From 0ce0e63d269dba2c75e8df06e8100d63dad39472 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Thomas?=
Date: Sun, 26 Feb 2017 05:04:45 +0100
Subject: [PATCH] Perform OTP validation only if token is authorized

When using `try_first_pass` or `use_first_pass`, the password we inherit from PAM might not actually be an OTP challenge. Currently, we happily leak it to the validation server without first checking if it matches an authorized token ID. This postpones sending the actual request until we know the token ID is authorized.
---
 pam_yubico.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/pam_yubico.c b/pam_yubico.c
index 59b27bc..b5544f0 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -1058,12 +1058,6 @@ pam_sm_authenticate (pam_handle_t * pamh,
   else
     password = NULL;
-  rc = ykclient_request (ykc, otp);
-
-  DBG ("ykclient return value (%d): %s", rc, ykclient_strerror (rc));
-  DBG ("ykclient url used: %s", ykclient_get_last_url(ykc));
-
   /* authorize the user with supplied token id */
   if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL)
     valid_token = authorize_user_token_ldap (cfg, user, otp_id);
@@ -1073,6 +1067,10 @@ pam_sm_authenticate (pam_handle_t * pamh,
   switch(valid_token)
     {
     case 1:
+      rc = ykclient_request (ykc, otp);
+      DBG ("ykclient return value (%d): %s", rc, ykclient_strerror (rc));
+      DBG ("ykclient url used: %s", ykclient_get_last_url(ykc));
+
       switch (rc)
         {
         case YKCLIENT_OK:
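Review bot: `rc` is now assigned only on the `case 1:` path of `switch(valid_token)`, so any read of `rc` after the outer switch or at a cleanup label on the other `valid_token` branches now sees whatever value an earlier call left in it rather than the result of the request; the body of `pam_sm_authenticate` starts and ends outside both hunks, so confirm those paths do not depend on `rc`, or reset it to an explicit failure value immediately before `switch(valid_token)`. The second `DBG` still logs `ykclient_get_last_url(ykc)`, which presumably carries the OTP in the query string, so the secret the commit stops sending to the server for unauthorized tokens is still written to debug output for authorized ones; a comment such as `/* the URL below embeds the submitted OTP; debug logging exposes it */` would make that trade-off visible. As a point of style, the removed `DBG` call was wrapped at 80 columns and the re-added one is not, which goes against the GNU formatting used elsewhere in the hunk.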