  125 Russ Allbery	2006-11-28
      We need to retrieve the PAM user into a temporary pointer and then
      strdup it in the account management code as well.

  124 Russ Allbery	2006-11-28
      Release 2.6.

  123 Russ Allbery	2006-11-27
      Update the current porting status and add documentation for Solaris.

  122 Russ Allbery	2006-11-27
      Use __func__ instead of __FUNCTION__ and provide a fallback for older
      versions of gcc and for systems that support neither.  Should fix
      compilation issues with Sun's C compiler.

  121 Russ Allbery	2006-11-27
      Make the PAM module non-executable.

  120 Russ Allbery	2006-11-27
      Pass -shared only to gcc.  Report an error for non-gcc compilers on
      platforms other than Solaris, since we don't know how to create PIC
      code or shared objects there.

  119 Russ Allbery	2006-11-27
      Cast uid_t to int before using it with a %d printf format.

  118 Russ Allbery	2006-11-27
      Solaris requires security/pam_appl.h always be included before
      security/pam_modules.h.

  117 Russ Allbery	2006-11-27
      We now get the PIC flag from configure, so don't add it here.

  116 Russ Allbery	2006-11-27
      On platforms where we know the appropriate compiler flags, try to
      build the module so that symbols are resolved within the module in
      preference to any externally available symbols.  Also add the
      hopefully correct compiler flags for Sun's C compiler.

  115 Russ Allbery	2006-11-27
      Add dependency information.

  114 Russ Allbery	2006-11-27
      Don't assume the pointer set by pam_get_user is usable over the life
      of the PAM module; instead, save a local copy.

  113 Russ Allbery	2006-11-17
      Don't obtain and carry around the PAM service.  We don't actually use
      it now that we're using krb5_verify_init_creds instead of rolling it
      ourselves.

  112 Russ Allbery	2006-11-17
      Don't ask krb5_verify_init_creds to create a new ticket cache for
      us, since we just throw it away.  There still seems to be a memory
      leak somewhere here, but this is at least more correct.

  111 Russ Allbery	2006-11-17
      Fix an incorrect comment for pamk5_credlist_copy.

  110 Russ Allbery	2006-11-17
      Avoid a use of already-freed memory when debugging is enabled.

  109 Russ Allbery	2006-11-17
      Man page is installed in man5, not man8.

  108 Russ Allbery	2006-11-10
      Add maintainer-clean as an alias for maintclean and remove configure as
      well.

  107 Russ Allbery	2006-11-08
      Include security/pam_modules.h for the pam_strerror prototype.

  106 Russ Allbery	2006-11-08
      Comment fix for syslog priorities.

  105 Russ Allbery	2006-11-03
      Release 2.5.

  104 Russ Allbery	2006-11-03
      Add a blurb that I can use in announcements.  Recommend use_authtok for
      the password configuration where cracklib runs first.

  103 Russ Allbery	2006-11-03
      Nothing needs to include com_err.h any more except the MIT compat
      code, since Kerberos error resolution is now done via the compat
      function.

  102 Russ Allbery	2006-11-03
      Be a bit more thorough when checking authorization in
      pam_sm_acct_mgmt.  Re-retrieve the value of user in case the
      application changed it, and if we have a ticket cache (we may not even
      after a successful authentication if no_ccache was specified),
      retrieve the principal from it rather than using the principal from
      the context.

  101 Russ Allbery	2006-11-03
      Fix typo in last news entry.

  100 Russ Allbery	2006-11-03
      Don't free the results of pam_get_item(PAM_AUTHTOK) when one is
      already available when changing passwords.  Thanks, Arne Nordmark.
      
      Override passwords with 0 before freeing them, just out of paranoia
      (and because PAM also does this internally).

   99 Russ Allbery	2006-10-05
      Release 2.4.

   98 Russ Allbery	2006-10-05
      Fix several places where an uninitialized context could have been
      passed into the argument parsing function.

   97 Russ Allbery	2006-10-05
      Cast result lengths to int before using them as field lengths to
      avoid warnings when building with Heimdal.

   96 Russ Allbery	2006-10-05
      Current Heimdal sends the same arguments to the prompter function as
      MIT, so we don't need a compat layer and the current compat layer was
      actually registering an invalid prompting function for Heimdal.

   95 Russ Allbery	2006-10-05
      krb5_get_err_text handles NULL contexts fine, so we can use it to
      report errors in creating a context as well.

   94 Russ Allbery	2006-10-04
      Log an error when an unknown option is passed via the PAM
      configuration.

   93 Russ Allbery	2006-10-04
      Log errors (not just authentication failures) at the LOG_ERR level
      to match (some of) the recommendations of the Linux PAM documentation.

   92 Russ Allbery	2006-10-04
      Clean up additional fallout from the previous change.

   91 Russ Allbery	2006-10-04
      Parse renew_lifetime immediately and always report an error rather than
      deferring time parsing until acquiring tickets.

   90 Russ Allbery	2006-10-04
      Add some additional ideas from reviewing the FreeBSD module.

   89 Russ Allbery	2006-09-08
      Add a missing include.

   88 Russ Allbery	2006-09-08
      Refactor the code to read configuration from krb5.conf to be easier
      to read and understand.

   87 Russ Allbery	2006-09-08
      Check for memory allocation failures when parsing PAM options rather
      than segfaulting.

   86 Russ Allbery	2006-09-08
      Fix compilation problems with Heimdal.  Thanks, Matthijs Mohlmann.

   85 Russ Allbery	2006-09-03
      Release 2.3.

   84 Russ Allbery	2006-09-03
      Fix the interface between the Kerberos prompting function and the
      PAM conversation function on Linux.  Prior to this fix, the PAM module
      would only work on Solaris if Kerberos passed multiple prompts, which
      happens when an account requires a password change.  Solaris and Linux
      PAM implementations expect a different structure of pam_message
      structs in the conversation function; use a workaround to cater to
      both of them.  Based on a patch by Joachim Keltsch.

   83 Russ Allbery	2006-08-29
      Minor comment fixes.

   82 Russ Allbery	2006-08-29
      Implement retain_after_close, which specifies that the PAM module
      should never destroy the user's ticket cache, even on session end.

   81 Russ Allbery	2006-08-29
      Adjust for the differences in Solaris's PAM libraries:  Include
      pam_appl.h everywhere for structure and type definitions, and add
      portability workarounds for the return statuses missing from the
      Solaris implementation.

   80 Russ Allbery	2006-08-28
      Release 2.2.

   79 Russ Allbery	2006-08-28
      Release 2.2.

   78 Russ Allbery	2006-08-26
      Document recent changes.

   77 Russ Allbery	2006-08-26
      Realm handling is now done.  Add a few more things that need doing.

   76 Russ Allbery	2006-08-26
      Don't override the configured realm with the default one before parsing
      options.

   75 Russ Allbery	2006-08-26
      Fix POD typo.

   74 Russ Allbery	2006-08-26
      Check for the existence of krb5_get_init_opt_set_default_flags.

   73 Russ Allbery	2006-08-26
      Allow the user to set the default realm on the PAM option line.  Use that
      both to set the default realm for other operations and when reading
      defaults from the krb5.conf file.
      
      For Heimdal, also set default options from krb5.conf before getting tickets.
      This mostly just duplicates lookups that the PAM module was already doing,
      but it may also pick up configuration from [libdefaults] and [realms] under
      some circumstances and supports all the options that Heimdal supports (even
      if pam_krb5 doesn't handle them specially).

   72 Russ Allbery	2006-08-26
      pamk5_compat_princ_component wasn't used, so remove it.

   71 Russ Allbery	2006-08-26
      Note the fix for Heimdal compatibility.

   70 Russ Allbery	2006-08-26
      Add casts to silence compiler warnings.

   69 Russ Allbery	2006-08-26
      Resolve a couple of implicit declarations of free.

   68 Russ Allbery	2006-08-26
      Spell compat_heimdal.c correctly.

   67 Russ Allbery	2006-08-26
      We now use Autoconf, so remove the item saying to add it.

   66 Russ Allbery	2006-08-26
      Update the build and installation documentation for the new Autoconf-based
      build system.  This should have been in the last release but was missed.

   65 Russ Allbery	2006-08-26
      Rename CHANGES.old so that rsync's default ignore list doesn't bite me.
      Sneak this change into 2.1.

   64 Russ Allbery	2006-08-26
      Release 2.1.

   63 Russ Allbery	2006-08-26
      Redid make dist to use rsync -C.  Added a .cvsignore file to control what
      files rsync distributes.  Updated .bzrignore with all the Autoconf
      droppings.

