Noteworthy changes in Linux-PAM 1.7.1

• pam_access: do not resolve ttys or display variables as hostnames.
• pam_access: added "nodns" option to disallow resolving of tokens as hostnames
  (CVE-2024-10963).
• pam_limits: added support for rttime (RLIMIT_RTTIME).
• pam_namespace: fixed potential privilege escalation (CVE-2025-6020).
• meson: added support of elogind as a logind provider.
• Multiple minor bug fixes, build fixes, portability fixes,
  documentation improvements, and translation updates.

Noteworthy changes in Linux-PAM 1.7.0

• build: changed build system from autotools to meson.
• libpam_misc: use ECHOCTL in the terminal input
• pam_access: support UID and GID in access.conf
• pam_env: install environment file in vendordir if vendordir is enabled
• pam_issue: only count class user if logind support is enabled
• pam_limits: use systemd-logind instead of utmp if logind support is enabled
• pam_unix: compare password hashes in constant time
• Multiple minor bug fixes, build fixes, portability fixes,
  documentation improvements, and translation updates.

Noteworthy changes in Linux-PAM 1.6.1

• build: fail if specified configure options cannot be satisfied.
• pam_env: fixed --disable-econf --enable-vendordir support.
• pam_unix: do not warn if password aging is disabled.
• pam_unix: try to set uid to 0 before unix_chkpwd invocation.
• pam_unix: allow empty passwords with non-empty hashes.
• Multiple minor bug fixes, build fixes, portability fixes,
  documentation improvements, and translation updates.

Downloads

Please ignore so called "Source code" links provided by github, they are useless.

Noteworthy changes in Linux-PAM 1.6.0

• Added support of configuration files with arbitrarily long lines.
• build: fixed build outside of the source tree.
• libpam: added use of getrandom(2) as a source of randomness if available.
• libpam: fixed calculation of fail delay with very long delays.
• libpam: fixed potential infinite recursion with includes.
• libpam: implemented string to number conversions validation when parsing
  controls in configuration.
• pam_access: added quiet_log option.
• pam_access: fixed truncation of very long group names.
• pam_canonicalize_user: new module to canonicalize user name.
• pam_echo: fixed file handling to prevent overflows and short reads.
• pam_env: added support of '' character in environment variable values.
• pam_exec: allowed expose_authtok for password PAM_TYPE.
• pam_exec: fixed stack overflow with binary output of programs.
• pam_faildelay: implemented parameter ranges validation.
• pam_listfile: changed to treat \r and \n exactly the same in configuration.
• pam_mkhomedir: hardened directory creation against timing attacks.
  Please note that using *at functions leads to more open file handles
  during creation.
• pam_namespace: fixed potential local DoS (CVE-2024-22365).
• pam_nologin: fixed file handling to prevent short reads.
• pam_pwhistory: helper binary is now built only if SELinux support is enabled.
• pam_pwhistory: implemented reliable usernames handling when remembering
  passwords.
• pam_shells: changed to allow shell entries with absolute paths only.
• pam_succeed_if: fixed treating empty strings as numerical value 0.
• pam_unix: added support of disabled password aging.
• pam_unix: synchronized password aging with shadow.
• pam_unix: implemented string to number conversions validation.
• pam_unix: fixed truncation of very long user names.
• pam_unix: corrected rounds retrieval for configured encryption method.
• pam_unix: implemented reliable usernames handling when remembering passwords.
• pam_unix: changed to always run the helper to obtain shadow password entries.
• pam_unix: unix_update helper binary is now built only if SELinux support
  is enabled.
• pam_unix: added audit support to unix_update helper.
• pam_userdb: added gdbm support.
• Multiple minor bug fixes, portability fixes, documentation improvements,
  and translation updates.

Downloads

Please ignore so called "Source code" links provided by github, they are useless.

Noteworthy changes in Linux-PAM 1.5.3

• configure: added options to configure stylesheets.
• configure: added --enable-logind option to use logind instead of utmp
  in pam_issue and pam_timestamp.
• pam_modutil_getlogin: changed to use getlogin() from libc instead of parsing utmp.
• Added libeconf support to pam_env and pam_shells.
• Added vendor directory support to pam_access, pam_env, pam_group, pam_faillock,
  pam_limits, pam_namespace, pam_pwhistory, pam_sepermit, pam_shells, and pam_time.
• pam_limits: changed to not fail on missing config files.
• pam_pwhistory: added conf= option to specify config file location.
• pam_pwhistory: added file= option to specify password history file location.
• pam_shells: added shells.d support when libeconf and vendordir are enabled.
• Deprecated pam_lastlog: this module is no longer built by default because
  it uses utmp, wtmp, btmp and lastlog, but none of them are Y2038 safe,
  even on 64bit architectures.
  pam_lastlog will be removed in one of the next releases, consider using
  pam_lastlog2 (from https://github.com/thkukuk/lastlog2) and/or
  pam_wtmpdb (from https://github.com/thkukuk/wtmpdb) instead.
• Deprecated _pam_overwrite(), _pam_overwrite_n(), and _pam_drop_reply() macros
  provided by _pam_macros.h; the memory override performed by these macros can
  be optimized out by the compiler and therefore can no longer be relied upon.
• Multiple minor bug fixes, portability fixes, documentation improvements,
  and translation updates.

Downloads

Please ignore so called "Source code" links provided by github, they are useless.

