Releases: linux-pam/linux-pam

Linux-PAM 1.7.0

24 Oct 11:00

Noteworthy changes in Linux-PAM 1.7.0

  • build: changed build system from autotools to meson.
  • libpam_misc: use ECHOCTL in the terminal input
  • pam_access: support UID and GID in access.conf
  • pam_env: install environment file in vendordir if vendordir is enabled
  • pam_issue: only count class user if logind support is enabled
  • pam_limits: use systemd-logind instead of utmp if logind support is enabled
  • pam_unix: compare password hashes in constant time
  • Multiple minor bug fixes, build fixes, portability fixes,
    documentation improvements, and translation updates.

Linux-PAM 1.6.1

09 Apr 17:36

Noteworthy changes in Linux-PAM 1.6.1

  • build: fail if specified configure options cannot be satisfied.
  • pam_env: fixed --disable-econf --enable-vendordir support.
  • pam_unix: do not warn if password aging is disabled.
  • pam_unix: try to set uid to 0 before unix_chkpwd invocation.
  • pam_unix: allow empty passwords with non-empty hashes.
  • Multiple minor bug fixes, build fixes, portability fixes,
    documentation improvements, and translation updates.

Downloads

Please ignore the so-called "Source code" links provided by GitHub; they are useless.

Linux-PAM 1.6.0

17 Jan 15:17

Noteworthy changes in Linux-PAM 1.6.0

  • Added support of configuration files with arbitrarily long lines.
  • build: fixed build outside of the source tree.
  • libpam: added use of getrandom(2) as a source of randomness if available.
  • libpam: fixed calculation of fail delay with very long delays.
  • libpam: fixed potential infinite recursion with includes.
  • libpam: implemented string to number conversions validation when parsing
    controls in configuration.
  • pam_access: added quiet_log option.
  • pam_access: fixed truncation of very long group names.
  • pam_canonicalize_user: new module to canonicalize user name.
  • pam_echo: fixed file handling to prevent overflows and short reads.
  • pam_env: added support of '' character in environment variable values.
  • pam_exec: allowed expose_authtok for password PAM_TYPE.
  • pam_exec: fixed stack overflow with binary output of programs.
  • pam_faildelay: implemented parameter ranges validation.
  • pam_listfile: changed to treat \r and \n exactly the same in configuration.
  • pam_mkhomedir: hardened directory creation against timing attacks.
    Please note that using *at functions leads to more open file handles
    during creation.
  • pam_namespace: fixed potential local DoS (CVE-2024-22365).
  • pam_nologin: fixed file handling to prevent short reads.
  • pam_pwhistory: helper binary is now built only if SELinux support is enabled.
  • pam_pwhistory: implemented reliable usernames handling when remembering
    passwords.
  • pam_shells: changed to allow shell entries with absolute paths only.
  • pam_succeed_if: fixed treating empty strings as numerical value 0.
  • pam_unix: added support of disabled password aging.
  • pam_unix: synchronized password aging with shadow.
  • pam_unix: implemented string to number conversions validation.
  • pam_unix: fixed truncation of very long user names.
  • pam_unix: corrected rounds retrieval for configured encryption method.
  • pam_unix: implemented reliable usernames handling when remembering passwords.
  • pam_unix: changed to always run the helper to obtain shadow password entries.
  • pam_unix: unix_update helper binary is now built only if SELinux support
    is enabled.
  • pam_unix: added audit support to unix_update helper.
  • pam_userdb: added gdbm support.
  • Multiple minor bug fixes, portability fixes, documentation improvements,
    and translation updates.

Linux-PAM 1.5.3

08 May 21:44

Noteworthy changes in Linux-PAM 1.5.3

  • configure: added options to configure stylesheets.
  • configure: added --enable-logind option to use logind instead of utmp
    in pam_issue and pam_timestamp.
  • pam_modutil_getlogin: changed to use getlogin() from libc instead of parsing utmp.
  • Added libeconf support to pam_env and pam_shells.
  • Added vendor directory support to pam_access, pam_env, pam_group, pam_faillock,
    pam_limits, pam_namespace, pam_pwhistory, pam_sepermit, pam_shells, and pam_time.
  • pam_limits: changed to not fail on missing config files.
  • pam_pwhistory: added conf= option to specify config file location.
  • pam_pwhistory: added file= option to specify password history file location.
  • pam_shells: added shells.d support when libeconf and vendordir are enabled.
  • Deprecated pam_lastlog: this module is no longer built by default because
    it uses utmp, wtmp, btmp and lastlog, but none of them are Y2038 safe,
    even on 64bit architectures.
    pam_lastlog will be removed in one of the next releases, consider using
    pam_lastlog2 (from https://github.com/thkukuk/lastlog2) and/or
    pam_wtmpdb (from https://github.com/thkukuk/wtmpdb) instead.
  • Deprecated _pam_overwrite(), _pam_overwrite_n(), and _pam_drop_reply() macros
    provided by _pam_macros.h; the memory override performed by these macros can
    be optimized out by the compiler and therefore can no longer be relied upon.
  • Multiple minor bug fixes, portability fixes, documentation improvements,
    and translation updates.

