freeipa/daemons
Nathaniel McCallum 79df668b5d Ensure that a password exists after OTP validation
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.

This patch resolves CVE-2014-7828.

https://fedorahosted.org/freeipa/ticket/4690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-06 10:56:19 +01:00
..
dnssec DNSSEC: remove container_dnssec_keys 2014-10-21 12:23:39 +02:00
ipa-kdb Fix possible NULL dereference in ipa-kdb 2014-11-05 15:28:27 +01:00
ipa-otpd Move ipa-otpd socket directory 2014-02-11 17:36:19 +01:00
ipa-sam ipa-sam: cache gid to sid and uid to sid requests in idmap cache 2014-03-12 12:19:06 +01:00
ipa-slapi-plugins Ensure that a password exists after OTP validation 2014-11-06 10:56:19 +01:00
configure.ac Create ipa-otp-counter 389DS plugin 2014-10-20 10:12:36 +02:00
ipa-version.h.in Fix typos 2011-09-07 13:20:42 +02:00
Makefile.am Add the krb5/FreeIPA RADIUS companion daemon 2013-05-17 09:30:51 +02:00