1
0
mirror of https://github.com/Yubico/yubico-pam.git synced 2024-11-29 09:24:22 +01:00
Commit Graph

212 Commits

Author SHA1 Message Date
Klas Lindfors
3d8d06d949
use lstat() when checking for existance of user mapping file
this treats the existance of a symlink as an intent to configure the
mapping and will fail in check_user_token() instead
2019-06-26 14:58:45 +02:00
Klas Lindfors
f300115a64
check if user file exists before trying to open
and return AUTH_NO_TOKENS if file doesn't exist. This fixes issues in
the nullok case where this user should just be skipped over, handle
other issues with user file as an AUTH_ERROR.

fixes #194
2019-06-24 14:13:47 +02:00
Gabriel Kihlman
bec4e43732
Fix a TOCTOU case when opening the debug_file
This also unifies the code between pam-u2f and yubico-pam which means
removing the O_CREAT flag here. This is however in line with the README
and the behaviour of pam-u2f. Also, the previous code did lstat on the
path before and if it did not exist it would not have moved on to the
open() anyways.
2019-05-15 12:38:24 +02:00
Gabriel Kihlman
9531bc3c76
Fix pam_get_data stack overwrite by saving a heap pointer instead
The previous code was using a trick of saving the actual retval value
as the "pointer". The problem with that was when pam_get_data copied
it out it treated it as a void* which is 8 byte on 64 bit operating
system which meant it copied 8 byte to a 4 byte location and overwrote
the stack with 4 bytes.

The fix is using a heap pointer instead, influenced by the official
code in https://github.com/linux-pam/linux-pam/blob/master/modules/pam_unix/pam_unix_auth.c

With feedback from pedro martelletto, thanks.
2019-03-19 14:28:18 +01:00
Klas Lindfors
eca00d0a58
Merge branch 'pr-187' 2019-02-06 09:31:06 +01:00
Gabriel Kihlman
76034c1054
Scrub sensitive data from memory
Fixes issue #185
2019-02-04 19:50:30 +01:00
Gabriel Kihlman
5f7d7964de
Ensure that the debug log always outputs a valid OTP and not an accidental password
Fixes issue #184
2019-02-04 10:25:31 +01:00
James Magahern
413037c7e5 Fixes issue where if the challenge-response cannot be updated, the incorrect error message is displayed
If the PAM module cannot update the challenge response file (due to permissions errors, usually), the incorrect error message is displayed "Error communicating with YubiKey...".

