author: Nathaniel McCallum <npmccallum@redhat.com> 2016-05-12 15:10:47 -0400
committer: Martin Basti <mbasti@redhat.com> 2016-05-26 18:47:05 +0200
commit: 168a6c7d4778a2a3c729e3ac24e4ad9dfacb46c0 (patch)
tree: f753c7b71b1f721aa138088d87676859a5c97dfa /ipapython
parent: cd9bc84240c99ed744e5ee44db18d925a5292ffd (diff)
Ensure that ipa-otpd bind auths validate an OTP
Before this patch, if the user was configured for either OTP or password it was possible to do a 1FA authentication through ipa-otpd. Because this correctly respected the configuration, it is not a security error. However, once we begin to insert authentication indicators into the Kerberos tickets, we cannot allow 1FA authentications through this code path. Otherwise the ticket would contain a 2FA indicator when only 1FA was actually performed.

To solve this problem, we have ipa-otpd send a critical control during the bind operation which informs the LDAP server that it *MUST* validate an OTP token for authentication to be successful. Next, we implement support for this control in the ipa-pwd-extop plugin. The end result is that the bind operation will always fail if the control is present and no OTP is validated.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
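The decision the commit message describes, modelled as an added, stand-alone Python example that is not FreeIPA code and not part of this commit: a user may be configured for password and/or OTP, the bind credential is the password optionally followed by a 6-digit HOTP value (RFC 4226), and a critical "OTP required" control on the bind makes the server fail the bind unless an OTP was actually validated. The control name `OTP_REQUIRED_CONTROL`, the `User`/`BindRequest` types, the bind logic and the sample secret are all assumptions constructed for illustration; FreeIPA's real control OID and the ipa-pwd-extop implementation are not reproduced here. The HOTP secret is the RFC 4226 test-vector key, so the expected codes are the published ones.

```python
from __future__ import annotations

import hmac
import hashlib
import struct
from dataclasses import dataclass, field

# Hypothetical placeholder for the critical control ipa-otpd would attach to the
# bind request; the real FreeIPA control OID is not part of this example.
OTP_REQUIRED_CONTROL = "x-example-otp-required"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    """Constructed stand-in for the directory entry: password, allowed auth types, token state."""
    password: str
    auth_types: frozenset            # any subset of {"password", "otp"}
    token_secret: bytes
    counter: int = 0                 # next HOTP counter the server will accept


@dataclass
class BindRequest:
    """Constructed stand-in for an LDAP simple bind: credential plus critical controls."""
    credential: str                  # password, or password immediately followed by the OTP
    critical_controls: frozenset = field(default_factory=frozenset)


def bind(user: User, req: BindRequest, window: int = 3) -> tuple[bool, bool]:
    """Return (bind_succeeded, otp_validated) for this request against this user.

    Without the control, a password-only credential is accepted whenever the user's
    configuration allows password auth (the pre-patch 1FA path). With the control
    present, the bind fails unless an OTP was validated, regardless of configuration.
    """
    otp_validated = False
    pw_len = len(user.password)

    # Try the 2FA form first: password + 6-digit OTP, checked within a small lookahead window.
    if "otp" in user.auth_types and len(req.credential) == pw_len + 6:
        pw_part, otp_part = req.credential[:pw_len], req.credential[pw_len:]
        if hmac.compare_digest(pw_part, user.password):
            for c in range(user.counter, user.counter + window):
                if hmac.compare_digest(hotp(user.token_secret, c), otp_part):
                    user.counter = c + 1       # advance past the used counter to block replay
                    otp_validated = True
                    break

    # 1FA form: the bare password, allowed only if the user is configured for it.
    password_ok = hmac.compare_digest(req.credential, user.password)
    authenticated = otp_validated or ("password" in user.auth_types and password_ok)

    # The commit's rule: control present and no OTP validated means the bind must fail.
    if OTP_REQUIRED_CONTROL in req.critical_controls and not otp_validated:
        return (False, False)
    return (authenticated, otp_validated)


def demo() -> list[tuple[bool, bool]]:
    """Walk the scenarios from the commit message with a constructed user and RFC 4226 key."""
    user = User(
        password="pw",
        auth_types=frozenset({"password", "otp"}),
        token_secret=b"12345678901234567890",   # RFC 4226 test-vector secret (constructed input)
    )
    required = frozenset({OTP_REQUIRED_CONTROL})
    return [
        bind(user, BindRequest("pw")),                     # pre-patch path: 1FA accepted
        bind(user, BindRequest("pw", required)),           # control present, no OTP: must fail
        bind(user, BindRequest("pw755224", required)),     # counter 0 OTP: 2FA succeeds
        bind(user, BindRequest("pw755224", required)),     # replayed OTP: counter moved on, fails
        bind(user, BindRequest("pw287082", required)),     # counter 1 OTP: succeeds
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second and third scenarios are the ones the patch is about: the same user configuration yields a 1FA success without the control and a hard failure with it, so a ticket issued through this path can only carry a 2FA indicator when an OTP really was checked.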
Diffstat (limited to 'ipapython')
0 files changed, 0 insertions, 0 deletions