Fetching contributors…
Cannot retrieve contributors at this time
321 lines (192 sloc) 9.25 KB
pam_yubico NEWS -- History of user-visible changes. -*- outline -*-
* Version 2.24 (unreleased)
* Version 2.23 (released 2016-06-15)
** Fix an issue where a failure to set permissions was wrongly outputted.
* Version 2.22 (released 2016-05-23)
** Documentation improvements.
** Retain ownership and permission of challenge files (issue #92).
** Make dependency on yubico-c-client 2.15 clearer.
* Version 2.21 (released 2016-02-19)
** Add proxy support for yubico-c-client.
** Check that conv is set before trying to use it
fixes a crash bug with the osx loginwindow.
** Add building of a mac installer.
* Version 2.20 (released 2015-09-22)
** Add cainfo option to allow usage of a cabundle instead of path.
** Support comments in authfile.
** For challenge response with system-wide directory, write the files as root
instead of the user.
* Version 2.19 (released 2015-03-23)
** Add new ldap functionality
ldap_bind_user and ldap_bind_password for authenticated binds
ldap_filter for using subtree search and a filter
ldap_cacertfile to use a specific cacert for ldaps
* Version 2.18 (released 2015-02-12)
** Fix a memory leak of the pam response data.
** Add more tests.
** Add version flag to ykpamcfg.
* Version 2.17 (released 2014-08-26)
** Fix a bug with the 'urllist' parameter where urls would be forgotten.
** Manpages converted to asciidoc.
* Version 2.16 (released 2014-06-10)
** Fix a crashbug with the new parameter 'urllist'
* Version 2.15 (released 2014-04-30)
** Added new parameter 'urllist'
** Added pam_yubico(8) man page.
** Fix memory leak.
** Bump yubico-c-client version requirement to 2.12.
* Version 2.14 (released 2013-09-27)
** Don't install internal header files.
** Don't print debug info when the "debug" parameter is not given.
** Use PBKDF2 to process expected reply for challenge-response mode.
** Fixup memory leaks and leaks of privilege.
** Let return values reflect whether the user wasn't found or other error.
* Version 2.13 (released 2013-03-01)
** Fix a bug in the version check to support major version > 2 (neo).
Patch from
** Give ykpamcfg an option for specifying path.
* Version 2.12 (released 2012-06-15)
** Only use libyubikey when --with-cr is used.
** Set correct permissions on tempfile.
** YubiKey 2.2 contains a bug in challenge-response that makes it output the
same response to all challenges unless HMAC_LT64 is set. Add warnings to
ykpamcfg and a warning through conversate in the pam module. Keys programmed
like this should be reprogrammed with the HMAC_LT64 flag set.
* Version 2.11 (released 2012-02-10)
** Fix crash-bug with challenge-response mode when button press is required,
but button is never pressed. Reported and fixed by
Lingzhu Xiang <>.
** Fix a memset() with wrong size as reported by clang, as well as some
other problems/warnings when building on Mac OS X, thanks to
Clemens Lang <>.
** Add prefix-matching of LDAP fetched values, so you can store the
token-to-user mapping in a multi-value attribute with values like
"yubikey:publicid", "other-token:something" etc. Patch by
Remi Mollon <>.
* Version 2.10 (released 2011-12-14)
** Drop permissions (to the user that is trying to authenticate) before
accessing files in the users home directory. Largely based on a patch by
Ricky Zhou <>. Thanks!
** Restore challenge-response support - version 2.7 was supposed to make
the dependency on libykpers optional, but in reality accidentally
disabled challenge-response for all configurations. As before, use
--without-cr to compile pam_yubico without the ykpers dependency.
* Version 2.9 (released 2011-11-17)
** Security: Explicitly request ykclient to verify server signature.
ykclient <= 2.5 strangely enough defaults to signing requests, but not
verifying signatures in responses when it is supplied with a client key.
Reported and patched by Dominic Rutherford <>.
* Version 2.8 (released 2011-08-26)
** Fix big security hole: Authentication succeeded when no password
was given, unless use_first_pass was being used.
This is fatal if pam_yubico is considered 'sufficient' in the PAM
Reported and patched by Nanakos Chrysostomos <>.
* Version 2.7 (released 2011-06-07)
** Make dependency on libykpers optional.
Use --without-cr to force it. Reported by Jussi Sallinen <>.
* Version 2.6 (released 2011-04-11)
** This release includes lots of patches by members of our open
source community. Thank you all!
