Release Notes

Add always_prompt configuration option.

Add client certificate support for ldap.

Add starttls support for ldap.

Add ldap_bind_as_user support.

Parsing, cleanliness and string fixes.

Documentation and spelling fixes.

Make sure to close authfile (CVE-2018-9275).

Fix compiler warnings.

Open file descriptors with O_CLOEXEC.

Use mkostemp() instead of mkstemp().

Documentation updates.

Only do OTP validation if it’s a token that might be valid.

Return early in case user has no valid tokens.

Ldap, compare values only with yubi_attr attributes.

Add nullok parameter.

Debug mode changed, allows file output with debug_file.

Fixup returning user-unknown correctly.

Fix an issue where a failure to set permissions was wrongly outputted.

Documentation improvements.

Retain ownership and permission of challenge files (issue #92).

Make dependency on yubico-c-client 2.15 clearer.

Add proxy support for yubico-c-client.

Check that conv is set before trying to use it fixes a crash bug with the osx loginwindow.

Add building of a mac installer.

Add cainfo option to allow usage of a cabundle instead of path.

Support comments in authfile.

For challenge response with system-wide directory, write the files as root instead of the user.

Add new ldap functionality ldap_bind_user and ldap_bind_password for authenticated binds ldap_filter for using subtree search and a filter ldap_cacertfile to use a specific cacert for ldaps

Fix a memory leak of the pam response data.

Add more tests.

Add version flag to ykpamcfg.

Fix a bug with the urllist parameter where urls would be forgotten.

Manpages converted to asciidoc.

Fix a crashbug with the new parameter urllist

Added new parameter urllist

Added pam_yubico(8) man page.

Fix memory leak.

Bump yubico-c-client version requirement to 2.12.

Don’t install internal header files.

Don’t print debug info when the "debug" parameter is not given.

Use PBKDF2 to process expected reply for challenge-response mode.

Fixup memory leaks and leaks of privilege.

Let return values reflect whether the user wasn’t found or other error.

Fix a bug in the version check to support major version > 2 (neo). Patch from https://github.com/wwest4

Give ykpamcfg an option for specifying path.

Only use libyubikey when --with-cr is used.

Set correct permissions on tempfile.

YubiKey 2.2 contains a bug in challenge-response that makes it output the same response to all challenges unless HMAC_LT64 is set. Add warnings to ykpamcfg and a warning through conversate in the pam module. Keys programmed like this should be reprogrammed with the HMAC_LT64 flag set.

Fix crash-bug with challenge-response mode when button press is required, but button is never pressed. Reported and fixed by Lingzhu Xiang <xianglingzhu@gmail.com>.

Fix a memset() with wrong size as reported by clang, as well as some other problems/warnings when building on Mac OS X, thanks to Clemens Lang <neverpanic@gmail.com>.

Add prefix-matching of LDAP fetched values, so you can store the token-to-user mapping in a multi-value attribute with values like "yubikey:publicid", "other-token:something" etc. Patch by Remi Mollon <remi.mollon@cern.ch>.

Drop permissions (to the user that is trying to authenticate) before accessing files in the users home directory. Largely based on a patch by Ricky Zhou <ricky@fedoraproject.org>. Thanks!

Restore challenge-response support - version 2.7 was supposed to make the dependency on libykpers optional, but in reality accidentally disabled challenge-response for all configurations. As before, use --without-cr to compile pam_yubico without the ykpers dependency.

Security: Explicitly request ykclient to verify server signature. ykclient ⇐ 2.5 strangely enough defaults to signing requests, but not verifying signatures in responses when it is supplied with a client key.

Fix big security hole: Authentication succeeded when no password was given, unless use_first_pass was being used. This is fatal if pam_yubico is considered sufficient in the PAM configuration.

Make dependency on libykpers optional. Use --without-cr to force it. Reported by Jussi Sallinen <jussi@jus.si>.

This release includes lots of patches by members of our open source community. Thank you all!

Add Challenge-Response mode for offline validation (requires YubiKey 2.2). Patch by Tollef Fog Heen.

Eliminate all problems with pam_get_data by simply getting rid of that code completely. This seems to have caused problems for a lot of people.

Numerous LDAP bug fixes and improvements, including community patches by judas.iscariote and maxsanna81@gmail.com. Change to LDAPv3, since v2 has been declared historic for a looong time.

Support passing capath parameter to Yubico validation client. Patch by Remi Mollon.

Support public id’s longer/shorter than 6 bytes. Patch by fraser.scott@gmail.com.

Convert documentation to Asciidoc format used in Github wiki.

Try to never log passwords in debug logs.

Wiki articles are now inclded in the archive. Same license as code. Reported by dmitrij.ledkov in Issue #30: http://code.google.com/p/yubico-pam/issues/detail?id=30.

New keyword "verbose_otp" to allow displaying OTP characters. Contributed by qistoph reported in Issue #22: http://code.google.com/p/yubico-pam/issues/detail?id=22.

Build with -DPAM_DEBUG so that debug file writing works. Reported by qistoph in Issue #20: http://code.google.com/p/yubico-pam/issues/detail?id=20.

Make deprecated "ldapserver" work again. Reported by giovannibajo in Issue #27: http://code.google.com/p/yubico-pam/issues/detail?id=27.

Fix segmentation fault on 64-bit systems. Reported by multiple people in Issue #11: http://code.google.com/p/yubico-pam/issues/detail?id=11.

Don’t crash on ^D at su prompt, or generally, on a NULL password value.

New keyword "ldap_uri" added. This keyword is preferred over the old "ldapserver" keyword, and allows you to specify a complete LDAP URI instead of only the hostname of your LDAP server. Contributed by Zubrick.

Improved README. Contributed by Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>.

Added new PAM configuration variable "key" for base64 client key.

Fix documentation.

Fix warning.

Requires libykclient v2.0 or later. See http://code.google.com/p/yubico-c-client/.

Quick release to sync release archive with svn code.

Fix parsing of password into OTP/ID/password. Earlier string handling may have been incorrect for short strings.

Don’t pass integers via pam_set_data/pam_get_data. May solve problems on 64-bit platforms. Based on patch from forum.yubico.com.

Add support for "use_first_pass" and "try_first_pass". They work similar to other PAM modules, see README for more documentation.

Added support to store user:keyid mapping in LDAP. Contributed by Gregory Brusick <gregory@brusick.ch>.

Change license to 2-clause BSD. The Linux-PAM license is unclear, and in any case, the 2-clause BSD license is compatible with 3-clause BSD and GPL.

Solaris portability improvements. Suggested by Martin Englund <Martin.Englund@Sun.COM>.

Add new parameter url to specify the server template URL.

Support two-factor mode to provide a password.

Support a user-specific configuration file to allow yubikeys per user.

Use libyubikey-client instead of direct use of libcurl.

Move *.m4’s to m4/.

First release from code.google.com repository.

Clarify documentation with regard to license and development info.

Clarify that license is the same as Linux-PAM (GPLv2 or modified BSD). This is likely the last internal release, source moving to code.google.com.

Don’t free CURL’s user agent string before we’re done.

Version 1.3 (internal release)

Disable echo’ing of password, for FreeRadius.

Added PDF/HTML manual, see yubico-pam.pdf and yubico-pam.html.

Fixes to use new web service API.

Add "url" parameter.

Fix "alwaysok" parameter.

Fix crash on empty server responses.

Parse "status" properly.

Better debug info.

Fix ws-api usage.

Support "alwaysok".

Initial release.