
Perform OTP validation only if token is authorized

When using `try_first_pass` or `use_first_pass`, the password we inherit
from PAM might not actually be an OTP challenge.

Currently, we happily leak it to the validation server without first
checking whether it matches an authorized token ID.

This postpones sending the actual request until we know the token ID is
authorized.
This commit is contained in:
Mickaël Thomas 2017-02-26 05:04:45 +01:00
parent f3fc6e4c1a
commit 0ce0e63d26


@ -1058,12 +1058,6 @@ pam_sm_authenticate (pam_handle_t * pamh,
else else
password = NULL; password = NULL;
rc = ykclient_request (ykc, otp);
DBG ("ykclient return value (%d): %s", rc,
ykclient_strerror (rc));
DBG ("ykclient url used: %s", ykclient_get_last_url(ykc));
/* authorize the user with supplied token id */ /* authorize the user with supplied token id */
if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL) if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL)
valid_token = authorize_user_token_ldap (cfg, user, otp_id); valid_token = authorize_user_token_ldap (cfg, user, otp_id);
@ -1073,6 +1067,10 @@ pam_sm_authenticate (pam_handle_t * pamh,
switch(valid_token) switch(valid_token)
{ {
case 1: case 1:
rc = ykclient_request (ykc, otp);
DBG ("ykclient return value (%d): %s", rc, ykclient_strerror (rc));
DBG ("ykclient url used: %s", ykclient_get_last_url(ykc));
switch (rc) switch (rc)
{ {
case YKCLIENT_OK: case YKCLIENT_OK:
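Review bot: The relocated `ykclient_request (ykc, otp);` under `case 1:` carries no comment recording why the request must not be issued before the authorization switch, so the ordering this commit establishes is easy to undo in a later refactor; add above it `/* Only contact the validation server once the token id is authorized for this user: with use_first_pass/try_first_pass the inherited password may not be an OTP at all. */`. Note also that `rc` is now assigned only inside this case, so any code after `switch(valid_token)` that reads `rc` for the other `valid_token` values sees whatever `rc` held beforehand; that code is outside the hunk, so please confirm nothing there expects a fresh ykclient result. The two `DBG` lines that log the return value and the last URL are likewise now reached only after authorization, which presumably also keeps a non-OTP password out of the debug output if the URL embeds it — worth confirming against ykclient. Both hunks lie inside pam_sm_authenticate, whose body starts and ends outside this section.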