pam (1.1.0-1) unstable; urgency=low
* pam_cracklib no longer checks for reuse of old passwords
The pam_cracklib module no longer checks /etc/security/opasswd to see
if the proposed password is one that was previously used. This
functionality has been split out into a new module, pam_pwhistory.
The pam_unix module still does its own check of /etc/security/opasswd,
so if you are using this module you should not need to change anything.
* Change in handling of /etc/shadow fields
The Debian PAM package included a patch to treat a value of 0 in certain
fields in /etc/shadow as the same as an empty field. This patch has
been dropped, since it caused the behavior of pam_unix to differ from
both that of PAM upstream and that of the shadow package.
The main consequences of this change are that:
- a "0" in the sp_expire field will be treated as a date of Jan 1, 1970
instead of a "never expires" value, so users with this set will be
unable to log in
- a "0" in the sp_inact field will indicate that the user should not be
allowed to change an expired password at all, instead of being allowed
to change an expired at any time after the expiry.
See Debian bug #308229 for more information about this change.
-- Steve Langasek <email@example.com> Tue, 25 Aug 2009 00:13:57 -0700
pam (0.99.10.0-1) unstable; urgency=low
* pam_rhosts_auth module obsolete
The pam_rhosts_auth module has been dropped upstream in favor of the
more featureful and better-maintained pam_rhosts module. To ease the
transition to pam_rhosts, a compatibility symlink has been provided to
map pam_rhosts_auth to pam_rhosts on your system; however, pam_rhosts
doesn't support all of the same module options and the compatibility
symlink will be dropped in a future release. You should update any
configs to use pam_rhosts instead of pam_rhosts_auth as soon as possible.
For information on using pam_rhosts, see the pam_rhosts(8) manpage.
-- Steve Langasek <firstname.lastname@example.org> Sat, 26 Jul 2008 22:01:22 -0700
pam (0.99.7.1-5) unstable; urgency=low
* Default Unix minimum password length has changed
Previous versions of pam_unix on Debian had a built-in minimum password
length of 1 character, and a minimum password length configured in
/etc/pam.d/common-password of 4 characters. This differed from the
upstream default of 6 characters. This has been changed, so the
default /etc/pam.d/common-password no longer overrides the compile-time
default and the compile-time default has been raised to 6 characters.
If you are using pam_unix but are not using the default
/etc/pam.d/common-password file, it is recommended that you drop any
min= options to pam_unix from your config unless you have stronger
local password requirements that the upstream default.
The password length 'max' option has also been deprecated in this
version because it was never written to work as suggested in the
documentation. If you are using pam_unix but are not using the default
/etc/pam.d/common-password file, you should remove any old max= options
to pam_unix from your config as this option will be considered an error
in future versions of pam.
-- Steve Langasek <email@example.com> Sat, 01 Sep 2007 21:27:11 -0700