freeipa/daemons/ipa-slapi-plugins/ipa-pwd-extop
Nathaniel McCallum 168a6c7d47 Ensure that ipa-otpd bind auths validate an OTP
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.

However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.

To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
common.c Use only AES enctypes by default 2016-01-13 15:24:53 +01:00
encoding.c Improve keytab code to select the right principal. 2016-02-01 13:28:39 +01:00
ipa_pwd_extop.c Improve keytab code to select the right principal. 2016-02-01 13:28:39 +01:00
ipapwd.h Improve keytab code to select the right principal. 2016-02-01 13:28:39 +01:00
Makefile.am Rename syncreq.[ch] to otpctrl.[ch] 2016-05-26 18:47:05 +02:00
otpctrl.c Rename syncreq.[ch] to otpctrl.[ch] 2016-05-26 18:47:05 +02:00
otpctrl.h Ensure that ipa-otpd bind auths validate an OTP 2016-05-26 18:47:05 +02:00
prepost.c Ensure that ipa-otpd bind auths validate an OTP 2016-05-26 18:47:05 +02:00
pwd-extop-conf.ldif Enable transactions by default, make password and modrdn TXN-aware 2012-11-21 14:55:12 +01:00
README Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00