** Add Challenge-Response mode for offline validation (requires
YubiKey 2.2). Patch by Tollef Fog Heen.
** Eliminate all problems with pam_get_data by simply getting rid
of that code completely. This seems to have caused problems for a lot
of people.
** Numerous LDAP bug fixes and improvements, including community
patches by judas.iscariote and Change to
LDAPv3, since v2 has been declared historic for a looong time.
** Support passing capath parameter to Yubico validation client.
Patch by Remi Mollon.
** Support public id's longer/shorter than 6 bytes. Patch by
** Convert documentation to Asciidoc format used in Github wiki.
** Try to never log passwords in debug logs.
* Version 2.5 (released 2010-09-10)
** Wiki articles are now inclded in the archive. Same license as code.
Reported by dmitrij.ledkov in Issue #30:
* Version 2.4 (released 2010-09-10)
** New keyword "verbose_otp" to allow displaying OTP characters.
Contributed by qistoph reported in Issue #22:
** Build with -DPAM_DEBUG so that debug file writing works.
Reported by qistoph in Issue #20:
** Make deprecated "ldapserver" work again.
Reported by giovannibajo in Issue #27:
** Fix segmentation fault on 64-bit systems.
Reported by multiple people in Issue #11:
** Don't crash on ^D at su prompt, or generally, on a NULL password value.
* Version 2.3 (released 2010-04-14)
** New keyword "ldap_uri" added.
This keyword is preferred over the old "ldapserver" keyword, and
allows you to specify a complete LDAP URI instead of only the hostname
of your LDAP server. Contributed by Zubrick.
** Improved README.
Contributed by Erinn Looney-Triggs <>.
* Version 2.2 (released 2009-05-11)
** Added new PAM configuration variable "key" for base64 client key.
* Version 2.1 (released 2009-03-31)
** Fix documentation.
** Fix warning.
* Version 2.0 (released 2009-03-25)
** Requires libykclient v2.0 or later.
See <>.
* Version 1.14 (released 2009-03-24)
** Quick release to sync release archive with svn code.
* Version 1.13 (released 2009-03-24)
** Fix parsing of password into OTP/ID/password.
Earlier string handling may have been incorrect for short strings.
** Don't pass integers via pam_set_data/pam_get_data.
May solve problems on 64-bit platforms. Based on patch from
* Version 1.12 (released 2009-03-24)
** Add support for "use_first_pass" and "try_first_pass".
They work similar to other PAM modules, see README for more
Upgrade notice: If you are relying on getting the Yubikey OTP from an
earlier PAM module, and no prompting by the pam_yubico module, you
need to add "try_first_pass" to preserve the same behaviour.
* Version 1.11 (released 2009-02-11)
** Added support to store user:keyid mapping in LDAP.
Contributed by Gregory Brusick <>.
* Version 1.10 (released 2009-01-13)
** Change license to 2-clause BSD.
The Linux-PAM license is unclear, and in any case, the 2-clause BSD
license is compatible with 3-clause BSD and GPL.
* Version 1.9 (released 2009-01-13)
** Solaris portability improvements.
Suggested by Martin Englund <Martin.Englund@Sun.COM>.
* Version 1.8 (released 2008-09-15)
** Add new parameter 'url' to specify the server template URL.
* Version 1.7 (released 2008-09-01)
** Support two-factor mode to provide a password.
** Support a user-specific configuration file to allow yubikeys per user.
** Use libyubikey-client instead of direct use of libcurl.
** Move *.m4's to m4/.
* Version 1.6 (released 2008-01-11)
** First release from repository.
** Clarify documentation with regard to license and development info.
* Version 1.5 (internal release)
** Clarify that license is the same as Linux-PAM (GPLv2 or modified BSD).
This is likely the last internal release, source moving to
* Version 1.4 (internal release)
** Don't free CURL's user agent string before we're done.
** Version 1.3 (internal release)
** Disable echo'ing of password, for FreeRadius.
* Version 1.2 (internal release)
** Added PDF/HTML manual, see yubico-pam.pdf and yubico-pam.html.
** Fixes to use new web service API.
** Add "url" parameter.
** Fix "alwaysok" parameter.
** Fix crash on empty server responses.
** Parse "status" properly.
** Better debug info.
* Version 1.1 (internal release)
** Fix ws-api usage.
** Support "alwaysok".
* Version 1.0 (internal release)
** Initial release.