   62 Russ Allbery	2006-08-26
      Added an Autoconf script to distinguish between Heimdal and MIT Kerberos
      and take care of other portability issues.  Rewrote the Makefile
      accordingly.

   61 Russ Allbery	2006-08-25
      Pass the context in as the first argument to pamk5_compat_get_err_text.

   60 Russ Allbery	2006-08-25
      Call error_message for MIT Kerberos but krb5_get_err_text for Heimdal,
      using the appropriate compat indirection.  (The only exception is that
      we still call error_message for Heimdal if what failed was the creation
      of a context.)
      
      Remove the pamk5_compat_cc_next_cred wrapper.  It wasn't actually used,
      and Heimdal takes its arguments in the same order as MIT and the Heimdal
      compat layer wouldn't compile.
      
      Patches from Matthijs Mohlmann, committed with modifications.

   59 Russ Allbery	2006-08-24
      Ignore the auto-generated CHANGES file.

   58 Russ Allbery	2006-08-24
      Strip off a FILE: prefix from the cache path before creating it in
      case the user set ccache or ccache_dir with a cache type prefix.

   57 Russ Allbery	2006-08-11
      Release 2.0.

   56 Russ Allbery	2006-08-11
      Add a make dist target and ignore the files that it generates.

   55 Russ Allbery	2006-08-11
      Add some notes about the mission of this module and features in the
      Sourceforge module that it isn't going to support.

   54 Russ Allbery	2006-08-11
      Bring the TODO list back in line with reality.

   53 Russ Allbery	2006-08-11
      Move the old ChangeLog to CHANGES.old since we're going to generate a new
      CHANGES file from bzr and since it's not in ChangeLog format.  Add a NEWS
      file with a higher-level overview of interesting changes between versions
      and fill out all the changes that have happened in 2.0.

   52 Russ Allbery	2006-08-07
      Support FILE: prefixes to the ticket cache names.

   51 Russ Allbery	2006-07-29
      Rename the rest of the public functions to avoid stomping on the
      namespace of the application or glibc and running into unfortunate
      conflicts.

   50 Russ Allbery	2006-07-29
      Rename all the credlist functions.  Fix some accidental renamings from
      the context renaming.

   49 Russ Allbery	2006-07-29
      Rename all of the context functions to the pamk5_* namespace.

   48 Russ Allbery	2006-07-29
      Save the authentication credentials during the preliminary password
      change check so that we don't have to reacquire them for the actual
      password change.

   47 Russ Allbery	2006-07-16
      After setting the authentication token, retrieve it from the same storage
      location as we stored it.  Otherwise, password changes prompt twice.

   46 Russ Allbery	2006-07-16
      Call krb5_free_data_contents, not krb5_free_data, on buffers that are
      declared on the stack.

   45 Russ Allbery	2006-07-16
      The sense of the test in the last change was reversed.

   44 Russ Allbery	2006-07-16
      Don't try to verify the ticket cache when authenticating for password
      changes.

   43 Russ Allbery	2006-07-16
      Use strncmp for the options that take arguments.

   42 Russ Allbery	2006-07-16
      If ctx is set to NULL, fetch_context must fail.

   41 Russ Allbery	2006-07-16
      Always exit pam_sm_setcred through the normal exit path and don't free
      the clist unless it's non-NULL.

   40 Russ Allbery	2006-07-16
      Don't assume ctx is non-NULL when checking whether the ticket cache was
      already initialized in pam_sm_setcred.

   39 Russ Allbery	2006-07-16
      Rename the logging functions to avoid conflicting with system functions
      and calling the system error function by mistake.

   38 Russ Allbery	2006-07-16
      renew_lifetime defaults pulled from krb5.conf weren't handled properly.

   37 Russ Allbery	2006-07-16
      Initialize session to NULL in pam_sm_authenticate.

   36 Russ Allbery	2006-07-16
      krb5_appdefault_string has to have a default string; NULL doesn't work.

   35 Russ Allbery	2006-07-16
      Add support for use_authtok, which is like use_first_pass except that it
      won't ever prompt the user, even if no prior module obtained the
      password.
      
      Fix up the return status from password authentication and password
      changing to reduce the number of PAM_SERVICE_ERRs we were returning from
      calls that didn't accept that as a valid return status.

   34 Russ Allbery	2006-07-16
      Use PAM_OLDAUTHTOK to retrieve the user's password if we're changing the
      password rather than PAM_AUTHTOK and save the password back into the same
      place.  Don't always save authentication passwords into PAM_OLDAUTHTOK;
      only do that if we're changing passwords.
      
