| field | value | date |
|---|---|---|
| author | Nathaniel McCallum <npmccallum@redhat.com> | 2016-05-12 15:10:47 -0400 |
| committer | Martin Basti <mbasti@redhat.com> | 2016-05-26 18:47:05 +0200 |
| commit | 168a6c7d4778a2a3c729e3ac24e4ad9dfacb46c0 (patch) | |
| tree | f753c7b71b1f721aa138088d87676859a5c97dfa /daemons/ipa-otpd | |
| parent | cd9bc84240c99ed744e5ee44db18d925a5292ffd (diff) | |
| download | freeipa-168a6c7d4778a2a3c729e3ac24e4ad9dfacb46c0.tar.gz, freeipa-168a6c7d4778a2a3c729e3ac24e4ad9dfacb46c0.tar.xz, freeipa-168a6c7d4778a2a3c729e3ac24e4ad9dfacb46c0.zip | |
Ensure that ipa-otpd bind auths validate an OTP
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.
However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.
To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'daemons/ipa-otpd')
-rw-r--r-- | daemons/ipa-otpd/bind.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/daemons/ipa-otpd/bind.c b/daemons/ipa-otpd/bind.c index c985ccd7e..022525b78 100644 --- a/daemons/ipa-otpd/bind.c +++ b/daemons/ipa-otpd/bind.c @@ -26,9 +26,12 @@ */ #include "internal.h" +#include "../ipa-slapi-plugins/ipa-pwd-extop/otpctrl.h" static void on_bind_writable(verto_ctx *vctx, verto_ev *ev) { + LDAPControl control = { OTP_REQUIRED_OID, {}, true }; + LDAPControl *ctrls[] = { &control, NULL }; struct otpd_queue *push = &ctx.stdio.responses; const krb5_data *data; struct berval cred; @@ -55,7 +58,7 @@ static void on_bind_writable(verto_ctx *vctx, verto_ev *ev) cred.bv_val = data->data; cred.bv_len = data->length; i = ldap_sasl_bind(verto_get_private(ev), item->user.dn, LDAP_SASL_SIMPLE, - &cred, NULL, NULL, &item->msgid); + &cred, ctrls, NULL, &item->msgid); if (i != LDAP_SUCCESS) { otpd_log_err(errno, "Unable to initiate bind: %s", ldap_err2string(i)); verto_break(ctx.vctx); |
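Review bot: In the first hunk (`@@ -26,9 +26,12 @@`), the initializer `LDAPControl control = { OTP_REQUIRED_OID, {}, true };` uses the empty brace initializer `{}` for the `ldctl_value` berval, which is a compiler extension before C23, and `true`, which only compiles if `<stdbool.h>` reaches this file through `internal.h`; `{ OTP_REQUIRED_OID, { 0 }, 1 }` is portable to a strict C99 build and says the same thing. Separately, `#include "../ipa-slapi-plugins/ipa-pwd-extop/otpctrl.h"` makes the daemon's build reach into the slapi plugin's source directory; since the control OID is the wire contract between ipa-otpd and ipa-pwd-extop, a small shared header that both components include would keep that contract in one place without tying the daemon to the plugin's directory layout.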
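Review bot: In the second hunk (`@@ -55,7 +58,7 @@`), passing `ctrls` with the control marked critical is the right fail-closed choice for the goal in the commit message: a directory server that does not implement the control must reject the bind outright instead of quietly performing the 1FA bind this change is meant to close off. That intent deserves a one-line comment next to the `ldap_sasl_bind(...)` call, because an operator who sees "Unable to initiate bind" against an older or third-party server otherwise has no hint that the required control is the cause. Note also that `ldap_sasl_bind()` is asynchronous and only hands back `item->msgid` here, so the `i != LDAP_SUCCESS` branch covers failure to send the request; a server's rejection of the critical control arrives in the bind result for that msgid, and that is where it needs to be logged with its LDAP result code.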