This patch makes it so the correct error message is sent to the PAM client, which makes resolving this issue a lot easier.
2019-01-14 11:23:56 -08:00
Stephen Gelman
1c693f562c Add always_prompt configuration option to skip initial check for YubiKey
As raised in #174, ldap_bind_as_user cannot be used if this module is
set to get YubiKey+OTP because the initial ldap lookup fails (since the
password is not set yet).  `always_prompt` will stil the initial lookup,
meaning that the user will be given the chance to enter their password.
2019-01-08 04:51:13 +00:00
Tero Paloheimo
be2fdfdada Fix implicit declaration warning of mkostemp
mkostemp() requires the _GNU_SOURCE feature test macro.
See man 3 mkostemp.
2019-01-01 21:54:47 +02:00
Stephen Gelman
c8c76fbf4c Add support for LDAP client certificate authentication
This adds support for using a client cert/key to authenticate to an LDAP
server.  It is separate from binding with a username and password and
can either be used alongside it or with an anonymous bind to the server.
2018-11-12 18:28:56 +00:00
Stephen Gelman
fc2dc1a025 Add STARTTLS support for LDAP
This allows connecting to LDAP servers that only listen on port 389 but
use STARTTLS to get a TLS connection
2018-11-12 18:28:56 +00:00
Stephen Gelman
8512e5cee8 Add ldap_bind_as_user support
This allows using the authenticating user's username and password to
bind to the LDAP server.  This is desirable because it allows for
looking up the yubikey attributes without needing to create a service
account.
2018-11-12 18:28:50 +00:00
Karol Babioch
6be87e75af Close file descriptors in case fdopen() fails
This makes sure that file descriptors will be closed, even if the
fdopen() call failes, which was overlooked in some cases beforehand.
Should be not an issue in the real world, but let's be as clean as
possible.
2018-05-22 17:27:21 +02:00
Klas Lindfors
b240534c46
Merge branch 'pr-163' 2018-05-18 12:26:50 +02:00
Karol Babioch
a68d3be1bc Make code C90 compliant
This moves variable declrations to the beginning of a block to be C90-compliant.
2018-05-18 12:22:07 +02:00
Karol Babioch
80e7484aea pam_yubico.c: Check for return codes of snprintf() 2018-05-17 16:31:36 +02:00
Karol Babioch
f94095879a pam_yubico.c: Use snprintf() instead of sprintf() 2018-05-17 16:18:53 +02:00
Karol Babioch
b9aaee97ab Remove double space after periods 2018-05-04 10:45:52 +02:00
Karol Babioch
320f487265 Spell YubiKey consistently
This makes sure that YubiKey is spelled consistently throughout the project,
since it was spelled in many different ways beforehand.
2018-05-03 10:59:44 +02:00
Karol Babioch
bb3e2030eb Fix a couple of typos and spell phrases more consistently
Certain phrases (Challenge-response) were not spelled consistently
throughout the project. This commit adjusts for that and fixes a
couple of typos along the way and uses the base form of verbs in
case of error messages.
2018-04-25 15:22:30 +02:00
Klas Lindfors
3ad6fe72e7
debug: add ykpers library version to debug output where applicable 2018-04-24 08:41:03 +02:00
Karol Babioch
e5bd2ef844 Open file handlers manually using open() and fdopen() instead of using fopen()
A previous commit (d51124e) added the `e` flag to the `fopen()` calls. However
this flag is not supported on all platforms (MacOS) and will be silently
dropped (see #145). This patch works around those issues by manually opening
the file descriptor using `open()` with the `O_CLOEXEC` flag, and invoking
`fd_open()` on the resulting file descriptor to open an appropriate `FILE`
stream.

This makes sure that all files used by pam_yubico will be opened with the
`O_CLOEXEC` flag on all supported platforms to mitigate issues with missing
`fclose()` invocation (see #136).
2018-04-11 14:15:53 +02:00
Karol Babioch
0b595ee1cd Use mkotemp() instead of mkstemp()
This uses mkostemp() instead of mkstemp(), passing along the `O_CLOEXEC` flag,
which makes sure that the file descriptor is closed and won't be leaked into
any child process, which was previously an issue due to a missing fclose()
(#136).
2018-04-10 11:28:06 +02:00
Karol Babioch
d51124e884 Add "e" flag to fopen() calls
This adds the `e` flag to fopen() calls, making sure the `O_CLOEXEC` flag is
used. This makes sure that the file descriptor is being closed and not leaked
into child processes. This was an issues previously due to a missing fclose()
(#136).
2018-04-10 11:28:03 +02:00
Karol Babioch
079b975469 Open file descriptors with O_CLOEXEC
This opens any file descriptors with the O_CLOEXEC flag, which will make sure
that file descriptors won't be leaked into any child process. This was
previously an issue due to a forgotten fclose() (#136).
2018-04-10 11:27:56 +02:00
Karol Babioch
1aacb11538 Fix several format string specifiers
This fixes several specifiers to better represent the data type, which fixes
multiple compiler warnings.
2018-04-09 17:18:36 +02:00
Karol Babioch
b791091502 Print out nullok parameter in debug mode
This prints out the nullok parameter in debug mode, which was introduced
previously.
2018-03-20 13:53:09 +01:00
Klas Lindfors
dbaf857ef0
improved debug messages when getpwnam_r() doesn't return a user 2017-08-30 08:32:54 +02:00
Larhard
1d62bec277 add nullok support to challenge-response mode 2017-04-09 03:36:40 +02:00
Mickaël Thomas
fc3b1e0076 Compare OTP IDs against yubi_attr only
Currently we trust the LDAP server to only return the `yubi_attr`
attribute, yet we loop over all possible attributes when there should
only be one.

Since the bundled test LDAP server ignores the requested attributes list,
we must make sure to only match against the `yubi_attr` attibute as
opposed to "all of them".

This also fixes an issue where AUTH_NOT_FOUND was returned instead
of AUTH_NO_TOKENS when there were no values returned for `yubi_attr`
but another attribute's value was considered as a candidate token.
2017-02-27 00:21:15 +01:00
Mickaël Thomas
7b6aad719a Return early if the user has no authorized tokens
Currently, if a user has no associated tokens, we still prompt for an
OTP challenge and attempt to verify it.

This adds a check earlier to avoid the useless prompt in that case.

The `nullok` option is also added. It changes the return value from
PAM_USER_UNKNOWN to PAM_IGNORE. (fixes #97)

Finally, some constants have been turned to symbolic form for clarity
and debugging output is improved.
2017-02-27 00:21:07 +01:00
Mickaël Thomas
0ce0e63d26 Perform OTP validation only if token is authorized
When using `try_first_pass` or `use_first_pass`, the password we inherit
from PAM might not actually be an OTP challenge.

Currently, we happily leak it to the validation server without first
checking if it matches an authorized token ID.

This postpones sending the actual request until we know the token ID is
authorized.
2017-02-26 21:32:24 +01:00
Simon Josefsson
02e520c906
Fix typo. 2016-08-09 09:34:47 +02:00
Klas Lindfors
174b09e298 let debug_accept stdout. also check that file exists and is regular 2016-06-22 10:19:53 +02:00
Klas Lindfors
8850659b5f Merge branch 'debug_refactor' 2016-06-16 13:17:10 +02:00
Klas Lindfors
f7a9fc5169 print debug_file when printing configuration 2016-06-16 12:35:18 +02:00
Klas Lindfors
2cab7ac03e open debug file with "a" not "a+" 2016-06-16 11:06:41 +02:00
Klas Lindfors
ead5337be1 fix typo 1 -> i 2016-06-16 10:26:30 +02:00
Klas Lindfors
5b36567820 cleanup debug_file after we're done 2016-06-16 10:07:56 +02:00
Klas Lindfors
fc9a4255f0 refactor the debug mode
add a debug_file option for where to write debug info (default to stdout)
stop compiling with DEBUG_PAM and PAM_DEBUG
make debugging behave the same way on linux-pam and openpam
2016-06-16 09:02:49 +02:00
Klas Lindfors
4fb0be3870 add tests for empty OTP validation
also fix around so ldap case checks with length of the authorized token,
not the length of the passed in id.
2016-06-13 11:08:09 +02:00
Klas Lindfors
fee0bcc231 drop check for OTP length, should trigger error later anyways.
relates #97
2016-06-13 10:45:30 +02:00
Klas Lindfors
a21a20cb65 only process results of OTP check after user is found
relates #97
2016-06-13 10:45:30 +02:00
Klas Lindfors
2343b25d23 Merge branch 'chalresp_ownership' 2016-04-01 09:35:19 +02:00
Klas Lindfors
051dd2a5b2 switch pam_modutils_getpwnam()/getpwnam() to always use getpwnam_r() 2016-03-31 09:51:22 +02:00
Klas Lindfors
155b485ba7 copy ownership and modes of old challenge file when creating a new one
fixes #92
2016-03-30 08:59:06 +02:00
Klas Lindfors
a6ea0e7053 pass cfg->debug to check_firmware_version() and let it use D macro 2016-02-19 11:03:52 +01:00
王邈
2b33aafdb9 add check for NULL conv 2016-02-16 20:05:50 +08:00
mikemn
6b46103dbc Add proxy support via Curl 2015-11-16 09:07:49 +01:00