forked from linux-pam/linux-pam
-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
433 lines (337 loc) · 15.7 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
Linux-PAM NEWS -- history of user-visible changes.
Release 1.5.2
* pam_exec: implemented quiet_log option.
* pam_mkhomedir: added support of HOME_MODE and UMASK from /etc/login.defs.
* pam_timestamp: changed hmac algorithm to call openssl instead of the bundled
sha1 implementation if selected, added option to select
the hash algorithm to use with HMAC.
* Added pkgconfig files for provided libraries.
* Added --with-systemdunitdir configure option to specify systemd unit
directory.
* Added --with-misc-conv-bufsize configure option to specify the buffer size
in libpam_misc's misc_conv() function, raised the default value for this
parameter from 512 to 4096.
* Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
Release 1.5.1
* pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
doesn't exist and root password is blank
* pam_faillock: added nodelay option to not set pam_fail_delay
* pam_wheel: use pam_modutil_user_in_group to check for the group membership
with getgrouplist where it is available
Release 1.5.0
* Multiple minor bug fixes, portability fixes, and documentation improvements.
* Extended libpam API with pam_modutil_check_user_in_passwd function.
* configure: added --disable-unix option to disable build of pam_unix module.
* pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
* pam_limits: added support for nonewprivs item.
* pam_motd: read motd files with target user credentials skipping unreadable ones.
* pam_pwhistory: added a SELinux helper executable.
* pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
* pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
* Removed deprecated pam_cracklib module, use pam_passwdqc (from passwdqc project)
or pam_pwquality (from libpwquality project) instead.
* Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead.
* pam_env: Reading of the user environment is deprecated and will be removed
at some point in the future.
* libpam: pam_modutil_drop_priv() now correctly sets the target user's
supplementary groups, allowing pam_motd to filter messages accordingly
Release 1.4.0
* Multiple minor bug fixes and documentation improvements
* Fixed grammar of messages printed via pam_prompt
* Added support for a vendor directory and libeconf
* configure: Added --enable-Werror option to enable -Werror build
* configure: Allowed disabling documentation through --disable-doc
* pam_get_authtok_verify: Avoid duplicate password verification
* pam_cracklib: Fixed parsing of options without arguments
* pam_env: Changed the default to not read the user .pam_environment file
* pam_exec: Require a user name to be specified before the command is executed
* pam_faillock: New module for locking after multiple auth failures
* pam_group, pam_time: Fixed logical error with multiple ! operators
* pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session
* pam_lastlog: Do not log info about failed login if the session was opened
with PAM_SILENT flag
* pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs
* pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize'
limit
* pam_mkhomedir: Fixed return value when the user is unknown
* pam_motd: Export MOTD_SHOWN=pam after showing MOTD
* pam_motd: Support multiple motd paths specified, with filename overrides
* pam_namespace: Added a systemd service, which creates the namespaced
instance parent directories during boot
* pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
* pam_selinux: Check unknown object classes or permissions in current policy
* pam_selinux: Fall back to log to syslog if audit logging fails
* pam_setquota: New module to set or modify disk quotas on session start
* pam_shells: Recognize /bin/sh as the default shell
* pam_succeed_if: Fixed potential override of the default prompt
* pam_succeed_if: Support lists in group membership checks
* pam_time: Added conffile= option to specify an alternative configuration file
* pam_tty_audit: If kernel audit is disabled return PAM_IGNORE
* pam_umask: Added new 'nousergroups' module argument and allowed specifying
the default for usergroups at build-time
* pam_unix: Added 'nullresetok' option to allow resetting blank passwords
* pam_unix: Report unusable hashes found by checksalt to syslog
* pam_unix: Return PAM_AUTHINFO_UNAVAIL when shadow entry is unavailable
