pam_yubico NEWS -- History of user-visible changes. -*- outline -*- * Version 2.18 (unreleased) * Version 2.17 (released 2014-08-26) ** Fix a bug with the 'urllist' parameter where urls would be forgotten. ** Manpages converted to asciidoc. * Version 2.16 (released 2014-06-10) ** Fix a crashbug with the new parameter 'urllist' * Version 2.15 (released 2014-04-30) ** Added new parameter 'urllist' ** Added pam_yubico(8) man page. ** Fix memory leak. ** Bump yubico-c-client version requirement to 2.12. * Version 2.14 (released 2013-09-27) ** Don't install internal header files. ** Don't print debug info when the "debug" parameter is not given. ** Use PBKDF2 to process expected reply for challenge-response mode. ** Fixup memory leaks and leaks of privilege. ** Let return values reflect whether the user wasn't found or other error. * Version 2.13 (released 2013-03-01) * Fix a bug in the version check to support major version > 2 (neo). Patch from https://github.com/wwest4 * Give ykpamcfg an option for specifying path. * Version 2.12 (released 2012-06-15) ** Only use libyubikey when --with-cr is used. ** Set correct permissions on tempfile. ** YubiKey 2.2 contains a bug in challenge-response that makes it output the same response to all challenges unless HMAC_LT64 is set. Add warnings to ykpamcfg and a warning through conversate in the pam module. Keys programmed like this should be reprogrammed with the HMAC_LT64 flag set. * Version 2.11 (released 2012-02-10) ** Fix crash-bug with challenge-response mode when button press is required, but button is never pressed. Reported and fixed by Lingzhu Xiang <xianglingzhu@gmail.com>. ** Fix a memset() with wrong size as reported by clang, as well as some other problems/warnings when building on Mac OS X, thanks to Clemens Lang <neverpanic@gmail.com>. ** Add prefix-matching of LDAP fetched values, so you can store the token-to-user mapping in a multi-value attribute with values like "yubikey:publicid", "other-token:something" etc. Patch by Remi Mollon <remi.mollon@cern.ch>. * Version 2.10 (released 2011-12-14) ** Drop permissions (to the user that is trying to authenticate) before accessing files in the users home directory. Largely based on a patch by Ricky Zhou <ricky@fedoraproject.org>. Thanks! ** Restore challenge-response support - version 2.7 was supposed to make the dependency on libykpers optional, but in reality accidentally disabled challenge-response for all configurations. As before, use --without-cr to compile pam_yubico without the ykpers dependency. * Version 2.9 (released 2011-11-17) ** Security: Explicitly request ykclient to verify server signature. ykclient <= 2.5 strangely enough defaults to signing requests, but not verifying signatures in responses when it is supplied with a client key. Reported and patched by Dominic Rutherford <dominic@rutherfordfamily.co.uk>. * Version 2.8 (released 2011-08-26) ** Fix big security hole: Authentication succeeded when no password was given, unless use_first_pass was being used. This is fatal if pam_yubico is considered 'sufficient' in the PAM configuration. Reported and patched by Nanakos Chrysostomos <nanakos@wired-net.gr>. * Version 2.7 (released 2011-06-07) ** Make dependency on libykpers optional. Use --without-cr to force it. Reported by Jussi Sallinen <jussi@jus.si>. * Version 2.6 (released 2011-04-11) ** This release includes lots of patches by members of our open source community. Thank you all! ** Add Challenge-Response mode for offline validation (requires YubiKey 2.2). Patch by Tollef Fog Heen. ** Eliminate all problems with pam_get_data by simply getting rid of that code completely. This seems to have caused problems for a lot of people. ** Numerous LDAP bug fixes and improvements, including community patches by judas.iscariote and maxsanna81@gmail.com. Change to LDAPv3, since v2 has been declared historic for a looong time. ** Support passing capath parameter to Yubico validation client. Patch by Remi Mollon. ** Support public id's longer/shorter than 6 bytes. Patch by fraser.scott@gmail.com. ** Convert documentation to Asciidoc format used in Github wiki. ** Try to never log passwords in debug logs. * Version 2.5 (released 2010-09-10) ** Wiki articles are now inclded in the archive. Same license as code. Reported by dmitrij.ledkov in Issue #30: <http://code.google.com/p/yubico-pam/issues/detail?id=30>. * Version 2.4 (released 2010-09-10) ** New keyword "verbose_otp" to allow displaying OTP characters. Contributed by qistoph reported in Issue #22: <http://code.google.com/p/yubico-pam/issues/detail?id=22>. ** Build with -DPAM_DEBUG so that debug file writing works. Reported by qistoph in Issue #20: <http://code.google.com/p/yubico-pam/issues/detail?id=20>. ** Make deprecated "ldapserver" work again. Reported by giovannibajo in Issue #27: <http://code.google.com/p/yubico-pam/issues/detail?id=27>. ** Fix segmentation fault on 64-bit systems. Reported by multiple people in Issue #11: <http://code.google.com/p/yubico-pam/issues/detail?id=11>. ** Don't crash on ^D at su prompt, or generally, on a NULL password value. * Version 2.3 (released 2010-04-14) ** New keyword "ldap_uri" added. This keyword is preferred over the old "ldapserver" keyword, and allows you to specify a complete LDAP URI instead of only the hostname of your LDAP server. Contributed by Zubrick. ** Improved README. Contributed by Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>. * Version 2.2 (released 2009-05-11) ** Added new PAM configuration variable "key" for base64 client key. * Version 2.1 (released 2009-03-31) ** Fix documentation. ** Fix warning. * Version 2.0 (released 2009-03-25) ** Requires libykclient v2.0 or later. See <http://code.google.com/p/yubico-c-client/>. * Version 1.14 (released 2009-03-24) ** Quick release to sync release archive with svn code. * Version 1.13 (released 2009-03-24) ** Fix parsing of password into OTP/ID/password. Earlier string handling may have been incorrect for short strings. ** Don't pass integers via pam_set_data/pam_get_data. May solve problems on 64-bit platforms. Based on patch from forum.yubico.com. * Version 1.12 (released 2009-03-24) ** Add support for "use_first_pass" and "try_first_pass". They work similar to other PAM modules, see README for more documentation. Upgrade notice: If you are relying on getting the Yubikey OTP from an earlier PAM module, and no prompting by the pam_yubico module, you need to add "try_first_pass" to preserve the same behaviour. * Version 1.11 (released 2009-02-11) ** Added support to store user:keyid mapping in LDAP. Contributed by Gregory Brusick <gregory@brusick.ch>. * Version 1.10 (released 2009-01-13) ** Change license to 2-clause BSD. The Linux-PAM license is unclear, and in any case, the 2-clause BSD license is compatible with 3-clause BSD and GPL. * Version 1.9 (released 2009-01-13) ** Solaris portability improvements. Suggested by Martin Englund <Martin.Englund@Sun.COM>. * Version 1.8 (released 2008-09-15) ** Add new parameter 'url' to specify the server template URL. * Version 1.7 (released 2008-09-01) ** Support two-factor mode to provide a password. ** Support a user-specific configuration file to allow yubikeys per user. ** Use libyubikey-client instead of direct use of libcurl. ** Move *.m4's to m4/. * Version 1.6 (released 2008-01-11) ** First release from code.google.com repository. ** Clarify documentation with regard to license and development info. * Version 1.5 (internal release) ** Clarify that license is the same as Linux-PAM (GPLv2 or modified BSD). This is likely the last internal release, source moving to code.google.com. * Version 1.4 (internal release) ** Don't free CURL's user agent string before we're done. ** Version 1.3 (internal release) ** Disable echo'ing of password, for FreeRadius. * Version 1.2 (internal release) ** Added PDF/HTML manual, see yubico-pam.pdf and yubico-pam.html. ** Fixes to use new web service API. ** Add "url" parameter. ** Fix "alwaysok" parameter. ** Fix crash on empty server responses. ** Parse "status" properly. ** Better debug info. * Version 1.1 (internal release) ** Fix ws-api usage. ** Support "alwaysok". * Version 1.0 (internal release) ** Initial release.