Michael Richters <[EMAIL PROTECTED]> writes: > Package: libpam-krb5 > Version: 3.6-1 > Severity: serious
> Version 3.6-1 of libpam-krb5 prevents login via openssh if the user's > password has expired (i.e. 'REQUIRES_PWCHANGE'). With openssh > configured for ChallengeResponseAuthentication, I get a prompt to set a > new password with libpam-krb5 version 3.5-1, but authentication simply > fails with version 3.6-1. I suspect the changes made to address bug > #437171 are the cause. Actually, it wasn't any source change in libpam-krb5 itself, just the rebuild against MIT Kerberos 1.6. I had made the incorrect assumption that krb5_get_init_creds_opt_alloc also initialized the structure with the default flags, but it doesn't. One has to explicitly call _init afterwards. Previous versions of the module were built against a version of Kerberos without that function and therefore used the backwards compatibility code, which called init on a separately allocated structure. This will be fixed in the next release, which will be uploaded later today. Thanks for the report! -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
