This report covers the period from March 9th, 2002 to April 8th, 2002. Because the period was cut short by Easter and obligations to other customers, a total of only 42.5 hours was spent on PAM work. A large majority of this time was spent on upgrading FreeBSD's version of OpenSSH, integrating PAM in OpenSSH, updating the pam_ssh(8) module, and fixing related bugs. Some time was spent cleaning up other PAM modules and improving OpenPAM.
All work this period was performed by Dag-Erling Smørgrav.
During the period covered by this activity report, two new OpenPAM releases were rolled (Centaury on 2002-03-14 and Cinchona on 2002-04-08). These releases incorporated a number of bug fixes, mostly related to resource allocation and minor memory leaks, and a number of improvements, most notably:
Updated documentation; only five API functions still lack documentation.
Additional error checking to detect incorrect usage of PAM primitives.
Added code to pam_get_authtok(3) to ask the user to retype the new password when it detects that the password is being changed.
Added API functions for credential switching for modules that need to borrow the target user's credentials for certain operations (like starting processes on the user's behalf).
We have also been contacted by individuals who are interested in using OpenPAM on Linux and OS X.
FreeBSD's version of pam_ssh(8) was upgraded to version 1.6, and extensive modifications were made to plug memory leaks and a possible security hole. Some minor issues remain to be investigated, but they are believed to be bugs in the original code and not integration errors.
FreeBSD's version of OpenSSH was upgraded to version 3.1, and a number of bugs (both pre-existing ones and a few introduced in the upgrade) were fixed. Some known bugs still remain, and will be corrected in due time.
Once the upgrade was complete, OpenSSH's authentication code was patched to use PAM for protocol version 2 connections (it had previously been patched to use PAM for protocol version 1 connections by Eivind Eklund). This introduced some minor but annoying interoperability problems with older versions of OpenSSH; these remain to be solved.
No significant work was done in the ports collection this period. Some time was spent discussing portability issues with some authors and integrators of third-party software; this resulted in changes both to OpenPAM and to third-party software to ease portability of such software between Linux-PAM and OpenPAM.
The following is a list of some of the major remaining tasks:
Complete OpenPAM documentation, and the PAM article which was begun late last year and put on hold while OpenPAM was being implemented.
Finish cleaning up FreeBSD's PAM modules.
Finish converting FreeBSD userland applications such as the passwd(1) and chpass(1) commands to PAM.
Fully inventory and test PAM consumers in the ports collection, and update or correct them as necessary.
Investigate Apple's CDSA technology and its advantages or disadvantages compared to PAM. Investigate the possibility and usefulness of a CDSA compatibility layer in FreeBSD.
Implement support for at least two hardware authentication tokens and/or biometric devices.
This list is essentially unchanged from last month.
To date, 201.5 of the 575 contracted hours have been spent. There remain 373.5 hours to perform the tasks listed above.