Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

Ludovic Rousseau
Hello,

PAM PKCS#11 [1] is a Pluggable Authentication Module (PAM) using a
PKCS#11 library (smart card, crypto token, etc.). The purpose is to be
able to use a smart card to login to a GNU/Linux system.

With the introduction of OpenSSL 1.1.0 the API has changed and much
software, including pam-pkcs#11, needs to be updated to use the new
API. For example see [2] for a patch for OpenSC.

I am the only maintainer of pam-pkcs11 project. I do not use this
software myself any more.
I do not have the free time (and motivation) to invest in a code
change of pam-pkcs11 to support the new OpenSSL API.
If nobody volunteers to do this work then:
- pam-pkcs11 will not work with OpenSSL 1.1.0
- pam-pkcs11 will be removed from the GNU/Linux distributions
- pam-pkcs11 will not be usable any more.

A bug [3] has been opened for Debian: "pam-pkcs11: FTBFS with openssl 1.1.0"
FTBFS is Fails To Build From Source.
When OpenSSL 1.1.0 is included in Debian, pam-pkcs11 will be
removed from Debian, unless someone adds support of the new OpenSSL
API.

If you (or your company) use pam-pkcs11 you should worry about the situation.

RedHat provides [4] pam-pkcs11 to its customers. It could be a good
idea for RedHat to invest some R&D time to take maintenance of the
software to keep its (paying) customers happy.

Regards,

[1] https://github.com/OpenSC/pam_pkcs11/wiki
[2] https://github.com/OpenSC/OpenSC/pull/749/files
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828487
[4] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html

--
 Dr. Ludovic Rousseau

_______________________________________________
Pcsclite-muscle mailing list
[hidden email]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle

Re: Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

Nikos Mavrogiannopoulos
On Thu, 2016-06-30 at 09:51 +0200, Ludovic Rousseau wrote:

> A bug [3] has been opened for Debian: "pam-pkcs11: FTBFS with openssl
> 1.1.0"
> FTBFS is Fails To Build From Source.
> When OpenSSL 1.1.0 is included in Debian, pam-pkcs11 will be
> removed from Debian, unless someone adds support of the new OpenSSL
> API.
>
> If you (or your company) use pam-pkcs11 you should worry about the
> situation.
>
> RedHat provides [4] pam-pkcs11 to its customers. It could be a good
> idea for RedHat to invest some R&D time to take maintenance of the
> software to keep its (paying) customers happy.

Note that in Red Hat we use pam-pkcs11 with NSS and not openssl. That
option (to my knowledge) seems to work even today.

regards,
Nikos



Re: Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

David Woodhouse
On Thu, 2016-06-30 at 11:41 +0200, Nikos Mavrogiannopoulos wrote:

> On Thu, 2016-06-30 at 09:51 +0200, Ludovic Rousseau wrote:
>
> > A bug [3] has been opened for Debian: "pam-pkcs11: FTBFS with openssl
> > 1.1.0"
> > FTBFS is Fails To Build From Source.
> > When OpenSSL 1.1.0 is included in Debian, pam-pkcs11 will be
> > removed from Debian, unless someone adds support of the new OpenSSL
> > API.
> >
> > If you (or your company) use pam-pkcs11 you should worry about the
> > situation.
> >
> > RedHat provides [4] pam-pkcs11 to its customers. It could be a good
> > idea for RedHat to invest some R&D time to take maintenance of the
> > software to keep its (paying) customers happy.
>
> Note that in Red Hat we use pam-pkcs11 with NSS and not openssl. That
> option (to my knowledge) seems to work even today.
FSVO "seems to work" which I wouldn't necessarily advocate because it
doesn't actually comply with that distribution's own packaging
guidelines — it doesn't load the correct modules according to the
system's PKCS#11 configuration. Hence
https://bugzilla.redhat.com/show_bug.cgi?id=1173548

Like many packages in Fedora, we should probably move *away* from NSS
unless it gets fixed to comply with the distribution's guidelines.

I have a GSoC student working on supporting RFC7512 URIs in NSS this
year, but not a lot of progress on loading the correct tokens by
default.

--
David Woodhouse                            Open Source Technology Centre
[hidden email]                              Intel Corporation

Re: Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

Ludovic Rousseau
Hello,

After 2 months with no volunteer to take care of pam-pkcs#11, I created a new README.md page on the GitHub project to indicate the project is no longer maintained.
https://github.com/OpenSC/pam_pkcs11/blob/master/README.md

I will also orphan the Debian package.
I guess the Debian (and Ubuntu) package will be removed once OpenSSL 1.1.0 is included in Debian and pam-pkcs#11 can't be rebuilt.

Regards,

--
 Dr. Ludovic Rousseau


Re: [Opensc-devel] Pam-pkcs#11 needs a new maintainer(s) soon, or it will die

David Woodhouse
On Mon, 2016-08-22 at 11:12 +0200, Ludovic Rousseau wrote:
> Hello,
>
> After 2 months with no volunteer to take care of pam-pkcs#11, I
> created a new README.md page on the GitHub project to indicate the
> project is no longer maintained.
> https://github.com/OpenSC/pam_pkcs11/blob/master/README.md
>
> I will also orphan the Debian package.
> I guess the Debian (and Ubuntu) package will be removed once OpenSSL
> 1.1.0 is included in Debian and pam-pkcs#11 can't be rebuilt.

I assume the Fedora package will remain for now, as it's built against
NSS and still works. We are getting closer to having NSS actually
working with RFC7512 PKCS#11 URIs and loading the right tokens
according to the system configuration too.

For the OpenSSL support, I am disinclined to fix it up as it stands — I
note it's doing everything for itself and not even using libp11.

I do still plan to fix up OpenSSL after the 1.1 release and basically
render libp11 obsolete by adding the same functionality natively to
crypto/pkcs11/ in OpenSSL (1.2) itself. At that point, maybe it makes
sense to resurrect the OpenSSL support in pam_pkcs11. But for now I
don't think it makes sense to patch it up.

If somebody really cared, migrating it to libp11 might be the way to
go. Because we *will* have a migration strategy for libp11 users to
OpenSSL 1.2, and the APIs may well end up being very similar.

--
dwmw2