Fix OTP bug
- Resolves: upstream #2729 - Do not send SSS_OTP if both factors were entered separately
This commit is contained in:
parent
cc6c9ff159
commit
996f9ec8f7
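--- a/0015-krb5-do-not-send-SSS_OTP-if-two-factors-were-used.patch
+++ b/0015-krb5-do-not-send-SSS_OTP-if-two-factors-were-used.patch
@@ -0,0 +1,33 @@
+From 560c4cdf6568c049102ccf47cb302f2e10de023a Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 23 Jul 2015 15:56:44 +0200
+Subject: [PATCH 15/15] krb5: do not send SSS_OTP if two factors were used
+
+Resolves https://fedorahosted.org/sssd/ticket/2729
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+src/providers/krb5/krb5_auth.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index 8886456c00c86914da364fd08efc25a488b0e686..d1bf4025b052d82413d1f370a36b0b99720d6f05 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -1091,7 +1091,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
+krb5_auth_store_creds(state->domain, pd);
+}
+
+- if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
++ /* The SSS_OTP message will prevent pam_sss from putting the entered
++ * password on the PAM stack for other modules to use. This is not needed
++ * when both factors were entered separately because here the first factor
++ * (long term password) can be passed to the other modules. */
++ if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE
++ && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
+uint32_t otp_flag = 1;
+ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
+(const uint8_t *) &otp_flag);
+--
+2.5.0
+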
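Review bot: The new condition calls `sss_authtok_get_type(pd->authtok)` with no visible NULL guard on `pd->authtok`; if the pam_data always carries an allocated token this is fine, but nothing in the hunk shows that, and a NULL here would crash the provider in the authentication-done path. If the guarantee holds, a short comment on the `if`, such as `/* pd->authtok is always allocated together with pd */`, would record it; otherwise failing closed by keeping the SSS_OTP response when the token is missing (`pd->authtok == NULL || sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA`) is the conservative choice, since it only withholds the password from later modules. The explanatory comment could also state the consequence of the 2FA exception — that pam_sss will then place only the first factor on the PAM stack — which presumably is what the separate-factor token type guarantees, but that should be confirmed against pam_sss. `krb5_auth_done` starts and ends outside the hunk.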
@ -29,7 +29,7 @@
Name: sssd
Name: sssd
Version: 1.13.0
Version: 1.13.0
Release: 5%{?dist}
Release: 6%{?dist}
Group: Applications/System
Group: Applications/System
Summary: System Security Services Daemon
Summary: System Security Services Daemon
License: GPLv3+
License: GPLv3+
@ -52,6 +52,7 @@ Patch0011: 0011-LDAP-use-ldb_binary_encode-when-printing-attribute-v.patch
Patch0012: 0012-IPA-Change-the-default-of-ldap_user_certificate-to-u.patch
Patch0012: 0012-IPA-Change-the-default-of-ldap_user_certificate-to-u.patch
Patch0013: 0013-UTIL-Provide-a-common-interface-to-safely-create-tem.patch
Patch0013: 0013-UTIL-Provide-a-common-interface-to-safely-create-tem.patch
Patch0014: 0014-IPA-Always-re-fetch-the-keytab-from-the-IPA-server.patch
Patch0014: 0014-IPA-Always-re-fetch-the-keytab-from-the-IPA-server.patch
Patch0015: 0015-krb5-do-not-send-SSS_OTP-if-two-factors-were-used.patch
### Dependencies ###
### Dependencies ###
Requires: sssd-common = %{version}-%{release}
Requires: sssd-common = %{version}-%{release}
@ -1024,6 +1025,11 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
%changelog
* Thu Sep 10 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-6
- Fix OTP bug
- Resolves: upstream #2729 - Do not send SSS_OTP if both factors were
entered separately
* Mon Sep 07 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-5
* Mon Sep 07 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-5
- Backport upstream patches required by FreeIPA 4.2.1
- Backport upstream patches required by FreeIPA 4.2.1