Release Notes

pam_yubico NEWS — History of user-visible changes. -- outline --

  • Version 2.25 (unreleased)

  • Version 2.24 (released 2016-11-25)

    • Debug mode changed, allows file output with debug_file.

    • Fixup returning user-unknown correctly.

  • Version 2.23 (released 2016-06-15)

    • Fix an issue where a failure to set permissions was wrongly outputted.

  • Version 2.22 (released 2016-05-23)

    • Documentation improvements.

    • Retain ownership and permission of challenge files (issue #92).

    • Make dependency on yubico-c-client 2.15 clearer.

  • Version 2.21 (released 2016-02-19)

    • Add proxy support for yubico-c-client.

    • Check that conv is set before trying to use it fixes a crash bug with the osx loginwindow.

    • Add building of a mac installer.

  • Version 2.20 (released 2015-09-22)

    • Add cainfo option to allow usage of a cabundle instead of path.

    • Support comments in authfile.

    • For challenge response with system-wide directory, write the files as root instead of the user.

  • Version 2.19 (released 2015-03-23)

    • Add new ldap functionality ldap_bind_user and ldap_bind_password for authenticated binds ldap_filter for using subtree search and a filter ldap_cacertfile to use a specific cacert for ldaps

  • Version 2.18 (released 2015-02-12)

    • Fix a memory leak of the pam response data.

    • Add more tests.

    • Add version flag to ykpamcfg.

  • Version 2.17 (released 2014-08-26)

    • Fix a bug with the urllist parameter where urls would be forgotten.

    • Manpages converted to asciidoc.

  • Version 2.16 (released 2014-06-10)

    • Fix a crashbug with the new parameter urllist

  • Version 2.15 (released 2014-04-30)

    • Added new parameter urllist

    • Added pam_yubico(8) man page.

    • Fix memory leak.

    • Bump yubico-c-client version requirement to 2.12.

  • Version 2.14 (released 2013-09-27)

    • Don’t install internal header files.

    • Don’t print debug info when the "debug" parameter is not given.

    • Use PBKDF2 to process expected reply for challenge-response mode.

    • Fixup memory leaks and leaks of privilege.

    • Let return values reflect whether the user wasn’t found or other error.

  • Version 2.13 (released 2013-03-01)

    • Fix a bug in the version check to support major version > 2 (neo). Patch from https://github.com/wwest4

    • Give ykpamcfg an option for specifying path.

  • Version 2.12 (released 2012-06-15)

    • Only use libyubikey when --with-cr is used.

    • Set correct permissions on tempfile.

    • YubiKey 2.2 contains a bug in challenge-response that makes it output the same response to all challenges unless HMAC_LT64 is set. Add warnings to ykpamcfg and a warning through conversate in the pam module. Keys programmed like this should be reprogrammed with the HMAC_LT64 flag set.

  • Version 2.11 (released 2012-02-10)

    • Fix crash-bug with challenge-response mode when button press is required, but button is never pressed. Reported and fixed by Lingzhu Xiang <xianglingzhu@gmail.com>.

    • Fix a memset() with wrong size as reported by clang, as well as some other problems/warnings when building on Mac OS X, thanks to Clemens Lang <neverpanic@gmail.com>.

    • Add prefix-matching of LDAP fetched values, so you can store the token-to-user mapping in a multi-value attribute with values like "yubikey:publicid", "other-token:something" etc. Patch by Remi Mollon <remi.mollon@cern.ch>.

  • Version 2.10 (released 2011-12-14)

    • Drop permissions (to the user that is trying to authenticate) before accessing files in the users home directory. Largely based on a patch by Ricky Zhou <ricky@fedoraproject.org>. Thanks!

    • Restore challenge-response support - version 2.7 was supposed to make the dependency on libykpers optional, but in reality accidentally disabled challenge-response for all configurations. As before, use --without-cr to compile pam_yubico without the ykpers dependency.

  • Version 2.9 (released 2011-11-17)

    • Security: Explicitly request ykclient to verify server signature. ykclient ⇐ 2.5 strangely enough defaults to signing requests, but not verifying signatures in responses when it is supplied with a client key.

Reported and patched by Dominic Rutherford <dominic@rutherfordfamily.co.uk>.

  • Version 2.8 (released 2011-08-26)

    • Fix big security hole: Authentication succeeded when no password was given, unless use_first_pass was being used. This is fatal if pam_yubico is considered sufficient in the PAM configuration.

