pam-modules/NEWS
Sergey Poznyakoff 60a5639981 Version 2.5
2022-05-09 11:08:39 +03:00

pam-modules -- history of user-visible changes. 2022-05-09
See the end of file for copying conditions.
Please send pam-modules bug reports to <bug-pam-modules@gnu.org.ua>
Version 2.5, 2022-05-09
* pam_fshadow: skip-password option
Based on the proposal of Mirsad Goran Todorovac, the new option
skip-password instructs pam_fshadow to check whether the user
being authenticated is present in the passwd and/or shadow files,
without verifying his password. This way pam_fshadow can be used as
an auxiliary module in the stack, actual authentication being
performed by one of the modules before it.
Version 2.4.1, 2021-08-11
* Fix pam_mysql and pam_pgsql authentication
* New pam_mysql configuration keywords: default-file and default-group
The new keywords define the MySQL "default file" and name of the group
in it that should be used. In the presence of "default-file", the rest
of the connection and credentials keywords (host, login, etc.) become
optional.
Version 2.4, 2020-12-30
* Major rewrite of memory allocation code
* Bugfixes
** usage of pam_regex with 'transform=', but without 'regex='
** ldappubkey: Pass arguments to start_tls
Version 2.3.1, 2018-08-13
* Add missing symbol
pam_innetgr lacked pam_sm_setcred
Version 2.3, 2018-08-12
* New module pam_innetgr
This module checks if the current hostname and the name of the user
trying to log in are mentioned in a triple of the specified NIS
netgroup.
* The ldappubkey utility improved.
The PublicKeyAttribute setting accepts a whitespace-separated list of
attribute names.
The new setting PublicKeyFilter can be used to supply a LDAP filter
expression to use in place of the default.
Version 2.2, 2018-01-02
* Improve pam_fshadow
This release allows the user to use arbitrary group numbers for
username and domain parts.
New options username-index and domain-index are used to indicate
indices of the parenthesized groups used to extract the user and
the domain name. The default corresponds to 'user-index=1 domain-index=1'.
Additionally, the behavior when the user name doesn't match the
regexp has changed. Previous versions would fall back to plain
authentication. The new behavior is to reject access.
Version 2.1, 2015-08-04
Fix documentation.
Version 2.0, 2015-02-26
* pam_ldaphome reads LDAP configuration from /etc/ldap.conf
This is in addition to its regular configuration file.
* pam_ldaphome runs initrc-command with user privileges
To run the command with root privileges, the configuration
variable initrc-root must be set to true.
* New pam_ldaphome variable: user-keys-boundary
User key files can contain both keys managed by pam_ldaphome and
added by the user. These two groups of keys must be separated by
a special comment line, which informs pam_ldaphome that all keys
below it must be retained.
This feature is enabled by the user-keys-boundary configuration
setting. Its value defines a string which, when used after a
'#' character, forms the delimiting comment. E.g. if the
configuration file contains:
  user-keys-boundary :user
then the line '#:user' can be used to delimit ldap-synchronized
and user-specific keys.
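The boundary rule described above, as an added Python illustration (not
pam_ldaphome code). The function names and the sample keys are constructed
for this example; treating a file without a delimiter line as fully managed
is an assumption of the sketch, not documented behavior.

```python
# Added illustration of the user-keys-boundary rule; not pam_ldaphome source.
# Constructed sample: one LDAP-managed key, the delimiter, one user-added key.
SAMPLE = (
    "ssh-ed25519 AAAAC3OLDMANAGED alice@ldap\n"
    "#:user\n"
    "# my laptop\n"
    "ssh-ed25519 AAAAC3USERKEY alice@laptop\n"
)


def split_at_boundary(text, boundary):
    """Return (managed_lines, retained_lines, found) for an authorized_keys text."""
    marker = "#" + boundary          # e.g. ':user' gives the line '#:user'
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # Whole-line match only: '#:user' inside a key comment is not a delimiter.
        if line.rstrip() == marker:
            return lines[:i], lines[i + 1:], True
    return lines, [], False


def sync_authorized_keys(existing, ldap_keys, boundary):
    """Replace everything above the delimiter with ldap_keys, keep what is below."""
    _, retained, found = split_at_boundary(existing, boundary)
    out = list(ldap_keys)
    if found:
        out.append("#" + boundary)
        out.extend(retained)
    # Assumption: with no delimiter line, the whole file counts as managed.
    return "\n".join(out) + "\n"


def unmanaged_keys(existing, boundary):
    """List keys below the delimiter, i.e. keys that LDAP does not control."""
    _, retained, _ = split_at_boundary(existing, boundary)
    return [l for l in retained if l.strip() and not l.lstrip().startswith("#")]


if __name__ == "__main__":
    print(sync_authorized_keys(SAMPLE, ["ssh-ed25519 AAAAC3NEWMANAGED alice@ldap"], ":user"))
    print(unmanaged_keys(SAMPLE, ":user"))
```

Keys returned by unmanaged_keys() survive a change or removal of the user's
keys in LDAP, so they are the ones to review when auditing access.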
* audit option
All modules now support the 'audit' option, which is equivalent to
debug=100, i.e. it enables the maximum amount of debugging output.
* pam_fshadow is built on all systems
Version 1.9, 2014-05-21
* New module pam_groupmember
Tests whether the user is a member of one or more groups.
* pam_ldaphome can invoke an external program
An external program defined with the initrc-command keyword is run
in the newly created user's home directory. It can be used for
per-user customization of the files copied from the skeleton dir.
The examples directory contains a perl program "usergitconfig", which,
when used as initrc-command, initializes the user's .gitconfig file.
* New auxiliary utilities
** ldappubkey
The `ldappubkey' utility is a simple Perl program which takes a user
login name as its argument and produces on the standard output public
ssh keys for that user, each on a separate line. The program is
designed for use with `openssh' version 6.2p1 or higher.
** usergitconfig
Customizes user's `.gitconfig' file using attributes from his LDAP
entry. This utility can be used with the initrc-command statement
in pam_ldaphome.conf file.
* Bugfixes
Version 1.8, 2013-07-29
* pam_ldaphome
This module creates the user home directory, if it does not
already exist, and updates his `.ssh/authorized_keys' file with the
keys from the LDAP database.
* pam_umotd
Pam_umotd displays a user-specific message of the day. The text can
be taken either from a disk file, or read from the standard output of
a program launched for that purpose. This module is Linux-specific.
* Bugfixes
** pam_fshadow made reentrant
Version 1.7, 2011-04-08
* Allow for use of `CALL proc' in MySQL queries.
* Minor bugfixes in pamck.
Version 1.6, 2009-02-25
* pamck
Pamck is a command line utility for checking PAM authentication and
other management groups. E.g.:
  pamck -s login smith
attempts to authenticate user `smith' using PAM service name `login'.
Version 1.5, 2009-02-17
* Configure
New command line options:
  --disable-fshadow
  --disable-log
  --disable-regex
Improved autodetection of MySQL and PostgreSQL libraries.
Missing prerequisites for any module cause disabling of that module,
but the configuration process continues.
Version 1.4, 2008-03-20
* pam_mysql and pam_pgsql
** Session management
Session management is implemented for both modules. Session
management queries are `session-start-query' and `session-stop-query'.
** Variable expansion in configuration file.
Old style of variable expansion has been dropped. The `$name'
notation is used instead. To convert your old configuration files,
replace %u with $user, and %p with $password.
** setenv-query
This new query allows storing arbitrary data in the PAM environment.
Version 1.3, 2008-03-15
* pam_mysql and pam_pgsql
** Configuration file syntax
Long statements can be split over several lines by placing
'\' character at the end of each line.
** ldap passwords
Both modules understand passwords in LDAP form. A special
configuration file statement `allow-ldap-pass' is provided to control
this feature. By default, `allow-ldap-pass yes' is assumed.
Version 1.2, 2008-03-14
* Several fixes in debugging code and pam_mysql, pam_pgsql modules.
* pam_fshadow
By default extended regular expressions are used.
* pam_regex transform=expr
The new command line option `transform' allows rewriting user names.
Version 1.1, 2007-08-11
* pam_fshadow allows using virtual domains to specify alternate password
databases. New options: regex, basic, extended, ignore-case, icase
and revert-index.
* pam_regex: ignore-case can be used as an alias to icase.
* New modules
  pam_log     Log arbitrary data
  pam_mysql   Authenticate using a MySQL database
  pam_pgsql   Authenticate using a PostgreSQL database
Version 1.0
Added documentation, improved configuration suite.
Version 0.1
Initial release. See README for short description.
=========================================================================
Copyright information:
Copyright (C) 2001-2022 Sergey Poznyakoff
Permission is granted to anyone to make or distribute verbatim copies
of this document as received, in any medium, provided that the
copyright notice and this permission notice are preserved,
thus giving the recipient permission to redistribute in turn.
Permission is granted to distribute modified versions
of this document, or of portions of it,
under the above conditions, provided also that they
carry prominent notices stating who last changed them.
Local variables:
mode: outline
paragraph-separate: "[ ]*$"
eval: (add-hook 'write-file-hooks 'time-stamp)
time-stamp-start: "changes. "
time-stamp-format: "%:y-%02m-%02d"
time-stamp-end: "\n"
end: