Updated pam_krb5 packages that address several bugs and add enhancements
are now available.

The pam_krb5 module allows PAM-aware applications to use Kerberos to verify
user identities by obtaining user credentials at login time.

These updated packages fix the following bugs:
* if the calling application correctly opened a Pluggable Authentication
Module (PAM) session and initialized PAM credentials, but read the
environment (i.e., for setting up a child process) before completing either
step, the KRB5CCNAME environment variable would either not be set, or would
contain a value that had become invalid. These updated packages accommodate
applications which propagate the PAM environment to child processes before
initializing PAM credentials.
* when a user who is unknown to the Kerberos server attempted to change
their password, a "passwd: Authentication failure" error occurred. A
"passwd: User not known to the underlying authentication module" error is
now returned.
* after a user attempted to change an expired password, their new Kerberos
credentials were not provided for their session. The "klist -a" command
displayed no credentials. User sessions are now correctly established with
updated credentials after changing an expired password.
* the pam_krb5 module would incorrectly attempt to validate credentials
obtained for use during a password change operation. This caused the
password-changing operation to fail when it should have succeeded. The
system log would receive a "TGT failed verification using key for XXX"
error, where XXX is the name of a service whose key is in the local
keytab file.
* when validating credentials the pam_krb5 module would open a keytab file
twice but only close it once; the extra open file descriptor was lost.
* in these updated packages the client's principal name is correctly stored
in a Kerberos IV ticket file when the Kerberos IV credentials have been
obtained by converting Kerberos 5 credentials that were obtained from
outside pam_krb5 (for example, credentials that have been delegated to
the system over the network during authentication).
* applications that used dlopen() to load the PAM library would fail to
authenticate with pam_krb5 due to symbol resolution problems. The module
now links directly to libpam.
* in certain situations configuring a system to authenticate using pam_krb5
caused sudo to fail. Users were repeatedly asked for a password, and in some
situations a broken pipe error occurred. Note that this issue may not be
confined to the sudo program.
* pam_krb5 logged some debug messages even when debugging was disabled.
* when changing passwords the old password was not saved correctly, causing a
"passwd: Authentication token manipulation error" error. Old passwords are
now saved correctly for use by other modules in the PAM stack, allowing
users to change their password.
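
The keytab descriptor leak listed above (two opens, one close) is the kind of defect a descriptor-count regression check catches. The following C code is an added example, not pam_krb5 code: validate_leaky() and validate_fixed() are constructed stand-ins for the pattern described, and /dev/null stands in for the keytab path.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Count descriptors open in this process by probing each slot. */
static int count_open_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (max < 0 || max > 4096)
        max = 4096;                       /* bound the probe */
    for (int fd = 0; fd < max; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Constructed stand-in for the pre-fix pattern: two opens, one close. */
static int validate_leaky(const char *keytab)
{
    int first = open(keytab, O_RDONLY);   /* never closed: the leak */
    int second = open(keytab, O_RDONLY);
    if (second != -1)
        close(second);
    return (first == -1 || second == -1) ? -1 : 0;
}

/* Corrected pattern: one open, one matching close. */
static int validate_fixed(const char *keytab)
{
    int fd = open(keytab, O_RDONLY);
    if (fd == -1)
        return -1;
    close(fd);
    return 0;
}

/* Call fn `rounds` times; return how many descriptors stayed open. */
int leaked_fds(int (*fn)(const char *), const char *path, int rounds)
{
    int before = count_open_fds();
    for (int i = 0; i < rounds; i++)
        fn(path);
    return count_open_fds() - before;
}

int main(void)
{
    /* /dev/null stands in for the keytab path (assumption). */
    printf("leaky: %d\n", leaked_fds(validate_leaky, "/dev/null", 5));
    return leaked_fds(validate_fixed, "/dev/null", 5) != 0;
}
```

In a long-running PAM-aware daemon each authentication that hits the leaky path costs one descriptor, so the count grows until the process reaches its open-file limit.
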
This update also adds the following enhancements:
* a new "pwhelp" option, configured in krb5.conf as
"pwhelp = [path/to/file]", displays the specified file when a user changes
passwords, where [path/to/file] is the text file to be displayed.
* the account management function has been modified so an "Error: account is
locked" error is returned if the Key Distribution Center (KDC) indicates a
user's account has been revoked.
* the warning message supplied by KDCs about user passwords expiring is
now displayed to the user.
* if the KDC rejected a user's new password, for example, due to failure to
meet the realm's password complexity requirements, the user would be told
that the password change succeeded, when in fact it had not. The outcome of
a password change is now checked.

All pam_krb5 users should upgrade to these updated packages, which resolve
these issues and add these enhancements.

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Every file listed below is marked "File outdated by: RHBA-2008:0712".

Red Hat Desktop (v. 4)
  SRPMS:
    pam_krb5-2.1.17-1.src.rpm      MD5: 45dc1044d30563c84958732af706e90b
  IA-32:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
  x86_64:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
    pam_krb5-2.1.17-1.x86_64.rpm   MD5: 2f00ea6f5f62ee087520eed69f586666

Red Hat Enterprise Linux AS (v. 4)
  SRPMS:
    pam_krb5-2.1.17-1.src.rpm      MD5: 45dc1044d30563c84958732af706e90b
  IA-32:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
  IA-64:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
    pam_krb5-2.1.17-1.ia64.rpm     MD5: ecaf2edfbaf99d2c6a2244502279eefe
  PPC:
    pam_krb5-2.1.17-1.ppc.rpm      MD5: 7984251b657c64bc7fd08a825c633bed
    pam_krb5-2.1.17-1.ppc64.rpm    MD5: 191e24dc3e1e35f6e6c8ebdec37a7435
  s390:
    pam_krb5-2.1.17-1.s390.rpm     MD5: 5be88dc1a1b390913d046df34b1eefb8
  s390x:
    pam_krb5-2.1.17-1.s390.rpm     MD5: 5be88dc1a1b390913d046df34b1eefb8
    pam_krb5-2.1.17-1.s390x.rpm    MD5: f3a552292d74a656993b1049b2f2e2d1
  x86_64:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
    pam_krb5-2.1.17-1.x86_64.rpm   MD5: 2f00ea6f5f62ee087520eed69f586666

Red Hat Enterprise Linux ES (v. 4)
  SRPMS:
    pam_krb5-2.1.17-1.src.rpm      MD5: 45dc1044d30563c84958732af706e90b
  IA-32:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
  IA-64:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
    pam_krb5-2.1.17-1.ia64.rpm     MD5: ecaf2edfbaf99d2c6a2244502279eefe
  x86_64:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
    pam_krb5-2.1.17-1.x86_64.rpm   MD5: 2f00ea6f5f62ee087520eed69f586666

Red Hat Enterprise Linux WS (v. 4)
  SRPMS:
    pam_krb5-2.1.17-1.src.rpm      MD5: 45dc1044d30563c84958732af706e90b
  IA-32:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
  IA-64:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
    pam_krb5-2.1.17-1.ia64.rpm     MD5: ecaf2edfbaf99d2c6a2244502279eefe
  x86_64:
    pam_krb5-2.1.17-1.i386.rpm     MD5: 4f6ea9e0585d65fdeb8a39815bc93e34
    pam_krb5-2.1.17-1.x86_64.rpm   MD5: 2f00ea6f5f62ee087520eed69f586666

(The unlinked packages above are only available from the Red Hat Network)

150056 - PAM patches to /bin/su call pam_setcred after pam_open_session
173681 - [PATCH] pam_krb5 leaks file descriptor
202190 - Lots of new pam_krb5 messages after update
213407 - Agressive protection in pam_krb5 makes sudo fail (broken pipe)
227097 - missing symbols in pam_krb5