Linux-PAM 1.5.2

03 Sep 12:20
v1.5.2

Noteworthy changes in Linux-PAM 1.5.2

  • pam_exec: implemented quiet_log option.
  • pam_mkhomedir: added support of HOME_MODE and UMASK from /etc/login.defs.
  • pam_timestamp: changed hmac algorithm to call openssl instead of the bundled
    sha1 implementation if selected, added option to select
    the hash algorithm to use with HMAC.
  • Added pkgconfig files for provided libraries.
  • Added --with-systemdunitdir configure option to specify systemd unit
    directory.
  • Added --with-misc-conv-bufsize configure option to specify the buffer size
    in libpam_misc's misc_conv() function, raised the default value for this
    parameter from 512 to 4096.
  • Multiple minor bug fixes, portability fixes, documentation improvements,
    and translation updates.

Linux-PAM 1.5.1

25 Nov 18:29
v1.5.1

Noteworthy changes in Linux-PAM 1.5.1

  • pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
    doesn't exist and root password is blank
  • pam_faillock: added nodelay option to not set pam_fail_delay
  • pam_wheel: use pam_modutil_user_in_group to check for the group membership
    with getgrouplist where it is available

Linux-PAM 1.5.0

10 Nov 16:19
v1.5.0

Noteworthy changes in Linux-PAM 1.5.0

  • Multiple minor bug fixes, portability fixes, and documentation improvements.
  • Extended libpam API with pam_modutil_check_user_in_passwd function.
  • configure: added --disable-unix option to disable build of pam_unix module.
  • pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
  • pam_limits: added support for nonewprivs item.
  • pam_motd: read motd files with target user credentials skipping unreadable ones.
  • pam_pwhistory: added a SELinux helper executable.
  • pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
  • pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
  • Removed deprecated pam_cracklib module, use pam_passwdqc (from passwdqc project)
    or pam_pwquality (from libpwquality project) instead.
  • Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead.
  • pam_env: Reading of the user environment is deprecated and will be removed
    at some point in the future.
  • libpam: pam_modutil_drop_priv() now correctly sets the target user's
    supplementary groups, allowing pam_motd to filter messages accordingly.

Linux-PAM 1.4.0

08 Jun 10:50
v1.4.0

Noteworthy changes in Linux-PAM 1.4.0

  • Multiple minor bug fixes and documentation improvements
  • Fixed grammar of messages printed via pam_prompt
  • Added support for a vendor directory and libeconf
  • configure: Added --enable-Werror option to enable -Werror build
  • configure: Allowed disabling documentation through --disable-doc
  • pam_get_authtok_verify: Avoid duplicate password verification
  • pam_cracklib: Fixed parsing of options without arguments
  • pam_env: Changed the default to not read the user .pam_environment file
  • pam_exec: Require a user name to be specified before the command is executed
  • pam_faillock: New module for locking after multiple auth failures
  • pam_group, pam_time: Fixed logical error with multiple ! operators
  • pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session
  • pam_lastlog: Do not log info about failed login if the session was opened
    with PAM_SILENT flag
  • pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs
  • pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize'
    limit
  • pam_mkhomedir: Fixed return value when the user is unknown
  • pam_motd: Export MOTD_SHOWN=pam after showing MOTD
  • pam_motd: Support multiple motd paths specified, with filename overrides
  • pam_namespace: Added a systemd service, which creates the namespaced
    instance parent directories during boot
  • pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
  • pam_selinux: Check unknown object classes or permissions in current policy
  • pam_selinux: Fall back to log to syslog if audit logging fails
  • pam_setquota: New module to set or modify disk quotas on session start
  • pam_shells: Recognize /bin/sh as the default shell
  • pam_succeed_if: Fixed potential override of the default prompt
  • pam_succeed_if: Support lists in group membership checks
  • pam_time: Added conffile= option to specify an alternative configuration file
  • pam_tty_audit: If kernel audit is disabled return PAM_IGNORE
  • pam_umask: Added new 'nousergroups' module argument and allowed specifying
    the default for usergroups at build-time
  • pam_unix: Added 'nullresetok' option to allow resetting blank passwords
  • pam_unix: Report unusable hashes found by checksalt to syslog
  • pam_unix: Return PAM_AUTHINFO_UNAVAIL when shadow entry is unavailable
  • pam_unix: Support for (gost-)yescrypt hashing methods
  • pam_unix: Use bcrypt b-variant when bcrypt is chosen
  • pam_usertype: New module to tell if uid is in login.defs ranges
  • Fixed and documented possible values returned by pam_get_user()
  • Added new API call pam_start_confdir() for special applications that
    cannot use the system-default PAM configuration paths and need to
    explicitly specify another path
  • Deprecated pam_cracklib: this module is no longer built by default and will
    be removed in the next release, use pam_passwdqc (from passwdqc project)
    or pam_pwquality (from libpwquality project) instead
  • Deprecated pam_tally and pam_tally2: these modules are no longer built
    by default and will be removed in the next release, use pam_faillock instead

Release Version 1.3.1

18 May 11:54
v1.3.1
  • pam_motd: add support for a motd.d directory
  • pam_umask: Fix documentation to align with order of loading umask
  • pam_get_user.3: Fix missing word in documentation
  • pam_tally2 --reset: avoid creating a missing tallylog file
  • pam_mkhomedir: Allow creating parent of homedir under /
  • access.conf.5: Add note about spaces around ':'
  • pam.8: Workaround formatting problem
  • pam_unix: Check return value of malloc used for setcred data
  • pam_cracklib: Drop unused prompt macros
  • pam_tty_audit: Support matching users by uid range
  • pam_access: support parsing files in /etc/security/access.d/*.conf
  • pam_localuser: Correct documentation
  • pam_issue: Fix no prompting in parse escape codes mode
  • Unification and cleanup of syslog log levels