      Free the passwords retrieved from the user.  We were doing that already
      when obtaining the user's password for authentication, so apparently it
      is safe.
      
      Save the new password when changing passwords into PAM_AUTHTOK if the
      user enters the same password both times.
      
      Implement PAM_PRELIM_CHECK by doing all the steps up to prompting for the
      new password and changing it.  That includes authenticating the user, so
      PAM_PRELIM_CHECK now may prompt.

   33 Russ Allbery	2006-07-12
      Add a version number.

   32 Russ Allbery	2006-07-12
      Ignore the generated man page.

   31 Russ Allbery	2006-07-12
      Rewrite the man page in POD and add documentation for all the new
      configuration options.

   30 Russ Allbery	2006-07-12
      Don't set PAM_KRB5CCNAME if no_ccache is set, and set it after we run
      mkstemp so that it gets set to the correct value.

   29 Russ Allbery	2006-07-12
      If no_ccache is set, don't even create a temporary ticket cache in
      pam_authenticate.

   28 Russ Allbery	2006-07-12
      When checking minimum_uid, use the passed in username rather than
      ctx->name.

   27 Russ Allbery	2006-07-03
      Overhaul the README file and remove additional documentation that's no
      longer interesting.

   26 Russ Allbery	2006-07-03
      Factor out the common code in the MIT and Heimdal prompting functions and
      finish redoing all the code for style and formatting by doing the two
      compat_*.c files.

   25 Russ Allbery	2006-07-03
      Mostly finish cleanup for style and formatting.  Merge all the headers
      together; nothing is really gained from keeping the headers separate for
      context.c and credlist.c.
      
      Still close the cache even if we're not supposed to destroy it on context
      destruction just in case not closing it would leak resources.

   24 Russ Allbery	2006-07-03
      When obtaining the ticket cache name for pam_sm_setcred, never use the
      name of the cache in the existing context.  That's the temporary cache
      created by pam_sm_authenticate.  Instead, fall back on the default ticket
      cache name for reinitialization if KRB5CCNAME isn't set in the
      environment.

   23 Russ Allbery	2006-07-03
      If use_first_pass is set, password changing should never prompt for the
      password and just fail if one wasn't obtained by a previous module.

   22 Russ Allbery	2006-07-02
      Switch to the new logging functions and macros everywhere.  Also fix some
      other style and comment issues.

   21 Russ Allbery	2006-07-02
      Style and formatting cleanup.

   20 Russ Allbery	2006-06-28
      Verify the user's TGT immediately after obtaining it rather than
      deferring to validate_auth, since then we have the krb5_creds handy and
      don't have to dig them back out of the ticket cache.  Don't redo this
      work in the other callers of validate_auth (pam_sm_setcred and
      pam_sm_acct_mgmt); it's properly part of authentication and there isn't
      a need.

   19 Russ Allbery	2006-06-28
      Remove the hand-rolled Kerberos v5 TGT verification and instead call
      krb5_verify_init_creds.

   18 Russ Allbery	2006-06-28
      More reformatting for coding style.

   17 Russ Allbery	2006-06-28
      Add support for minimum_uid, which is like ignore_root but more general.
      Centralize the code to check for ignore_root or minimum_uid.
      
      Reformat the password_auth function for indentation and comment style.

   16 Russ Allbery	2006-06-27
      Remove code that was omitted with #if 0.

   15 Russ Allbery	2006-06-27
      Reformat the code and comment about not freeing the response data to make
      it clearer and remove #if 0 code and a pointless loop.

   14 Russ Allbery	2006-06-27
      Remove the unused Jokostat function.

   13 Russ Allbery	2006-06-27
      Allow ccache, ccache_dir, ignore_k5login, and renew_lifetime to be set
      in krb5.conf as well.
      
      Store all string options as allocated strings.  Use strlen to find the
      offset of the argument to string options in the PAM configuration for
      better maintainability.  Free the allocated strings when freeing the args
      structure.

   12 Russ Allbery	2006-06-27
      Eliminate the global pam_args struct.  Instead, allocate a new pam_args
      struct at each of our entry points and then free it before exiting.

   11 Russ Allbery	2006-06-27
      ENCTYPE_DES_CBC_MD5 was not used in the source, so don't set it here.

   10 Russ Allbery	2006-06-27
      Remove reuse_ccache; nothing actually referenced it.

    9 Russ Allbery	2006-06-27
      Add support for the renew_lifetime option in the PAM configuration, which
      if set specifies the renewable lifetime of obtained tickets.
      
      Alphabetize the option parsing code for easier maintenance.  Explicitly
      initialize to NULL the pointer members of pam_args.

    8 Russ Allbery	2006-06-27
      Add an ignore_k5login option to not check .k5login files but still do the
      krb5_aname_to_localname check, for sites that can't use .k5login files or
      can't allow the system access to users' home directories for some reason.

    7 Russ Allbery	2006-06-27
      Reformat for clarity.  Remove the OpenVision copyright left over from the
      MIT Kerberos code, since that only covered the kadmin interface, and none
      of that code is in the PAM module.

    6 Russ Allbery	2006-06-27
      valid_context is no longer used (it was replaced with validate_auth).

    5 Russ Allbery	2006-06-27
      Get the default values for debug, forwardable, ignore_root, and
      search_k5login out of krb5.conf.  The first two are also used by the
      Red Hat module, so look for the values in the pam section for
      compatibility.  Set up an infrastructure so that we can add further
      defaults from krb5.conf in the future.
      
      Pass a context into parse_args if we have one available so that it
      doesn't have to create its own krb5_context at least some of the time.
      
      Move parse_args into a new options.c source file and out of the support.c
      grab bag.

    4 Russ Allbery	2006-06-27
      In the PAM prompting function, copy the trailing nul at the end of the
      password into the krb5_prompt struct, even though the length set there
      does not include the trailing nul.  This matches the behavior of the
      prompter in the MIT Kerberos library, and something apparently depends
      on finding it.
      
      Add some comments to the prompter, since it's otherwise very difficult
      to follow what's going on.

    3 Russ Allbery	2006-06-27
      The old patches directory is no longer interesting.

    2 Russ Allbery	2006-06-27
      Apply the current Debian patch to 1.2.0.  This includes the following
      changes:
      
        * Only call krb5_kuserok when the account to which we're authenticating
          is a local account to allow use of pam_krb5 for application
          authentication of users without local accounts.  (Closes: #354133)
        * Restructure the code to do user validation after obtaining their
          initial tickets.  This eliminates a lot of confusing special cases and
          deferred checking and makes it easier to audit the code.
        * Don't create the ticket cache until after successful authentication.
          Otherwise, we leave files behind in /tmp.
        * Document what principals libpam_krb5.so looks for in the system keytab
          to do ticket validation.  (Closes: #350556)
      
        * Always use a disk cache for temporary storage of credentials and cope
          with not having module-specific data during pam_sm_setcred by passing
          the cache path in an environment variable.  This is required to cope
          with OpenSSH's technique (when using ChallengeResponseAuthentication)
          of doing PAM authentication in a child process and then opening the
          session in the parent.  (Closes: #339734)
        * Only initialize the ticket cache once no matter how many times setcred
          is called.  Saves duplicate work and works around a bug in xdm, which
          calls setcred repeatedly and discards the environment set by the final
          call.
        * Don't assume we already have a context when changing passwords; passwd
          doesn't work that way.  (Closes: #344003)
        * Fix the test for the new password.  I don't think this would have
          worked at all before.
        * Improve debugging output for password changes.
        * If search_k5login is specified but no .k5login is found, still check
          the user with krb5_kuserok in case there are custom principal mappings
          defined.
        * Handle ignore_root in a cleaner fashion and add support for
          ignore_root on password changes.
        * Document that ccache and ccache_dir must be specified as options to
          the session module.  (Closes: #341926)
        * Document that pam_sm_authenticate and pam_sm_setcred also call
          krb5_kuserok.
      
        * Bug fixes to upstream version (all sent back to the maintainer):
          - Succeed silently in account management if Kerberos wasn't used.
          - Parse ccache_dir correctly.
          - Bring the man page up to date.
          - Link with -z defs to ensure all symbols were found.
        * Readd the ccache option with a better implementation and allow for
          randomization of the filename using mkstemp even if ccache is used.
        * Add search_k5login option to allow authentication based on the
          principals listed in ~/.k5login when the local account name doesn't
          easily map to the Kerberos principal.

    1 Russ Allbery	2006-06-27
      Import of 1.2.0 release from Andres Salomon.

