ChangeLog / TODO ================ [+] New functionality [!] Fixed error [%] Found bug [*] Changes in existing functionality [-] Feature in TODO [?] New feature in TODO [$] Idea which was given up Trying to sort tasks according to their priority. 2013-10-23 0.8 Preparing distributable, convoyable, usable and likable version. Big version jump because of quite a long time from previous changes. 0.8 can be thought as a release candidate for 0.9 - I'm trying to keep versioning simple to ease packaging. * [!] In not mandatory mode will fail if user HOME is not found. * [%] PAM module maybe should mmap memory not to let key be additionaly swapped to disc. It's is on the disc in plaintext but the less copies the better. * [*] By default running in DB=user. Trying to get it work out-of-the-box. * [*] Fixing default options to let otpasswd be more easily tested. * [*] Updated package name convention, new package script * [*] Move sources to src/ subdirectory. * [-] Approach to agent data passing is overcomplicated. stdin/stdout substitution causes problems with communication and as it turns out - valgrind. Would better keep stdin/stdout, but maybe not use them(?) Best to review. * [+] Review documentation and ensure it's up to date. * [+] Update Polish translation * [-] Relicense so it can be used more universally - will require changing of sha256 implementation, but it would be best to use system openssl lib probably. * [+] Check how SUID version works. Update: Was fine. * [-] Update defaults for OOB. Explain better how to configure OOB messaging. Add otpasswd_oob checks to --check-config 2010-03-31 0.7_rc2 Done: * [!] On DB=user when administrator creates a key with -u option user can't access that state. * [!] Fixed security bug in static password handling. * [+] Dropping dependency on GMP. Cleaning up "num" interface. - Clean memory so there're no key/counter leaks * [+] Do not store things in mpz_t which don't need it (spass) * [+] Sanitize gettext environment * [+] Accept 2G[2] passcode specification entries. * [+] All previous functionality is now finally implemented. All implemented testcases where successfully run after The Split. * [+] Backward skipping removed from configuration. * [+] Printing with -l when skipped to the last passcard fixed . * [+] OOB Channel usage time updates + DoS security * [+] Ensure config privilege checking * [+] --info should print information whether static password is set. * [+] Write testcases for static password * [+] Make otpasswd work with su. Tested under Gentoo and works BUT without OOB (permission denied) * [+] "Problem solving section" in docs, mentioning use of -v on errors in the first place. This was done on the webpage. * [+] policy checking regarding salt. (won't fail sometimes) (Seems ok to me. Tested) * [$] Global DB should work with users which aren't in /etc/passwd. Should it? * [$] Add error_t and bool_t to differentiate differently used ints? (bool_t is very rarely used. It will better be left to documentation) In progress: * [?] Cleanup PPP interface. This should look like follows. "State" is class implementing some basic features of state management. From this 'class' ppp is derived. ppp implements high-level functions which should be used explicitly to manage state information unless something more fine-grained is necessary. State on the other hand uses 'db' backend for operating on files/databases. * Lots of things done in direction to finish this task * [?] Security: Do we need to change something regarding ulimits? TODO Major: * [?] Double passcode logging scheme * [%] Parameter -c alphabet=3,codelenght=8 is sometimes accepted but doesn't work. * [?] Parametrize PAM messages. * [?] Static password expire warnings + enforcement. * [?] Logging warnings printed to user at WARN level * [?] Key quality checking (duplicates) * [?] Check if lock files are links. if so. fail. Or rather always unlink before overwriting. * [?] Logging into syslog from utility if agent is SUID. * [?] Admin function to scan all states for things invalidating policy. This could be implemented in agent similar to --check-config * [-] Scan all FIXME/TODO entries (Especially OOB related) * [?] SELinux compatibility. * [?] Import/export of ascii state lines... * [?] Check if User can lock OTPasswd when working with su (stdout issue). We must NOT keep locks when