Add support of Mysql/Mariadb for the yubikey_mapping
Mise à jour sql complete, manque la documentation
Final
clean
Add packages dependency
actions: apt update
Fix bool variable cause error build travis
Fix job #2
Fix job #3Fix#4
fix &null
fix &null
fix &null
Fix line 257 %s
test Apple integration
test Apple integration
Timeout Travis extend
Timeout travis extend
Fix klali comment
Fix warning
fix configure.ac
fix configure.ac
Update configure.ac
Update util.c
Update util.h
Update util.c
Update util.c
Update util.c
Update util.c
Fix white space
fix left column
and return AUTH_NO_TOKENS if file doesn't exist. This fixes issues in
the nullok case where this user should just be skipped over, handle
other issues with user file as an AUTH_ERROR.
fixes#194
This also unifies the code between pam-u2f and yubico-pam which means
removing the O_CREAT flag here. This is however in line with the README
and the behaviour of pam-u2f. Also, the previous code did lstat on the
path before and if it did not exist it would not have moved on to the
open() anyways.
The previous code was using a trick of saving the actual retval value
as the "pointer". The problem with that was when pam_get_data copied
it out it treated it as a void* which is 8 byte on 64 bit operating
system which meant it copied 8 byte to a 4 byte location and overwrote
the stack with 4 bytes.
The fix is using a heap pointer instead, influenced by the official
code in https://github.com/linux-pam/linux-pam/blob/master/modules/pam_unix/pam_unix_auth.c
With feedback from pedro martelletto, thanks.
If the PAM module cannot update the challenge response file (due to permissions errors, usually), the incorrect error message is displayed "Error communicating with YubiKey...".
This patch makes it so the correct error message is sent to the PAM client, which makes resolving this issue a lot easier.
As raised in #174, ldap_bind_as_user cannot be used if this module is
set to get YubiKey+OTP because the initial ldap lookup fails (since the
password is not set yet). `always_prompt` will stil the initial lookup,
meaning that the user will be given the chance to enter their password.
This adds support for using a client cert/key to authenticate to an LDAP
server. It is separate from binding with a username and password and
can either be used alongside it or with an anonymous bind to the server.
This allows using the authenticating user's username and password to
bind to the LDAP server. This is desirable because it allows for
looking up the yubikey attributes without needing to create a service
account.
This makes sure that file descriptors will be closed, even if the
fdopen() call failes, which was overlooked in some cases beforehand.
Should be not an issue in the real world, but let's be as clean as
possible.
Certain phrases (Challenge-response) were not spelled consistently
throughout the project. This commit adjusts for that and fixes a
couple of typos along the way and uses the base form of verbs in
case of error messages.
A previous commit (d51124e) added the `e` flag to the `fopen()` calls. However
this flag is not supported on all platforms (MacOS) and will be silently
dropped (see #145). This patch works around those issues by manually opening
the file descriptor using `open()` with the `O_CLOEXEC` flag, and invoking
`fd_open()` on the resulting file descriptor to open an appropriate `FILE`
stream.
This makes sure that all files used by pam_yubico will be opened with the
`O_CLOEXEC` flag on all supported platforms to mitigate issues with missing
`fclose()` invocation (see #136).
This uses mkostemp() instead of mkstemp(), passing along the `O_CLOEXEC` flag,
which makes sure that the file descriptor is closed and won't be leaked into
any child process, which was previously an issue due to a missing fclose()
(#136).
This adds the `e` flag to fopen() calls, making sure the `O_CLOEXEC` flag is
used. This makes sure that the file descriptor is being closed and not leaked
into child processes. This was an issues previously due to a missing fclose()
(#136).
This opens any file descriptors with the O_CLOEXEC flag, which will make sure
that file descriptors won't be leaked into any child process. This was
previously an issue due to a forgotten fclose() (#136).
Currently we trust the LDAP server to only return the `yubi_attr`
attribute, yet we loop over all possible attributes when there should
only be one.
Since the bundled test LDAP server ignores the requested attributes list,
we must make sure to only match against the `yubi_attr` attibute as
opposed to "all of them".
This also fixes an issue where AUTH_NOT_FOUND was returned instead
of AUTH_NO_TOKENS when there were no values returned for `yubi_attr`
but another attribute's value was considered as a candidate token.
Currently, if a user has no associated tokens, we still prompt for an
OTP challenge and attempt to verify it.
This adds a check earlier to avoid the useless prompt in that case.
The `nullok` option is also added. It changes the return value from
PAM_USER_UNKNOWN to PAM_IGNORE. (fixes#97)
Finally, some constants have been turned to symbolic form for clarity
and debugging output is improved.
When using `try_first_pass` or `use_first_pass`, the password we inherit
from PAM might not actually be an OTP challenge.
Currently, we happily leak it to the validation server without first
checking if it matches an authorized token ID.
This postpones sending the actual request until we know the token ID is
authorized.
add a debug_file option for where to write debug info (default to stdout)
stop compiling with DEBUG_PAM and PAM_DEBUG
make debugging behave the same way on linux-pam and openpam