Noteworthy changes in Linux-PAM 1.5.2

• pam_exec: implemented quiet_log option.
• pam_mkhomedir: added support of HOME_MODE and UMASK from /etc/login.defs.
• pam_timestamp: changed hmac algorithm to call openssl instead of the bundled
  sha1 implementation if selected, added option to select
  the hash algorithm to use with HMAC.
• Added pkgconfig files for provided libraries.
• Added --with-systemdunitdir configure option to specify systemd unit
  directory.
• Added --with-misc-conv-bufsize configure option to specify the buffer size
  in libpam_misc's misc_conv() function, raised the default value for this
  parameter from 512 to 4096.
• Multiple minor bug fixes, portability fixes, documentation improvements,
  and translation updates.

Downloads

Please ignore so called "Source code" links provided by github, they are useless.

Noteworthy changes in Linux-PAM 1.5.1

• pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
  doesn't exist and root password is blank
• pam_faillock: added nodelay option to not set pam_fail_delay
• pam_wheel: use pam_modutil_user_in_group to check for the group membership
  with getgrouplist where it is available

Downloads

Please ignore so called "Source code" links provided by github, they are useless.

Noteworthy changes in Linux-PAM 1.5.0

• Multiple minor bug fixes, portability fixes, and documentation improvements.
• Extended libpam API with pam_modutil_check_user_in_passwd function.
• configure: added --disable-unix option to disable build of pam_unix module.
• pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
• pam_limits: added support for nonewprivs item.
• pam_motd: read motd files with target user credentials skipping unreadable ones.
• pam_pwhistory: added a SELinux helper executable.
• pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
• pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
• Removed deprecated pam_cracklib module, use pam_passwdqc (from passwdqc project)
  or pam_pwquality (from libpwquality project) instead.
• Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead.
• pam_env: Reading of the user environment is deprecated and will be removed
  at some point in the future.
• libpam: pam_modutil_drop_priv() now correctly sets the target user's
  supplementary groups, allowing pam_motd to filter messages accordingly.

Downloads

Please ignore so called "Source code" links provided by github, they are useless.

Noteworthy changes in Linux-PAM 1.4.0

• Multiple minor bug fixes and documentation improvements
• Fixed grammar of messages printed via pam_prompt
• Added support for a vendor directory and libeconf
• configure: Added --enable-Werror option to enable -Werror build
• configure: Allowed disabling documentation through --disable-doc
• pam_get_authtok_verify: Avoid duplicate password verification
• pam_cracklib: Fixed parsing of options without arguments
• pam_env: Changed the default to not read the user .pam_environment file
• pam_exec: Require a user name to be specified before the command is executed
• pam_faillock: New module for locking after multiple auth failures
• pam_group, pam_time: Fixed logical error with multiple ! operators
• pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session
• pam_lastlog: Do not log info about failed login if the session was opened
  with PAM_SILENT flag
• pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs
• pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize'
  limit
• pam_mkhomedir: Fixed return value when the user is unknown
• pam_motd: Export MOTD_SHOWN=pam after showing MOTD
• pam_motd: Support multiple motd paths specified, with filename overrides
• pam_namespace: Added a systemd service, which creates the namespaced
  instance parent directories during boot
• pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
• pam_selinux: Check unknown object classes or permissions in current policy
• pam_selinux: Fall back to log to syslog if audit logging fails
• pam_setquota: New module to set or modify disk quotas on session start
• pam_shells: Recognize /bin/sh as the default shell
• pam_succeed_if: Fixed potential override of the default prompt
• pam_succeed_if: Support lists in group membership checks
• pam_time: Added conffile= option to specify an alternative configuration file
• pam_tty_audit: If kernel audit is disabled return PAM_IGNORE
• pam_umask: Added new 'nousergroups' module argument and allowed specifying
  the default for usergroups at build-time
• pam_unix: Added 'nullresetok' option to allow resetting blank passwords
• pam_unix: Report unusable hashes found by checksalt to syslog
• pam_unix: Return PAM_AUTHINFO_UNAVAIL when shadow entry is unavailable
• pam_unix: Support for (gost-)yescrypt hashing methods
• pam_unix: Use bcrypt b-variant when it bcrypt is chosen
• pam_usertype: New module to tell if uid is in login.defs ranges
• Fixed and documented possible values returned by pam_get_user()
• Added new API call pam_start_confdir() for special applications that
  cannot use the system-default PAM configuration paths and need to
  explicitly specify another path
• Deprecated pam_cracklib: this module is no longer built by default and will
  be removed in the next release, use pam_passwdqc (from passwdqc project)
  or pam_pwquality (from libpwquality project) instead
• Deprecated pam_tally and pam_tally2: these modules are no longer built
  by default and will be removed in the next release, use pam_faillock instead

Downloads

Please ignore so called "Source code" links provided by github, they are useless.

• pam_motd: add support for a motd.d directory
• pam_umask: Fix documentation to align with order of loading umask
• pam_get_user.3: Fix missing word in documentation
• pam_tally2 --reset: avoid creating a missing tallylog file
• pam_mkhomedir: Allow creating parent of homedir under /
• access.conf.5: Add note about spaces around ':'
• pam.8: Workaround formatting problem
• pam_unix: Check return value of malloc used for setcred data
• pam_cracklib: Drop unused prompt macros
• pam_tty_audit: Support matching users by uid range
• pam_access: support parsing files in /etc/security/access.d/*.conf
• pam_localuser: Correct documentation
• pam_issue: Fix no prompting in parse escape codes mode
• Unification and cleanup of syslog log levels