forked from OpenSC/pam_pkcs11
-
Notifications
You must be signed in to change notification settings - Fork 0
/
TODO
69 lines (54 loc) · 2.31 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
0.6 will be a finish-code release. Fix source tree estructure,
define devel api and code all to-be-written mappers are task to do
Expected things to be done in 0.6 release:
- Create and Define a pam-pkcs11 mapper API & library.
This is mostly done at 0.5.3, but some cleaning is needed.
* Create a mapper "devel" package
* Use OpenSC libp11 pkcs11 library
- Add remote CA's and CRL's lookups
Actually, CA's and local CRL's are stored as hash dir. Need
to recode to use URL's as data sources
- Finish mapper coding
* opensc:
- Generic mapping files
0.5.3 searches in ${HOME}/.eid/authorized_certificates. Needs
an additional tool to manage a "global" certificate file with
user mappings
* openssh:
- Same as opensc. Hint: use "comment" field on ssh public keys
to store login name
* ldap mapper:
- Allow use of any certificate content to make queries
- find() function is too expensive when navigate across
databases of thousand of users. Need to optimize search
filters.
* database mapper:
- Define and create a UnixODBC based database mapper
* Compile as static all mappers that does not depend on extra
libraries
- Debian packaging
Sorry: I only know on RPM packaging. Any volunteer?
0.7 is a try to real-life implementation: MS Active directory
configuration, NSS aware configurations, LDAP settings,
many samples and docs, general cleanups, etc.
Things to be done in 0.7 release:
- Review all mappers that depends on remote connections.
* conditional queries instead of getpwent() query loop
- Allow pam-pkcs11 login against MS Active Directory
* Changes to MS_mapper to real use of UPN Domain
* Documentation and samples
- Manuals on LDAP, NSS and so installations
- ncurses (gtk?) tool to create/edit mapfiles
0.8 will be a major cleanup: bugfixes, optimizations, pam-session
handling. Most important: pkinit aware pam module is to be scheduled
here
Things to be done in 0.8 release
- Call for pin only when needed
- Use certificate only if available for authentication
- Implement of Kerberos PKINIT specification. Rewrite of kpn mapper
- Check content-type of cert fields instead assume utf-8
- proper handle of free() calls when needed
0.9 will be a preview version. No more items are expected to add,
just bugfixes and feedbacks from users.
Perhaps it's time for i18n issues
1.0 That's all folks!