rpms/sssd
5
0
Fork 0
Code Issues Pull Requests Releases Activity
70e9980ac6
sssd/0108-Add-cache_credentials_minimal_first_factor_length-co.patch
Lukas Slebodnik 70e9980ac6 Backport important patches from upstream 1.13 prerelease 
- Resolves: rhbz#1060325 - Does sssd-ad use the most suitable
                           attribute for group name
- Resolves: upstream #2335 - Investigate using the krb5 responder
                             for driving the PAM conversation with OTPs
- Enable cmocka tests for secondary architectures
2015-05-08 14:53:58 +02:00

146 lines
6.3 KiB
Diff
Raw Blame History

From ca95d0e56d59516fc294ae62489de5ea1cd1a864 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Mar 2015 13:00:14 +0100
Subject: [PATCH 108/114] Add cache_credentials_minimal_first_factor_length
config option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 932c3e22e3c59a9c33f30dcc09e6bef257e14320)
---
src/confdb/confdb.c | 11 +++++++++++
src/confdb/confdb.h | 4 ++++
src/config/SSSDConfigTest.py | 2 ++
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 22 ++++++++++++++++++++++
src/util/domain_info_utils.c | 2 ++
6 files changed, 42 insertions(+)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index dd93410cfcac3040d5a72329929f99f43fc592f1..90d413f9ebf2ae72305e7281f03150b672c721bb 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -956,6 +956,17 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
+ ret = get_entry_as_uint32(res->msgs[0],
+ &domain->cache_credentials_min_ff_length,
+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH,
+ CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n",
+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH);
+ goto done;
+ }
+
ret = get_entry_as_bool(res->msgs[0], &domain->legacy_passwords,
CONFDB_DOMAIN_LEGACY_PASS, 0);
if(ret != EOK) {
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 19c56402069f9a7001188e91f77db8ad8525d690..c8c91288cd63df7629a98802b7b5373df92d6ca4 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -162,6 +162,9 @@
#define CONFDB_DOMAIN_MINID "min_id"
#define CONFDB_DOMAIN_MAXID "max_id"
#define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials"
+#define CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH \
+ "cache_credentials_minimal_first_factor_length"
+#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
#define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
#define CONFDB_DOMAIN_MPG "magic_private_groups"
#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
@@ -221,6 +224,7 @@ struct sss_domain_info {
uint32_t id_max;
bool cache_credentials;
+ uint32_t cache_credentials_min_ff_length;
bool legacy_passwords;
bool case_sensitive;
bool case_preserve;
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 3a5312ea945b5247c69e97b73565b7061e037b69..db16bc433cf4c47c6a15760d85b322a6655aa0c1 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -494,6 +494,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'command',
'enumerate',
'cache_credentials',
+ 'cache_credentials_minimal_first_factor_length',
'store_legacy_passwords',
'use_fully_qualified_names',
'ignore_group_members',
@@ -853,6 +854,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'command',
'enumerate',
'cache_credentials',
+ 'cache_credentials_minimal_first_factor_length',
'store_legacy_passwords',
'use_fully_qualified_names',
'ignore_group_members',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 4fa542704fbd3af065843e777b84b6305ec3e78b..f1ac6366c73c03fe5c60c79bfe7b15fde9382215 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -110,6 +110,7 @@ subdomain_enumerate = str, None, false
force_timeout = int, None, false
offline_timeout = int, None, false
cache_credentials = bool, None, false
+cache_credentials_minimal_first_factor_length = int, None, false
store_legacy_passwords = bool, None, false
use_fully_qualified_names = bool, None, false
ignore_group_members = bool, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index bb4c1d3c65818d8d949482569868e14cf60c5db5..ce21956c0ea8af3ccf2c764aad7906b0d7a7f655 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1389,6 +1389,28 @@ pam_account_expired_message = Account expired, please call help desk.
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>cache_credentials_minimal_first_factor_length (int)</term>
+ <listitem>
+ <para>
+ If 2-Factor-Authentication (2FA) is used and
+ credentials should be saved this value determines
+ the minimal lenght the first authentication factor
+ (long term password) must have to be saved as SHA512
+ hash into the cache.
+ </para>
+ <para>
+ This should avoid that the short PINs of a PIN based
+ 2FA scheme are saved in the cache which would make
+ them easy targets for brute-force attacks.
+ </para>
+ <para>
+ Default: 8
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>account_cache_expiration (integer)</term>
<listitem>
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 9fb2110eb34c7e7f5d9933f1aabed43970be1149..c25ef53e280785e81e36f111c2bf09fd88148292 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -288,6 +288,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->id_max = parent->id_max ? parent->id_max : 0xffffffff;
dom->pwd_expiration_warning = parent->pwd_expiration_warning;
dom->cache_credentials = parent->cache_credentials;
+ dom->cache_credentials_min_ff_length =
+ parent->cache_credentials_min_ff_length;
dom->case_sensitive = false;
dom->user_timeout = parent->user_timeout;
dom->group_timeout = parent->group_timeout;
--
2.4.0
Reference in New Issue View Git Blame Copy Permalink