Noteworthy changes in Linux-PAM 1.5.2
- pam_exec: implemented quiet_log option.
- pam_mkhomedir: added support of HOME_MODE and UMASK from /etc/login.defs.
- pam_timestamp: changed hmac algorithm to call openssl instead of the bundled
sha1 implementation if selected, added option to select
the hash algorithm to use with HMAC.
- Added pkgconfig files for provided libraries.
- Added --with-systemdunitdir configure option to specify systemd unit
directory.
- Added --with-misc-conv-bufsize configure option to specify the buffer size
in libpam_misc's misc_conv() function, raised the default value for this
parameter from 512 to 4096.
- Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
Downloads
Please ignore the so-called "Source code" links provided by GitHub; they are useless.
Noteworthy changes in Linux-PAM 1.5.1
- pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
doesn't exist and root password is blank
- pam_faillock: added nodelay option to not set pam_fail_delay
- pam_wheel: use pam_modutil_user_in_group to check for the group membership
with getgrouplist where it is available
Noteworthy changes in Linux-PAM 1.5.0
- Multiple minor bug fixes, portability fixes, and documentation improvements.
- Extended libpam API with pam_modutil_check_user_in_passwd function.
- configure: added --disable-unix option to disable build of pam_unix module.
- pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
- pam_limits: added support for nonewprivs item.
- pam_motd: read motd files with target user credentials skipping unreadable ones.
- pam_pwhistory: added a SELinux helper executable.
- pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
- pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
- Removed deprecated pam_cracklib module, use pam_passwdqc (from passwdqc project)
or pam_pwquality (from libpwquality project) instead.
- Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead.
- pam_env: Reading of the user environment is deprecated and will be removed
at some point in the future.
- libpam: pam_modutil_drop_priv() now correctly sets the target user's
supplementary groups, allowing pam_motd to filter messages accordingly.
Noteworthy changes in Linux-PAM 1.4.0
- Multiple minor bug fixes and documentation improvements
- Fixed grammar of messages printed via pam_prompt
- Added support for a vendor directory and libeconf
- configure: Added --enable-Werror option to enable -Werror build
- configure: Allowed disabling documentation through --disable-doc
- pam_get_authtok_verify: Avoid duplicate password verification
- pam_cracklib: Fixed parsing of options without arguments
- pam_env: Changed the default to not read the user .pam_environment file
- pam_exec: Require a user name to be specified before the command is executed
- pam_faillock: New module for locking after multiple auth failures
- pam_group, pam_time: Fixed logical error with multiple ! operators
- pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session
- pam_lastlog: Do not log info about failed login if the session was opened
with PAM_SILENT flag
- pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs
- pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize'
limit
- pam_mkhomedir: Fixed return value when the user is unknown
- pam_motd: Export MOTD_SHOWN=pam after showing MOTD
- pam_motd: Support multiple motd paths specified, with filename overrides
- pam_namespace: Added a systemd service, which creates the namespaced
instance parent directories during boot
- pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
- pam_selinux: Check unknown object classes or permissions in current policy
- pam_selinux: Fall back to log to syslog if audit logging fails
- pam_setquota: New module to set or modify disk quotas on session start
- pam_shells: Recognize /bin/sh as the default shell
- pam_succeed_if: Fixed potential override of the default prompt
- pam_succeed_if: Support lists in group membership checks
- pam_time: Added conffile= option to specify an alternative configuration file
- pam_tty_audit: If kernel audit is disabled return PAM_IGNORE
- pam_umask: Added new 'nousergroups' module argument and allowed specifying
the default for usergroups at build-time
- pam_unix: Added 'nullresetok' option to allow resetting blank passwords
- pam_unix: Report unusable hashes found by checksalt to syslog
- pam_unix: Return PAM_AUTHINFO_UNAVAIL when shadow entry is unavailable
- pam_unix: Support for (gost-)yescrypt hashing methods
- pam_unix: Use bcrypt b-variant when bcrypt is chosen
- pam_usertype: New module to tell if uid is in login.defs ranges
- Fixed and documented possible values returned by pam_get_user()
- Added new API call pam_start_confdir() for special applications that
cannot use the system-default PAM configuration paths and need to
explicitly specify another path
- Deprecated pam_cracklib: this module is no longer built by default and will
be removed in the next release, use pam_passwdqc (from passwdqc project)
or pam_pwquality (from libpwquality project) instead
- Deprecated pam_tally and pam_tally2: these modules are no longer built
by default and will be removed in the next release, use pam_faillock instead
Downloads
Please ignore the so-called "Source code" links provided by GitHub; they are useless.
- pam_motd: add support for a motd.d directory
- pam_umask: Fix documentation to align with order of loading umask
- pam_get_user.3: Fix missing word in documentation
- pam_tally2 --reset: avoid creating a missing tallylog file
- pam_mkhomedir: Allow creating parent of homedir under /
- access.conf.5: Add note about spaces around ':'
- pam.8: Workaround formatting problem
- pam_unix: Check return value of malloc used for setcred data
- pam_cracklib: Drop unused prompt macros
- pam_tty_audit: Support matching users by uid range
- pam_access: support parsing files in /etc/security/access.d/*.conf
- pam_localuser: Correct documentation
- pam_issue: Fix no prompting in parse escape codes mode
- Unification and cleanup of syslog log levels