Don't allow OTP or RADIUS in FIPS mode

RADIUS, which is also internally used in the process of OTP authentication by ipa-otpd, requires MD5 checksums which makes it impossible to be used in FIPS mode. Don't allow users setting OTP or RADIUS authentication if in FIPS mode. https://pagure.io/freeipa/issue/7168 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-26 16:16:31 -06:00 · 2017-11-07 14:42:12 +01:00 · 2017-11-07 14:42:12 +01:00 · 16a952a0a4
commit 16a952a0a4
parent 9345142c2b
2 changed files with 19 additions and 0 deletions
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@ -31,6 +31,7 @@ from .baseldap import (
    LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption,
    add_missing_object_class)
 from ipaserver.plugins.service import (validate_realm, normalize_principal)
+from ipaserver.plugins.config import check_fips_auth_opts
 from ipalib.request import context
 from ipalib import _
 from ipalib.constants import PATTERN_GROUPUSER_NAME
@ -480,6 +481,7 @@ class baseuser_add(LDAPCreate):
                            **options):
        assert isinstance(dn, DN)
        set_krbcanonicalname(entry_attrs)
+        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
        self.obj.convert_usercertificate_pre(entry_attrs)

    def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
@ -603,6 +605,7 @@ class baseuser_mod(LDAPUpdate):
        assert isinstance(dn, DN)
        add_sshpubkey_to_attrs_pre(self.context, attrs_list)

+        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
        self.check_namelength(ldap, **options)

        self.check_mail(entry_attrs)
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@ -85,6 +85,20 @@ EXAMPLES:

 register = Registry()

+
+def check_fips_auth_opts(fips_mode, **options):
+    """
+    OTP and RADIUS are not allowed in FIPS mode since they use MD5
+    checksums (OTP uses our RADIUS responder daemon ipa-otpd).
+    """
+    if 'ipauserauthtype' in options and fips_mode:
+        if ('otp' in options['ipauserauthtype'] or
+                'radius' in options['ipauserauthtype']):
+            raise errors.InvocationError(
+                'OTP and RADIUS authentication in FIPS is '
+                'not yet supported')
+
+
@register()
 class config(LDAPObject):
    """
@ -398,6 +412,8 @@ class config_mod(LDAPUpdate):

    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        assert isinstance(dn, DN)
+        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+
        if 'ipadefaultprimarygroup' in entry_attrs:
            group=entry_attrs['ipadefaultprimarygroup']
            try: