Commit Graph

38 Commits

Author SHA1 Message Date
Sumit Bose
8d12d497f6 ipa-otpd: add passkey_child_debug_level option
By setting passkey_child_debug_level in default.conf the debug level for
the passkey_child helper utility can be set.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Sumit Bose
b252988da6 ipa-otpd: add support for passkey authentication
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Sumit Bose
a02fd5305e ipa-otpd: make get_krad_attr_from_packet() public
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Sumit Bose
62e28e4247 ipa-otpd: make auth_type_is(), get_string() and get_string_array() public
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Sumit Bose
e7a69b3d9f ipa-otpd: make add_krad_attr_to_set() public
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Sumit Bose
9caea3205c ipa-otpd: suppress "function declaration isn't a prototype" warning
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Sudhir Menon
b0ba520860 Fixes: ipa-otpd@.service: deprecated syslog setting
This patch updates the deprecated syslog setting i.e
StandardError=syslog with StandardError=journal

Pagure: https://pagure.io/freeipa/issue/9279
Ref: https://github.com/systemd/systemd/pull/15812

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-12-19 08:06:52 +01:00
Alexander Bokovoy
ad8f90f816 ipa-otpd: initialize local pointers and handle gcc 10
oauth2_on_child_readable() does not use the main verto context and used
to drop the argument name to signify that. This is a feature of C2X
standard by default and is not enabled in gcc before 11 by default (it
is enabled in RHEL 8's gcc 8.5).

Add a simple 'if the context is missing, get out' code to use 'ctx'.
This allows to avoid enabling C2X features.

Initialize local pointers to prevent use before initialization on exit
paths in abnormal situations as well.

Fixes: https://pagure.io/freeipa/issue/9230

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-08-29 17:34:20 +02:00
Alexander Bokovoy
3f6656e09a ipa-otpd: add support for SSSD OIDC helper
SSSD OIDC helper is used for negotiating with OAUTH2 or OIDC end points
of external identity providers (IdPs).

ipa-otpd daemon now is capable to take either Issuer URL or individual
endpoints and call SSSD OIDC helper accordingly.

Communication with SSSD OIDC helper can be debugged with the use of a
debug variable set in /etc/ipa/default.conf. Man page for
default.conf(5) has been updated to provide this information.

Fixes: https://pagure.io/freeipa/issue/8805

Signed-off-by: Sumit Bose <sbose@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Stanislav Levin
5a00882eab pylint: Fix useless-suppression
Cleanup up no longer used Pylint's disables where possible.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Alexander Bokovoy
1cc2671182 ipa-otpd: handle LDAP timeout in a better way
When LDAP server disconnects ipa-otpd client connection due to a
timeout, ipa-otpd instance would stop and report an issue. This confuses
systemd service reporting, so for these situations we better to shut
down gracefully.

Fixes: https://pagure.io/freeipa/issue/6587

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2021-04-23 11:13:36 +03:00
Alexander Bokovoy
38a86e3367 systemd: enforce en_US.UTF-8 locale in systemd units
Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.

When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:

locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE

Set the environment to explicit LC_ALL=C.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself. We already use LC_ALL=C.UTF-8 in httpd service snippet.

Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2020-12-10 14:38:05 +02:00
Alexander Bokovoy
b36f224892 ipa-otpd: fix gcc complaints in Rawhide
In file included from /usr/include/string.h:519,
                 from /usr/include/lber.h:30,
                 from /usr/include/ldap.h:30,
                 from internal.h:27,
                 from main.c:31:
In function 'strncpy',
    inlined from 'main' at main.c:237:5:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
   91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Christian Heimes
727a2ffb93 Easier to use ipa_gethostfqdn()
ipa_gethostfqdn() now returns a pointer to a statically allocated buffer
or NULL in case of an error. The caller no longer has to supply a
correctly allocated buffer.

Rename IPA_HOST_HOST to_LEN IPA_HOST_FQDN_LEN and use IPA_HOST_FQDN_LEN
wherever code copies a hostname supplied from ipa_gethostfqdn().

Clarify that MAXHOSTNAMELEN and MAXHOSTFQDNLEN are different things.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
e28ec76898 Unify access to FQDN
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.

Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.

