pam-modules -- history of user-visible changes. 2022-05-09 See the end of file for copying conditions. Please send pam-modules bug reports to Version 2.5, 2022-05-09 * pam_fshadow: skip-password option Based on the proposal of Mirsad Goran Todorovac, the new option skip-password instructs pam_fshadow to check whether the user being authenticated is present in the passwd and/or shadow files, without verifying his password. This way pam_fshadow can be used as an auxiliary module in the stack, actual authentication being performed by one of the modules before it. Version 2.4.1, 2021-08-11 * Fix pam_mysql and pam_pgsql authentication * New pam_mysql configuration keywords: default-file and default-group The new keywords define the MySQL "default file" and name of the group in it that should be used. In presense of "default-file", the rest of connection and credentials keywords (host, login, etc.), become optional. Version 2.4, 2020-12-30 * Major rewrite of memory allocation code * Bugfixes ** usage of pam_regex with 'transform=', but without 'regex=' ** ldappubkey: Pass arguments to start_tls Version 2.3.1, 2018-08-13 * Add missing symbol pam_innetgr lacked pam_sm_setcred Version 2.3, 2018-08-12 * New module pam_innetgr This module checks if the current hostname and the name of the user trying to log in are mentioned in a triple of the specified NIS netgroup. * The ldappubkey utility improved. The PublicKeyAttribute setting accepts a whitespace-separated list of attribute names. The new setting PublicKeyFilter can be used to supply a LDAP filter expression to use in place of the default. Version 2.2, 2018-01-02 * Improve pam_fshadow This release allows the user to use arbitrary group numbers for username and domain parts. New options username-index and domain-index are used to indicate indices of the parenthesized groups used to extract the user and the domain name. The default corresponds to 'user-index=1 domain-index=1'. Additionally, the behavior in case if the user name doesn't match the regexp is changed. Previous versions would fall back to plain authentication. The new behavior is to reject access. Version 2.1, 2015-08-04 Fix documentation. Version 2.0, 2015-02-26 * pam_ldaphome reads LDAP configuration from /etc/ldap.conf This is in addition to its regular configuration file. * pam_ldaphome runs inirc-command with user privileges To run the command with root privileges, the configuration variable initrc-root must be set to true. * New pam_ldaphome variable: user-keys-boundary User key files can contain both keys managed by pam_ldaphome and added by the user. These two groups of keys must be separated by a special comment line, which informs pam_ldaphome that all keys below it must be retained. This feature is enabled by the user-keys-boundary configuration setting. Its value defines a string which, when used after a '#' character, forms the delimiting comment. E.g. if the configuration file contains: user-keys-boundary :user then the line '#:user' can be used to delimit ldap-synchronized and user-specific keys. * audit option All modules now support 'audit' option, which is equivalent to debug=100, i.e. it enables logging maximum debugging output. * pam_fshadow is built on all systems Version 1.9, 2014-05-21 * New module pam_groupmember Tests whether the user is a member of one or more groups. * pam_ldaphome can invoke an external program An external program defined with the inirc-command keyword is run in the newly created user's home directory. It can be used for per-user customization of the files copied from the skeleton dir. The examples directory contains a perl program "usergitconfig", which, when used as inirc-command, initializes the user's .gitconfig file. * New auxiliary utilities ** ldappubkey The `ldappubkey' utility is a simple Perl program which takes user login name as its argument and produces on the standard output public ssh keys for that user, each on a separate line. The program is designed for use with `openssh' version 6.2p1 or higher. ** usergitconfig Customizes user's `.gitconfig' file using attributes from his LDAP entry. This utility can be used with the initrc-command statement in pam_ldaphome.conf file. * Bugfixes Version 1.8, 2013-07-29 * pam_ldaphome This module creates the user home directory, if it does not already exist, and updates his `.ssh/authorized_keys' file with the keys from the LDAP database. * pam_umotd Pam_umotd displays a user-specific message of the day. The text can be taken either from a disk file, or read from the standard output of a program launched for that purpose. This module is Linux-specific. * Bugfixes ** pam_fshadow made reentrant Version 1.7, 2011-04-08 * Allow for use of `CALL proc' in MySQL queries. * Minor bugfixes in pamck. Version 1.6, 2009-02-25 * pamck Pamck is a command line utility for checking PAM authentication and other management groups. E.g.: pamck -s login smith attempts to authenticate user `smith' using PAM service name `login'. Version 1.5, 2009-02-17 * Configure New command line options: --disable-fshadow --disable-log --disable-regex Improved autodetection of MySQL and PostgreSQL libraries. Missing prerequisites for any module cause disabling of that module, but the configuration process continues. Version 1.4, 2008-03-20 * pam_mysql and pam_pgsql ** Session management Session management is implemented for both modules. Session management queries are `session-start-query' and `session-stop-query'. ** Variable expansion in configuration file. Old style of variable expansion has been dropped. The `$name' notation is used instead. To convert your old configuration files, replace %u with $user, and %p with $password. ** setenv-query This new query allows to store arbitrary data in PAM environment. Version 1.3, 2008-03-15 * pam_mysql and pam_pgsql ** Configuration file syntax Long statements can be split over several lines by placing '\' character at the end of each line. ** ldap passwords Both modules understand passwords in LDAP form. A special configuration file statement `allow-ldap-pass' is provided to control this feature. By default, `allow-ldap-pass yes' is assumed. Version 1.2, 2008-03-14 * Several fixes in debugging code and pam_mysql, pam_pgsql modules. * pam_fshadow By default extended regular expressions are used. * pam_regex transform=expr New command line option `transform' allows to rewrite user names. Version 1.1, 2007-08-11 * pam_fshadow allows to use virtual domains to specify alternate password databases. New options: regex, basic, extended, ignore-case, icase and revert-index. * pam_regex: ignore-case can be used as an alias to icase. * New modules pam_log Log arbitrary data pam_mysql Authenticate using a MySQL database pam_pgsql Authenticate using a PostgreSQL database Version 1.0 Added documentation, improved configuration suite. Version 0.1 Initial release. See README for short description. ^L ========================================================================= Copyright information: Copyright (C) 2001-2022 Sergey Poznyakoff Permission is granted to anyone to make or distribute verbatim copies of this document as received, in any medium, provided that the copyright notice and this permission notice are preserved, thus giving the recipient permission to redistribute in turn. Permission is granted to distribute modified versions of this document, or of portions of it, under the above conditions, provided also that they carry prominent notices stating who last changed them. Local variables: mode: outline paragraph-separate: "[ ]*$" eval: (add-hook 'write-file-hooks 'time-stamp) time-stamp-start: "changes. " time-stamp-format: "%:y-%02m-%02d" time-stamp-end: "\n" end: