Fix OTP bug

- Resolves: upstream #2729 - Do not send SSS_OTP if both factors were entered separately
2015-09-10 14:26:47 +02:00 · 2015-09-10 14:26:47 +02:00 · 996f9ec8f7
commit 996f9ec8f7
parent cc6c9ff159
2 changed files with 40 additions and 1 deletions
--- a/0015-krb5-do-not-send-SSS_OTP-if-two-factors-were-used.patch
+++ b/0015-krb5-do-not-send-SSS_OTP-if-two-factors-were-used.patch
@ -0,0 +1,33 @@
+From 560c4cdf6568c049102ccf47cb302f2e10de023a Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 23 Jul 2015 15:56:44 +0200
+Subject: [PATCH 15/15] krb5: do not send SSS_OTP if two factors were used
+
+Resolves https://fedorahosted.org/sssd/ticket/2729
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ src/providers/krb5/krb5_auth.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index 8886456c00c86914da364fd08efc25a488b0e686..d1bf4025b052d82413d1f370a36b0b99720d6f05 100644
+--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
+@@ -1091,7 +1091,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
+         krb5_auth_store_creds(state->domain, pd);
+     }
+ 
+-    if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
+    /* The SSS_OTP message will prevent pam_sss from putting the entered
+     * password on the PAM stack for other modules to use. This is not needed
+     * when both factors were entered separately because here the first factor
+     * (long term password) can be passed to the other modules. */
+    if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE
+            && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
+         uint32_t otp_flag = 1;
+         ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
+                                (const uint8_t *) &otp_flag);
+-- 
+2.5.0
+
--- a/sssd.spec
+++ b/sssd.spec
@ -29,7 +29,7 @@

 Name: sssd
 Version: 1.13.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -52,6 +52,7 @@ Patch0011: 0011-LDAP-use-ldb_binary_encode-when-printing-attribute-v.patch
 Patch0012: 0012-IPA-Change-the-default-of-ldap_user_certificate-to-u.patch
 Patch0013: 0013-UTIL-Provide-a-common-interface-to-safely-create-tem.patch
 Patch0014: 0014-IPA-Always-re-fetch-the-keytab-from-the-IPA-server.patch
+Patch0015: 0015-krb5-do-not-send-SSS_OTP-if-two-factors-were-used.patch

 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@ -1024,6 +1025,11 @@ fi
                                %{_libdir}/%{name}/modules/libwbclient.so

 %changelog
+* Thu Sep 10 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-6
+- Fix OTP bug
+- Resolves: upstream #2729 - Do not send SSS_OTP if both factors were
+                             entered separately
+
 * Mon Sep 07 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-5
 - Backport upstream patches required by FreeIPA 4.2.1