* pam_unix: Support for (gost-)yescrypt hashing methods
* pam_unix: Use bcrypt b-variant when it bcrypt is chosen
* pam_usertype: New module to tell if uid is in login.defs ranges
* Fixed and documented possible values returned by pam_get_user()
* Added new API call pam_start_confdir() for special applications that
cannot use the system-default PAM configuration paths and need to
explicitly specify another path
* Deprecated pam_cracklib: this module is no longer built by default and will
be removed in the next release, use pam_passwdqc (from passwdqc project)
or pam_pwquality (from libpwquality project) instead
* Deprecated pam_tally and pam_tally2: these modules are no longer built
by default and will be removed in the next release, use pam_faillock instead
Release 1.3.1
* pam_motd: add support for a motd.d directory
* pam_umask: Fix documentation to align with order of loading umask
* pam_get_user.3: Fix missing word in documentation
* pam_tally2 --reset: avoid creating a missing tallylog file
* pam_mkhomedir: Allow creating parent of homedir under /
* access.conf.5: Add note about spaces around ':'
* pam.8: Workaround formatting problem
* pam_unix: Check return value of malloc used for setcred data
* pam_cracklib: Drop unused prompt macros
* pam_tty_audit: Support matching users by uid range
* pam_access: support parsing files in /etc/security/access.d/*.conf
* pam_localuser: Correct documentation
* pam_issue: Fix no prompting in parse escape codes mode
* Unification and cleanup of syslog log levels
Release 1.3.0
* Remove of static modules support
* pam_unix: pass_not_set was removed
* Lot of documentation fixes
* Use TI-RPC function calls if we build against libtirpc
* Add support for new, IPv6 enabled libnsl
* Lot of bug fixes
* Use fedora.zanata.org for translations
Release 1.2.1
* Fix CVE-2015-3238, affected PAM modules are pam_unix and pam_exec
Release 1.2.0
* Update documentation
* Update translations
* pam_unix: add quiet option
* libpam: support alternative configuration files in /usr/lib/pam.d
as fallback
* pam_env: add support for @{HOME} and @{SHELL}
* libpam: add grantor field to audit records
* libpam: Introduce pam_modutil_sanitize_helper_fds
Release 1.1.8
* pam_unix: bug fix for compiling with SELinux, fix crash at login time
Release 1.1.7
* Update translations
* pam_exec: add stdout and type= options
* pam_tty_audit: add options to control logging of passwords
* pam_unix: Read defaults from /etc/login.defs
* pam_userdb: Allow modern password hashes
* pam_selinux/pam_tally2: Add tty and rhost to audit data
* Lot of docu and code fixes
Release 1.1.6
* Update translations
* pam_cracklib: Add more checks for weak passwords
* pam_lastlog: Never lock out root
* Lot of bug fixes and smaller enhancements
Release 1.1.5
* pam_env: Fix CVE-2011-3148 and CVE-2011-3149
* pam_access: Add hostname resolution cache
* Documentation: Improvements/fixes
Release 1.1.4
* Add vietnamese translation
* pam_namepace: Add new functionality
* pam_securetty: Honour console= kernel option, add noconsole option
* pam_limits: Add %group syntax, drop change_uid option, add set_all option
* Lot of small bug fixes
* Lot of compiler warnings fixed
* Add support for libtirpc
Release 1.1.3
* pam_namespace: Clean environment for child processes (CVE-2010-3853)
* libpam: New interface to drop/regain privileges
* Drop root privilegs in pam_env, pam_mail and pam_xauth before
accessing user files (CVE-2010-3430, CVE-2010-3431)
* pam_unix: Add minlen option, change default from 6 to 0
* Documentation improvements
* Lot of small bug fixes
Release 1.1.2
* pam_unix: Add minlen= option
* pam_group: Add support for UNIX groups beside netgroups
* pam_tally: Document that it is deprecated
* pam_rootok: Add support for chauthtok and acct_mgmt
* Update translations
Release 1.1.1
* Update translations
* pam_access: Revert netgroup match to original behavior, add new
syntax for adding the local hostname to netgroup match
* libpam: Add new functions pam_get_authtok_noverify() and
pam_get_authtok_verify()
* Add sepermit.conf.5 manual page
* Lot of bug fixes
Release 1.1.0
* Update translations
* Documentation updates and fixes
Release 1.0.92
* Update translations
* pam_succeed_if: Use provided username
* pam_mkhomedir: Fix handling of options
Release 1.0.91
* Fixed CVE-2009-0579 (minimum days limit on password change is ignored).
