Fincer
/
pam_usb
mirror of https://github.com/Fincer/pam_usb
1
0
Fork 0
Code Issues 0 Releases 4 Wiki Activity
Hardware authentication for Linux using ordinary USB Flash Drives.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
158 Commits
1 Branch
15 MiB
Tree: 0f5ce22469
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0f5ce22469'
${ noResults }
pam_usb/ChangeLog

205 lines
8.8 KiB
Raw Normal View History

- Added the pad_expiration option which tells pam_usb how often pads should be updated in order to reduce device writing. - Support for time options in the configuration parser (5s, 2h, 10m, etc)
17 years ago
Updated the ChangeLog
17 years ago
Tagged 0.4.2
17 years ago
Updated the ChangeLog
17 years ago
Updated ChangeLog
17 years ago
ChangeLog update
17 years ago
Updated the ChangeLog
17 years ago
- Added the pad_expiration option which tells pam_usb how often pads should be updated in order to reduce device writing. - Support for time options in the configuration parser (5s, 2h, 10m, etc)
17 years ago
Updated Changelog
17 years ago
ChangeLog update
17 years ago
Updated Changelog
17 years ago
Changelog -> ChangeLog
18 years ago
Pamusb -> pam_usb
18 years ago
Changelog -> ChangeLog
18 years ago
Updated the Changelog
17 years ago
Changelog -> ChangeLog
18 years ago
Updated the Changelog
17 years ago
Changelog -> ChangeLog
18 years ago
Updated the Changelog
17 years ago
Changelog -> ChangeLog
18 years ago
 
  1. * 0.4.2
  2. - Added the pad_expiration option which tells pam_usb how often pads
  3.   should be updated in order to reduce device writing.
  4. - Support for time options in the configuration parser (5s, 2h, 10m, etc)
  5. - Added the --verbose option to pamusb-conf
  6. - Added the --debug option to pamusb-check
  7. - Fixed the ElementTree import statement of pamusb-agent to work with
  8.   Python 2.5. Thanks to Donald Hayward <liquidsunshine@gmail.com> for
  9.   the patch.
  10. - Fixed pamusb-conf to work without vendor and product name
  11. - Improved the device detection to work with any removable storage device.
  12.   Thanks to Guillermo Antonio Amaral Bastidas <me@guillermoamaral.com>
  13.   for providing the patch.
  14. - Added a workaround for a DBUS bug that prevented pam_usb to work with su.
  15.   https://bugs.freedesktop.org/show_bug.cgi?id=11876
  16. - Disable log outputting if the application doesn't have any tty
  17.   attached (fixes gksudo and other software).
  18. - Various minor bugfix
  19. 

  20. * 0.4.1
  21. - Fixed a security issue related to OpenSSH authentication
  22. - Fixed the quiet option (now it is really quiet)
  23. - Support for devices without vendor/model information
  24. 

  25. * 0.4.0
  26. - Both pam_usb and its tools (adm, hotplug) have been redesigned from the
  27.   ground up and rewritten from scratch.
  28. - Hardware recognition is now done through HAL which provides a stable
  29.   interface over kernel changes.
  30. - Certificates have been replaced by one time pads. That will prevent
  31.   copies of the USB device to be used for authentication.
  32. - Device's manufacturer properties verification. pam_usb now verifies
  33.   device informations (vendor, product, serial number, UUID) in the
  34.   authentication process.
  35. - Configuration is now handled in a central place, the pamusb.conf
  36.   configuration file. This XML file contains configuration entries for
  37.   users, devices and services.
  38. - pamusb-agent (formely usbhotplug) make use of DBUS signals (sent by HAL)
  39.   instead of kernel hotplugging. Also, its configuration has been merged
  40.   into the pamusb.conf configuration file.
  41. - A new tool named pamusb-check has been added. It can perform authentication
  42.   the way the PAM module does. It can be useful for testing and scripting
  43.   purposes.
  44. 

