This report covers the period from May 9th, 2002 to June 30th, 2002. A total of 119.5 hours were spent on PAM-related work during this period, most of it in the month of June.
All work this period was performed by Dag-Erling Smørgrav.
During the period covered by this activity report, two new OpenPAM releases were rolled (Cinquefoil on 2002-05-24 and Citronella on 2002-06-30). The changes in these two releases were minor bug fixes, documentation improvements, and Solaris 9 compatibility (based on discussions with the Sun staff responsible for Solaris PAM).
Progress was made with the PAM article, in the form of additional sample code and an in-depth discussion of the dispatcher. In addition, work was begun on a paper describing the various authentication mechanisms which are available in FreeBSD 5.0, or will be when it is released. The abstract has been submitted to the BSDCon Europe 2002 program committee.
Two new PAM modules were added to FreeBSD: pam_echo(8) and pam_exec(8). The former simply echoes its arguments to the user, while the latter executes an arbitrary command.
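The security-relevant property of pam_exec is that whatever command it is configured with runs with the privileges of the PAM client (login, sshd and so on, usually root), and that the command's outcome becomes the module's result, so exec failures and abnormal exits must fail closed. The following is an added illustration of that core logic, written for this report; it is not the FreeBSD pam_exec(8) source and does not link against libpam. The result codes are stand-ins for the PAM constants, the environment variable names are the ones FreeBSD's pam_exec(8) documents, and the shell command and the missing-program path are constructed for the demonstration.

```c
/* Core of a pam_exec-style module: run a configured command with the PAM
 * items in its environment and turn its exit status into a PAM result.
 * Added illustration; not the FreeBSD pam_exec(8) source, and it does not
 * link against libpam (the result codes below are stand-ins). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

enum pam_rc { RC_SUCCESS = 0, RC_AUTH_ERR = 1, RC_SYSTEM_ERR = 2 }; /* stand-ins */

struct pam_items {
    const char *service, *user, *tty, *rhost, *ruser;   /* any may be NULL */
};

/* Unset items are exported empty so the command always sees the same set. */
static void export_item(const char *name, const char *value)
{
    setenv(name, value ? value : "", 1);
}

/* Fork, export PAM_SERVICE/PAM_USER/PAM_TTY/PAM_RHOST/PAM_RUSER, exec argv
 * and map the outcome: exit 0 -> RC_SUCCESS; any other exit (including a
 * failed exec) -> RC_AUTH_ERR; fork/wait trouble or death by signal ->
 * RC_SYSTEM_ERR.  Nothing unexpected may ever default to success, because
 * the command runs with the caller's privileges. */
enum pam_rc exec_authenticate(const struct pam_items *it, char *const argv[])
{
    pid_t pid;
    int status;

    if (it == NULL || argv == NULL || argv[0] == NULL)
        return RC_SYSTEM_ERR;
    pid = fork();
    if (pid < 0)
        return RC_SYSTEM_ERR;
    if (pid == 0) {
        export_item("PAM_SERVICE", it->service);
        export_item("PAM_USER", it->user);
        export_item("PAM_TTY", it->tty);
        export_item("PAM_RHOST", it->rhost);
        export_item("PAM_RUSER", it->ruser);
        execv(argv[0], argv);
        _exit(127);             /* exec failed: report failure, never success */
    }
    if (waitpid(pid, &status, 0) != pid)
        return RC_SYSTEM_ERR;
    if (!WIFEXITED(status))
        return RC_SYSTEM_ERR;   /* killed by a signal: not an authentication */
    return WEXITSTATUS(status) == 0 ? RC_SUCCESS : RC_AUTH_ERR;
}

/* Constructed check that succeeds only when PAM_USER is "alice". */
enum pam_rc demo_result(const char *user)
{
    struct pam_items it = { "login", user, "ttyv0", NULL, NULL };
    char *argv[] = { "/bin/sh", "-c", "[ \"$PAM_USER\" = alice ]", NULL };
    return exec_authenticate(&it, argv);
}

/* Constructed case: the configured program does not exist (made-up path). */
enum pam_rc demo_missing_command(void)
{
    struct pam_items it = { "login", "alice", NULL, NULL, NULL };
    char *argv[] = { "/nonexistent/authprog", NULL };
    return exec_authenticate(&it, argv);
}

int main(void)
{
    printf("alice: %d, bob: %d, missing command: %d\n",
           (int)demo_result("alice"), (int)demo_result("bob"),
           (int)demo_missing_command());
    return 0;
}
```

The mapping of a non-zero exit and a failed exec to an authentication error, and of a signal death to a system error, is the part to keep when wiring this into a real module: a stack line such as "auth required pam_exec.so /some/prog" otherwise turns any crash of /some/prog into whatever the next line in the stack decides.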
A 40-hour contract extension was granted for the purpose of rewriting netstat(1), vmstat(8), fstat(1), and pstat(8) so that they no longer require elevated privileges to run (they currently read kernel data structures through /dev/kmem, which is why they are installed setgid kmem). This work is under way but has not yet been completed.
A 60-hour contract extension was granted for the purpose of extending OpenSSH's privilege separation mechanism to cover all authentication methods used in FreeBSD, and merging the resulting code into FreeBSD-STABLE. Work is well under way and is expected to be completed shortly.
A significant amount of time was dedicated to research into hardware authentication tokens, in an attempt to determine which ones FreeBSD would benefit most from supporting, and the best way in which to implement such support. A number of vendors were contacted with requests for documentation and product samples. So far, two vendors have expressed interest, and one (the Israeli company Aladdin Knowledge Systems) has donated a development kit including two functioning tokens.
Work has begun on an implementation of PKCS#11 (Cryptoki) and an ISO 7816 stack to provide software support for smart card readers and USB authentication tokens (most of which present themselves to the host as smart card readers).
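The bottom of such an ISO 7816 stack has to build command APDUs and interpret the status words that come back, and the status words are where the security behaviour lives: a 63 Cx reply carries the number of PIN retries left before the token blocks itself, and a 69 83 reply means it already has. The following is an added illustration written for this report, not code from the FreeBSD stack or from OpenPAM: it encodes short-form command APDUs (ISO 7816-4 cases 1 to 4) and classifies the common status words. The AID and the response bytes are constructed sample data, and APDU_NO_LE is a marker invented for this code.

```c
/* Short-form ISO 7816-4 APDU encoding and response decoding.
 * Added illustration; not the FreeBSD ISO 7816 stack or OpenPAM code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APDU_NO_LE (-1)   /* "no Le field" marker; this code's own convention */

/* Encode CLA INS P1 P2 [Lc data] [Le] for cases 1-4 (short lengths only).
 * lc: data length, 0 for none.  le: 0..256 (256 is sent as 0x00) or
 * APDU_NO_LE.  Returns bytes written, 0 on bad arguments or short buffer. */
size_t apdu_encode(uint8_t *out, size_t outlen,
                   uint8_t cla, uint8_t ins, uint8_t p1, uint8_t p2,
                   const uint8_t *data, size_t lc, int le)
{
    size_t need = 4, i = 4;

    if (lc > 255 || (lc > 0 && data == NULL))
        return 0;
    if (le != APDU_NO_LE && (le < 0 || le > 256))
        return 0;
    if (lc > 0)
        need += 1 + lc;
    if (le != APDU_NO_LE)
        need += 1;
    if (out == NULL || outlen < need)
        return 0;
    out[0] = cla; out[1] = ins; out[2] = p1; out[3] = p2;
    if (lc > 0) {
        out[i++] = (uint8_t)lc;
        memcpy(out + i, data, lc);
        i += lc;
    }
    if (le != APDU_NO_LE)
        out[i++] = (uint8_t)(le == 256 ? 0x00 : le);
    return i;
}

struct apdu_resp {
    const uint8_t *data;   /* response data, len bytes */
    size_t len;
    uint8_t sw1, sw2;      /* trailing status word */
};

/* Split a response into data and SW1 SW2.  Returns -1 if shorter than 2. */
int apdu_decode(const uint8_t *in, size_t inlen, struct apdu_resp *r)
{
    if (in == NULL || r == NULL || inlen < 2)
        return -1;
    r->data = in;
    r->len = inlen - 2;
    r->sw1 = in[inlen - 2];
    r->sw2 = in[inlen - 1];
    return 0;
}

enum apdu_sw {
    SW_OK,               /* 90 00 */
    SW_MORE_DATA,        /* 61 xx: xx more bytes, fetch with GET RESPONSE */
    SW_WRONG_LE,         /* 6C xx: resend with Le = xx */
    SW_VERIFY_FAILED,    /* 63 Cx: x retries left after a failed VERIFY */
    SW_SECURITY_STATUS,  /* 69 82: security status not satisfied */
    SW_AUTH_BLOCKED,     /* 69 83: authentication method blocked */
    SW_FILE_NOT_FOUND,   /* 6A 82 */
    SW_INS_UNSUPPORTED,  /* 6D xx */
    SW_CLA_UNSUPPORTED,  /* 6E xx */
    SW_OTHER
};

enum apdu_sw apdu_sw_class(uint8_t sw1, uint8_t sw2)
{
    if (sw1 == 0x90 && sw2 == 0x00) return SW_OK;
    if (sw1 == 0x61) return SW_MORE_DATA;
    if (sw1 == 0x6C) return SW_WRONG_LE;
    if (sw1 == 0x63 && (sw2 & 0xF0) == 0xC0) return SW_VERIFY_FAILED;
    if (sw1 == 0x69 && sw2 == 0x82) return SW_SECURITY_STATUS;
    if (sw1 == 0x69 && sw2 == 0x83) return SW_AUTH_BLOCKED;
    if (sw1 == 0x6A && sw2 == 0x82) return SW_FILE_NOT_FOUND;
    if (sw1 == 0x6D) return SW_INS_UNSUPPORTED;
    if (sw1 == 0x6E) return SW_CLA_UNSUPPORTED;
    return SW_OTHER;
}

/* Retries left after a failed VERIFY (63 Cx); -1 for any other status.
 * A caller that keeps retrying past zero will block the token. */
int apdu_retries_left(uint8_t sw1, uint8_t sw2)
{
    if (apdu_sw_class(sw1, sw2) != SW_VERIFY_FAILED)
        return -1;
    return sw2 & 0x0F;
}

/* Length of a SELECT by DF name (case 4) for a made-up 5-byte AID. */
size_t demo_select_len(void)
{
    static const uint8_t aid[5] = { 0xA0, 0x00, 0x00, 0x00, 0x01 };
    uint8_t buf[16];
    return apdu_encode(buf, sizeof buf, 0x00, 0xA4, 0x04, 0x00, aid, sizeof aid, 256);
}

int main(void)
{
    static const uint8_t reply[] = { 0x63, 0xC2 };   /* constructed VERIFY reply */
    struct apdu_resp r;

    printf("SELECT by name encodes to %zu bytes\n", demo_select_len());
    if (apdu_decode(reply, sizeof reply, &r) == 0)
        printf("SW %02X%02X: class %d, retries left %d\n", r.sw1, r.sw2,
               (int)apdu_sw_class(r.sw1, r.sw2), apdu_retries_left(r.sw1, r.sw2));
    return 0;
}
```

Only the short form is handled here; extended-length APDUs (three-byte Lc and Le) and the T=0 GET RESPONSE / wrong-Le re-issue loop that the 61 xx and 6C xx classes call for would sit one layer up in a real stack.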
The following is a list of some of the major remaining tasks:
Complete the PAM article and the authentication paper.
Fully inventory and test the PAM consumers in the ports collection, and update or correct them as necessary.
Investigate Apple's CDSA technology and its advantages or disadvantages compared to PAM. Investigate the possibility and usefulness of a CDSA compatibility layer in FreeBSD.
Implement support for at least two hardware authentication tokens and/or biometric devices.
Remove the need for special privilege from netstat(1), vmstat(8), fstat(1), and pstat(8) on FreeBSD.
Extend the OpenSSH privilege separation mechanism to cover all authentication methods used in FreeBSD without loss of functionality. Merge the resulting code, and any support code deemed necessary, into FreeBSD-STABLE.
To date, 384 of the 675 contracted hours (575 in the initial contract, and 100 in contract extensions) have been spent. There remain 291 hours in which to perform the tasks listed above.