C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
be47ec9799 libotp: Replace NSS with OpenSSL HMAC
Use OpenSSL's HMAC API instead of NSS.

Fixes: Fixes: https://pagure.io/freeipa/issue/6857
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-08 20:04:18 +03:00
Christian Heimes
15d5e44ee8 Py3: Replace six.moves imports
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.

Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-05 12:06:19 +02:00
Robbie Harwood
ab636682c4 Add cmocka unit tests for ipa otpd queue code
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-08-31 21:01:46 +02:00
Robbie Harwood
fe650087b0 Clear next field when returnining list elements in queue.c
The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue.  When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.

Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.

Related https://pagure.io/freeipa/issue/7262

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-08-31 21:01:46 +02:00
Christian Heimes
9c86d35a3f Cleanup shebang and executable bit
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
  e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.

It's frown upon to have executable library files in site-packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-07-05 19:46:42 +02:00
Robbie Harwood
a2e8d989a3 Fix elements not being removed in otpd_queue_pop_msgid()
If the element being removed were not the queue head,
otpd_queue_pop_msgid() would not actually remove the element, leading
to potential double frees and request replays.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-31 11:53:25 -04:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Timo Aaltonen
076eb409a0
ipa-otpd.socket.in: Use a platform specific value for KDC service file
https://pagure.io/freeipa/issue/6845

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-12 16:17:51 +02:00
Nathaniel McCallum
d05d1115e4 Use RemoveOnStop to cleanup systemd sockets
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-17 15:19:07 +01:00
Christian Heimes
a8376a2447 Add main guards to a couple of Python scripts
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:35:43 +01:00
Petr Spacek
152ed75ff6 Build: add missing KRB5_LIBS to daemons/ipa-otpd
It was working accidentally because krb5 libs are part of OPENLDAP_LIBS.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Timo Aaltonen
6c09d6f878 Move ipa-otpd to $libexecdir/ipa
This is more consistent with the other daemons.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-13 20:55:14 +02:00
Nathaniel McCallum
0756ce7d53 Properly handle LDAP socket closures in ipa-otpd
In at least one case, when an LDAP socket closes, a read event is fired
rather than an error event. Without this patch, ipa-otpd silently
ignores this event and enters a state where all bind auths fail.

To remedy this problem, we pass error events along the same path as read
events. Should the actual read fail, we exit.

https://bugzilla.redhat.com/show_bug.cgi?id=1377858
https://fedorahosted.org/freeipa/ticket/6368

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-06 10:35:25 +02:00
Nathaniel McCallum
4bafba06f2 Migrate from #ifndef guards to #pragma once
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-05-29 14:04:45 +02:00
Nathaniel McCallum
168a6c7d47 Ensure that ipa-otpd bind auths validate an OTP
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.

However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.

To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Nathaniel McCallum
563bddce6d Don't error when find_base() fails if a base is not required
We always have to call find_base() in order to force libldap to open
the socket. However, if no base is actually required then there is
no reason to error out if find_base() fails. This condition can arise
when anonymous binds are disabled.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-12 12:28:44 +01:00
Petr Viktorin
65e3b9edc6 Use six.Stringio instead of StringIO.StringIO
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-07 10:27:20 +02:00
Nathaniel McCallum
6c500ccf05 Move ipa-otpd socket directory
https://fedorahosted.org/freeipa/ticket/4167
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-11 17:36:19 +01:00
Xiao-Long Chen
5e96fbc22a Use /usr/bin/python2
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com
2014-01-03 09:46:05 +01:00
Jan Cholasta
5e2f7b68f0 Remove CFLAGS duplication.
https://fedorahosted.org/freeipa/ticket/3896
2013-12-06 14:44:41 +01:00
Jan Cholasta
75dadc1d8f Include LDFLAGS provided by rpmbuild in global LDFLAGS in the spec file.
Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd.

https://fedorahosted.org/freeipa/ticket/3896
2013-12-06 14:44:40 +01:00
Jan Cholasta
652c4e6ace Use hardening flags for ipa-optd.
https://fedorahosted.org/freeipa/ticket/4010
2013-12-02 12:37:41 +01:00
Nathaniel McCallum
203754691c Add the krb5/FreeIPA RADIUS companion daemon
This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.

https://fedorahosted.org/freeipa/ticket/3366
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00