From 26e06427772bfc7d9166bc31e0994ef7f5aa3c22 Mon Sep 17 00:00:00 2001 From: Ben Kibbey Date: Sun, 28 Sep 2008 17:56:08 -0400 Subject: [PATCH] Version 1.14. --- KnownBugs | 3 ++ NEWS | 11 ++++++++ TODO | 63 ++++++++++++++++++++++++++++------------- configure.ac | 2 +- debian/changelog | 6 ++++ doc/config.example | 16 +++++++---- doc/pwmd.1.in | 14 +++++++--- po/pwmd.pot | 82 +++++++++++++++++++++++++++--------------------------- 8 files changed, 126 insertions(+), 71 deletions(-) rewrite TODO (84%) diff --git a/KnownBugs b/KnownBugs index e69de29b..a5e5bc64 100644 --- a/KnownBugs +++ b/KnownBugs @@ -0,0 +1,3 @@ +The iteration setting is off by one. So 0 iterations is really 1 iteration and +-1 iteration will disable encryption. This will be fixed in v2.0 because it +will break data file compatibility. diff --git a/NEWS b/NEWS index 3b771276..b8cdb9ca 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,14 @@ +PWMD v1.14 +---------- +OPTION TIMEOUT will no longer be considered with the SAVE command. This should +be safe because it's normally an interactive command. + +The keepalive and cache timeout threads aren't terminated until after all +clients have exited even after receiving a quit signal. + +A few bug fixes. See ChangeLog for details. + + PWMD v1.13 ---------- Sorry about this second release in the same day but I didn't catch these two diff --git a/TODO b/TODO dissimilarity index 84% index 27544bc1..d49abd72 100644 --- a/TODO +++ b/TODO @@ -1,20 +1,43 @@ -Here are some ideas that might make it into later versions. Things that break -compatibility will definitely have to wait until 2.0. - -Port to pthreads. This will speed things up quite a bit and will let SSL and -DBUS work properly. - -Network socket support. Authentication will be done with public key encryption -(SSL). A client will need a key to connect. - -Use the DBUS protocol instead of libassuan. Better asynchronous IO. More -language bindings. Better handling of large amounts of data. - -Break data file compatibility: fix the minus 1 iterations file header bug, -include a flags variable (key, key file or both, and more), and an extra -variable for future expansion. - -Use libgpgme to encrypt the data file. This will let pwmd use a secret GnuPG -key and also use gpg-agent for password retrieval. We can't use gpg-agent -right now because of the limited support of symmetric password caching in -gpg-agent. +Here are some ideas that might make it into later versions. Things that break +compatibility will definitely have to wait until 2.0. + ++ = started +- = not started +? = not sure to included it + +? - Use the DBUS protocol instead of libassuan. Better asynchronous IO. More + language bindings. Better handling of large amounts of data. Might be + better to hack libassuan though since DBUS is a binary protocol. + +? - Port to pthreads. Depends on whether porting to DBUS or not. No real + reason to do it otherwise. Libpth has a nice message event design. + Pthreads is also alot faster but isn't really necessary. + ++ - Network socket support. Client certificate authentication has been started + (gnutls/v2 branch). + ++ - Break data file compatibility: fix the minus 1 iterations file header bug, + include a flags variable (key, key file or both, and more), and an extra + variable for future expansion. Started (v2 branch). + +? - Use libgpgme to encrypt the data file. This will let pwmd use a secret + GnuPG key and also use gpg-agent for password retrieval and supports + smartcards. We can't use gpg-agent right now because of the limited + support of symmetric password caching in gpg-agent (presetting the + passphrase for example). + +? - Make a standard that applications should follow when accessing or storing + the XML elements. This way two clients (say, one for console and another + for GUI) that require the same data (mail client) could use the same + element paths and not duplicate each others data. + + For example, a POP3 client would require a hostname, username, password + and optional port along with an ssl request (fingerprint, certificate), + etc. The root element of the service might have an attribute + "service=pop3" along with "default=1" or "active=1" (if you have more than + one POP3 account) so all the client needs to get the pop3 server info is + the type of service ("pop3" here). The client would then loop through the + LIST command output and search for the required service attribute. Using + the XPATH command would be faster (especially over remote connections) but + it