authorSumit Bose <sbose@redhat.com>2015-03-24 13:00:14 +0100
committerSumit Bose <sbose@redhat.com>2015-05-08 09:14:12 +0200
commit932c3e22e3c59a9c33f30dcc09e6bef257e14320 (patch)
tree133eca06e5885c538d6dc828447515285e9487a6
parente5698314b87e147c0223d0d8bcac206733dfae8c (diff)
Add cache_credentials_minimal_first_factor_length config option
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r--src/confdb/confdb.c11
-rw-r--r--src/confdb/confdb.h4
-rwxr-xr-xsrc/config/SSSDConfigTest.py2
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml22
-rw-r--r--src/util/domain_info_utils.c2
6 files changed, 42 insertions, 0 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 5aee1ee06..87960c4db 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -985,6 +985,17 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
+ ret = get_entry_as_uint32(res->msgs[0],
+ &domain->cache_credentials_min_ff_length,
+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH,
+ CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n",
+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH);
+ goto done;
+ }
+
ret = get_entry_as_bool(res->msgs[0], &domain->legacy_passwords,
CONFDB_DOMAIN_LEGACY_PASS, 0);
if(ret != EOK) {
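Review bot: The new get_entry_as_uint32() call accepts any value for cache_credentials_minimal_first_factor_length, including 0, and 0 silently turns off the safeguard the option exists for (short 2FA PINs being written to the cache as SHA512 hashes). Since this is a security knob rather than a tuning knob, I would at least log loudly when it is disabled, right after the error check: `if (domain->cache_credentials_min_ff_length == 0) {` / `    DEBUG(SSSDBG_CRIT_FAILURE, "%s is 0, first factors of any length will be cached\n", CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH);` / `}`. Nothing in this diff reads the new field, so the actual length comparison presumably lands in a later change where the hash is stored; it would be worth confirming there that the comparison is against the first factor only and not the concatenated first+second factor. confdb_get_domain_internal() begins and ends outside this hunk.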
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 19c564020..c8c91288c 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -162,6 +162,9 @@
#define CONFDB_DOMAIN_MINID "min_id"
#define CONFDB_DOMAIN_MAXID "max_id"
#define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials"
+#define CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH \
+ "cache_credentials_minimal_first_factor_length"
+#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
#define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
#define CONFDB_DOMAIN_MPG "magic_private_groups"
#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
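Review bot: The new CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH define carries a bare 8 with no hint of what it bounds or in which unit, and the man page text in this commit says only "minimal length" without saying whether that is bytes or characters. A one-line comment above the define would save the next reader a trip to sssd.conf(5): `/* Minimum length of the first (long-term) factor for its hash to be cached; see cache_credentials_minimal_first_factor_length in sssd.conf(5). Unit is whatever the enforcing code measures (presumably bytes of the password string). */`. If the enforcement uses strlen(), stating "bytes" explicitly here and in the man page avoids surprising multibyte-password users.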
@@ -221,6 +224,7 @@ struct sss_domain_info {
uint32_t id_max;
bool cache_credentials;
+ uint32_t cache_credentials_min_ff_length;
bool legacy_passwords;
bool case_sensitive;
bool case_preserve;
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 3a5312ea9..db16bc433 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -494,6 +494,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'command',
'enumerate',
'cache_credentials',
+ 'cache_credentials_minimal_first_factor_length',
'store_legacy_passwords',
'use_fully_qualified_names',
'ignore_group_members',
@@ -853,6 +854,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'command',
'enumerate',
'cache_credentials',
+ 'cache_credentials_minimal_first_factor_length',
'store_legacy_passwords',
'use_fully_qualified_names',
'ignore_group_members',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 4fa542704..f1ac6366c 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -110,6 +110,7 @@ subdomain_enumerate = str, None, false
force_timeout = int, None, false
offline_timeout = int, None, false
cache_credentials = bool, None, false
+cache_credentials_minimal_first_factor_length = int, None, false
store_legacy_passwords = bool, None, false
use_fully_qualified_names = bool, None, false
ignore_group_members = bool, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 92c64b9fd..fc34d8ee2 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1392,6 +1392,28 @@ pam_account_expired_message = Account expired, please call help desk.
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>cache_credentials_minimal_first_factor_length (int)</term>
+ <listitem>
+ <para>
+ If 2-Factor-Authentication (2FA) is used and
+ credentials should be saved this value determines
+ the minimal lenght the first authentication factor
+ (long term password) must have to be saved as SHA512
+ hash into the cache.
+ </para>
+ <para>
+ This should avoid that the short PINs of a PIN based
+ 2FA scheme are saved in the cache which would make
+ them easy targets for brute-force attacks.
+ </para>
+ <para>
+ Default: 8
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>account_cache_expiration (integer)</term>
<listitem>
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 450b8ec5c..dc306848c 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -288,6 +288,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->id_max = parent->id_max ? parent->id_max : 0xffffffff;
dom->pwd_expiration_warning = parent->pwd_expiration_warning;
dom->cache_credentials = parent->cache_credentials;
+ dom->cache_credentials_min_ff_length =
+ parent->cache_credentials_min_ff_length;
dom->case_sensitive = false;
dom->user_timeout = parent->user_timeout;
dom->group_timeout = parent->group_timeout;