author | Sumit Bose <sbose@redhat.com> | 2015-03-24 13:00:14 +0100 |
---|---|---|
committer | Sumit Bose <sbose@redhat.com> | 2015-05-08 09:14:12 +0200 |
commit | 932c3e22e3c59a9c33f30dcc09e6bef257e14320 (patch) | |
tree | 133eca06e5885c538d6dc828447515285e9487a6 | |
parent | e5698314b87e147c0223d0d8bcac206733dfae8c (diff) | |
Add cache_credentials_minimal_first_factor_length config option
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r-- | src/confdb/confdb.c | 11 | ||||
-rw-r--r-- | src/confdb/confdb.h | 4 | ||||
-rwxr-xr-x | src/config/SSSDConfigTest.py | 2 | ||||
-rw-r--r-- | src/config/etc/sssd.api.conf | 1 | ||||
-rw-r--r-- | src/man/sssd.conf.5.xml | 22 | ||||
-rw-r--r-- | src/util/domain_info_utils.c | 2 |
6 files changed, 42 insertions, 0 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 5aee1ee06..87960c4db 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -985,6 +985,17 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
         goto done;
     }
 
+    ret = get_entry_as_uint32(res->msgs[0],
+                              &domain->cache_credentials_min_ff_length,
+                              CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH,
+                              CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "Invalid value for %s\n",
+              CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH);
+        goto done;
+    }
+
     ret = get_entry_as_bool(res->msgs[0], &domain->legacy_passwords,
                             CONFDB_DOMAIN_LEGACY_PASS, 0);
     if(ret != EOK) {
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 19c564020..c8c91288c 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -162,6 +162,9 @@
 #define CONFDB_DOMAIN_MINID "min_id"
 #define CONFDB_DOMAIN_MAXID "max_id"
 #define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials"
+#define CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH \
+    "cache_credentials_minimal_first_factor_length"
+#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
 #define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
 #define CONFDB_DOMAIN_MPG "magic_private_groups"
 #define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
@@ -221,6 +224,7 @@ struct sss_domain_info {
     uint32_t id_max;
 
     bool cache_credentials;
+    uint32_t cache_credentials_min_ff_length;
     bool legacy_passwords;
     bool case_sensitive;
     bool case_preserve;
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 3a5312ea9..db16bc433 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -494,6 +494,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
             'command',
             'enumerate',
             'cache_credentials',
+            'cache_credentials_minimal_first_factor_length',
             'store_legacy_passwords',
             'use_fully_qualified_names',
             'ignore_group_members',
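Review bot: A configured value of 0 passes this parser unchanged, and since the whole purpose of the option is to keep short first factors out of the credential cache, the load path should at least make that choice visible; after the `if (ret != EOK)` block I would add `if (domain->cache_credentials_min_ff_length == 0) { DEBUG(SSSDBG_CRIT_FAILURE, "%s is 0, every first factor will be cached\n", CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH); }`. The option is declared as a plain `int` in sssd.api.conf in the same commit, so whether a negative value is rejected here depends on how get_entry_as_uint32 parses it, which is not visible in this hunk. The code that actually compares the first factor's length against this field is not part of this commit, so the unit (bytes vs. characters) must be fixed at that site and reflected in the man page text. confdb_get_domain_internal starts and ends outside the hunk.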
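Review bot: The new `cache_credentials_min_ff_length` member of `struct sss_domain_info` carries no comment, and the name alone does not say what it bounds or what a value of 0 means; I would put above it `/* Minimum length the 2FA first factor must have to be cached at all (default CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH); 0 presumably disables the check -- confirm against the enforcing comparison. */`. The bare `8` in `CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH` is also the value the man page in this commit documents, so a short comment pointing at the man page would keep the two from drifting apart. `struct sss_domain_info` begins and ends outside the hunk.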
@@ -853,6 +854,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
             'command',
             'enumerate',
             'cache_credentials',
+            'cache_credentials_minimal_first_factor_length',
             'store_legacy_passwords',
             'use_fully_qualified_names',
             'ignore_group_members',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 4fa542704..f1ac6366c 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -110,6 +110,7 @@ subdomain_enumerate = str, None, false
 force_timeout = int, None, false
 offline_timeout = int, None, false
 cache_credentials = bool, None, false
+cache_credentials_minimal_first_factor_length = int, None, false
 store_legacy_passwords = bool, None, false
 use_fully_qualified_names = bool, None, false
 ignore_group_members = bool, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 92c64b9fd..fc34d8ee2 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1392,6 +1392,28 @@ pam_account_expired_message = Account expired, please call help desk.
                         </para>
                     </listitem>
                 </varlistentry>
+
+                <varlistentry>
+                    <term>cache_credentials_minimal_first_factor_length (int)</term>
+                    <listitem>
+                        <para>
+                            If 2-Factor-Authentication (2FA) is used and
+                            credentials should be saved this value determines
+                            the minimal lenght the first authentication factor
+                            (long term password) must have to be saved as SHA512
+                            hash into the cache.
+                        </para>
+                        <para>
+                            This should avoid that the short PINs of a PIN based
+                            2FA scheme are saved in the cache which would make
+                            them easy targets for brute-force attacks.
+                        </para>
+                        <para>
+                            Default: 8
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>account_cache_expiration (integer)</term>
                     <listitem>
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 450b8ec5c..dc306848c 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -288,6 +288,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
     dom->id_max = parent->id_max ? parent->id_max : 0xffffffff;
     dom->pwd_expiration_warning = parent->pwd_expiration_warning;
     dom->cache_credentials = parent->cache_credentials;
+    dom->cache_credentials_min_ff_length =
+                                      parent->cache_credentials_min_ff_length;
     dom->case_sensitive = false;
     dom->user_timeout = parent->user_timeout;
     dom->group_timeout = parent->group_timeout;