won't resolve "target" attributes and the output is raw XML which + doesn't have TAB delimited elements. diff --git a/configure.ac b/configure.ac index ba856d03..f64ad2fd 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,6 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) -AC_INIT(pwmd, 1.13, [Ben Kibbey bjk@luxsci.net]) +AC_INIT(pwmd, 1.14, [Ben Kibbey bjk@luxsci.net]) AC_CONFIG_AUX_DIR(build) AC_CANONICAL_TARGET AM_INIT_AUTOMAKE([foreign]) diff --git a/debian/changelog b/debian/changelog index 3cdc6ca3..a640aa37 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +pwmd (1.14-1) testing; urgency=low + + * New upstream. + + -- Ben Kibbey Sun, 28 Sep 2008 17:55:38 -0400 + pwmd (1.13-1) testing; urgency=low * New upstream. diff --git a/doc/config.example b/doc/config.example index e92e1b3d..71d65309 100644 --- a/doc/config.example +++ b/doc/config.example @@ -27,7 +27,7 @@ #syslog=false # File and key cache size. Must be in multiples of your systems PAGE_SIZE. The -# default below on a x86 Linux system is one page. +# default below on a x86 Linux system is one page, or 59 files. #cache_size=4096 # Set to false to call mlockall(2) after a client connects. Uses alot more @@ -43,12 +43,13 @@ # The number of encryption iterations for new files. This is the number of # times the data will be encrypted. Setting this to a high value (10000 or # more) will slow down dictionary attacks. Setting to -1 will disable -# encryption. +# encryption. Note that setting to 0 (the default) is really one encryption +# iteration. This is a known bug. #iterations=0 -# After the set number of encryption or decryption iterations, a status -# message with the keyword ENCRYPT or DECRYPT will be sent. Set to 0 to -# disable. +# After the set number of encryption or decryption iterations have been +# processed, a status message with the keyword ENCRYPT or DECRYPT will be +# sent to the client. Set to 0 to disable. #iteration_progress=0 # A list of filenames separated by commas to add to the file cache upon @@ -85,6 +86,10 @@ # Sends a KEEPALIVE status message every N seconds. Set to 0 to disable. #keepalive=30 +# The priority or nice value of the server process. The default is inherited +# from the parent process. +#priority=10 + # END GLOBAL SETTINGS # File specific settings are allowed by placing the filename in braces. Each @@ -96,4 +101,5 @@ #key_file=/path/to/file.key #compression_level=0 #enable_pinentry=true +#pinentry_timeout=20 #backup=true diff --git a/doc/pwmd.1.in b/doc/pwmd.1.in index 68b451c7..b2afabbd 100644 --- a/doc/pwmd.1.in +++ b/doc/pwmd.1.in @@ -15,7 +15,7 @@ \\$2 \(laURL: \\$1 \(ra\\$3 .. .if \n[.g] .mso www.tmac -.TH PWMD 1 "21 Jun 2008" "Password Manager Daemon" "Password Manager Daemon" +.TH PWMD 1 "27 Sep 2008" "Password Manager Daemon" "Password Manager Daemon" .SH NAME pwmd \- local socket data server @@ -28,7 +28,8 @@ pwmd \- local socket data server is a daemon that listens for connections on a local socket. Clients connect to the server and can retrieve or modify "account" data. The word "account" is just a placeholder for the element describing and item. But what the data -actually is can be anything. The data is stored in an AES encrypted XML file. +actually is can be anything. The data is stored in an (optionally AES256 +encrypted) XML file. .SH OPTIONS The following are the available command line options. Remaining arguments are @@ -39,7 +40,8 @@ Specify an alternate configuration file. The default is \fI~/.pwmd/config\fR. .TP .I "\-I filename" Import an XML file prompting for a key to use for encryption. The encrypted -data will be written to stdout. +data will be written to stdout. This output should be redirected to a file +which is placed in the configured \fIdata_directory\fP. .TP .I "\-i iterations The number of encryption iterations when importing. When not specified, the @@ -203,7 +205,7 @@ If using an X11 pinentry. .B PATH The full path to the pinentry binary. The default is \fI@pinentry@\fP. .P -The file is read only once after a client first connects. Note that if your +The file is read only once after each client first connects. Note that if your not using a \fBDISPLAY\fP, then both \fBTTYNAME\fP and \fBTTYTYPE\fP should be set otherwise you'll get a segfault from ncurses. @@ -215,6 +217,10 @@ be required for the next \fBOPEN\fP or \fBSAVE\fP command. .TP .B SIGHUP Reloads the configuration file. +.TP +.B SIGTERM and SIGINT +Disallows new connections and waits for all clients to disconnect before +terminating. .SH FILES .TP diff --git a/po/pwmd.pot b/po/pwmd.pot index 452e35d1..61127a2f 100644 --- a/po/pwmd.pot +++ b/po/pwmd.