1 Linux-PAM NEWS -- history of user-visible changes.
4 * Fix CVE-2015-3238, affected PAM modules are pam_unix and pam_exec
9 * pam_unix: add quiet option
10 * libpam: support alternative configuration files in /usr/lib/pam.d
12 * pam_env: add support for @{HOME} and @{SHELL}
13 * libpam: add grantor field to audit records
14 * libpam: Introduce pam_modutil_sanitize_helper_fds
17 * pam_unix: bug fix for compiling with SELinux, fix crash at login time
22 * pam_exec: add stdout and type= options
23 * pam_tty_audit: add options to control logging of passwords
24 * pam_unix: Read defaults from /etc/login.defs
25 * pam_userdb: Allow modern password hashes
26 * pam_selinux/pam_tally2: Add tty and rhost to audit data
27 * Lot of docu and code fixes
32 * pam_cracklib: Add more checks for weak passwords
33 * pam_lastlog: Never lock out root
34 * Lot of bug fixes and smaller enhancements
38 * pam_env: Fix CVE-2011-3148 and CVE-2011-3149
39 * pam_access: Add hostname resolution cache
40 * Documentation: Improvements/fixes
45 * Add vietnamese translation
46 * pam_namepace: Add new functionality
47 * pam_securetty: Honour console= kernel option, add noconsole option
48 * pam_limits: Add %group syntax, drop change_uid option, add set_all option
49 * Lot of small bug fixes
50 * Lot of compiler warnings fixed
51 * Add support for libtirpc
56 * pam_namespace: Clean environment for childs (CVE-2010-3853)
57 * libpam: New interface to drop/regain privilegs
58 * Drop root privilegs in pam_env, pam_mail and pam_xauth before
59 accessing user files (CVE-2010-3430, CVE-2010-3431)
60 * pam_unix: Add minlen option, change default from 6 to 0
61 * Documentation improvements
62 * Lot of small bug fixes
66 * pam_unix: Add minlen= option
67 * pam_group: Add support for UNIX groups beside netgroups
68 * pam_tally: Document that it is deprecated
69 * pam_rootok: Add support for chauthtok and acct_mgmt
75 * pam_access: Revert netgroup match to original behavior, add new
76 syntax for adding the local hostname to netgroup match
77 * libpam: Add new functions pam_get_authtok_noverify() and
78 pam_get_authtok_verify()
79 * Add sepermit.conf.5 manual page
85 * Documentation updates and fixes
90 * pam_succeed_if: Use provided username
91 * pam_mkhomedir: Fix handling of options
95 * Fixed CVE-2009-0579 (minimum days limit on password change is ignored).
96 * Fix libpam internal config/argument parser
97 * Add optional file locking to pam_tally2
99 * pam_access improvements
100 * Changes in the behavior of the password stack. Results of PRELIM_CHECK
101 are not used for the final run.
105 * Supply hostname of the machine to netgroup match call in pam_access
106 * Make pam_namespace to work safe on child directories of parent directories
108 * Redefine LOCAL keyword of pam_access configuration file
109 * Add support for try_first_pass and use_first_pass to pam_cracklib
110 * Print informative messages for rejected login and add silent and
111 no_log_info options to pam_tally
112 * Add support for passing PAM_AUTHTOK to stdin of helpers from pam_exec
113 * New password quality tests in pam_cracklib
114 * New options for pam_lastlog to show last failed login attempt and
115 to disable lastlog update
116 * New pam_pwhistory module to store last used passwords
117 * New pam_tally2 module similar to pam_tally with wordsize independent
119 * Make libpam not log missing module if its type is prepended with '-'
120 * New pam_timestamp module for authentication based on recent successful
122 * Add blowfish support to pam_unix.
123 * Add support for user specific environment file to pam_env.
124 * Add pam_get_authtok to libpam as Linux-PAM extension.
125 * Rename type option of pam_cracklib to authtok_type.
129 * Small bug fix release
134 * Regression fixed in pam_selinux
135 * Problem with big UIDs fixed in pam_loginuid
140 * Regression fixed in pam_set_item()
146 * Translation updates
151 * New substack directive in config file syntax.
152 * New module pam_tty_audit.so for enabling and disabling tty
154 * New PAM items PAM_XDISPLAY and PAM_XAUTHDATA.
155 * Auditing login denials based by origin (pam_access), time (pam_time),
156 and number of sessions (pam_limits) to the Linux audit subsystem.
157 * Support sha256 and sha512 algorithms in pam_unix when they are supported
159 * New pam_sepermit.so module for allowing/rejecting access based on
161 * Improved functionality of pam_namespace.so module (method flags,
162 namespace.d configuration directory, new options).
163 * Finaly removed deprecated pam_rhosts_auth module.
168 * misc_conv no longer blocks SIGINT; applications that don't want
169 user-interruptable prompts should block SIGINT themselves
170 * Merge fixes from Debian
171 * Fix parser for pam_group and pam_time
176 * Fix a regression in audit code introduced with last release
177 * Fix compiling with --disable-nls
182 * Add translations for ar, ca, da, ru, sv and zu.
183 * Update hungarian translation.
184 * Add support for limits.d directory to pam_limits.
185 * Improve pam_namespace module tobe more useful
186 for MLS, fixed crash with bad config files.
187 * Improve pam_selinux module to be more useful
189 * Add minclass option to pam_cracklib
190 * Add new group syntax to pam_access
195 * Security fix for pam_unix.so (CVE-2007-0003).
200 * Add manual page for pam_unix.so.
201 * Add pam_faildelay module to set pam_fail_delay() value.
202 * Fix possible seg.fault in libpam/pam_set_data().
203 * Cleanup of configure options.
204 * Update hungarian translation, fix german translation.
209 * pam_loginuid: New PAM module.
210 * pam_access, pam_succeed_if: Support passwd and session services.
215 * pam_lastlog: Don't refuse login if lastlog file got lost.
216 * pam_cracklib: Fix a user triggerable crash.
217 * documentation: Regenerate with fixed docbook stylesheet.
222 * Fix bootstrapping problems.
223 * Bug fixes: pam_keyinit, pam_umask
228 * pam_namespace: Code cleanup, add init script to tar archive.
229 * pam_succeed_if: Add support for service match.
230 * Add xtests (to run after installation).
231 * Documentation: Convert sgml guides to XML, unify documentation
232 for PAM functions and modules.
237 * pam_tally: Fix support for large UIDs
238 * Fixed all problems found by Coverity
239 * Add support for Intel C Compiler
240 * Add manual page for pam_mkhomedir, pam_umask, pam_filter,
241 pam_issue, pam_ftp, pam_group, pam_lastlog, pam_listfile,
242 pam_localuser, pam_mail, pam_motd, pam_nologin, pam_permit,
243 pam_rootok, pam_securetty, pam_shells, pam_userdb, pam_warn,
244 pam_time, pam_limits, pam_debug, pam_tally
245 * The libpam memory debug code was removed
246 * pam_keyinit: New module to initialise kernel session keyring.
247 * pam_namespace: New module to configure private namespace for a session.
248 * pam_rhosts: New module which replaces pam_rhosts_auth, now IPv6 capable.
249 * pam_rhosts_auth: This module is now deprecated.
255 * Fix building of static variants of libpam, libpamc and libpam_misc
256 * pam_listfile: Add support for password and session management
257 * pam_exec: New PAM module to execute arbitary commands
258 * Fix building of a static libpam including all PAM modules
259 * New/updated translations for: nl, pt, pl, fi, km, tr, uk, fr
260 * pam_access: Add network(address) / netmask and IPv6 support
261 * Add manual pages for pam_cracklib, pam_deny and pam_access
262 * pam_pwdb: This deprecated module was removed
263 * Manual pages: Major rewrite/cleanup
268 * Fix NULL pointer checks in libpam.so
269 * pam_succeed_if, pam_group, pam_time: Support netgroup matching
270 * New translations for: nb, hu, fi, de, es, fr, it, ja, pt_BR, zh_CN, zh_TW
271 * Audit PAM calls if Linux Audit is available
272 * Compile upperLOWER and unix_chkpwd as PIE binaries
277 * Fix install of PS, PDF, TXT and HTML files
278 * pam_mail: Update README
280 * pam_modutil_getlogin: Fix parsing of PAM_TTY variable
285 * Fix parsing of full path tty name in various modules
286 * pam_xauth: Look for xauth executable in multiple places
287 * pam_unix: Disable user check in unix_chkpwd only if real uid
288 is 0 (CVE-2005-2977). Log failed password check attempt.
289 * pam_env: Support /etc/environment again, but don't treat it as
290 error if it is missing.
291 * pam_userdb: Fix memory leak.
296 * Use autoconf/automake/libtool
297 * Add gettext support
298 * Add translations for cs, de, es, fr, hu, it, ja, nb, pa, pt_BR,
300 * libpam: Remove pam_authenticate_secondary stub
301 * libpam: Add pam_prompt,pam_vprompt,pam_error,pam_verror,pam_info
302 and pam_vinfo functions for use by modules as extension
303 * libpam: Add pam_syslog function for unified syslog messages from
305 * libpam: Moved functions from pammodutil to libpam
306 * pam_umask: New module for setting umask from GECOS field, /etc/login.defs
307 or /etc/default/login
308 * pam_echo: New PAM module for message output
309 * pam_userdb: Fix regression (crash when crypt param not specified)
310 * pam_limits: Fix regression from RLIMIT_NICE support (wrong limit
311 values for other limits are applied)
312 * pam_access: Support for NULL tty - matches ALL and NONE keywords
313 * pam_lastlog: Enable log to wtmp by default. Add "nowtmp" option
314 * pam_radius: This module was removed