                   User-Visible pam-afs-session Changes

pam-afs-session 1.5 (2007-09-30)

    Free the results of pam_getenvlist and the command-line argument for
    aklog properly.

    Don't de-reference a NULL pointer if memory allocation fails while
    parsing PAM options.  Thanks, Jason D. McCormick.

    Change lib to lib64 on x86_64 Linux to allow for the magical $ISA
    parameter in Red Hat's PAM configuration.  Hopefully this won't cause
    problems elsewhere.

    Fix linker determination when using gcc on HP-UX.

    Add additional debugging output when acquiring or destroying tokens.

pam-afs-session 1.4 (2007-05-10)

    Added the afs_cells configuration option which specifies the list of
    cells in which to get tokens.

    Ported to HP-UX.  HP-UX's PAM libraries do not support a separate
    environment used for the new session, so manipulate the regular
    environment instead.  Thanks to Joe Buehler for the port.

    Document using the module with Mac OS X, now that it's been confirmed
    to work with sshd on that platform.

    Support DESTDIR for make install.

pam-afs-session 1.3 (2007-04-11)

    Add a notokens configuration option which, when set, tells the module
    to only create a PAG and not to try to obtain tokens.  Based on a
    patch from Jason McCormick.

    When forking an external aklog, also close standard input and reopen
    it to /dev/null.  Normal aklog programs won't try to read from
    standard input, but don't connect their standard input to any stray
    file descriptor inherited by the process just in case.

    Make --with-kerberos and --without-libkafs work properly together.

    Improve diagnostics around token acquisition.  Thanks, Jeff Blaine.

pam-afs-session 1.2 (2007-03-24)

    Add support for calling the Heimdal libkafs functions for obtaining
    AFS tokens rather than running an external aklog program.  This
    support is the default if libkafs and the Kerberos v5 functions were
    found at build time and --with-kerberos was passed to configure.

    When retain_after_close is set, don't destroy tokens on DELETE_CRED
    either.  OpenSSH calls this when the session dies.  Thanks to Thomas
    Kula for the patch.

    Don't fail during configure if Kerberos libraries couldn't be found
    unless --with-kerberos was explicitly requested.

    Produce better error messages when Kerberos operations fail.

    Added --without-libkafs to force using the internal AFS syscall
    implementation and not link with libkafs or libkopenafs, even if the
    libraries are available.

    Fix installation of the man page when building outside of the source
    directory.

pam-afs-session 1.1 (2006-12-18)

    Add optional support for linking with the Kerberos libraries and
    obtaining configuration from the system krb5.conf file.

    Add the kdestroy option which, if built with Kerberos support, removes
    the ticket cache after successfully running aklog.

    Actually link with libkafs if we detect it at configure time.

    Fix a bug in reporting unknown options.

pam-afs-session 1.0 (2006-12-06)

    Add --with-afs-headers to configure so that the user doesn't have to
    know the right syntax for setting CPPFLAGS.

    When using gcc, link with -fPIC as well as compiling with it per the
    gcc documentation.

    Add additional configuration information for Solaris.

    Link explicitly against the Kerberos libraries by default when linking
    with libkafs, only relying on transitive shared library dependencies
    when --enable-reduced-depends is passed to configure.  This should not
    be necessary on any of the currently supported platforms but may make
    porting easier to systems with deficient shared library support.

    Support building on Mac OS X.  The resulting module isn't tested and
    may not work.  Thanks, Sebastian Hagedorn.

pam-afs-session 0.3 (2006-11-28)

    Compile in a default path to aklog if configure can find it on the
    path or if told the path with the --with-aklog option.  In this case,
    program is now optional in the PAM configuration.

    Use __func__ instead of __FUNCTION__ and provide a fallback for older
    versions of gcc and for systems that support neither.  Should fix
    compilation issues with Sun's C compiler.

    On platforms where we know the appropriate compiler flags, try to
    build the module so that symbols are resolved within the module in
    preference to any externally available symbols.  Also add the
    hopefully correct compiler flags for Sun's C compiler.

pam-afs-session 0.2 (2006-11-17)

    Add a man page.

    Add a fallback implementation of the AFS system call for platforms
    that use syscall, and add the signal handler protection for the
    k_hasafs probe for those platforms.  The PAM module should now build
    on Solaris without requiring libkafs or libkopenafs.

    Add an always_aklog option saying to always run aklog even if the user
    doesn't appear to have a ticket cache.

    Add an aklog_homedir option saying to pass -p <homedir> to aklog.
    This will obtain tokens in whatever AFS cells are required to access
    the user's home directory and can be used when something more complex
    than obtaining tokens in the local default cell is needed.

    Reopen stdout and stderr to /dev/null before running aklog so that any
    error messages from aklog don't confuse the calling program.

    Log a message if aklog fails, but return PAM_SUCCESS from the module
    whether aklog succeeded or not.  If we fail, the user may be kicked
    out of their session even though AFS tokens may not be necessary and
    only obtained as a convenience.  Obtaining a PAG is still required.

pam-afs-session 0.1 (2006-11-10)

    Initial beta release.

    Supports libkafs and libkopenafs in theory, but only the internal
    syscall layer has been tested.  No man page yet, and the program to
    run to obtain tokens must be specified in the PAM options.