  45. * 0.3.3
  46. - The option keypath is now splitted into local_keypath and device_keypath.
  47. - Fixed a bug that occurred when the TTY entry was empty.
  48. - pam_usb doesn't get anymore the tty name from PAM_TTY as it used to be
  49.   empty on some systems.
  50. - Better defaults. The default options have been set to fit most needs,
  51.   you are no longer required to use !check_device on 2.6.
  52. - Verbose mode. By default, pam_usb now prints some informations during
  53.   the login process (access granted, the reason why access was refused, etc).
  54.   This can be turned off using the brand new 'quiet' option.
  55. - Other small fixes.
  56. 

  57. * 0.3.2
  58. - Now pam_usb will also try to autodetect /dev/sdN devices (not just
  59.   /dev/sdNX). 
  60. - Fixed a bug that happened when the application using PAM didn't set
  61.   PAM_TTY correctly.
  62. - Added the use_first_pass and try_first_pass options.
  63.   Now if you enter your password on another PAM module (such as pam_mount
  64.   or pam_ssh), pam_usb will use that password to decrypt the private key.
  65. 

  66. * 0.3.1
  67. - Lot of misc fixes (memory management, Makefiles, sanity checks, etc).
  68.   I'd like to thank the PaX Team <pageexec@freemail.hu> who did almost
  69.   the whole job.
  70. - Added the hostname option which allows to select what hostname should
  71.   be used for authentication (useful for shared public keys over lan).
  72.   Thanks to Nicolas Chauvat <chauvat@nerim.net> who reported the issue,
  73.   the idea and the patch for this feature.
  74. 

  75. * 0.3.0
  76. - Not much changes in this version beside a gcc fix, but the 0.2 branch
  77.   reached too many new features so i wanted to name this release 0.3.0
  78.   as i should have done with 0.2.3
  79. - Fixed a gcc 3.3 compile issue, and all related warning.
  80.   I would like to thank the following guys for having reported this bug so fast:
  81.   Lalande Fabrice <fabrice.lalande@orange.fr>
  82.   Marco <gaedol@softhome.net>
  83.   Neil Dunbar <neil.dunbar@hp.com>
  84. 

  85. * 0.2.3
  86. - Added the usbhotplug tool. 
  87.   usbhotplug is a hotplug agent that will automagically start a lock handler 
  88.   when the usb device is removed and an unlock handler when the usb device 
  89.   is plugged back in and authenticated through pam_usb.
  90. 

  91.   The default handlers will start xlock when the usb device is removed,
  92.   and will kill it when the usb device is plugged back in and authenticated.
  93. 

  94.   I'd like to thank Wout Mertens <wmertens@cisco.com> as we had a couple
  95.   of discussions about hotplug which helped me implementing this tool.
  96. 

  97. - The parser can now understand "option" and "!option" instead of
  98.   option=1 and option=-1 (e.g. debug !check_device).
  99.   Thanks to Jean-Christophe JASKULA <jean.christophe.jasku-la@wanadoo.fr> who
  100.   suggested me that and provided an initial patch.
  101. 

  102. - Fixed a loop bug on serial number checking. Thanks to Zs <horzsol@freemail.hu>
  103.   for reporting the bug and a patch to fix it.
  104. 

  105. - Added the direct_open option which allows to open the private key
  106.   using O_DIRECT to avoid disk caching (works only on devices that
  107.   supports it). Thanks to myles <myles@tenhand.com> who suggested me that.
  108. 

  109. - Added some sanity checks here and there because it seems that the PAM
  110.   API can return weird stuff from time to time.
  111. 

  112. - Handling the mount point creation/remotion in a better way which seems
  113.   to fix a couple of mntpoint problems.
  114. 

  115. * 0.2.2
  116. - Added the keep_mounted option, which allows to not umount the mount point
  117.   once logged (useful if the gpg/ssh key is stored on there)
  118. 

  119. - Fixed the mntpoint option: do not delete the directory if it's not a
  120.   temporary one.
  121. 

  122. - Added the support to pass multiple filesystems name with the fs= 
  123.   option (comma separated list). Changed the default fs to "ext2,vfat"
  124. 

