The pam_krb5 module allows PAM-aware applications to authenticate users by performing an AS exchange with a Kerberos KDC. It can optionally set up AFS tokens for a user's session.
Releases can be expected to buildable against MIT Kerberos versions 1.6.1 and later and Heimdal 1.0.2 and later.
The module aims to work with minimal (ideally, no) configuration beyond that provided to the Kerberos library itself.
- Downloads for recent releases can be found at fedorahosted.org. Older versions can be found at people.redhat.com.
- Go right to the source repository. Clone it by running git clone git://git.fedorahosted.org/pam_krb5.git and have at it.
- Versions 2.2.11 through 2.2.28 and 2.3.0 through 2.3.4 are vulnerable to CVE-2009-1384: the password prompt could vary based on whether or not a user name was known to the local system and on whether or not the client's principal name was known to the KDC. Versions 2.2.29 and 2.3.5 fix this bug.
- Versions 2.2.0 through 2.2.25 and 2.3.0 through 2.3.1 are vulnerable to CVE-2008-3825: when using the "existing_ticket" option in a setuid/setgid context, the permissions on the existing credential cache are not enforced correctly. Versions 2.2.26 and 2.3.2 fix this bug.
Trac Starting Points
- TracGuide -- Built-in Documentation
- The Trac project -- Trac Open Source Project
- Trac FAQ -- Frequently Asked Questions
- TracSupport -- Trac Support
For a complete list of local wiki pages, see TitleIndex.