summaryrefslogtreecommitdiffstats
path: root/debian/NEWS
blob: c6c4f7f04cc501a65f838e9a5ffd86ebb6a2c21c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
pam (1.1.2-1) unstable; urgency=low

  * Name of option for minimum Unix password length has changed

    The Debian-specific 'min=n' option to pam_unix for specifying minimum
    lengths for new passwords has been replaced by a new upstream option
    called 'minlen=n'.  If you are using 'min=n' in
    /etc/pam.d/common-password, this will be migrated to the new option name
    for you on upgrade.  If you have configured pam_unix password changing
    elsewhere on your system, such as in a PAM profile under
    /usr/share/pam-configs or in other files in /etc/pam.d, you will need to
    update them by hand for this change.

 -- Steve Langasek <vorlon@debian.org>  Tue, 31 Aug 2010 23:09:30 -0700

pam (1.1.0-3) unstable; urgency=low

  * pam_rhosts_auth module obsolete, symlink removed

    The pam_rhosts_auth module was dropped upstream prior to the lenny
    release and a compatibility symlink provided in the libpam-modules
    package, pointing at the new (and not 100% compatible) pam_rhosts
    module.  This symlink has now been dropped.  If you still have
    references to pam_rhosts_auth in your /etc/pam.d/* config files, you
    will need to fix these, since they no longer work.

    For information on using pam_rhosts, see the pam_rhosts(8) manpage.

 -- Steve Langasek <vorlon@debian.org>  Wed, 02 Sep 2009 16:17:16 -0700

pam (1.1.0-1) unstable; urgency=low

  * pam_cracklib no longer checks for reuse of old passwords

    The pam_cracklib module no longer checks /etc/security/opasswd to see
    if the proposed password is one that was previously used.  This
    functionality has been split out into a new module, pam_pwhistory.

    The pam_unix module still does its own check of /etc/security/opasswd,
    so if you are using this module you should not need to change anything.

  * Change in handling of /etc/shadow fields

    The Debian PAM package included a patch to treat a value of 0 in certain
    fields in /etc/shadow as the same as an empty field.  This patch has
    been dropped, since it caused the behavior of pam_unix to differ from
    both that of PAM upstream and that of the shadow package.

    The main consequences of this change are that:

    - a "0" in the sp_expire field will be treated as a date of Jan 1, 1970
      instead of a "never expires" value, so users with this set will be
      unable to log in

    - a "0" in the sp_inact field will indicate that the user should not be
      allowed to change an expired password at all, instead of being allowed
      to change an expired at any time after the expiry.

    See Debian bug #308229 for more information about this change.

 -- Steve Langasek <vorlon@debian.org>  Tue, 25 Aug 2009 00:13:57 -0700

pam (0.99.7.1-5) unstable; urgency=low

  * Default Unix minimum password length has changed

    Previous versions of pam_unix on Debian had a built-in minimum password
    length of 1 character, and a minimum password length configured in
    /etc/pam.d/common-password of 4 characters.  This differed from the
    upstream default of 6 characters.  This has been changed, so the
    default /etc/pam.d/common-password no longer overrides the compile-time
    default and the compile-time default has been raised to 6 characters.
    If you are using pam_unix but are not using the default
    /etc/pam.d/common-password file, it is recommended that you drop any
    min= options to pam_unix from your config unless you have stronger
    local password requirements that the upstream default.

    The password length 'max' option has also been deprecated in this
    version because it was never written to work as suggested in the
    documentation.  If you are using pam_unix but are not using the default
    /etc/pam.d/common-password file, you should remove any old max= options
    to pam_unix from your config as this option will be considered an error
    in future versions of pam.

 -- Steve Langasek <vorlon@debian.org>  Sat, 01 Sep 2007 21:27:11 -0700