This report covers the period from April 9th, 2002 to May 8th, 2002. A total of 62 hours were spent on PAM work during this period. A large majority of this time was spent on PAM conversion of the r* daemons and password-related utilities. Some time was spent cleaning up PAM modules and improving OpenPAM.
All work this period was performed by Dag-Erling Smørgrav.
During the period covered by this activity report, two new OpenPAM releases were rolled (Cineraria on 2002-04-14 and Cinnamon on 2002-05-02). These releases incorporated a number of bug fixes, some cleanup and restructuring, and a number of improvements, most notably:
Updated documentation; all standard API functions, and most of the OpenPAM API extensions, are now fully documented. Also, a number of markup errors were corrected.
Addition of a null conversation function for applications that do not support direct user interaction.
Restructuring of the policy-loading code, bringing it in line with how Solaris and Linux-PAM behave with respect to the “other” fallback policy.
Simplification of the static linking support code.
Minor improvements in debugging support, error logging and user interaction.
Three new PAM modules were added to FreeBSD: pam_rhosts(8) for ~/.rhosts support, pam_ftpusers(8) for /etc/ftpusers support, and Solar Designer's pam_passwdqc(8), which enforces password quality requirements.
The pam_unix(8) module was greatly simplified by factoring out its passwd file manipulation and NIS handling code (which it shared with chpass(1), passwd(1) and vipw(8)) into shared libraries.
A no_fail option was added to the pam_lastlog(8) module to address concerns that its failure (due, for instance, to a read-only /var partition) could lock users out.
FreeBSD's rexecd(8), rlogind(8) and rshd(8) daemons were fully converted to PAM. In the process, denial-of-service vulnerabilities were found in two of these daemons, and immediately corrected.
FreeBSD's passwd(1) command was fully converted to PAM. The conversion itself was simple, but required a fair amount of behind-the-scenes work to make the PAM modules properly support password changing.
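The following policies show how the pieces described above fit together: the "other" fallback, the new pam_rhosts, pam_ftpusers and pam_passwdqc modules, and the no_fail option of pam_lastlog. They are constructed for this report as an illustration and are neither the report's own text nor FreeBSD's shipped /etc/pam.d files; the module names are those listed above, while every option other than no_fail (no_warn, try_first_pass, enforce=users) is assumed here for illustration and should be checked against the module's manual page before use.

```text
# Constructed example PAM policies (illustration only; not FreeBSD's
# shipped pam.d files). Options other than pam_lastlog's no_fail are
# assumed for the example.

# /etc/pam.d/other: the fallback consulted when no policy exists for
# the service being authenticated. Keep it at least as strict as the
# per-service policies, so that a service nobody wrote a policy for
# cannot bypass password authentication.
auth      required   pam_unix.so      no_warn try_first_pass
account   required   pam_unix.so
session   required   pam_permit.so
password  required   pam_unix.so      no_warn try_first_pass

# /etc/pam.d/rshd: ~/.rhosts trust via pam_rhosts. pam_lastlog runs as
# a session module; no_fail turns a failure to update lastlog (for
# example a read-only /var) into a logged warning instead of a refused
# login.
auth      required   pam_rhosts.so    no_warn
account   required   pam_nologin.so
account   required   pam_unix.so
session   required   pam_lastlog.so   no_fail

# /etc/pam.d/ftpd: /etc/ftpusers is enforced at the account stage,
# after the password check, so a listed user is refused whether or not
# the supplied password was correct.
auth      required   pam_unix.so      no_warn try_first_pass
account   required   pam_ftpusers.so
account   required   pam_unix.so
session   required   pam_permit.so

# /etc/pam.d/passwd: pam_passwdqc precedes pam_unix in the password
# stack, so a new password must satisfy the quality policy before
# pam_unix writes it to the password database.
password  required   pam_passwdqc.so  enforce=users
password  required   pam_unix.so      no_warn try_first_pass
```

The practical check to make after adding or renaming a service policy is that the "other" policy does not end up as the effective policy for a daemon by accident: with the fallback behaviour described above, a typo in a pam.d file name silently routes that service to "other", so "other" should never contain pam_permit.so in its auth or account stacks.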
As previously mentioned, all passwd file manipulation and NIS handling code was factored out of pam_unix(8) and various password-related utilities (passwd(1), chpass(1), vipw(8)) and moved into shared libraries. This required a fair amount of cleanup and restructuring in the aforementioned utilities, as well as in portions of the NIS and RPC code, to sort out a confused web of interdependencies.
The following is a list of some of the major remaining tasks:
Complete the PAM article which was begun late last year.
Fully inventory and test PAM consumers in the ports collection, and update or correct them as necessary.
Investigate Apple's CDSA technology and its advantages or disadvantages compared to PAM. Investigate the possibility and usefulness of a CDSA compatibility layer in FreeBSD.
Implement support for at least two hardware authentication tokens and/or biometric devices.
In addition, the following task was added to the contract on May 2, 2002, extending it by 40 hours:
Remove the need for special privilege from netstat(1), vmstat(8), fstat(1), and pstat(8) on FreeBSD. Do this by updating these utilities, and as necessary the kernel, to manage the distribution of this information using less privilege-intensive mechanisms, such as sysctl(3).
This list is essentially unchanged from last month.
To date, 263.5 of the 615 contracted hours have been spent. There remain 351.5 hours to perform the tasks listed above.