Mon Mar 19 19:31:24 2012 UTC
pam-krb5 4.5

  * Suppress the notice that the password is being changed because it's
    expired if force_first_pass or use_first_pass is set in the password
    stack, indicating that it's stacked with another module that's also
    doing password changes.  This is arguable, but without this change the
    notification message of why the password is being changed shows up
    confusingly in the middle of the password change interaction.
  * Some old versions of Heimdal (0.7.2 in OpenBSD 4.9, specifically)
    reportedly return KRB5KDC_ERR_KEY_EXP for accounts with expired
    keys even if the supplied password is wrong.  Work around this by
    confirming that the PAM module can obtain tickets for kadmin/changepw
    before returning a password expiration error instead of an invalid
    password error.
  * The location of the temporary root-owned ticket cache created during
    the authentication process is now also controlled by the ccache_dir
    option (but not the ccache option) rather than forced to be in /tmp.
    This will allow system administrators to configure an alternative
    cache directory so that pam-krb5 can continue working when /tmp is
    full.
  * Report more specific errors in syslog if authorization checks (such as
    .k5login checks) fail.
  * Pass a NULL principal to krb5_set_password with MIT client libraries
    to prefer the older change password protocol for compatibility with
    older KDCs.  This is not necessary on Heimdal since Heimdal's
    krb5_set_password tries both protocols.
  * Improve logging and authorization checks when defer_pwchange is set
    and a user authenticates with an expired password.
  * When probing for Kerberos libraries, always add any supplemental
    libraries found to that point to the link command.  This will fix
    configure failures on platforms without working transitive shared
    library dependencies.
  * Close some memory leaks where unparsed Kerberos principal names were
    never freed.
  * Restructure the code to work with OpenPAM's default PAM build
    machinery, which exports a struct containing module entry points
    rather than public pam_sm_* functions.
  * In debug logging, report symbolic names for PAM flags on PAM function
    entry rather than the numeric PAM flags.  This helps with automated
    testing and with debugging PAM problems on different operating
    systems.
  * Include <krb5/krb5.h> if <krb5.h> is missing, which permits finding
    the header file on NetBSD systems.
  * Replace the Kerberos compatibility layer with equivalent but
    better-structured code from rra-c-util 4.0.
  * Avoid krb5-config and use manual library probing if --with-krb5-lib or
    --with-krb5-include were given to configure.  This avoids having to
    point configure at a nonexistent krb5-config to override its results.
  * Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in
    configure, to avoid a conflict with the variable used by the Kerberos
    libraries to find krb5.conf.
  * Change references to Kerberos v5 to just Kerberos in the documentation.
  * Update to rra-c-util 4.0
  * Update to C TAP Harness 1.9


(pettai)
diff -r1.3 -r1.4 pkgsrc/security/pam-krb5/Makefile
diff -r1.1.1.1 -r1.2 pkgsrc/security/pam-krb5/distinfo

cvs diff -r1.3 -r1.4 pkgsrc/security/pam-krb5/Makefile

--- pkgsrc/security/pam-krb5/Makefile 2011/12/01 16:05:18 1.3
+++ pkgsrc/security/pam-krb5/Makefile 2012/03/19 19:31:24 1.4
@@ -1,23 +1,22 @@ @@ -1,23 +1,22 @@
1# $NetBSD: Makefile,v 1.3 2011/12/01 16:05:18 wiz Exp $ 1# $NetBSD: Makefile,v 1.4 2012/03/19 19:31:24 pettai Exp $
2# 2#
3 3
4DISTNAME= pam-krb5-4.4 4DISTNAME= pam-krb5-4.5
5CATEGORIES= security 5CATEGORIES= security
6MASTER_SITES= http://archives.eyrie.org/software/kerberos/ 6MASTER_SITES= http://archives.eyrie.org/software/kerberos/
7 7
8MAINTAINER= pettai@NetBSD.org 8MAINTAINER= pettai@NetBSD.org
9HOMEPAGE= http://www.eyrie.org/~eagle/software/pam-krb5/ 9HOMEPAGE= http://www.eyrie.org/~eagle/software/pam-krb5/
10COMMENT= Very flexible kerberos module for the PAM framework 10COMMENT= Very flexible kerberos module for the PAM framework
11LICENSE= original-bsd OR gnu-gpl-v2 11LICENSE= original-bsd OR gnu-gpl-v2
12 12
13PKG_DESTDIR_SUPPORT= user-destdir 13PKG_DESTDIR_SUPPORT= user-destdir
14 14
15USE_LIBTOOL= yes 15USE_LIBTOOL= yes
16 16
17GNU_CONFIGURE= yes 17GNU_CONFIGURE= yes
18CONFIGURE_ARGS+= --with-krb5-include=/usr/include/krb5 
19 18
20CPPFLAGS.NetBSD+= -DNO_STATIC_MODULES 19CPPFLAGS.NetBSD+= -DNO_STATIC_MODULES
21 20
22.include "../../mk/krb5.buildlink3.mk" 21.include "../../mk/krb5.buildlink3.mk"
23.include "../../mk/bsd.pkg.mk" 22.include "../../mk/bsd.pkg.mk"
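
Review bot: old line 18, `CONFIGURE_ARGS+= --with-krb5-include=/usr/include/krb5`, is dropped without any mention in the log message, which only reproduces the upstream 4.5 notes. If the removal relies on the 4.5 change that falls back to <krb5/krb5.h> when <krb5.h> is missing, say so in the log so the reason survives in the history. Separately, MASTER_SITES on line 6 is still a plain http:// URL, so the distinfo digests are the only integrity check on the fetched tarball.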

cvs diff -r1.1.1.1 -r1.2 pkgsrc/security/pam-krb5/distinfo

--- pkgsrc/security/pam-krb5/distinfo 2011/11/30 23:20:19 1.1.1.1
+++ pkgsrc/security/pam-krb5/distinfo 2012/03/19 19:31:24 1.2
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
1$NetBSD: distinfo,v 1.1.1.1 2011/11/30 23:20:19 pettai Exp $ 1$NetBSD: distinfo,v 1.2 2012/03/19 19:31:24 pettai Exp $
2 2
3SHA1 (pam-krb5-4.4.tar.gz) = 117ed0fd42cceac93d1d7a6801006bb13c098113 3SHA1 (pam-krb5-4.5.tar.gz) = 82fc9cf4820afc765ad236baf17e377353d1b2e7
4RMD160 (pam-krb5-4.4.tar.gz) = 071ddf4d1e3c05da14702364f2300fbfd9f65d87 4RMD160 (pam-krb5-4.5.tar.gz) = a1f6d2ba8067aa337f2ccb652d8cca554f551808
5Size (pam-krb5-4.4.tar.gz) = 394426 bytes 5Size (pam-krb5-4.5.tar.gz) = 504575 bytes
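
Review bot: lines 3 to 5 swap in new digests and the size jumps from 394426 to 504575 bytes, but the log does not record how pam-krb5-4.5.tar.gz was verified before its hashes were committed. Because the distfile is fetched over http (MASTER_SITES in the Makefile), these entries are the trust anchor for every later build, so note in the log that the tarball was checked against an upstream-published checksum or signature if one is available. The file also carries only SHA1 and RMD160 entries; consider adding a stronger digest if the package infrastructure supports one.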