* Fix libpam internal config/argument parser
* Add optional file locking to pam_tally2
* Update translations
* pam_access improvements
* Changes in the behavior of the password stack. Results of PRELIM_CHECK
are not used for the final run.
Release 1.0.90
* Supply hostname of the machine to netgroup match call in pam_access
* Make pam_namespace to work safe on child directories of parent directories
owned by users
* Redefine LOCAL keyword of pam_access configuration file
* Add support for try_first_pass and use_first_pass to pam_cracklib
* Print informative messages for rejected login and add silent and
no_log_info options to pam_tally
* Add support for passing PAM_AUTHTOK to stdin of helpers from pam_exec
* New password quality tests in pam_cracklib
* New options for pam_lastlog to show last failed login attempt and
to disable lastlog update
* New pam_pwhistory module to store last used passwords
* New pam_tally2 module similar to pam_tally with wordsize independent
tally data format
* Make libpam not log missing module if its type is prepended with '-'
* New pam_timestamp module for authentication based on recent successful
login.
* Add blowfish support to pam_unix.
* Add support for user specific environment file to pam_env.
* Add pam_get_authtok to libpam as Linux-PAM extension.
* Rename type option of pam_cracklib to authtok_type.
Release 1.0.3
* Small bug fix release
Release 1.0.2
* Regression fixed in pam_selinux
* Problem with big UIDs fixed in pam_loginuid
Release 1.0.1
* Regression fixed in pam_set_item()
Release 1.0.0
* Small bug fixes
* Translation updates
Release 0.99.10.0
* New substack directive in config file syntax.
* New module pam_tty_audit.so for enabling and disabling tty
auditing.
* New PAM items PAM_XDISPLAY and PAM_XAUTHDATA.
* Auditing login denials based by origin (pam_access), time (pam_time),
and number of sessions (pam_limits) to the Linux audit subsystem.
* Support sha256 and sha512 algorithms in pam_unix when they are supported
by crypt().
* New pam_sepermit.so module for allowing/rejecting access based on
SELinux mode.
* Improved functionality of pam_namespace.so module (method flags,
namespace.d configuration directory, new options).
* Finally removed deprecated pam_rhosts_auth module.
Release 0.99.9.0
* misc_conv no longer blocks SIGINT; applications that don't want
user-interruptable prompts should block SIGINT themselves
* Merge fixes from Debian
* Fix parser for pam_group and pam_time
Release 0.99.8.1
* Fix a regression in audit code introduced with last release
* Fix compiling with --disable-nls
Release 0.99.8.0
* Add translations for ar, ca, da, ru, sv and zu.
* Update hungarian translation.
* Add support for limits.d directory to pam_limits.
* Improve pam_namespace module tobe more useful
for MLS, fixed crash with bad config files.
* Improve pam_selinux module to be more useful
for MLS.
* Add minclass option to pam_cracklib
* Add new group syntax to pam_access
Release 0.99.7.1
* Security fix for pam_unix.so (CVE-2007-0003).
Release 0.99.7.0
* Add manual page for pam_unix.so.
* Add pam_faildelay module to set pam_fail_delay() value.
* Fix possible seg.fault in libpam/pam_set_data().
* Cleanup of configure options.
* Update hungarian translation, fix german translation.
Release 0.99.6.3
* pam_loginuid: New PAM module.
* pam_access, pam_succeed_if: Support passwd and session services.
Release 0.99.6.2
* pam_lastlog: Don't refuse login if lastlog file got lost.
