v1.5.2

Noteworthy changes in Linux-PAM 1.5.2

  • pam_exec: implemented quiet_log option.
  • pam_mkhomedir: added support of HOME_MODE and UMASK from /etc/login.defs.
  • pam_timestamp: changed hmac algorithm to call openssl instead of the bundled
    sha1 implementation if selected, added option to select
    the hash algorithm to use with HMAC.
  • Added pkgconfig files for provided libraries.
  • Added --with-systemdunitdir configure option to specify systemd unit
    directory.
  • Added --with-misc-conv-bufsize configure option to specify the buffer size
    in libpam_misc's misc_conv() function, raised the default value for this
    parameter from 512 to 4096.
  • Multiple minor bug fixes, portability fixes, documentation improvements,
    and translation updates.

Downloads

Please ignore the so-called "Source code" links provided by GitHub; they are useless.

v1.5.1

Noteworthy changes in Linux-PAM 1.5.1

  • pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
    doesn't exist and root password is blank
  • pam_faillock: added nodelay option to not set pam_fail_delay
  • pam_wheel: use pam_modutil_user_in_group to check for the group membership
    with getgrouplist where it is available

v1.5.0

Noteworthy changes in Linux-PAM 1.5.0

  • Multiple minor bug fixes, portability fixes, and documentation improvements.
  • Extended libpam API with pam_modutil_check_user_in_passwd function.
  • configure: added --disable-unix option to disable build of pam_unix module.
  • pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
  • pam_limits: added support for nonewprivs item.
  • pam_motd: read motd files with target user credentials skipping unreadable ones.
  • pam_pwhistory: added a SELinux helper executable.
  • pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
  • pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
  • Removed deprecated pam_cracklib module, use pam_passwdqc (from passwdqc project)
    or pam_pwquality (from libpwquality project) instead.
  • Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead.
  • pam_env: Reading of the user environment is deprecated and will be removed
    at some point in the future.
  • libpam: pam_modutil_drop_priv() now correctly sets the target user's
    supplementary groups, allowing pam_motd to filter messages accordingly.

v1.4.0

Noteworthy changes in Linux-PAM 1.4.0

  • Multiple minor bug fixes and documentation improvements
  • Fixed grammar of messages printed via pam_prompt
  • Added support for a vendor directory and libeconf
  • configure: Added --enable-Werror option to enable -Werror build
  • configure: Allowed disabling documentation through --disable-doc
  • pam_get_authtok_verify: Avoid duplicate password verification
  • pam_cracklib: Fixed parsing of options without arguments
  • pam_env: Changed the default to not read the user .pam_environment file
  • pam_exec: Require a user name to be specified before the command is executed
  • pam_faillock: New module for locking after multiple auth failures
  • pam_group, pam_time: Fixed logical error with multiple ! operators
  • pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session
  • pam_lastlog: Do not log info about failed login if the session was opened
    with PAM_SILENT flag
  • pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs
  • pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize'
    limit
  • pam_mkhomedir: Fixed return value when the user is unknown
  • pam_motd: Export MOTD_SHOWN=pam after showing MOTD
  • pam_motd: Support multiple motd paths specified, with filename overrides
  • pam_namespace: Added a systemd service, which creates the namespaced
    instance parent directories during boot
  • pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
  • pam_selinux: Check unknown object classes or permissions in current policy
  • pam_selinux: Fall back to log to syslog if audit logging fails
  • pam_setquota: New module to set or modify disk quotas on session start
  • pam_shells: Recognize /bin/sh as the default shell
  • pam_succeed_if: Fixed potential override of the default prompt
  • pam_succeed_if: Support lists in group membership checks
  • pam_time: Added conffile= option to specify an alternative configuration file
  • pam_tty_audit: If kernel audit is disabled return PAM_IGNORE
  • pam_umask: Added new 'nousergroups' module argument and allowed specifying
    the default for usergroups at build-time
  • pam_unix: Added 'nullresetok' option to allow resetting blank passwords
  • pam_unix: Report unusable hashes found by checksalt to syslog
  • pam_unix: Return PAM_AUTHINFO_UNAVAIL when shadow entry is unavailable
  • pam_unix: Support for (gost-)yescrypt hashing methods
  • pam_unix: Use bcrypt b-variant when bcrypt is chosen
  • pam_usertype: New module to tell if uid is in login.defs ranges
  • Fixed and documented possible values returned by pam_get_user()
  • Added new API call pam_start_confdir() for special applications that
    cannot use the system-default PAM configuration paths and need to
    explicitly specify another path
  • Deprecated pam_cracklib: this module is no longer built by default and will
    be removed in the next release, use pam_passwdqc (from passwdqc project)
    or pam_pwquality (from libpwquality project) instead
  • Deprecated pam_tally and pam_tally2: these modules are no longer built
    by default and will be removed in the next release, use pam_faillock instead

v1.3.1
  • pam_motd: add support for a motd.d directory
  • pam_umask: Fix documentation to align with order of loading umask
  • pam_get_user.3: Fix missing word in documentation
  • pam_tally2 --reset: avoid creating a missing tallylog file
  • pam_mkhomedir: Allow creating parent of homedir under /
  • access.conf.5: Add note about spaces around ':'
  • pam.8: Workaround formatting problem
  • pam_unix: Check return value of malloc used for setcred data
  • pam_cracklib: Drop unused prompt macros
  • pam_tty_audit: Support matching users by uid range
  • pam_access: support parsing files in /etc/security/access.d/*.conf
  • pam_localuser: Correct documentation
  • pam_issue: Fix no prompting in parse escape codes mode
  • Unification and cleanup of syslog log levels