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: bjk@luxsci.net\n" -"POT-Creation-Date: 2008-08-17 18:37-0400\n" +"POT-Creation-Date: 2008-09-28 17:55-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -31,7 +31,7 @@ msgstr "" msgid "%s(): cache mutex LOCKED" msgstr "" -#: src/cache.h:36 src/pwmd.c:312 +#: src/cache.h:36 src/pwmd.c:328 msgid "Waiting for lock" msgstr "" @@ -40,16 +40,16 @@ msgstr "" msgid "%s: %p not found" msgstr "" -#: src/pwmd.c:88 +#: src/pwmd.c:94 #, c-format msgid "reloading configuration file '%s'" msgstr "" -#: src/pwmd.c:153 +#: src/pwmd.c:161 msgid "logfile" msgstr "" -#: src/pwmd.c:214 +#: src/pwmd.c:228 #, c-format msgid "" "Usage: %s [-hvDn] [-f ] [-I [-i ]] [file1] [...]\n" @@ -63,138 +63,138 @@ msgid "" " -h this help text\n" msgstr "" -#: src/pwmd.c:245 +#: src/pwmd.c:259 msgid "Required AES cipher not supported by libgcrypt." msgstr "" -#: src/pwmd.c:365 +#: src/pwmd.c:381 #, c-format msgid "exiting, fd=%i" msgstr "" -#: src/pwmd.c:753 +#: src/pwmd.c:777 #, c-format msgid "%s: skipping empty file" msgstr "" -#: src/pwmd.c:769 +#: src/pwmd.c:793 #, c-format msgid "Password for '%s': " msgstr "" -#: src/pwmd.c:773 +#: src/pwmd.c:797 #, c-format msgid "%s: skipping file" msgstr "" -#: src/pwmd.c:783 src/pwmd.c:1218 src/pwmd.c:1237 +#: src/pwmd.c:807 src/pwmd.c:1242 src/pwmd.c:1261 #, c-format msgid "%s: invalid password, skipping" msgstr "" -#: src/pwmd.c:788 +#: src/pwmd.c:812 #, c-format msgid "%s: invalid password" msgstr "" -#: src/pwmd.c:830 +#: src/pwmd.c:854 msgid "New password: " msgstr "" -#: src/pwmd.c:831 +#: src/pwmd.c:855 msgid "Invalid password." msgstr "" -#: src/pwmd.c:836 +#: src/pwmd.c:860 msgid "Verify password: " msgstr "" -#: src/pwmd.c:837 src/pwmd.c:844 +#: src/pwmd.c:861 src/pwmd.c:868 msgid "Passwords do not match." msgstr "" -#: src/pwmd.c:1137 +#: src/pwmd.c:1161 #, c-format msgid "%s: invalid characters in filename" msgstr "" -#: src/pwmd.c:1146 +#: src/pwmd.c:1170 #, c-format msgid "%s: file already cached, skipping" msgstr "" -#: src/pwmd.c:1223 +#: src/pwmd.c:1247 msgid "Incorrect password. Please try again." msgstr "" -#: src/pwmd.c:1253 +#: src/pwmd.c:1277 #, c-format msgid "%s: file added to the cache" msgstr "" -#: src/pwmd.c:1304 +#: src/pwmd.c:1328 msgid "pth_spawn() failed" msgstr "" -#: src/pwmd.c:1309 +#: src/pwmd.c:1333 #, c-format msgid "new tid=%s, fd=%i" msgstr "" -#: src/pwmd.c:1350 +#: src/pwmd.c:1423 #, c-format msgid "%s started for user %s" msgstr "" -#: src/pwmd.c:1415 +#: src/pwmd.c:1457 #, c-format msgid "caught signal %i (%s)" msgstr "" -#: src/pwmd.c:1432 +#: src/pwmd.c:1475 msgid "clearing file cache" msgstr "" -#: src/pwmd.c:1459 +#: src/pwmd.c:1500 msgid "waiting for all threads to terminate" msgstr "" -#: src/pwmd.c:1465 +#: src/pwmd.c:1506 #, c-format msgid "%i threads remain" msgstr "" -#: src/pwmd.c:1635 +#: src/pwmd.c:1682 #, c-format msgid "%s: socket_path not defined" msgstr "" -#: src/pwmd.c:1647 +#: src/pwmd.c:1694 #, c-format msgid "%s: data_directory not defined" msgstr "" -#: src/pwmd.c:1668 +#: src/pwmd.c:1715 #, c-format msgid "cache size must be in multiples of %li" msgstr "" -#: src/pwmd.c:1732 +#: src/pwmd.c:1779 msgid "Done. Daemonizing..." msgstr "" -#: src/pwmd.c:1732 +#: src/pwmd.c:1779 msgid "Done. Waiting for connections..." msgstr "" -#: src/pwmd.c:1759 +#: src/pwmd.c:1806 #, c-format msgid "" "Either there is another pwmd running or '%s' is a \n" "stale socket. Please remove it manually." msgstr "" -#: src/pwmd.c:1867 +#: src/pwmd.c:1914 msgid "pwmd exiting normally" msgstr "" @@ -222,36 +222,36 @@ msgstr "" msgid "File modified" msgstr "" -#: src/pinentry.c:238 +#: src/pinentry.c:243 msgid "Password mismatch, please try again." msgstr "" -#: src/pinentry.c:240 +#: src/pinentry.c:245 msgid "Password Manager Daemon" msgstr "" -#: src/pinentry.c:245 +#: src/pinentry.c:250 msgid "Password:" msgstr "" -#: src/pinentry.c:249 +#: src/pinentry.c:254 #, c-format msgid "" "A password is required to open the file \"%s\". Please%%0Aenter the password " "below." msgstr "" -#: src/pinentry.c:250 +#: src/pinentry.c:255 #, c-format msgid "" "A password is required to save to the file \"%s\". Please%%0Aenter the " "password below." msgstr "" -#: src/pinentry.c:254 +#: src/pinentry.c:259 msgid "Please type the password again for confirmation." msgstr "" -#: src/pinentry.c:663 +#: src/pinentry.c:666 msgid "pth_read(): short byte count" msgstr "" -- 2.11.4.GIT