Reported and patched by Nanakos Chrysostomos <nanakos@wired-net.gr>.

  • Version 2.7 (released 2011-06-07)

    • Make dependency on libykpers optional. Use --without-cr to force it. Reported by Jussi Sallinen <jussi@jus.si>.

  • Version 2.6 (released 2011-04-11)

    • This release includes lots of patches by members of our open source community. Thank you all!

    • Add Challenge-Response mode for offline validation (requires YubiKey 2.2). Patch by Tollef Fog Heen.

    • Eliminate all problems with pam_get_data by simply getting rid of that code completely. This seems to have caused problems for a lot of people.

    • Numerous LDAP bug fixes and improvements, including community patches by judas.iscariote and maxsanna81@gmail.com. Change to LDAPv3, since v2 has been declared historic for a looong time.

    • Support passing capath parameter to Yubico validation client. Patch by Remi Mollon.

    • Support public id’s longer/shorter than 6 bytes. Patch by fraser.scott@gmail.com.

    • Convert documentation to Asciidoc format used in Github wiki.

    • Try to never log passwords in debug logs.

  • Version 2.5 (released 2010-09-10)

  • Version 2.4 (released 2010-09-10)

  • Version 2.3 (released 2010-04-14)

    • New keyword "ldap_uri" added. This keyword is preferred over the old "ldapserver" keyword, and allows you to specify a complete LDAP URI instead of only the hostname of your LDAP server. Contributed by Zubrick.

    • Improved README. Contributed by Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>.

  • Version 2.2 (released 2009-05-11)

    • Added new PAM configuration variable "key" for base64 client key.

  • Version 2.1 (released 2009-03-31)

    • Fix documentation.

    • Fix warning.

  • Version 2.0 (released 2009-03-25)

  • Version 1.14 (released 2009-03-24)

    • Quick release to sync release archive with svn code.

  • Version 1.13 (released 2009-03-24)

    • Fix parsing of password into OTP/ID/password. Earlier string handling may have been incorrect for short strings.

    • Don’t pass integers via pam_set_data/pam_get_data. May solve problems on 64-bit platforms. Based on patch from forum.yubico.com.

  • Version 1.12 (released 2009-03-24)

    • Add support for "use_first_pass" and "try_first_pass". They work similar to other PAM modules, see README for more documentation.

Upgrade notice: If you are relying on getting the Yubikey OTP from an earlier PAM module, and no prompting by the pam_yubico module, you need to add "try_first_pass" to preserve the same behaviour.

  • Version 1.11 (released 2009-02-11)

    • Added support to store user:keyid mapping in LDAP. Contributed by Gregory Brusick <gregory@brusick.ch>.

  • Version 1.10 (released 2009-01-13)

    • Change license to 2-clause BSD. The Linux-PAM license is unclear, and in any case, the 2-clause BSD license is compatible with 3-clause BSD and GPL.

  • Version 1.9 (released 2009-01-13)

  • Version 1.8 (released 2008-09-15)

    • Add new parameter url to specify the server template URL.

  • Version 1.7 (released 2008-09-01)

    • Support two-factor mode to provide a password.

    • Support a user-specific configuration file to allow yubikeys per user.

    • Use libyubikey-client instead of direct use of libcurl.

    • Move *.m4’s to m4/.

  • Version 1.6 (released 2008-01-11)

    • First release from code.google.com repository.

    • Clarify documentation with regard to license and development info.

  • Version 1.5 (internal release)

    • Clarify that license is the same as Linux-PAM (GPLv2 or modified BSD). This is likely the last internal release, source moving to code.google.com.

  • Version 1.4 (internal release)

    • Don’t free CURL’s user agent string before we’re done.

    • Version 1.3 (internal release)

    • Disable echo’ing of password, for FreeRadius.

  • Version 1.2 (internal release)

    • Added PDF/HTML manual, see yubico-pam.pdf and yubico-pam.html.

    • Fixes to use new web service API.

    • Add "url" parameter.

    • Fix "alwaysok" parameter.

    • Fix crash on empty server responses.

    • Parse "status" properly.

    • Better debug info.

  • Version 1.1 (internal release)

    • Fix ws-api usage.

    • Support "alwaysok".

  • Version 1.0 (internal release)

    • Initial release.