- Update to version 2.6.14
* pam_oath: Support null_usersfile_okay parameter. The argument
no_usersfile_okay forces the module to act as if the user is
not present in the config, if the config file does not exist.
This has security implications; only use it if you know what
you are doing. E.g., if the file is in a mount like home and
that fails to be mounted, then this will succeed even if the
OTP is configured for that user. Patch by Luna, Jan Zerebecki, and
Miika Alikirri; see
https://codeberg.org/oath-toolkit/oath-toolkit/pulls/94.
* pam_oath README: Suggest KbdInteractiveAuthentication instead
of deprecated ChallengeResponseAuthentication; see
https://codeberg.org/oath-toolkit/oath-toolkit/pulls/112.
* Various build fixes including updated gnulib files. Fixes
building with glibc 2.43.
- Update to version 2.6.13
* liboath/libpskc: Fix _FORTIFY_SOURCE build problem and allow
configuration.
* liboath: Fix --with-openssl builds
* Git hosting moved from gitlab.com to codeberg.org. The new URL
is https://codeberg.org/oath-toolkit/oath-toolkit although the
old GitLab project will continue to be used for pipelines.
https://gitlab.com/oath-toolkit/oath-toolkit/-/pipelines
* Various build fixes including updated gnulib files. Gnulib
files are no longer stored in git version control. As a
consequence, gnulib is a required build dependency when
building from git, see CONTRIBUTING.md.
- Update to version 2.6.12
* Reported by Fabian Vogt (SUSE), and associated with
CVE-2024-47191.
OBS-URL: https://build.opensuse.org/request/show/1330695
OBS-URL: https://build.opensuse.org/package/show/security/oath-toolkit?expand=0&rev=43
- Update to version 2.6.7
* pam_oath: Support variables in usersfile string parameter.
These changes introduce the ${USER} and ${HOME} placeholder
values for the usersfile string in the pam_oath configuration
file. The placeholder values allow the user credentials file
to be stored in a file path that is relative to the user, and
mimics similar behavior found in google-authenticator-libpam.
The motivation for these changes is to allow for
non-privileged processes to use pam_oath (e.g., for 2FA with
xscreensaver). Non-privileged and non-suid programs are
unable to use pam_oath. These changes are a proposed
alternative to a suid helper binary as well.
* doc: Fix project URL in man pages.
* build: Drop use of libxml's AM_PATH_XML2 in favor of pkg-config.
* build: Modernize autotools usage.
Most importantly, no longer use -Werror with AM_INIT_AUTOMAKE
to make rebuilding from source more safe with future automake
versions.
* Updated gnulib files.
OBS-URL: https://build.opensuse.org/request/show/889828
OBS-URL: https://build.opensuse.org/package/show/security/oath-toolkit?expand=0&rev=29
- Update to version 2.6.6
* oathtool: Support for reading KEY and OTP from standard input
or filename. KEY and OTP may now be given as '-' to mean
stdin, or @FILE to read from a particular file. This is
recommended on multi-user systems, since secrets as command
line parameters leak.
* pam_oath: Fix unlikely logic fail on out of memory conditions.
OBS-URL: https://build.opensuse.org/request/show/865095
OBS-URL: https://build.opensuse.org/package/show/security/oath-toolkit?expand=0&rev=27
- Update to version 2.6.5
* oathtool: Support for reading KEY and OTP from standard input
or filename.
KEY and OTP may now be given as '-' to mean stdin, or @FILE to
read from a particular file. This is recommended on multi-user
systems, since secrets as command line parameters leak.
* pam_oath: Fix unlikely logic fail on out of memory conditions.
* Doc fixes.
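The leak noted in the 2.6.6 and 2.6.5 entries, shown as an added example that is not part of the changelog or of oath-toolkit: on Linux a process's arguments can be read from /proc/PID/cmdline while it runs, so a KEY given as an argument is visible and one given via '-' is not. The stand-in child program and DEMO_KEY are constructed for the demonstration, and oathtool itself is not invoked.

```python
import subprocess
import sys

DEMO_KEY = "JBSWY3DPEHPK3PXP"  # constructed base32 sample, not a real secret

# Hypothetical stand-in for a tool that takes KEY as an argument or as "-":
# with "-" it uses the line read from stdin, otherwise the argument itself.
STAND_IN = (
    "import sys\n"
    "arg = sys.argv[1]\n"
    "data = sys.stdin.readline().strip()\n"
    "key = data if arg == '-' else arg\n"
    "print(len(key))\n"
)


def cmdline_of(pid):
    """Return the argv of a running process as exposed by Linux /proc."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [a.decode() for a in fh.read().split(b"\0") if a]


def run_and_observe(key, via_stdin):
    """Start the stand-in, capture its visible argv while it runs.

    Returns (argv_seen, program_output).
    """
    arg = "-" if via_stdin else key
    proc = subprocess.Popen(
        [sys.executable, "-c", STAND_IN, arg],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True,
    )
    # Popen returns after exec and the child blocks on stdin, so argv is stable.
    seen = cmdline_of(proc.pid)
    out, _ = proc.communicate((key if via_stdin else "") + "\n")
    return seen, out.strip()


def key_exposed(key, via_stdin):
    """True if the key appears in the process's visible argument list."""
    seen, _ = run_and_observe(key, via_stdin)
    return any(key in a for a in seen)


if __name__ == "__main__":
    print("argv :", key_exposed(DEMO_KEY, via_stdin=False))  # True
    print("stdin:", key_exposed(DEMO_KEY, via_stdin=True))   # False
```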
- Update to version 2.6.4
* libpskc: New --with-xmlsec-crypto-engine to hard-code crypto
engine. Use it like --with-xmlsec-crypto-engine=gnutls or
--with-xmlsec-crypto-engine=openssl if the default dynamic
loading fails because of runtime linker search path issues.
* oathtool --totp --verbose now prints TOTP hash mode.
* oathtool: Hash names (e.g., SHA256) for --totp are now upper
case. Lower/mixed case hash names are supported for
compatibility.
* pam_oath: Fail gracefully for missing users.
This allows you to incrementally add support for OATH
authentication instead of forcing it on all users.
* Fix libpskc memory corruption bug.
* Fix man pages.
* Build fixes.
- Update to version 2.6.3
* pam_oath: Fix self-tests.
- Drop no longer needed patches:
* 0001-Fix-no-return-in-nonvoid-function-errors-reported-by.patch
* 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch
* 0002-update_gnulibs_files.patch
* gnulib-libio.patch
OBS-URL: https://build.opensuse.org/request/show/859201
OBS-URL: https://build.opensuse.org/package/show/security/oath-toolkit?expand=0&rev=25