outputing something to user. user * [?] OTPasswd when used with su should probably elevate it's rights with setuid() and then return back to original rights. * [?] I don't remember how I've done it and therefore I need to review security aspects of DB=user mode when user can mangle state file which is then accessed by uid0 PAM process. Todo Minor: * [?] Will we be pppv3 compatible on big-endian? * [?] Sourced key generation (from file, string...) * [?] Improve LaTeX output (some colors, borders?) * [?] Incorporate SSH key fingerprints on passcards? Use some file as passcard background, allow hook regenerating this passcard * [-] Keep lines below 75 columns? Or 80? 2010-01-24 v0.5rc1 Done: * [+] Check bit distribution for alphabets not divisible by 2 * [+] Remove dont-skip option. * [+] GMP might leak information with reallocs of it's mpz_t Fixed by substituting alloc functions. num_init() must be called before any other gmp functions. * [+] Testcases added into make, with coverage measurement. They will modify your state data though so beware! PAM testcase added! Including coverage support, whoa! * [!] Bug in num.c/reallocate fixed. Did not exist in 0.4 * [!] New testcase allowed to detect some memory leaks. Possibly exist in 0.4 * [+] Improve error messages when state file is not found. * [+] Config file in /etc/security pam_access parses this file itself; samba(winbind) uses iniparser library (on MIT license) * [+] See how functions in otpasswd_actions initialize and deinitialize state, see if they can use ppp_, if not make them so they can. Or write some local static functions to handle errors during lock&load. * [+] Fix db* functions to return values from enum in ppp_common.h * [!] Skipping to 'next' not by 6... * [+] Removed dependency - OpenSSL * [+] Modify build config to work with CMake v2.4.7 * [+] Config file revised. * [+] Multiple alphabet support * [+] Passing -f, -d, -c along with the -k. * [+] Partial policy implemented. Ensure that if the invalid state is read from file that the authentication will never succeed. * [+] Check if OOB script is not SUID? * [+] Ensure that PAM session can display warning in three calls to conversation function. If not, we must build a buffer (See for example how winscp shows that warning) (FIXED by simplifying warnings) * [+] Because of signals - redo permissions. (SUID required) * [+] The key/counter length is not checked when read from file. * [+] Big thing - Move state files to /etc + SUID. * [+] Manuals - Plenty of things finished thanks to Hannes Beinert. * [+] fsync before rename/unlock (see ext4 problem) sync() call inserted after fclose and before rename. * [+] First unlink lock file, then unlock to omit race condition? * [+] Add -r option to remove key and disable OTP. * [+] Fix user interface a bit. * [+] Keeping track of failures. Implemented, but not tested. * [+] Any possibility to change directory from /etc/otpasswd? This is going to be compile time option. Also otshadow will be required to reside inside. * [+] right trim values from config? * [+] Check custom alphabet correction (whitespaces or multiple occurences of same character not allowed. * [!] Should we start suid root then drop to some config-defined user so attacker who breaks otpasswd can't modify the executable? Probably yes. Two modes of operation. * [+] Skip policy; deny skipping backwards. Add some semantic for skipping count of passcards? WARNING: Might be removed and 'skipping backwards' will be totally locked. * [+] Implement static passwords; They might be required always or just to perform some commands like second-channel usage. * [+] Use locales for user messages [_("")? ]. Now do translations... * [+] Locale might mess up isalpha and isprint. Fixed by adding isascii() before. * [!] User can always remove DISABLED flag if he can regenerate state. Should he be allowed to do this? More important question: What are we trying to disable? Disabling accounts is done with other utilities. * [!] Can user lock program on some printf with some control of stdout? Probably yes. stdout buffering, not printing while locked or two-proc. FIXED: reopened /dev/tty. Does it suffice? Should be more less ok, but still it would be ok to limit number of outputed messages while state files are locked. * [!] Verify SIGCHLD won't clobber anything. FIXED: It shouldn't as we take care