[OATH-Toolkit-help] [sr #109111] fail gracefully for missing users
From: anonymous
Subject: [OATH-Toolkit-help] [sr #109111] fail gracefully for missing users
Date: Mon, 1 Aug 2016 16:59:37 +0000 (UTC)
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
URL:
<http://savannah.nongnu.org/support/?109111>
Summary: fail gracefully for missing users
Project: OATH Toolkit
Submitted by: None
Submitted on: Mon 01 Aug 2016 04:59:34 PM UTC
Category: None
Priority: 5 - Normal
Severity: 1 - Wish
Status: None
Privacy: Public
Assigned to: None
Originator Email: address@hidden
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux
_______________________________________________________
Details:
fail gracefully for missing users
When the PAM module is enabled, it forces *all* users to immediately
start using OATH, or they can't log in at all.

A more progressive approach would seem more reasonable to me,
especially since each user needs to get an admin user to update the
central file for them.

This patch adds an early check to the users file and makes sure the
user exists before prompting for a password.

If the user is missing, it exits early with a standard error code
(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration
(as shown in the README file). This leaves the policy decision up to
the admin (and defaults to "fail closed").

If the user is present, the code path remains the same except the
usersfile is scanned twice, which may be a performance penalty on very
slow filesystems or very large files. The only workaround I can think
of for this would be to load the whole file into memory, but this
could have significant memory impact on large files.

The function used (`oath_authenticate_usersfile`) is a little overkill
as it actually goes and tries to authenticate the user with an empty
password. This is harmless because the file isn't updated if the OTP
is incorrect and because no warning is sent to syslog.

A possible improvement on this would be to have a warning shown to the
user inciting them to configure OATH or to warn them about a possible
typo in their username before they enter their regular passphrase.
diffstat:
pam_oath/README | 2 +-
pam_oath/pam_oath.c | 17 +++++++++++++++++
2 files changed, 18 insertions(+), 1 deletion(-)
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Mon 01 Aug 2016 04:59:34 PM UTC
Name: 0001-fail-gracefully-for-missing-users.patch
Size: 3kB
By: None
<http://savannah.nongnu.org/support/download.php?file_id=38066>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/support/?109111>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
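The early usersfile check this request describes, as an added example (not the submitter's patch and not oath-toolkit's own code): it streams an oath-toolkit-style usersfile once, looks for the user in the second field, and maps the outcome to PAM_USER_UNKNOWN so the PAM configuration can decide whether to ignore it. The PAM constant values, the function names and the sample file contents are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Linux-PAM return codes (values assumed) so this builds without PAM headers. */
#define PAM_SUCCESS 0
#define PAM_AUTHINFO_UNAVAIL 9
#define PAM_USER_UNKNOWN 10
/* 1 if USER is the second field of a non-comment line in FP ("TYPE USER PIN SECRET",
 * the oath-toolkit usersfile layout), else 0. Streams the file line by line; tails of
 * lines longer than the buffer are dropped rather than parsed as new records. */
int usersfile_has_user(FILE *fp, const char *user)
{
    char line[1024];
    size_t ulen = strlen(user);
    int continuation = 0;
    if (fp == NULL || ulen == 0) return 0;
    rewind(fp);
    while (fgets(line, sizeof line, fp) != NULL) {
        const char *p = line;
        int skip = continuation;
        continuation = (strchr(line, '\n') == NULL);      /* buffer cut this line */
        if (skip) continue;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0' || *p == '#') continue;                 /* blank or comment */
        while (*p != '\0' && !isspace((unsigned char)*p)) p++; /* skip TYPE field */
        while (isspace((unsigned char)*p)) p++;
        if (strncmp(p, user, ulen) == 0 &&
            (p[ulen] == '\0' || isspace((unsigned char)p[ulen])))
            return 1;                                          /* whole-field match */
    }
    return 0;
}
/* The early check: unreadable file fails closed, unknown user maps to PAM_USER_UNKNOWN,
 * otherwise the caller goes on to prompt for the OTP as before. */
int early_user_check(FILE *usersfile, const char *user)
{
    if (usersfile == NULL) return PAM_AUTHINFO_UNAVAIL;
    return usersfile_has_user(usersfile, user) ? PAM_SUCCESS : PAM_USER_UNKNOWN;
}
/* Constructed sample usersfile (the secret is the RFC 4226 test key). */
FILE *sample_usersfile(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    fputs("# TYPE USER PIN SECRET\n"
          "HOTP/T30/6 alice - 3132333435363738393031323334353637383930\n"
          "HOTP bob 1234 3132333435363738393031323334353637383930\n"
          "HOTP/T30 alicia - 3132333435363738393031323334353637383930\n", fp);
    rewind(fp);
    return fp;
}
```

With Linux-PAM's bracketed control syntax, an admin opting into the progressive rollout would put a control such as `[success=ok user_unknown=ignore default=die]` in front of pam_oath.so (Linux-PAM syntax, not the README change from this request, which is not reproduced here).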