1wilkens / pam

Safe Rust API to the Linux Pluggable Authentication Modules (PAM)
https://docs.rs/pam/
Apache License 2.0

New version #23

Open Xiretza opened 3 years ago

Xiretza commented 3 years ago

Hi! Please create a new release tag and push it to crates.io. The latest version at this time, 0.7.0, is ancient and bears little resemblance to git master, which has received a ton of improvements and new features over the last 2.5 years.

lechner commented 3 years ago

Hi @1wilkens,

Not sure if this error is still relevant, but I wrote a very similar module definition. It was originally separate but now works with your version 0.7.0 (I discovered your crate yesterday) if you would like to have a look before cutting a new release.

Kind regards Felix Lechner

1wilkens commented 3 years ago

@Xiretza Hey I'm sorry I haven't gotten around to making a new release. I was planning to merge or address the pending PRs before doing that, but haven't had much time recently.

I'll try to review pending changes and push a new release next week!

@lechner I am also not sure if this is still relevant :sweat_smile: The module part hasn't gotten enough love, as I personally don't have a use-case for it yet. I'll gladly take a look at your approach :)

lechner commented 3 years ago

@1wilkens Hi, that's a good match. I only work on modules.

As a first step, could you perhaps update pam-sys (and make any changes needed here)?

I found an incongruence (PR coming) that is possibly related to this pending change over there. You may also need this. Credit for both changes goes to SpaceManiac on ##rust.

I would then submit my other changes to this repo over time, or I could create a new crate pam-modules (your choice). Besides the module code, I would like to suggest a few modest changes to the "Rustified" function bindings.

VuiMuich commented 3 years ago

Hi, please excuse my ignorance, but do I get the idea of modules right as it would allow to use configs in /etc/pam.d/? One of my projects is a screenlocker for x11 sessions. At the moment it is basically a refactored and extended fork of SilverSoldier/rlock and I'd love to have PAM supporting biometric authentication.

So I would be quite excited for the service module support, as my Rust abilities are yet too novice to get it done by foot at this point, I guess.

lechner commented 3 years ago

@VuiMuich Programs seeking authentication—like your screen locker—can always be configured to use installed service modules. You would use the module feature here to support a new authentication method or session facilities that can then be used by programs.

Hope that helps!

VuiMuich commented 3 years ago

Ok, thanks. So would I just need pam-sys? Or would I still use pam but implement my own conversation handler? Sorry for asking stupid questions..

Edit: in order to keep this issue clean, I opened my issue No.1. If you would be so kind to help me figuring this one out, would be greatly appreciated!

lechner commented 3 years ago

I am not sure what you would like to achieve, but any Rust program would benefit from the Rustified API in pam (vs. pam-sys). Your system's authentication methods, on the other hand, are configured in /etc/pam.d (or in Debian, also in /usr/share/pam-configs). They have little to do with this Git repo. You can read up on everything here.

VuiMuich commented 3 years ago

Well my final goal is to use whatever the "default" authentication method of the system is, to unlock the screen. Be it a password (and by entering a password I actually can unlock the screen), be it a fingerprint reader (which e.g. can unlock i3lock but in my case does not work), or be it anything else like a chipcard or whatever. And I believe slowly I start to get what the problem might be: the fingerprint-service needs to either return PAM_SUCCESS or the decrypted password, I guess.

lechner commented 3 years ago

You won't be writing any modules.

Fingerprint setups vary, but PAM is often configured as (password OR fingerprint). The fingerprint may or may not yield the token needed to decrypt a drive, or similar.

1wilkens commented 3 years ago

Sorry for the late reply, I am finally getting around to reviewing some more changes (yay for vacation time).

> @1wilkens Hi, that's a good match. I only work on modules.

Great, some more eyes (and hands) are always appreciated!

> As a first step, could you perhaps update pam-sys (and make any changes needed here)?

For pam-sys the 1.0.0 alphas are published and we are just sorting out some issues related to correctly handling non-Linux platforms.

> I found an incongruence (PR coming) that is possibly related to this pending change over there. You may also need this. Credit for both changes goes to SpaceManiac on ##rust.

Yeah that should be related to the change in pam-sys you mentioned. However, the changes for FreeBSD and other OS might also affect signedness so I am slightly hesitant to merge the change right away before pam-sys settles. Please do open the PR, so we can merge when this is done.

> I would then submit my other changes to this repo over time, or I could create a new crate pam-modules (your choice). Besides the module code, I would like to suggest a few modest changes to the "Rustified" function bindings.

I appreciate any ideas regarding the API design in general as well as module-specific changes. Regarding the client API there is already some discussion in #14 that is quite stale (I should get around to changing that). Regarding the module API I looked at some other crates that also but didn't get to a satisfying solution, so any ideas (and PRs!) are welcome! Tl;dr: I'd like for pam to be the one-stop-shop for all things PAM so I'd happily include your changes!

1wilkens commented 3 years ago

Also @Xiretza sorry for another delay, but I'd like to wait for the pending changes in pam-sys before cutting a new release, so it'll take some more time. In the meantime you could probably use a git dependency to use the current state?

Xiretza commented 3 years ago

No worries, I just opened the issue to get a discussion going, I'm not in a hurry.

Will-Shanks commented 1 year ago

@1wilkens any update on a new version? There hasn't been one in 4 years so the crate appears dead, but it looks like there is still work going on in this repo.

Decodetalkers commented 1 year ago

0.7.0 on crate does not have the feature "client", seems to need a new version

ariel-miculas commented 1 year ago

@1wilkens I'm also wondering whether this crate is dead or if you're planning on maintaining it.

Goorzhel commented 1 year ago

I've emailed him so nobody else in the thread has to.

1wilkens commented 1 year ago

Hey there, sorry for the complete radio silence. Daylife got the better of me! I finished my degree and changed jobs.

Anyway, I want to come back to this crate (and pam-sys, for which I've just released a small patch release) but might add a co-maintainer to prevent such a situation in the future.

Regarding the new release I was always hesitant as pam-sys was (and still is to some degree) in flux. However, the situation is obviously not great right now with the last release from 4(!) years ago.. I'll cut a release right now (as current master is building with the bumped pam-sys) and try to catch up on the list of open PRs and discussions.

Ideally, I'd like to bring pam-sys to a 1.0 release this year and figure out a sensible path forward with this crate.

Sorry again for the huge delay!