So I noticed tonight that yesterday a new Linux-PAM (in portage as a generic sys-libs/pam, even though I want to change that one day) was released: 1.1.0. I was actually afraid it would be a big overhaul; instead it seems to be little more than a feature release on top of the previous one, so it’s fine.
All my patches from pre-1.0 (as well as the one to disable NIS support when not found) are still outstanding and they still apply cleanly. I guess I’ll have to harass upstream more about them and see that they are applied, maybe for 1.1.1 or something.
At any rate, the new release does have a few interesting changes, like a new pam_tally module that is now wordsize-independent (that is, it works the same way in both 32-bit and 64-bit configurations). For this reason I’m now preparing a new pambase that uses it by default instead of the old one when it is present. Unfortunately I’m finding a couple of issues that are not easy to solve.
There is another change that might be worth noting: I have already blogged about the sha512 support that Linux-PAM 1.0.1 has provided us with. Well, with this new release, together with sha512, sha256 and md5 hashing… there’s blowfish!
But pambase is not going to provide a way to enable it. It’s not that I don’t want people to use blowfish, but rather that upstream relies on the crypt() function provided by the C library: when it supports the above algorithms, pam_unix will support them as well; otherwise, you’re out of luck. Since Gentoo does not provide a blowfish-patched glibc, pam_unix won’t support the blowfish method. Until that changes, this post will serve as an answer for those interested in the matter who think that by just using “blowfish” they gain stronger hashing.
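As an added example (not from the original post or from Linux-PAM), here is a small C probe that asks the C library's crypt() for each method pam_unix can be configured with and reports whether libc actually honours the requested prefix rather than refusing or silently falling back. The salt strings are constructed sample values and the weak-symbol trick is my own assumption; build with -lcrypt to exercise the probe.

```c
#include <stdio.h>
#include <string.h>

/* Weak reference: resolves to NULL unless the binary is linked with -lcrypt,
 * so the probe can report "no crypt() linked" instead of failing to link. */
char *crypt(const char *key, const char *setting) __attribute__((weak));

/* Decide whether the C library honoured a requested hash method.
 * A libc that lacks the method returns NULL, a failure token such as "*0",
 * or silently falls back to another algorithm (e.g. traditional DES:
 * 13 characters with no '$' prefix). Only an output that echoes the
 * requested prefix counts as supported. */
int method_supported(const char *out, const char *prefix)
{
    if (out == NULL || out[0] == '*')
        return 0;
    return strncmp(out, prefix, strlen(prefix)) == 0;
}

/* Probe one method against this libc's crypt(). Returns 1 if supported,
 * 0 if crypt() refused or fell back, -1 if crypt() is not linked at all. */
int probe_method(const char *prefix, const char *salt)
{
    char setting[64];
    if (crypt == NULL)
        return -1;
    snprintf(setting, sizeof setting, "%s%s", prefix, salt);
    return method_supported(crypt("correct horse", setting), prefix);
}

int main(void)
{
    /* Methods pam_unix can be asked for, with the crypt() prefix each maps to.
     * Salts are constructed sample values, not real password data. */
    static const struct { const char *name, *prefix, *salt; } methods[] = {
        { "md5",      "$1$",  "saltsalt$" },
        { "sha256",   "$5$",  "saltsaltsaltsalt$" },
        { "sha512",   "$6$",  "saltsaltsaltsalt$" },
        { "blowfish", "$2a$", "05$abcdefghijklmnopqrstuu" },
    };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        int r = probe_method(methods[i].prefix, methods[i].salt);
        printf("%-9s %-5s %s\n", methods[i].name, methods[i].prefix,
               r < 0 ? "crypt() not linked (build with -lcrypt)"
                     : r ? "supported by libc"
                         : "NOT supported: pam_unix cannot use it");
    }
    return 0;
}
```

A method that prints "NOT supported" here will not become available by naming it in pam_unix's options; it needs a libc whose crypt() implements it.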
Since this is a minor version bump (compared to the previous 1.0), I’ve also decided to change the ebuild a bit too; I’ve removed the warnings for pam_userdb and other modules that have been moved to separate packages, since they were only checked for when updating from pre-1.0 versions. I’m almost tempted to remove the safety checks for pam_stack, pam_pwdb, and pam_console; the pam_timestamp checks have been dropped because that particular module, initially present in our older versions of PAM which applied RedHat-supplied patches, is now present upstream.
I’m going to try mediating with Kukuk about the patches we apply, dropping a few and merging a few more. It’s more time spent on stuff I don’t care much about (PAM is something people detest, and I don’t really have a good use for it myself), but I guess it’s something that Gentoo needs. As usual, kudos and gifts are very welcome (the latter in particular because, with the recent expenses I’ve had to take care of, my leisure budget has shrunk considerably).
Time to get to work then; I’m afraid I’ll have to bump the pambase version to 20090621, as I don’t think I can fix it before tonight!