Fix OTP bug

- Resolves: upstream #2729 - Do not send SSS_OTP if both factors were
                             entered separately
This commit is contained in:
Lukas Slebodnik 2015-09-10 14:26:47 +02:00
parent cc6c9ff159
commit 996f9ec8f7
2 changed files with 40 additions and 1 deletions


@ -0,0 +1,33 @@
From 560c4cdf6568c049102ccf47cb302f2e10de023a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 23 Jul 2015 15:56:44 +0200
Subject: [PATCH 15/15] krb5: do not send SSS_OTP if two factors were used
Resolves https://fedorahosted.org/sssd/ticket/2729
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/krb5/krb5_auth.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 8886456c00c86914da364fd08efc25a488b0e686..d1bf4025b052d82413d1f370a36b0b99720d6f05 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1091,7 +1091,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
krb5_auth_store_creds(state->domain, pd);
}
- if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
+ /* The SSS_OTP message will prevent pam_sss from putting the entered
+ * password on the PAM stack for other modules to use. This is not needed
+ * when both factors were entered separately because here the first factor
+ * (long term password) can be passed to the other modules. */
+ if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE
+ && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
uint32_t otp_flag = 1;
ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
(const uint8_t *) &otp_flag);
--
2.5.0
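Review bot: The new third operand of the condition silently drops the SSS_OTP response for SSS_AUTHTOK_TYPE_2FA tokens, so when a 2FA login later ends up with its first factor on the PAM stack there is no log line explaining why pam_sss was not told to withhold it; a trace in that branch would make this diagnosable. A compact form is an else branch after the existing block: `} else if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {` / `    DEBUG(SSSDBG_TRACE_FUNC, "2FA authtok, not sending SSS_OTP.\n");` / `}`. The condition also now dereferences `pd->authtok` through sss_authtok_get_type() on every authenticate completion; presumably the token is always set on this path, but that is worth confirming since earlier code only read `res->otp`. The enclosing if block and krb5_auth_done() itself both begin and end outside the hunk.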


@ -29,7 +29,7 @@
Name: sssd Name: sssd
Version: 1.13.0 Version: 1.13.0
Release: 5%{?dist} Release: 6%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -52,6 +52,7 @@ Patch0011: 0011-LDAP-use-ldb_binary_encode-when-printing-attribute-v.patch
Patch0012: 0012-IPA-Change-the-default-of-ldap_user_certificate-to-u.patch Patch0012: 0012-IPA-Change-the-default-of-ldap_user_certificate-to-u.patch
Patch0013: 0013-UTIL-Provide-a-common-interface-to-safely-create-tem.patch Patch0013: 0013-UTIL-Provide-a-common-interface-to-safely-create-tem.patch
Patch0014: 0014-IPA-Always-re-fetch-the-keytab-from-the-IPA-server.patch Patch0014: 0014-IPA-Always-re-fetch-the-keytab-from-the-IPA-server.patch
Patch0015: 0015-krb5-do-not-send-SSS_OTP-if-two-factors-were-used.patch
### Dependencies ### ### Dependencies ###
Requires: sssd-common = %{version}-%{release} Requires: sssd-common = %{version}-%{release}
@ -1024,6 +1025,11 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so %{_libdir}/%{name}/modules/libwbclient.so
%changelog %changelog
* Thu Sep 10 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-6
- Fix OTP bug
- Resolves: upstream #2729 - Do not send SSS_OTP if both factors were
entered separately
* Mon Sep 07 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-5 * Mon Sep 07 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-5
- Backport upstream patches required by FreeIPA 4.2.1 - Backport upstream patches required by FreeIPA 4.2.1
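Review bot: Patch0015 is declared in the second hunk but nothing in this commit applies it, and the %prep section is outside the visible hunks, so it is unclear whether the spec uses %autosetup (in which case this is complete) or explicit per-patch lines, in which case a matching `%patch0015 -p1` line would still be missing and the fix would be listed but never built in. Worth checking %prep once, since a silently unapplied patch would leave the release number advanced while the OTP behaviour stays unchanged. The changelog entry correctly mirrors the commit message.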