of our child (kill it when it's useless and wait for it) * [+] ssh config info to .ebuild elog! TODO Major: * [?] Accept 2G[2] passcode specification entries. * [?] Parametrize PAM messages. * [?] OOB Channel usage time updates + DoS security * [?] Static password expire warnings + enforcement. * [?] Do not store things in mpz_t which don't need it (spass) * [?] Sanitize gettext environment * [?] Logging warnings printed to user at WARN level * [?] Key quality checking (duplicates) * [?] "Problem solving section" in docs, mentioning use of -v on errors in the first place. * [?] Global DB should work with users which aren't in passwd. Should it? * [?] Check if lock files are links. if so. fail. Or rather always unlink before overwriting. * [?] Logging into syslog from utility if SUID; Also deny -v. * [?] Security: Do we need to change something regarding ulimits? * [?] Admin function to scan all states for things invalidating policy. * [?] Cleanup PPP interface. This should look like follows. "State" is class implementing some basic features of state management. From this 'class' ppp is derived. ppp implements high-level functions which should be used explicitly to manage state information unless something more fine-grained is necessary. State on the other hand uses 'db' backend for operating on files/databases. * Lots of things done in direction to finish this task * [-] Scan all FIXME/TODO entries (Especially OOB related) * [?] SELinux compatibility. * [?] Import/export of ascii state lines... * [?] Make otpasswd work with su (there's additional information 'who is trying to get authenticated'. Just test it. setuid() required probably (Maybe only on SELINUX) Todo Minor: * [?] policy checking regarding salt. (won't fail sometimes) * [?] Will we be pppv3 compatible on big-endian? * [?] Sourced key generation (from file, string...) * [?] Add error_t and bool_t to differentiate differently used ints? * [?] Improve LaTeX output (some colors, borders?) * [?] Incorporate SSH key fingerprints on passcards? Use some file as passcard background, allow hook regenerating this passcard * [-] Keep lines below 75 columns? Or 80? 2009-12-13 v0.4 * [!] Fixed some memory leaks. * [!] Ensure state loaded correctly when label/caption full * [+] Improve testcases so when they fail it's clearly visible. * [+] Fixed licensing so the project can be hosted on Savannah * [+] CHECK: Can pam module use openlog()? Maybe the log is already opened? I guess so... Seems ok. pam_unix defines pam_syslog as openlog, vsyslog, closelog. * [+] Warnings when on last passcard * [+] Add information to state files about last usage of second channel. Important to limit number of e.g. sent sms. Second-channel itself still not implemented * [+] Calling external script for mailing/sms * [+] Key generation might be to slow on systems without mouse... Maybe use openssl prng and initialize it from urandom? Also is there any reason to use SHA256 on RANDOM data? Maybe few bytes from rng + some from prng and SHA out of it? * [+] Place common functions inside a shared library * [+] Check bit distribution for alphabets not divisible by 2 Added separate testcase evaluating character distribution instead of bits. This testcase shows that distribution is in correct range. * [-] Keeping track of failures. Started (place in state files created) * [-] Implement static passwords; They might be required always or just to perform some commands like second-channel usage. * [%] GMP might leak information with reallocs of it's mpz_t * [?] Cleanup PPP interface. This should look like follows. "State" is class implementing some basic features of state management. From this 'class' ppp is derived. ppp implements high-level functions which should be used explicitly to manage state information unless something more fine-grained is necessary. * [-] Scan all FIXME/TODO entries * [-] Manuals * [-] Improve error messages when state file is not found. * [?] Big thing - Move state files to /etc + SUID. * [?] Use locales for user messages [_("")? ] * [?] Config file in /etc/security pam_access parses this file itself; samba(winbind) uses iniparser library (on MIT license) * [%] Ensure that PAM session can display warning in three calls to conversation function. If not, we must build a buffer (See for example how winscp shows that warning) * [?] Use PAM_SERVICE_ERR