From d498d7272d8de3e24afc442a3b001518fd98ebff Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Mon, 26 Feb 2018 09:48:22 -0500
Subject: [PATCH] Revert "Don't allow OTP or RADIUS in FIPS mode"

This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622.

OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping traffic in a VPN.

https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243

Reviewed-By: Rob Crittenden
---
 ipaserver/plugins/baseuser.py | 3 ---
 ipaserver/plugins/config.py | 16 ----------------
 2 files changed, 19 deletions(-)

diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 58c3332d2..4dbf4b6f3 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -31,7 +31,6 @@ from .baseldap import (
     LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption,
     add_missing_object_class)
 from ipaserver.plugins.service import (validate_realm, normalize_principal)
-from ipaserver.plugins.config import check_fips_auth_opts
 from ipalib.request import context
 from ipalib import _
 from ipalib.constants import PATTERN_GROUPUSER_NAME
@@ -481,7 +480,6 @@ class baseuser_add(LDAPCreate):
                  **options):
         assert isinstance(dn, DN)
         set_krbcanonicalname(entry_attrs)
-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
         self.obj.convert_usercertificate_pre(entry_attrs)
 
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -605,7 +603,6 @@ class baseuser_mod(LDAPUpdate):
         assert isinstance(dn, DN)
         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
 
-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
         self.check_namelength(ldap, **options)
         self.check_mail(entry_attrs)
 
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index 3437cde97..33ed38ba0 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -85,20 +85,6 @@ EXAMPLES:
 
 register = Registry()
 
-
-def check_fips_auth_opts(fips_mode, **options):
-    """
-    OTP and RADIUS are not allowed in FIPS mode since they use MD5
-    checksums (OTP uses our RADIUS responder daemon ipa-otpd).
-    """
-    if 'ipauserauthtype' in options and fips_mode:
-        if ('otp' in options['ipauserauthtype'] or
-                'radius' in options['ipauserauthtype']):
-            raise errors.InvocationError(
-                'OTP and RADIUS authentication in FIPS is '
-                'not yet supported')
-
-
 @register()
 class config(LDAPObject):
     """
@@ -412,8 +398,6 @@ class config_mod(LDAPUpdate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                      **options):
         assert isinstance(dn, DN)
-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
-
         if 'ipadefaultprimarygroup' in entry_attrs:
             group=entry_attrs['ipadefaultprimarygroup']
             try:
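Review bot: Removing `check_fips_auth_opts` leaves `config_mod.pre_callback` (and the two baseuser callbacks in the first file) accepting `ipauserauthtype=radius` under `fips_mode` with no signal to the administrator, while the commit message itself concedes RADIUS is only compliant if the traffic is wrapped in a VPN — a deployment precondition the code now neither enforces nor documents. The deleted docstring records why the guard existed: RADIUS (and ipa-otpd, which fronts OTP) protects the password with MD5. I would keep a non-fatal variant of the helper, dropping the `'otp'` branch since OTP is reported to work, gated on `if fips_mode and 'radius' in options.get('ipauserauthtype', ()):` and attaching a warning to the command result (through the plugin framework's result-message mechanism, which is not visible in this hunk) that says FIPS compliance depends on protecting the RADIUS leg out of band. Failing that, the `ipauserauthtype` option help, which is outside this hunk, should carry the caveat so it shows up in `ipa config-mod --help`. The body of `pre_callback` continues past the end of the hunk.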