summaryrefslogtreecommitdiffabout
path: root/NEWS
blob: b2d04c133b74d2b566253082a9139d4e9a641cae (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
pam-modules -- history of user-visible changes. 2018-08-13
See the end of file for copying conditions.

Please send pam-modules bug reports to <bug-pam-modules@gnu.org.ua>

Version 2.3.1, 2018-08-13

* Add missing symbol

pam_innetgr lacked to define the pam_sm_setcred


Version 2.3, 2018-08-12

* New module pam_innetgr

This module checks if the current hostname and the name of the user
trying to log in are mentioned in a triple of the specified NIS
netgroup.

* The ldappubkey utility imporoved.

The PublicKeyAttribute setting accepts a whitespace-separated list of
attribute names.

The new setting PublicKeyFilter can be used to supply a LDAP filter
expression to use in place of the default.


Version 2.2, 2018-01-02

* Improve pam_fshadow

This release allows the user to use arbitrary group numbers for
username and domain parts.

New options username-index and domain-index are used to indicate
indices of the parenthesized groups used to extract the user and
the domain name. The default corresponds to 'user-index=1 domain-index=1'.

Additionally, the behavior in case if the user name doesn't match the
regexp is changed. Previous versions would fall back to plain
authentication. The new behavior is to reject access.

Version 2.1, 2015-08-04

Fix documentation.


Version 2.0, 2015-02-26

* pam_ldaphome reads LDAP configuration from /etc/ldap.conf

This is in addition to its regular configuration file.

* pam_ldaphome runs inirc-command with user privileges

To run the command with root privileges, the configuration
variable initrc-root must be set to true.

* New pam_ldaphome variable: user-keys-boundary

User key files can contain both keys managed by pam_ldaphome and
added by the user.  These two groups of keys must be separated by
a special comment line, which informs pam_ldaphome that all keys
below it must be retained.

This feature is enabled by the user-keys-boundary configuration
setting.  Its value defines a string which, when used  after a
'#' character, forms the delimiting comment.  E.g. if the
configuration file contains:

  user-keys-boundary :user

then the line '#:user' can be used to delimit ldap-synchronized
and user-specific keys.

* audit option

All modules now support 'audit' option, which is equivalent to
debug=100, i.e. it enables logging maximum debugging output.

* pam_fshadow is built on all systems


Version 1.9, 2014-05-21

* New module pam_groupmember

Tests whether the user is a member of one or more groups.

* pam_ldaphome can invoke an external program

An external program defined with the inirc-command keyword is run
in the newly created user's home directory.  It can be used for
per-user customization of the files copied from the skeleton dir.

The examples directory contains a perl program "usergitconfig", which,
when used as inirc-command, initializes the user's .gitconfig file.

* New auxiliary utilities

** ldappubkey

The `ldappubkey' utility is a simple Perl program which takes user
login name as its argument and produces on the standard output public
ssh keys for that user, each on a separate line.  The program is
designed for use with `openssh' version 6.2p1 or higher.

** usergitconfig

Customizes user's `.gitconfig' file using attributes from his LDAP
entry.  This utility can be used with the initrc-command statement
in pam_ldaphome.conf file.

* Bugfixes


Version 1.8, 2013-07-29

* pam_ldaphome

This module creates the user home directory, if it does not
already exist, and updates his `.ssh/authorized_keys' file with the
keys from the LDAP database.

* pam_umotd

Pam_umotd displays a user-specific message of the day.  The text can
be taken either from a disk file, or read from the standard output of
a program launched for that purpose.  This module is Linux-specific.

* Bugfixes
** pam_fshadow made reentrant



Version 1.7, 2011-04-08

* Allow for use of `CALL proc' in MySQL queries.
* Minor bugfixes in pamck.


Version 1.6, 2009-02-25

* pamck

Pamck is a command line utility for checking PAM authentication and
other management groups.  E.g.:

   pamck -s login smith

attempts to authenticate user `smith' using PAM service name `login'.


Version 1.5, 2009-02-17

* Configure

New command line options:

  --disable-fshadow
  --disable-log
  --disable-regex

Improved autodetection of MySQL and PostgreSQL libraries.

Missing prerequisites for any module cause disabling of that module,
but the configuration process continues.


Version 1.4, 2008-03-20

* pam_mysql and pam_pgsql

** Session management

Session management is implemented for both modules.  Session
management queries are `session-start-query' and `session-stop-query'.

** Variable expansion in configuration file.

Old style of variable expansion has been dropped.  The `$name'
notation is used instead.  To convert your old configuration files,
replace %u with $user, and %p with $password.

** setenv-query

This new query allows to store arbitrary data in PAM environment.


Version 1.3, 2008-03-15

* pam_mysql and pam_pgsql

** Configuration file syntax

Long statements can be split over several lines by placing
'\' character at the end of each line.

** ldap passwords

Both modules understand passwords in LDAP form.  A special
configuration file statement `allow-ldap-pass' is provided to control
this feature.  By default, `allow-ldap-pass yes' is assumed.


Version 1.2, 2008-03-14

* Several fixes in debugging code and pam_mysql, pam_pgsql modules.

* pam_fshadow

By default extended regular expressions are used. 

* pam_regex transform=expr

New command line option `transform' allows to rewrite user names.


Version 1.1, 2007-08-11

* pam_fshadow allows to use virtual domains to specify alternate password
databases.  New options: regex, basic, extended, ignore-case, icase
and revert-index.

* pam_regex: ignore-case can be used as an alias to icase.

* New modules

pam_log                 Log arbitrary data
pam_mysql		Authenticate using a MySQL database
pam_pgsql		Authenticate using a PostgreSQL database


Version 1.0

	Added documentation, improved configuration suite.


Version 0.1

	Initial release. See README for short description.

^L
=========================================================================
Copyright information:

Copyright (C) 2001, 2004-2005, 2007-2012, 2015, 2018 Sergey Poznyakoff

   Permission is granted to anyone to make or distribute verbatim copies
   of this document as received, in any medium, provided that the
   copyright notice and this permission notice are preserved,
   thus giving the recipient permission to redistribute in turn.

   Permission is granted to distribute modified versions
   of this document, or of portions of it,
   under the above conditions, provided also that they
   carry prominent notices stating who last changed them.

Local variables:
mode: outline
paragraph-separate: "[  ]*$"
eval: (add-hook 'write-file-hooks 'time-stamp)
time-stamp-start: "changes. "
time-stamp-format: "%:y-%02m-%02d"
time-stamp-end: "\n"
end:


Return to:

Send suggestions and report system problems to the System administrator.