  125. - Added the log_file option. Takes a filename as a argument. 
  126.   Combined with debug=1 it can log debug messages to a file.
  127. 

  128. - Not mounting the device as read-only anymore. Instead, the mount_opts 
  129.   option has been created. It accepts a comma separated list of mount 
  130.   options (accepted options are: ro,bind,sync,remount,nosuid,noexec,nodev).
  131. 

  132. - Fixed an issue which made the allow_remote feature not working correctly
  133.   with gdm/kdm.
  134. 

  135. - Introduced the local_hosts and local_consoles options. They contain a
  136.   comma separated lists of hosts and consoles allowed to log in while using
  137.   allow_remote=-1
  138. 

  139. * 0.2.1
  140. - Changed the naming method from x.y to x.y.z
  141. 

  142. - pam_usb is now able to distinguish local users from remote (as in
  143.   logged via ssh), and denies the authentication of non-local users.
  144.   Setting allow_remote to 1 disable this feature.
  145. 

  146. - Mounting is now done in read-only.
  147. 

  148. - Added the missing mandatory PAM functions.
  149. 

  150. * 0.2_rc2
  151. - Workaround to make pam_usb not use /proc so it can run on Linux 2.6
  152.   By setting check_device to -1, pam_usb will neither check the device's 
  153.   serial number, nor if it's attached. It's not a real problem if you 
  154.   don't need serial number checking, but don't combine it with 
  155.   check_if_mounted.
  156. 

  157. - Added the force_device capability. Now you can specify a device that 
  158.   will be mounted without going in guessing mode. If the device cannot 
  159.   be mounted, it'll switch back to the default guess mode.
  160.   Useful if guess mode fails, if you don't want it to try several 
  161.   devices before getting the right one (so you can login faster), or if 
  162.   you want to login using a floppy disk, a cdrom or whatever you want.
  163. 

  164. - Modified the serial number authentication method so now if no serial 
  165.   numbers are avaible on a device, it will try to use the GUID.
  166.   Thanks to Damien Braillard <damien.b@freesurf.ch> who reported the 
  167.   issue, suggested a way to fix it, and provided a first patch for it.
  168. 

  169. * 0.2_rc1
  170. - Radically changed the way pam_usb authenticates the user on the 
  171.   system. Now it works with a pair of DSA keys.
  172. 

  173.   Thanks to Wout Mertens <wmertens@cisco.com> who told me that i could 
  174.   use a couple of SSH keys to fix the authentication issue.
  175.   That gave me the idea to use a set of private/public keys.
  176. 

  177.   Thanks to Ilkka Mattila <ilkka@lyseo.edu.ouka.fi> who helped me to 
  178.   find out a better way to implement the key challenge: extracting the 
  179.   public key was inadequate.
  180. 

  181.   Also thanks to those who brought up weird scenarios and/or tested 
  182.   pre-releases of pam_usb, in alphabetical order:
  183. 

  184.   Ilkka Mattila <ilkka@lyseo.edu.ouka.fi>
  185.   Joonas Kortesalmi
  186.   Thomas Stewart <thomas@stewarts.org.uk>
  187.   Tuure Laurinolli <tuure@laurinolli.net>
  188. 

  189. * 0.1:
  190. - Now pam_usb doesn't require a mount point. Instead, it creates 
  191.   a temporary directory under /tmp. 
  192.   Thanks to Loic Jaquemet <jaquemet@fiifo.u-psud.fr> who gave me the idea.
  193. 

  194. - Compiles with gcc 2.95 thanks to Tobias Bayer <tobi.bayer@gmx.de> bug 
  195.   report.
  196. 

  197. * 0.1-beta2:
  198. - procfile and device entries autodetection have been fixed thanks to 
  199.   Thomas Stewart <thomas@stewarts.org.uk> bug reports.
  200. 

  201. - devfs support added. Thanks to Loic Jaquemet <jaquemet@fiifo.u-psud.fr> 
  202.   for the bug report.
  203. 

  204. * 0.1-beta1: 
  205. - Initial release