Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

Ludovic Rousseau
Hello,

PAM PKCS#11 [1] is a Pluggable Authentication Module (PAM) using a
PKCS#11 library (smart card, crypto token, etc.). The purpose is to be
able to use a smart card to login to a GNU/Linux system.

With the introduction of OpenSSL 1.1.0 the API has changed and many
software packages, including pam-pkcs#11, need to be updated to use the new
API. For example see [2] for a patch for OpenSC.

I am the only maintainer of pam-pkcs11 project. I do not use this
software myself any more.
I do not have the free time (and motivation) to invest in a code
change of pam-pkcs11 to support the new OpenSSL API.
If nobody volunteers to do this work then:
- pam-pkcs11 will not work with OpenSSL 1.1.0
- pam-pkcs11 will be removed from the GNU/Linux distributions
- pam-pkcs11 will not be usable any more.

A bug [3] has been opened for Debian: "pam-pkcs11: FTBFS with openssl 1.1.0"
FTBFS is Fails To Build From Source.
When OpenSSL 1.1.0 is included in Debian, pam-pkcs11 will be
removed from Debian, unless someone adds support of the new OpenSSL
API.

If you (or your company) use pam-pkcs11 you should worry about the situation.

RedHat provides [4] pam-pkcs11 to its customers. It could be a good
idea for RedHat to invest some R&D time to take maintenance of the
software to keep its (paying) customers happy.

Regards,

[1] https://github.com/OpenSC/pam_pkcs11/wiki
[2] https://github.com/OpenSC/OpenSC/pull/749/files
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828487
[4] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html

--
 Dr. Ludovic Rousseau

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: [Pcsclite-muscle] Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

David Woodhouse
On Thu, 2016-06-30 at 11:41 +0200, Nikos Mavrogiannopoulos wrote:

> On Thu, 2016-06-30 at 09:51 +0200, Ludovic Rousseau wrote:
>
> > A bug [3] has been opened for Debian: "pam-pkcs11: FTBFS with openssl
> > 1.1.0"
> > FTBFS is Fails To Build From Source.
> > When OpenSSL 1.1.0 is included in Debian, pam-pkcs11 will be
> > removed from Debian, unless someone adds support of the new OpenSSL
> > API.
> >
> > If you (or your company) use pam-pkcs11 you should worry about the
> > situation.
> >
> > RedHat provides [4] pam-pkcs11 to its customers. It could be a good
> > idea for RedHat to invest some R&D time to take maintenance of the
> > software to keep its (paying) customers happy.
>
> Note that in Red Hat we use pam-pkcs11 with NSS and not openssl. That
> option (to my knowledge) seems to work even today.

FSVO "seems to work" which I wouldn't necessarily advocate because it
doesn't actually comply with that distribution's own packaging
guidelines — it doesn't load the correct modules according to the
system's PKCS#11 configuration. Hence
https://bugzilla.redhat.com/show_bug.cgi?id=1173548

Like many packages in Fedora, we should probably move *away* from NSS
unless it gets fixed to comply with the distribution's guidelines.

I have a GSoC student working on supporting RFC7512 URIs in NSS this
year, but not a lot of progress on loading the correct tokens by
default.

--
David Woodhouse                            Open Source Technology Centre
[hidden email]                              Intel Corporation

Re: Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

Ludovic Rousseau
Hello,

After 2 months with no volunteer to take care of pam-pkcs#11 I created a new README.md page on the github project to indicate the project is no longer maintained.
https://github.com/OpenSC/pam_pkcs11/blob/master/README.md

I will also orphan the Debian package.
I guess the Debian (and Ubuntu) package will be removed once OpenSSL 1.1.0 is included in Debian and pam-pkcs#11 can't be rebuilt.

Regards,

--
 Dr. Ludovic Rousseau

Re: Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

David Woodhouse
On Mon, 2016-08-22 at 11:12 +0200, Ludovic Rousseau wrote:
> Hello,
>
> After 2 months with no volunteer to take care of pam-pkcs#11 I
> created a new README.md page on the github project to indicate the
> project is no longer maintained.
> https://github.com/OpenSC/pam_pkcs11/blob/master/README.md
>
> I will also orphan the Debian package.
> I guess the Debian (and Ubuntu) package will be removed once OpenSSL
> 1.1.0 is included in Debian and pam-pkcs#11 can't be rebuilt.

I assume the Fedora package will remain for now, as it's built against
NSS and still works. We are getting closer to having NSS actually
working with RFC7512 PKCS#11 URIs and loading the right tokens
according to the system configuration too.

For the OpenSSL support, I am disinclined to fix it up as it stands — I
note it's doing everything for itself and not even using libp11.

I do still plan to fix up OpenSSL after the 1.1 release and basically
render libp11 obsolete by adding the same functionality natively to
crypto/pkcs11/ in OpenSSL (1.2) itself. At that point, maybe it makes
sense to resurrect the OpenSSL support in pam_pkcs11. But for now I
don't think it makes sense to patch it up.

If somebody really cared, migrating it to libp11 might be the way to
go. Because we *will* have a migration strategy for libp11 users to
OpenSSL 1.2, and the APIs may well end up being very similar.

--
dwmw2

Re: Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

Douglas E Engert
Looking at the code, it looks like it is only parsing the certificate and getting public keys and other values from the certificate.
It does not include rsa.h, but does include bn.h
It looks like it would not take very much effort to use a stripped down version of the cs-ossl-compat.h from OpenSC https://github.com/OpenSC/OpenSC/pull/853

I don't use it, so someone is still needed to do some testing.

 

-- 

 Douglas E. Engert  [hidden email]
 