* pam_cracklib: Fix a user triggerable crash.
* documentation: Regenerate with fixed docbook stylesheet.
Release 0.99.6.1
* Fix bootstrapping problems.
* Bug fixes: pam_keyinit, pam_umask
Release 0.99.6.0
* pam_namespace: Code cleanup, add init script to tar archive.
* pam_succeed_if: Add support for service match.
* Add xtests (to run after installation).
* Documentation: Convert sgml guides to XML, unify documentation
for PAM functions and modules.
Release 0.99.5.0
* pam_tally: Fix support for large UIDs
* Fixed all problems found by Coverity
* Add support for Intel C Compiler
* Add manual page for pam_mkhomedir, pam_umask, pam_filter,
pam_issue, pam_ftp, pam_group, pam_lastlog, pam_listfile,
pam_localuser, pam_mail, pam_motd, pam_nologin, pam_permit,
pam_rootok, pam_securetty, pam_shells, pam_userdb, pam_warn,
pam_time, pam_limits, pam_debug, pam_tally
* The libpam memory debug code was removed
* pam_keyinit: New module to initialise kernel session keyring.
* pam_namespace: New module to configure private namespace for a session.
* pam_rhosts: New module which replaces pam_rhosts_auth, now IPv6 capable.
* pam_rhosts_auth: This module is now deprecated.
Release 0.99.4.0
* Add test suite
* Fix building of static variants of libpam, libpamc and libpam_misc
* pam_listfile: Add support for password and session management
* pam_exec: New PAM module to execute arbitrary commands
* Fix building of a static libpam including all PAM modules
* New/updated translations for: nl, pt, pl, fi, km, tr, uk, fr
* pam_access: Add network(address) / netmask and IPv6 support
* Add manual pages for pam_cracklib, pam_deny and pam_access
* pam_pwdb: This deprecated module was removed
* Manual pages: Major rewrite/cleanup
Release 0.99.3.0
* Fix NULL pointer checks in libpam.so
* pam_succeed_if, pam_group, pam_time: Support netgroup matching
* New translations for: nb, hu, fi, de, es, fr, it, ja, pt_BR, zh_CN, zh_TW
* Audit PAM calls if Linux Audit is available
* Compile upperLOWER and unix_chkpwd as PIE binaries
Release 0.99.2.1
* Fix install of PS, PDF, TXT and HTML files
* pam_mail: Update README
* Use %m consistent
* pam_modutil_getlogin: Fix parsing of PAM_TTY variable
Release 0.99.2.0
* Fix parsing of full path tty name in various modules
* pam_xauth: Look for xauth executable in multiple places
* pam_unix: Disable user check in unix_chkpwd only if real uid
is 0 (CVE-2005-2977). Log failed password check attempt.
* pam_env: Support /etc/environment again, but don't treat it as
error if it is missing.
* pam_userdb: Fix memory leak.
Release 0.99.1.0
* Use autoconf/automake/libtool
* Add gettext support
* Add translations for cs, de, es, fr, hu, it, ja, nb, pa, pt_BR,
pt, zh_CN and zh_TW
* libpam: Remove pam_authenticate_secondary stub
* libpam: Add pam_prompt,pam_vprompt,pam_error,pam_verror,pam_info
and pam_vinfo functions for use by modules as extension
* libpam: Add pam_syslog function for unified syslog messages from
PAM modules
* libpam: Moved functions from pammodutil to libpam
* pam_umask: New module for setting umask from GECOS field, /etc/login.defs
or /etc/default/login
* pam_echo: New PAM module for message output
* pam_userdb: Fix regression (crash when crypt param not specified)
* pam_limits: Fix regression from RLIMIT_NICE support (wrong limit
values for other limits are applied)
* pam_access: Support for NULL tty - matches ALL and NONE keywords
* pam_lastlog: Enable log to wtmp by default. Add "nowtmp" option
* pam_radius: This module was removed