - HAVE_PAM_FAIL_DELAY (see _pam_types.h) - PAM_DATA_REPLACE (see _pam_modules.h) - - Any module (or application) that wants to utilize these features, - should check (#ifdef) for these tokens before using the associated - functionality. (Credit to Michael K. Johnson for pointing out my - earlier omission: not documenting this change :*) - -* first stab at making modules more independent of full library - source. Modules converted: - pam_deny - pam_permit - pam_lastlog - pam_pwdb - -* pam_env.c: #include <errno.h> added to ease GNU libc use. (Michael - K. Johnson) - -* pam_unix_passwd fixes to shadow aging code (Eliot Frank) - -* added README for pam_tally - -0.57: Fri Apr 4 23:00:45 PST 1997 Andrew Morgan <morgan@parc.power.net> - -* added "nodelay" argument to pam_pwdb. This can be used to turn off - the call to pam_fail_delay that takes effect when the user fails to - authenticate themself. - -* added "suppress" argument to pam_rhosts_auth module. This will stop - printing the "rlogin failure message" when the user does not have a - .rhosts file. - -* Extra fixes for FAKEROOT in Makefiles (Savochkin Andrey - Vladimirovich) - -* pam_tally added to tree courtesy of Tim Baverstock - -* pam_rhosts_auth was failing to read NFS mounted .rhosts - files. (Fixed by Peter Allgeyer). Refixed and further enhanced - (netgroups) by Nicolai Langfeldt. [Credit also to G.Wilford for some - changes that were not actually included..] - -* optional (#ifdef PAM_READ_BOTH_CONFS) support for parsing of pam.d/ - AND pam.conf files (Elliot Lee). - -* Added (and signed) Cristian's PGP key. (I've never met him, but I am - convinced the key belongs to the guy that is making the PAM rpms and - also producing libpwdb. Please note, I will not be signing anyone - else's key without a personal introduction..) 
- -* fixed erroneous syslog warning in pam_listfile (Savochkin Andrey - Vladimirovich, whole file reformatted by Cristian) - -* modified pam_securetty to return PAM_IGNORE in the case that the user's - name is not known to the system (was previously, PAM_USER_UNKNOWN). The - Rationale is that pam_securetty's sole purpose is to prevent superuser - login anywhere other than at the console. It is not its concern that the - user is unknown - only that they are _not_ root. Returning - PAM_IGNORE, however, insures that the pam_securetty can never be used to - "authenticate" a non-existent user. (Cristian Gafton with bug report from - Roger Hu) - -* Modified pam_nologin to display the no-login message when the user - is not known. The return value in this case is still PAM_USER_UNKNOWN. - (Bug report from Cristian Gafton) - -* Added NEED_LCKPWD for pam_unix/ This is used to define the locking - functions and should only be turned on if you don't have them in - your libc. - -* tidied up pam_lastlog and pam_pwdb: removed function that was never used. - -* Note for package maintainers: I have added $(FAKEROOT) to the list of - environment variables. This should help greatly when you build PAM - in a subdirectory. I've gone through the tree and tried to make - everything compatible with it. - -* added pam_env (courtesy of Dave Kinchlea) - -* removed pam_passwd+ from the tree. It has not been maintained in a - long time and running a shell script was basically insecure. I've - indicated where you can pick up the source if you want it. - -* #define HAVE_PAM_FAIL_DELAY . Applications can conditionally compile - with this if they want to see if the facility is available. It is - now always available. (corresponding compilation cleanups..) - -* _pam_sanitize() added to pam_misc. It purges the PAM_AUTHTOK and - PAM_OLDAUTHTOK items. (calls replaced in pam_auth and pam_password) - -* pam_rhosts now knows about the '+' entry. 
Since I think this is a - dangerous thing, I have required that the sysadmin supply the - "promiscuous" flag for it in the corresponding configuration file - before it will work. - -* FULL_LINUX_PAM_SOURCE_TREE exported from the top level make file. - If you want to build a module, you can test for this to determine if - it should take its directions from above or supply default locations - for installation. Etc. - -0.56: Sat Feb 15 12:21:01 PST 1997 <morgan@parc.power.net> - -* pam_handlers.c can now interpret the pam.d/ service config tree: - - if /etc/pam.d/ exists /etc/pam.conf is IGNORED - (otherwise /etc/pam.conf is treated as before) - - given /etc/pam.d/ - . config files are named (in lower case) by service-name - . config files have same syntax as /etc/pam.conf except - that the "service-name" field is not present. (there - are thus three manditory fields (and arguments are - optional): - - module-type control-flag module-path optional-args... - - ) - -* included conf/pam_conv1 for converting pam.conf to a pam.d/ version - 1.0 directory tree. This program reads a pam.conf file on the - standard input stream and creates ./pam.d/ (in the local directory) - and fills it with ./pam.d/"service-name" files. - - *> Note: It will fail if ./pam.d/ already exists. - - PLEASE REPORT ANY BUGS WITH THIS CONVERSION PROGRAM... It currently - cannot retain comments from the old conf file, so take care to do this - by hand. Also, please email me with the fix that makes the - shift/reduce conflict go away... - -* Added default module path to libpam for modules (see pam_handlers.c) - it makes use of Makfile defined symbol: DEFAULT_MODULE_PATH which is - inhereted from the defs/* variable $(SECUREDIR). Removed module - paths from the sample pam.conf file as they are no longer needed. - -* pam_pwdb can now verify read protected passwords when it is not run - by root. This is via a helper binary that is setuid root. 
- -* pam_permit now prompts for a username if it is not already determined - -* pam_rhosts now honors "debug" and no longer hardwire's "root" as the - superuser's name. - -* pam_securetty now honors the "debug" flag - -* trouble parsing extra spaces fixed in pam_time and pam_group - -* added Michael K. Johnson's PGP key to the pgp.keys.asc list - -* pam_end->env not being free()'d: fixed - -* manuals relocated to section 3 - -* fixed bug in pam_mail.c, and enhanced to recognize '~' as a prefix - to indicate the $HOME of the user (courtesy David - Kinchlea). *Changed* from a "session" module to an "auth" - module. It cannot be used to authenticate a user, but it can be used - in setting credentials. - -* fixed a stupid bug in pam_warn.. Only PAM_SERVICE was being read :*( - -* pam_radius rewritten to exclusively make use of libpwdb. (minor fix - to Makefile for cleaning up - AGM) - -* pam_limits extended to limit the total number of logins on a system - at any given time. - -* libpam and libpam_misc use $(MAJOR_REL) and $(MINOR_REL) to set their - version numbers [defined in top level makefile] - -* bugfix in sed command in defs/redhat.defs (AGM's fault) - -* The following was related to a possibility of buffer overruns in - the syslogging code: removed fixed length array from syslogging - function in the following modules [capitalized the log identifier - so the sysadmin can "know" these are fixed on the local system], - - pam_ftp, pam_stress, pam_rootok, pam_securetty, - pam_listfile, pam_shells, pam_warn, pam_lastlog - and - pam_unix_passwd (where it was definitely _not_ exploitable) - -0.55: Sat Jan 4 14:43:02 PST 1997, Andrew Morgan <morgan@parc.power.net> - -* added "requisite" control_flag to /etc/pam.conf syntax. [See - Sys. Admin. Guide for explanation] changes to pam_handlers.c - -* completely new handling of garbled pam.conf lines. The modus - operandi now is to assume that any errors in the line are minor. 
- Errors of this sort should *most definitely* lead to the module - failing, however, just ignoring the line (as was the case - previously) can lead to gaping security holes(! Not foreseen by the - RFC). The "motivation" for the RFC's comments about ignoring garbled - lines is present in spirit in the new code: basically a garbled line - is treated like an instance of the pam_deny.so module. - changes to pam_handlers.c and pam_dispatch.c . - -* patched libpam, to (a) call _pam_init_handlers from pam_start() and - (b) to log a text error if there are no modules defined for a given - service when a call to a module is requested. [pam_start() and - pam_dispatch() were changed]. - -* patched pam_securetty to deal with "/dev/" prefix on PAM_TTY item. - -* reorganized the modules/Makefile to include *ALL* modules. It is now - the responsibility of the modules themselves to test whether they can - be compiled locally or not. - -* modified pam_group to add to the getgroups() list rather than overwrite - it. [In the case of "HAVE_LIBPWDB" we use the pwdb_..() calls to - translate the group names.]. Module now pays attention to - PAM_CRED_.. flag(!) - -* identified and removed bugs in field reading code of pam_time and - (thus) pam_group. - -* Cristian's patches to pam_listfile module, corresponding change to - documentation. - -* I've discovered &ero; for sgml! - Added pam_time documentation to the admin guide. - -* added manual pages: pam.8, pam_start.2(=pam_end.2), - pam_authenticate.2, pam_setcred.2, pam_strerror.2, - pam_open_session.2(=pam_close_session.2) and pam_chauthtok.2 . - -* added new modules: - - - pam_mail (tells the user if they have any new mail - and sets their MAIL env variable) - - pam_lastlog (reports on the last time this user called - this module) - -* new module hooks provided. - -* added a timeout feature to the conversation function in - libpam_misc. Documented it in the application developers' guide. 
- -* fixed bug in pam_misc_paste_env() function.. - -* slight modifications to wheel and rhosts writeup. - -* more security issues added to module and application guides. - --- -Things present but not mentioned in previous release (sorry) - -* pam_pwdb module now resets the "last_change" entry before updating a - password. --- - -Sat Nov 30 19:30:20 PST 1996, Andrew Morgan <morgan@parc.power.net> - -* added environment handling to libpam. involved change to _pam_types.h - also added supplementary functions to libpam_misc - -* added pam_radius - Cristian - -* slight speed up for pam_rhosts - -* significantly enhanced sys-admin documentation (8 p -> 41 p in - PostScript). Added to other documentation too. Mostly the changes - in the other docs concern the new PAM-environment support, there is - also some coverage of libpam_misc in the App. Developers' guide. - -* Cristian's patches to pam_limits and pam_pwdb. Fixing bugs. (MORE added) - -* adopted Cristian's _pam_macros.h file to help with common macros and - debugging stuff, gone through tree tidying up debugging lines to use - this [not complete]. - - - for consistency replaced DROP() with _pam_drop() - -* commented memory debugging in top level makefile - -* added the following modules - - - pam_warn log information to syslog(3) about service application - - pam_ftp if user is 'ftp' then set PAM_RUSER/PAM_RHOST with password - (comment about nologin added to last release's notes) - -* modified the pam_listfile module. It now declares a meaningful static - structure name. - -Sun Nov 10 13:26:39 PST 1996, Andrew Morgan <morgan@parc.power.net> - - **PLEASE *RE*AMEND YOUR PERSONAL LINKS** - - -------> http://parc.power.net/morgan/Linux-PAM/index.html <------- - - **PLEASE *RE*AMEND YOUR PERSONAL LINKS** - -A brief summary of what has changed: - -* many modules have been modified to accomodate fixing the pam_get_user() - change. Please take note if you have a module in this distribution. 
- -* pam_unix is now the pam_unix that Red Hat has been using and which - should be fairly well debugged. - - - I've added some #ifdef's to make it compile for me, and also - updated it with respect to the libpam-0.53, so have a look at the - .../modules/pam_unix/Makefile to enable cracklib and shadow features - - ** BECAUSE OF THIS, I cannot guarantee this code works as it ** - ** did for Red Hat. Please test and report any problems. ** - -* the pam_unix of .52 (renamed to pam_pwdb) has been enhanced and made - more flexible with by implementing it with respect to the new - "Password Database Library" see - - http://parc.power.net/morgan/libpwdb/index.html - - modules included in this release that require this library to - function are the following: - - - pam_pwdb (ne pam_unix-0.52 + some enhancements) - - pam_wheel - - pam_limits - - pam_nologin - -* Added some optional code for memory debugging. In order to support - this you have to enable MEMORY_DEBUG in the top level makefile and - also #define MEMORY_DEBUG in your applications when they are compiled. - The extra code resides in libpam (compiled if MEMORY_DEBUG is defined) - and the macros for malloc etc. are to be found at the end of - _pam_types.h - -* used above code to locate two memory leaks in pam_unix module and two - in libpam (pam_handlers.h) - -* pam_get_user() now sets the PAM_USER item. After reading the Sun - manual page again, it was clear that it should do this. Various - modules have been assuming this and now I have modified most of them - to account for this change. Additionally, pam_get_user() is now - located in the module include file; modules are supposed to be the - ones that use it(!) [Note, this is explicitly contrary to the Sun - manual page, but in the spirit of the Linux distribution to date.] - -* replaced -D"LINUX" with -D"LINUX_PAM" as this is more explicit and less - likely to be confused with -D"linux". 
- Also, modified the libpam #include files to behave more like the Sun - ones #ifndef LINUX_PAM. - -* removed <bf/ .. / from documentation titles. This was not giving - politically correct html.. - ------ My vvvvvvvvvvvvvvvvvvv was a long time ago ;*] ----- - -Wed Sep 4 23:57:19 PDT 1996 (Andrew Morgan <morgan@physics.ucla.edu> - -0. Before I begin, Linux-PAM has a new primary distribution site (kindly -donated by Power Net Inc., Los Angeles) - - **PLEASE AMMEND YOUR PERSONAL LINKS** - - -------> http://www.power.net/morgan/Linux-PAM <------- - - **PLEASE AMMEND YOUR PERSONAL LINKS** - -1. I'm hoping to make the next release a bug-fix release... So please find - all the bugs(! ;^) - -2. here are the changes for .52: - -* minor changes to module documentation [Incidently, it is now - available on-line from the WWW page above]. More changes to follow in - the next two releases. PLEASE EMAIL me or the list if there is - anything that isn't clear! - -* completely changed the unix module. Now a single module for all four - management groups (this meant that I could define all functions as - static that were not part of the pam_sm_... scheme. AGM) - - - Shadow support added -PASSWD - Elliot's account management included, and enhanced by Cristian Gafton. - - MD5 password support added by Cristian Gafton. - - maxtries for authentication now enforced. - - Password changing function in pam_unix now works! - Although obviously, I'm not going to *guarantee* it ;^) . - - stole Marek's locking code from the Red Hat unix module. - [ If you like you can #ifdef it in or out ... ] - - You can configure the module more from its Makefile in - 0.52/modules/pam_unix/ - - If you are nervous that it will destroy your /etc/passwd or shadow - files then EDIT the 0.52/modules/pam_unix/pam_unix_pass.-c file. - Here is the warning comment from this file... 
- --------------8<----------------- -/* <WARNING> - * - * Uncomment the following #define if you are paranoid, and do not - * want to risk losing your /etc/passwd or shadow files. - * It works for me (AGM) but there are no guarantees. - * - * </WARNING> - */ -/* #define TMP__FILE */ -------------->8----------------- - - *** If anyone has any trouble, please *say*. Your problem will be - fixed in the next release. Also please feel free to scour the - code for race conditions etc... - -[* The above change requires that you purge your /usr/lib/security - directory of the old pam_unix_XXX.so modules: they will NOT be deleted - with a 'make remove'.] - -* the prototype for the cleanup function supplied to pam_set_data used - to return "int". According to Sun it should be "void". CHANGED. - -* added some definitions for the 'error_status' mask values that are - passed to the cleanup function associated with each - module-data-item. These numbers were needed to keep up with changing - a data item (see for example the code in pam_unix/support.-c that - manages the maximum number of retries so far). Will see what Sun says - (current indications are positive); this may be undone before 1.0 is - released. Here are the definitions (from pam_modules.h). - -#define PAM_DATA_SILENT 0x40000000 /* used to suppress messages... */ -#define PAM_DATA_REPLACE 0x20000000 /* used when replacing a data item */ - -* Changed the .../conf/pam.conf file. It now points to the new - pam_unix module for 'su' and 'passwd' [can get these as SimpleApps -- - I use them for testing. A more extensive selection of applications is - available from Red Hat...] - -* corrected a bug in pam_dispatch. Basically, the problem was that if - all the modules were "sufficient" then the return value for this - function was never set. The net effect was that _pam_dispatch_aux - returned success when all the sufficient modules failed. 
:^( I think - this is the correct fix to a problem that the Red Hat folks had - found... - -sopwith* Removed advisory locking from libpam (thanks for the POSIX patch - goes to Josh Wilmes's, my apologies for not using it in the - end.). Advisory locking did not seem sufficiently secure for libpam. - Thanks to Werner Almesberger for identifying the corresponding "denial - of service attack". :*( - -* related to fix, have introduced a lock file /var/lock/subsys/PAM - that can be used to indicate the system should pay attention to - advisory locking on /etc/pam.conf file. To implement this you need to - define PAM_LOCKING though. (see .52/libpam) - -* modified pam_fail_delay() function. Couldn't find the "not working" - problem indicated by Michael, but modified it to do pseudo-random - delays based on the values indicated by pam_fail_delay() -- the - function "that may eventually go away"... Although Sun is warming to - the idea. - -* new modules include: - - pam_shells - authentication for users with a shell listed in - /etc/shells. Erik Troan <ewt@redhat.com> - - pam_listfile - authentication based on the contents of files. - Set to be more general than the above in the - future. UNTESTED. Elliot Lee <@redhat.com> - [Note, this module compiles with a non-trivial - warning: AGM] - -Thu Aug 8 22:32:15 PDT 1996 (Andrew Morgan <morgan@physics.ucla.edu>) - -* modified makefiles to take more of their installation instructions - from the top level makefile. Desired for integration into the Debian - distribution, and generally a good idea. - -* fixed memory arithmetic in pam_handlers - -- still need to track down why failure to load modules can lead to - authentication succeding.. 
- -* added tags for new modules (smartcards from Alex -- just a promise - at this stage) and a new module from Elliot Lee; pam_securetty - -* I have not had time to smooth out the wrinkles with it, but Alex's - pam_unix modifications are provided in pam_unix-alex (in the modules - directory) they will not be compiled by 'make all' and I can't even - say if they do compile... I will try to look at them for .52 but, in - the mean time please feel free to study/fix/discuss what is there. - -* pam_rhosts module. Removed code for manually setting the ruser - etc. This was not very secure. - -* [remade .ps docs to be in letter format -- my printer complains - about a4] - -Sunday July, 7 12:45:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) - -* No longer accompanying the Linux-PAM release with apps installed. - [Will provide what was here in a separate package.. (soon) -lib Also see http://www.redhat.com/pam for some more (in .rpm form...)] - -* renamed libmisc to libpam_misc. It is currently configured to only compile - the static library. For some strange reason (perhaps someone can - investigate) my Linux 2.0.0 kernel with RedHat 3.0.3 system - segfaults when I compile it to be a dynamic library. The segfault - seems to be inside the call to the ** dl_XXX ** function...!? - - There is a simple flag in the libpam_misc/Makefile to turn on dynamic - compiles. - -* Added a little unofficial code for delay support in libpam (will probably - disappear later..) There is some documentation for it in the pam_modules - doc now. That will obviously go too. - -* rewritten pam_time to use *logic* to specify the stringing together of - users/times/terminals etc.. (what was there before was superficially - logical but basically un-predictable!) - -* added pam_group. Its syntax is almost identical to pam_time but it - has another field added; a list of groups to make the user a member - of if they pass the previous tests. 
It seems to not co-exist too well - with the groups in the /etc/group but I hope to have that fixed by - the next release... - -* minor re-formatting of pam_modules documentation - -* removed ...// since it wasn't being used and didn't look like it - would be! - -GCCSunday 23 22:35:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) - -* The major change is the addition of a new module: pam_time for - restricting access on terminals at given times for indicated users - it comes with its own configuration file /etc/security/time.conf - and the sample file simply restricts 'you' from satisfying the blank - application if they try to use blank from any tty* - -* Small changes include -- altered pam.conf to demonstrate above new module (try typing username: you) -- very minor changes to the docs (pam_appl and pam_modules) - -Saturday June 2 01:40:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) - -*** PLEASE READ THE README, it has changed *** - -* NOTE, 'su' exhibits a "system error", when static linking is - used. This is because the pam_unix_... module currently only has - partial static linking support. This is likely to change on Monday - June 3, when Alex makes his latest version availible. I will include - the updated module in next release. - -changes for .42: - -* modified the way in which libpam/pam_modules.h defines prototypes for - the pam_sm_ functions. Now the module must declare which functions it - is to provide *before* the #include <security/pam_modules.h> line. - (for contrasting examples, see the pam_deny and pam_rootok modules) - This removed the ugly hack of defining functions that are never called - to overcome warnings... This seems much tidier. -insterted* updated the TODO list. (changed mailing list address) -* updated README in .../modules to reflect modifications to static - compliation protocol -* modified the pam_modules documentation to describe this. -* corrected last argument of pam_get_item( ... 
) in - pam_appl/modules.sgml, to "const void **". -* altered GNU GPL's in the documentation, and various other parts of - the distribution. *Please check* that any code you are responsible for - is corrected. -* Added ./Copyright (please check that it is acceptable) -* updated ./README to make current and indicate the new mailing list - address -* have completely rewritten pam_filter. It now runs modular filter - executables (stored in /usr/sbin/pam_filter/) This should make it - trivial for others to write their own filters.. If you want yours - included in the distribution please email the list/me. -* changes to libpam; there was a silly bug with multiple arguments on a - pam.conf line that was broken with a '\<LF>'. -* 'su' rearranged code (to make better use of PAM) - *Also* now uses POSIX signals--this should help the Alpha port. -* 'passwd' now uses getlogin() to determine who's passwords to change. - -Sunday May 26 9:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) - -* fixed module makefiles to create needed dynamic/static subdirectories - -Saturday May 25 20:30:27.8 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) - -* LOTS has changed regarding how the modules/libpam are built. -* Michael's mostly complete changes for static support--see below - (Andrew got a little carried away and automated the static linking - of modules---bugs are likely mine ;( ) -* Thanks mostly to Michael, libpam now compiles without a single warning :^] -* made static modules/library optional. -CFLAGS* added 'make sterile' to top level makefile. This does extraclean and remove -* added Michael and Joseph to documentation credits (and a subsection for - future documentation of static module support in pam_modules.sgml) -* libpam; many changes to makefiles and also automated the inclusion of - static module objects in pam_static.c -* modified modules for automated static/dynamic support. 
Added static & - dynamic subdirectories, as instructed by Michael -* removed an annoying syslog message from pam_filter: "parent exited.." -* updated todo list (anyone know anything about svgalib/X? we probably should - have some support for these...) - -Friday May 24 16:30:15 EDT 1996 (Michael K. Johnson <johnsonm@redhat.com>) - -* Added first (incomplete) cut at static support. - This includes: - . changes in libpam, including a new file, pam_static.c - . changes to modules including exporting struct of function pointers - . static and dynamic linking can be combined - . right now, the only working combinations are just dynamic - linking and dynamic libpam.so with static modules linked - into libpam.so. That's on the list of things to fix... - . modules are built differently depending on whether they - are static or dynamic. Therefore, there are two directories - under each module directory, one for static, and one for - dynamic modules. -* Fixed random brokenness in the Makefiles. [ foo -nt bar ] is - rather redundant in a makefile, for instance. Also, passing - on the command line is broken because it cannot be - overridden in any way (even adding important parts) in lower-level - makefiles. -* Unfortunately, fixing some of the brokenness meant that I used - GNU-specific stuff. However, I *think* that there was GNU-specific - stuff already. And I think that we should just use the GNU - extensions, because any platform that GNU make doesn't port to - easily will be hard to port to anyway. It also won't be likely -passwd to handle autoconf, which was Ted's suggestion for getting - around limitations in standard make... - For now, I suggest that we just use some simple GNU-specific - extensions. - -Monday May 20 22:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) - -* added some text to pam_modules.sgml -* corrected Marek's name in all documentation -* made pam_stress conform to chauthtok conventions -- ie can now request - old password before proceeding. 
-* included Alex's latest unix module -* included Al's + password strength checking module -* included pam_rootok module -* fixed too many bugs in libpam.. all subtly related to the argument lists - or use of syslog. Added more debugging lines here too. -* fixed the pam.conf file -* deleted pam_test module. It is pretty old and basically superceeded - by pam_stress - -Friday May 9 1:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) - -* updated documentaion, added Al Longyear to credits and corrected the - spelling of Jeff's name(!). Most changes to pam.sgml (even added a figure!) -* new module pam_rhosts_auth (from Al Longyear) -* new apps rlogind and ftpd (a patch) from Al. -* modified 'passwd' to not call pam_authenticate (note, none of the - modules respect this convention yet!) -* fixed bug in libpam that caused trouble if the last line of a - pam.conf file ends with a module name and no newline character -* also made more compatable with documentation, in that bad lines in - pam.conf are now ignored rather than causing libpam to return an - error to the app. -* libpam now overwrites the AUTHTOKs when returning from - pam_authenticate and pam_chauthtok calls (as per Sun/RFC too) -* libpam is now installed as libpam.so.XXX in a way that ldconfig can - handle! - - -Wednesday May 1 22:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) - -* removed .../test directory, use .../examples from now on. -* added .../apps directory for fully functional applications - - the apps directory contains directories that actually contain the apps. - the idea is to make application compilation conditional on the presence - of the directory. Note, there are entries in the Makefile for - 'login' and 'ftpd' that are ready for installation... Email me if - you want to reserve a directory name for an application you are - working on... -* similar changes to .../modules makefile [entries for pam_skey and - pam_kerberos created---awaiting the directories.] 
Email me if you - want to register another module... -* minor changes to docs.. Not really worth reprinting them quite yet! - [save the trees] -* added misc_conv to libmisc. it is a generic conversation function - for text based applications. [would be nice to see someone create - an Xlib and/or svgalib version] -* fixed ctrl-z/c bug with pam_filter module [try xsh with the default - pam.conf file] -* added 'required' argument to 'pam_stress' module. -* added a TODO list... other suggestions to the list please. - -Saturday April 7 00:00:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> ) - -* Alex and Marek please note I have altered _pam_auth_unix a little, to - make it get the passwords with the "proper method" (and also fixed it - to not have as many compiler warnings) -* updated the conf/pam.conf file -* added new example application examples/xsh.c (like blank but invokes - /bin/sh) -* Marc's patches for examples/blank.c (and AGM's too) -* fixed stacking of modules in libpam/pam_handlers.c -* fixed RESETing in libpam/pam_item.c -* added new module modules/pam_filter/ to demonstrate the possibility - of inserting an arbitrary filter between the terminal and the - application that could do customized logging etc... (see use of - bin/xsh as defined in conf/pam.conf) - - -Saturday March 16 19:00:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> ) - -These notes are for 0.3 I don't think I've left anything important -out, but I will use emacs 'C-x v a' next time! (Thanks Jeff) - - * not much has changed with the functionality of the Linux-PAM lib - .../libpam - - pam_password calls module twice with different arguments - - added const to some of the function arguments - - added PAM_MAX_MES_ to <security/_pam_types.h> - - was a lot over zealous about purging old passwords... - I have removed much of this from source to make it - more compatible with SUN. - - moved some PAM_... 
tokens to pam_modules.h from _pam_types.h - (no-one should notice) - - * added three modules: pam_permit pam_deny pam_stress - no prizes for guessing what the first two do. The third is - a reasonably complete (functional) module. Is intended for testing - applications with. - - * fixed a few pieces of examples/blank.c so that it works (with - pam_stress) - - * ammended the documentation. Looking better, but suggestions/comments - very welcome! - -Sunday March 10 10:50:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> ) - -These notes are for Linux-PAM release 0.21. They cover what's changed -since I relased 0.2. - - * am now using RCS - * substantially changed ./README - * fixed bug reading \\\n in pam.conf file - * small changes to documentation - * added `blank' application to ./examples (could be viewed as - a `Linux-PAM aware' application template.) - * oops. now including pam_passwd.o and pam_session.o in pamlib.so - * compute md5 checksums for all the source when making a release - - added `make check' and `make RCScheck' to compute md5 checksums - * create a second tar file with all the RCS files in. - * removed the .html and .txt docs, supplying sgml sources instead. - - see README for info on where to get .ps files - -Thursday March 6 0:44:?? PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> ) - -These notes are for Linux-PAM release 0.2. They cover what's changed -since Marc Ewing relased 0.1. - -**** Please note. All of the directories in this release have been modified -**** slightly to conform to the new pamlib. A couple of new directories have -**** been added. As well as some documentation. If some of your code -**** was in the previous release. Feel free to update it, but please -**** try to conform to the new headers and Makefiles. - -* Andrew Morgan (morgan@physics.ucla.edu) is making this release - availible, Marc has been busy...! 
- -* Marc's pam-0.1/lib has been (quietly) enhanced and integrated into - Alex Yurie's collected tree of library and module code - (linux-pam.prop.1.tar.gz). Most of the changes are to do with error - checking. Some more robustness in the reading of the pam.conf file - and the addition of the pam_get_user() function. - -* The pam_*.h files have been reorganized to logically enforce the - separation of modules from applications. [Don't panic! Apart from - changing references of the form - - #include "pam_appl.h" - - to - - #include <security/pam_appl.h> - - The reorganization should be backwardly compatable (ie. a module - written for SUN will be as compatable as it was before with the - previous version ;)~ ] - - (All of the source in this tree now conforms to this scheme...) - - The new reorganization means that modules can be compiled with a - single header, <security/pam_modules.h>, and applications with - <security/pam_appl.h>. - -* I have tried to remove all the compiler warnings from the updated - "pamlib/*.c" files. On my system, (with a slightly modified <dlfcn.h> - email me if it interests you..) there are only two warnings that - remain: they are that ansi does not permit void --> fn ptr - assignment. K&Rv2 doesn't mention this....? As a matter of principle, - if anyone knows how to get rid of that warning... please - tell. Thanks! "-pedantic" - -* you can "make all" as a plain user, but - -* to "make install" you must be root. The include files are placed in - /usr/include/security. The libpam.so library is installed in /usr/lib - and the modules in /usr/lib/security. The two test binaries - are installed in the Linux-PAM-0.2/bin directory and a chance is given to - replace your /etc/pam.conf file with the one in Linux-PAM-0.2/conf. - -* I have included some documentation (pretty preliminary at the -moment) which I have been working on in .../doc . - -I have had a little trouble with the modules, but atleast there are no -segfaults! 
Please try it out and discuss your results... I actually -hope it all works for you. But, Email any bugs/suggestions to the -Linux-PAM list: linux-pam@mit.edu ..... - -Regards, - -Andrew Morgan -(morgan@physics.ucla.edu) - - -Sat Feb 17 17:30:24 EST 1996 (Alexander O. Yuriev alex@bach.cis.temple.edu) - - * conf directory created with example of pam_conf - * stable code from pam_unix is added to modules/pam_unix - * test/test.c now requests username and password and attempts - to perform authentication |
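Review bot: every line of this hunk, through the final Feb 17 1996 entry, is a removal, and the side of the move that adds the file at its new location is not part of this view, so nothing here shows that the history is carried over unchanged. Please confirm that the commit records this as a rename with identical contents (viewing it with rename detection enabled is enough). These entries hold the project's early security-relevant history, for example the pam_dispatch fix where "_pam_dispatch_aux returned success when all the sufficient modules failed", the removal of advisory locking from libpam after the reported "denial of service attack", and the pam_rhosts change that dropped manual setting of ruser. It is also worth checking that any packaging or distribution file list that names CHANGELOG is updated in the same commit, so release tarballs do not fail or silently ship without it.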