Low-priority: * [?] Improve LaTeX output (some colors, borders?) * [?] Incorporate SSH key fingerprints on passcards? * [-] Keep lines below 75 columns? Or 80? * [-] off-by-one testcases; a bit tests done. To be removed: * [-] Single-authentication/locking per user option to prevent DoS This would enable attacker to perform just another DoS attack. * [-] Share objects between targets (CMake) Splitting project into shared lib, util + pam is better 2008-12-02 v0.3 * [!] Fixed some memory leaks. * [!] Ensure state loaded correctly when label/caption full * [+] Fixed licensing so the project can be hosted on Savannah * [-] CHECK: Can pam module use openlog()? Maybe the log is already opened? I guess so... * [-] Warnings when on last passcard * [-] Calling external script for mailing/sms * [-] Share objects between targets (CMake) I'll rather ignore it. .so must have -fPIC, util shouldn't... * [?] Scan all FIXME/TODO entries * [?] Keep lines below 75 columns? Or 80? * [?] off-by-one testcase; a bit done * [?] manuals * [%] GMP might leak information with reallocs of it's mpz_t * [?] Single-authentication/locking per user option to prevent DoS * [?] Check bit distribution for alphabets not divisible by 2 * [?] Error messages when no state file. * [?] Key generation might be to slow on systems without mouse... Maybe use openssl prng and initialize it from urandom? Also is there any reason to use SHA256 on RANDOM data? Maybe few bytes from rng + some from prng and SHA out of it? * [?] Keeping track of failures. Started (place in state files created) 2009-12-01 v0.2 * [!] One off-by-one error fixed * [+] Implement label and contact setting * [+] Differentiate abnormal errors from normal errors * [+] 'next' behaviour with LaTeX (+6!) * [+] Decide on state file look, add version * [+] ppp testcase - statistical * [+] Check all assertions! If they don't contain anything important * [%] Ensure state loaded correctly when label/caption full * [-] CHECK: Can pam module use openlog()? Maybe the log is already opened? I guess so... * [-] Warnings when on last passcard * [-] Calling external script for mailing/sms * [-] Share objects between targets (CMake) * [-] Using Gecos field for phone information? * [?] Scan all FIXME/TODO entries * [?] Keep lines below 75 columns? Or 80? * [?] off-by-one testcase; a bit done * [?] manuals * [%] GMP might leak information with reallocs of it's mpz_t 2009-12-01 v0.1 first working version * [!] CHECK: Make testcase to check if locking file and then rewritting it has any sense. It didn't; rewritten code uses .lck file * [+] Implement/debug Retries * [+] Implement skipping * [+] Implement next functionality * [+] Printing 'next' passcard. * [+] Ensure passcards/codes passed by user are in range and won't get larger because of increments. Needs debuging. Especially internal incrementation. * [+] Ensure file permissions are always set correctly * [+] If not locked when storing/loading lock it for this procedure. * [-] CHECK: Can pam module use openlog()? Maybe the log is already opened? I guess so... * [-] Warnings when on last passcard * [-] Decide on state file look, add version * [-] Implement label and contact setting * [-] Calling external script for mailing/sms * [-] Share objects between targets (CMake) * [-] Using Gecos field for phone information? * [?] Keep lines below 75 columns? Or 80? * [?] 'next' behaviour with LaTeX (+6!) * [?] ppp testcase - statistical * [?] off-by-one testcase * [?] manuals 2009-11-24 intro/rapid-development TODO == "Roadmap" to v1.0 == * [-] CHECK: Can pam module use openlog()? Maybe the log is already opened? I guess so... * [-] CHECK: Make testcase to check if locking file and then rewritting it has any sense. * [-] Implement/debug Retries * [-] Implement skipping * [-] Implement next functionality * [-] Warnings when on last passcard * [-] Printing 'next' passcard. * [-] Ensure passcards/codes passed by user are in range and won't get larger because of increments. * [-] Ensure file permissions are always set correctly * [-] If not locked when storing/loading lock it for this procedure. * [-] Decide on state file look, add version * [-] Implement label and contact setting * [-] Calling external script for mailing/sms * [-] Share objects between targets (CMake) * [-] Using Gecos field for phone information? vim: expandtab:ts=8