pam_yubico NEWS — History of user-visible changes. -- outline --
Version 2.28 (unreleased)
Version 2.27 (released 2021-04-09)
Add always_prompt configuration option.
Add client certificate support for ldap.
Add starttls support for ldap.
Add ldap_bind_as_user support.
Parsing, cleanliness and string fixes.
Documentation and spelling fixes.
Version 2.26 (released 2018-04-20)
Make sure to close authfile (CVE-2018-9275).
Fix compiler warnings.
Open file descriptors with O_CLOEXEC.
Use mkostemp() instead of mkstemp().
Version 2.25 (released 2018-03-27)
Only do OTP validation if it’s a token that might be valid.
Return early in case user has no valid tokens.
Ldap, compare values only with yubi_attr attributes.
Add nullok parameter.
Version 2.24 (released 2016-11-25)
Debug mode changed, allows file output with debug_file.
Fixup returning user-unknown correctly.
Version 2.23 (released 2016-06-15)
Fix an issue where a failure to set permissions was wrongly outputted.
Version 2.22 (released 2016-05-23)
Retain ownership and permission of challenge files (issue #92).
Make dependency on yubico-c-client 2.15 clearer.
Version 2.21 (released 2016-02-19)
Add proxy support for yubico-c-client.
Check that conv is set before trying to use it fixes a crash bug with the osx loginwindow.
Add building of a mac installer.
Version 2.20 (released 2015-09-22)
Add cainfo option to allow usage of a cabundle instead of path.
Support comments in authfile.
For challenge response with system-wide directory, write the files as root instead of the user.
Version 2.19 (released 2015-03-23)
Add new ldap functionality ldap_bind_user and ldap_bind_password for authenticated binds ldap_filter for using subtree search and a filter ldap_cacertfile to use a specific cacert for ldaps
Version 2.18 (released 2015-02-12)
Fix a memory leak of the pam response data.
Add more tests.
Add version flag to ykpamcfg.
Version 2.17 (released 2014-08-26)
Fix a bug with the urllist parameter where urls would be forgotten.
Manpages converted to asciidoc.
Version 2.16 (released 2014-06-10)
Fix a crashbug with the new parameter urllist
Version 2.15 (released 2014-04-30)
Added new parameter urllist
Added pam_yubico(8) man page.
Fix memory leak.
Bump yubico-c-client version requirement to 2.12.
Version 2.14 (released 2013-09-27)
Don’t install internal header files.
Don’t print debug info when the "debug" parameter is not given.
Use PBKDF2 to process expected reply for challenge-response mode.
Fixup memory leaks and leaks of privilege.
Let return values reflect whether the user wasn’t found or other error.
Version 2.13 (released 2013-03-01)
Fix a bug in the version check to support major version > 2 (neo). Patch from https://github.com/wwest4
Give ykpamcfg an option for specifying path.
Version 2.12 (released 2012-06-15)
Only use libyubikey when --with-cr is used.
Set correct permissions on tempfile.
YubiKey 2.2 contains a bug in challenge-response that makes it output the same response to all challenges unless HMAC_LT64 is set. Add warnings to ykpamcfg and a warning through conversate in the pam module. Keys programmed like this should be reprogrammed with the HMAC_LT64 flag set.
Version 2.11 (released 2012-02-10)
Fix crash-bug with challenge-response mode when button press is required, but button is never pressed. Reported and fixed by Lingzhu Xiang <firstname.lastname@example.org>.
Fix a memset() with wrong size as reported by clang, as well as some other problems/warnings when building on Mac OS X, thanks to Clemens Lang <email@example.com>.
Add prefix-matching of LDAP fetched values, so you can store the token-to-user mapping in a multi-value attribute with values like "yubikey:publicid", "other-token:something" etc. Patch by Remi Mollon <firstname.lastname@example.org>.
Version 2.10 (released 2011-12-14)
Drop permissions (to the user that is trying to authenticate) before accessing files in the users home directory. Largely based on a patch by Ricky Zhou <email@example.com>. Thanks!
Restore challenge-response support - version 2.7 was supposed to make the dependency on libykpers optional, but in reality accidentally disabled challenge-response for all configurations. As before, use --without-cr to compile pam_yubico without the ykpers dependency.
Version 2.9 (released 2011-11-17)
Security: Explicitly request ykclient to verify server signature. ykclient ⇐ 2.5 strangely enough defaults to signing requests, but not verifying signatures in responses when it is supplied with a client key.
Reported and patched by Dominic Rutherford <firstname.lastname@example.org>.
Version 2.8 (released 2011-08-26)
Fix big security hole: Authentication succeeded when no password was given, unless use_first_pass was being used. This is fatal if pam_yubico is considered sufficient in the PAM configuration.
Reported and patched by Nanakos Chrysostomos <email@example.com>.
Version 2.7 (released 2011-06-07)
Make dependency on libykpers optional. Use --without-cr to force it. Reported by Jussi Sallinen <firstname.lastname@example.org>.
Version 2.6 (released 2011-04-11)
This release includes lots of patches by members of our open source community. Thank you all!
Add Challenge-Response mode for offline validation (requires YubiKey 2.2). Patch by Tollef Fog Heen.
Eliminate all problems with pam_get_data by simply getting rid of that code completely. This seems to have caused problems for a lot of people.
Numerous LDAP bug fixes and improvements, including community patches by judas.iscariote and email@example.com. Change to LDAPv3, since v2 has been declared historic for a looong time.
Support passing capath parameter to Yubico validation client. Patch by Remi Mollon.
Support public id’s longer/shorter than 6 bytes. Patch by firstname.lastname@example.org.
Convert documentation to Asciidoc format used in Github wiki.
Try to never log passwords in debug logs.
Version 2.5 (released 2010-09-10)
Wiki articles are now inclded in the archive. Same license as code. Reported by dmitrij.ledkov in Issue #30: http://code.google.com/p/yubico-pam/issues/detail?id=30.
Version 2.4 (released 2010-09-10)
New keyword "verbose_otp" to allow displaying OTP characters. Contributed by qistoph reported in Issue #22: http://code.google.com/p/yubico-pam/issues/detail?id=22.
Build with -DPAM_DEBUG so that debug file writing works. Reported by qistoph in Issue #20: http://code.google.com/p/yubico-pam/issues/detail?id=20.
Make deprecated "ldapserver" work again. Reported by giovannibajo in Issue #27: http://code.google.com/p/yubico-pam/issues/detail?id=27.
Fix segmentation fault on 64-bit systems. Reported by multiple people in Issue #11: http://code.google.com/p/yubico-pam/issues/detail?id=11.
Don’t crash on ^D at su prompt, or generally, on a NULL password value.
Version 2.3 (released 2010-04-14)
New keyword "ldap_uri" added. This keyword is preferred over the old "ldapserver" keyword, and allows you to specify a complete LDAP URI instead of only the hostname of your LDAP server. Contributed by Zubrick.
Improved README. Contributed by Erinn Looney-Triggs <email@example.com>.
Version 2.2 (released 2009-05-11)
Added new PAM configuration variable "key" for base64 client key.
Version 2.1 (released 2009-03-31)
Version 2.0 (released 2009-03-25)
Requires libykclient v2.0 or later. See http://code.google.com/p/yubico-c-client/.
Version 1.14 (released 2009-03-24)
Quick release to sync release archive with svn code.
Version 1.13 (released 2009-03-24)
Fix parsing of password into OTP/ID/password. Earlier string handling may have been incorrect for short strings.
Don’t pass integers via pam_set_data/pam_get_data. May solve problems on 64-bit platforms. Based on patch from forum.yubico.com.
Version 1.12 (released 2009-03-24)
Add support for "use_first_pass" and "try_first_pass". They work similar to other PAM modules, see README for more documentation.
Upgrade notice: If you are relying on getting the YubiKey OTP from an earlier PAM module, and no prompting by the pam_yubico module, you need to add "try_first_pass" to preserve the same behaviour.
Version 1.11 (released 2009-02-11)
Added support to store user:keyid mapping in LDAP. Contributed by Gregory Brusick <firstname.lastname@example.org>.
Version 1.10 (released 2009-01-13)
Change license to 2-clause BSD. The Linux-PAM license is unclear, and in any case, the 2-clause BSD license is compatible with 3-clause BSD and GPL.
Version 1.9 (released 2009-01-13)
Solaris portability improvements. Suggested by Martin Englund <Martin.Englund@Sun.COM>.
Version 1.8 (released 2008-09-15)
Add new parameter url to specify the server template URL.
Version 1.7 (released 2008-09-01)
Support two-factor mode to provide a password.
Support a user-specific configuration file to allow yubikeys per user.
Use libyubikey-client instead of direct use of libcurl.
Move *.m4’s to m4/.
Version 1.6 (released 2008-01-11)
First release from code.google.com repository.
Clarify documentation with regard to license and development info.
Version 1.5 (internal release)
Clarify that license is the same as Linux-PAM (GPLv2 or modified BSD). This is likely the last internal release, source moving to code.google.com.
Version 1.4 (internal release)
Don’t free CURL’s user agent string before we’re done.
Version 1.3 (internal release)
Disable echo’ing of password, for FreeRadius.
Version 1.2 (internal release)
Added PDF/HTML manual, see yubico-pam.pdf and yubico-pam.html.
Fixes to use new web service API.
Add "url" parameter.
Fix "alwaysok" parameter.
Fix crash on empty server responses.
Parse "status" properly.
Better debug info.
Version 1.1 (internal release)
Fix ws-api usage.
Version 1.0 (internal release)