mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
168a6c7d47
Before this patch, if the user was configured for either OTP or password it was possible to do a 1FA authentication through ipa-otpd. Because this correctly respected the configuration, it is not a security error. However, once we begin to insert authentication indicators into the Kerberos tickets, we cannot allow 1FA authentications through this code path. Otherwise the ticket would contain a 2FA indicator when only 1FA was actually performed. To solve this problem, we have ipa-otpd send a critical control during the bind operation which informs the LDAP server that it *MUST* validate an OTP token for authentication to be successful. Next, we implement support for this control in the ipa-pwd-extop plugin. The end result is that the bind operation will always fail if the control is present and no OTP is validated. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose <sbose@redhat.com> |
||
|---|---|---|
| .. | ||
| common | ||
| ipa-cldap | ||
| ipa-dns | ||
| ipa-enrollment | ||
| ipa-extdom-extop | ||
| ipa-lockout | ||
| ipa-modrdn | ||
| ipa-otp-counter | ||
| ipa-otp-lasttoken | ||
| ipa-pwd-extop | ||
| ipa-range-check | ||
| ipa-sidgen | ||
| ipa-uuid | ||
| ipa-version | ||
| ipa-winsync | ||
| libotp | ||
| topology | ||
| Makefile.am | ||
| README | ||