Klas Lindfors
77c152df6f
move protocol inside HAVE_LIBLDAP
...
to avoid warning of unused variable
2015-03-04 09:57:22 +01:00
Klas Lindfors
336351188b
drop password parameter for authorized_user_token_ldap()
2015-03-04 09:27:21 +01:00
Klas Lindfors
5709a4479a
drop the ldap_bind_no_anonymous feature
...
Sending the users password out in another direction is scary and
requires more thought. Ideally this should be solved by using ldap
GSSAPI or similar instead of sending a cleartext password over the
network.
2015-03-04 09:14:53 +01:00
Klas Lindfors
0d3a4f4f75
consider all success as valid session
2015-03-04 09:14:14 +01:00
Klas Lindfors
f6e1ec9483
don't throw const away in cast
2015-03-04 09:11:09 +01:00
Klas Lindfors
311958093d
client_id is supposed to be unsigned
2015-03-04 08:59:55 +01:00
Klas Lindfors
6c121c8da3
make sure rc is initialized before using
2015-03-04 08:50:08 +01:00
Klas Lindfors
663fa9a8a4
don't use c++ style comments
2015-03-04 08:47:11 +01:00
Klas Lindfors
3819b40430
don't use c++ style comments
2015-03-04 08:46:52 +01:00
Klas Lindfors
4faddc54f4
conform to other code
2015-03-04 08:45:03 +01:00
Klas Lindfors
878c62dd56
drop extra options for bind dn and password
2015-02-16 10:10:53 +01:00
Klas Lindfors
f579f256c0
Merge commit 'aa87979eb84adb3adef170dac6ff2285ba43cd26' into features/ldap
...
Conflicts:
README
2015-02-16 09:03:45 +01:00
Klas Lindfors
3b3a96efc2
add ykclient_global_init() and ykclient_global_done() calls
2015-02-16 08:19:59 +01:00
Klas Lindfors
ebb024f340
add debug print with version
2015-02-13 12:33:43 +01:00
Klas Lindfors
b02ab9902a
free more unfreed memory in the pam_response structure
2015-01-21 09:57:02 +01:00
Klas Lindfors
057c3743c9
fixup a memory leak
...
the caller is responsible for freeing the pam_response from
conversations
2015-01-16 10:14:22 +01:00
Meno Abels
aa87979eb8
integrate https://github.com/Yubico/yubico-pam/pull/39/files
2014-11-20 23:59:36 +01:00
Meno Abels
37553c41ce
enable that openvpn can now run without any local user
2014-11-20 23:22:59 +01:00
Meno Abels
dae9380ac7
added a better ldap handling, and to allow query active directory
2014-11-20 23:15:39 +01:00
Klas Lindfors
d9780eacd9
move check_user_token() to util
...
for testability..
2014-08-27 10:45:42 +02:00
Klas Lindfors
83a9b93d5b
re-add libyubikey, needed.
2014-08-27 10:25:01 +02:00
Klas Lindfors
6dbcb903a5
move includes around in an attempt to include less
2014-08-27 09:44:49 +02:00
Klas Lindfors
79612b5b29
break out util.c into it's own temporary library
...
to make testing easier
2014-08-27 09:37:38 +02:00
Klas Lindfors
376bf33f9a
correctly mark strings in cfg struct as const
2014-07-29 09:25:39 +02:00
Klas Lindfors
54989c3f3f
fixup so urllist data is kept within it's own memory before strtok
...
fixes #41
2014-07-29 09:23:10 +02:00
Alex Fisher
d35d5bfb30
Fix segfault whilst freeing urls
2014-06-02 11:32:08 +01:00
Simon Josefsson
43cd3b4621
Update copyright years.
2014-04-30 13:16:09 +02:00
Klas Lindfors
431e96033d
fixup strtok of url templates
2014-03-26 11:00:39 +01:00
Klas Lindfors
8f6717b13e
fixup urllist feature (hopefully)
2014-03-26 10:53:40 +01:00
Klas Lindfors
602905c51d
spelling
2014-03-26 09:40:01 +01:00
Klas Lindfors
3be440ec80
add urllist feature
...
allowing up to 10 urls to be specified in config
2014-03-12 15:00:22 +01:00
Simon Josefsson
387db3eba0
Merge pull request #14 from BinetReseau/master
...
No match between user and token detailed pam values
2013-09-27 02:11:20 -07:00
Klas Lindfors
7fa8cbbd46
a PAM_MODUTIL_DEV_PRIVS structure can't be reused
...
so we have to allocate a second one and point to
that for the second time we want to drop privs.
relates to #28
2013-09-23 08:56:49 +02:00
Klas Lindfors
1b2a8fdf30
reimplement drop_privs to implement the pam_modutils interface
...
Original patch from maxime.deroucy@gmail.com .
http://code.google.com/p/yubico-pam/issues/detail?id=49
fixes #19
2013-09-20 10:54:13 +02:00
Klas Lindfors
eb1ba8a52a
update copyright years
2013-09-19 08:35:15 +02:00
Eugene Crosser
2aaf0fdc23
Stop leaks of memory and of privileges
...
Fix several memory leaks and mishandling of the privilege status
where a function returned failure indication, and previously
allocated memory was not freed (and the referece was lost), or
previously droped privileges where not restored.
2013-09-18 14:22:41 +02:00
Klas Lindfors
f617829f10
fixup warnings
2013-09-18 14:10:35 +02:00
Klas Lindfors
fb6b0911fd
use pbkdf2 to process the exepected response
...
this bumps the version on the state file to 2
old files can still be read but new files will use the new format
2013-09-18 14:10:35 +02:00
Klas Lindfors
eb78d4882b
refactor to use chalresp function from ykpers
...
so challenge_response() now calls yk_challenge_response() to
do the yubikey internal stuff.
2013-09-18 14:10:35 +02:00
Christian Hesse
7dc5c6a155
print information only if debug is specified
...
The pam module is very informative. I do not want it to print any
information unless debug is specified. An attacker should not get any
information.
2013-05-13 15:47:59 +02:00
Pierre-Alain Dupont
21c4dd3fa3
A more precise handling of user-token match errors
...
Signed-off-by: Pierre-Alain Dupont <pad@melix.net>
2013-01-26 15:59:23 +00:00
Vincent Brillault
96252b6f2b
Verify the otp_length given by the configuration
...
Avoid out of bound writing at ligne -920,1 +927,1:
strncpy (otp_id, password + skip_bytes, cfg->token_id_length);
2012-08-07 19:18:43 +02:00
Klas Lindfors
2ffd54a24c
use errstr to communicate with the user
2012-06-14 09:25:38 +02:00
Klas Lindfors
a5f2e9e333
check for same response in pam module, output debug for the user
2012-06-08 13:20:07 +02:00
Klas Lindfors
41c576e0cf
replace fopen with open+fdopen to set more restrictive bits
2012-06-08 10:45:59 +02:00
Fredrik Thulin
da246e240c
load_chalresp_state: Debug message was always shown.
2012-02-13 14:24:31 +01:00
Fredrik Thulin
82296f4632
do_challenge_response: Clear errno when done.
2012-02-10 15:13:42 +01:00
Fredrik Thulin
2c077fba4e
DBG format fix
2012-02-10 14:13:24 +01:00
Fredrik Thulin
fb6281fa3f
Fix clang indicated printf format warnings.
2012-02-08 15:53:18 +01:00
Fredrik Thulin
3275b38d59
Fix debug-logging of chalresp_path. Oddity reported by clang.
2012-02-06 11:37:42 +01:00
Fredrik Thulin
dc9146ffcb
snprintf returns an int, not a size_t. reported by clang.
2012-02-06 11:31:23 +01:00
Fredrik Thulin
bfbcda54ad
Merge branch 'master' of https://github.com/remim/yubico-pam
2012-02-02 13:16:05 +01:00
Remi Mollon
3e1f5f6925
renaming yubi_prefix to yubi_Attr_prefix and changing debug
2012-02-01 09:29:05 +01:00
Clemens Lang
d2c14efdd4
Add missing headers
...
fcntl.h in pam_yubico.c is needed on OS X with clang for the build to
succeed, while unistd.h in util.c is required so clang doesn't complain
about implicit declarations of ftruncate and fsync.
2012-01-28 00:30:34 +01:00
Fredrik Thulin
73369beba9
Avoid double fclose() in some error cases.
...
Problem reported (and patched) by Lingzhu Xiang <xianglingzhu@gmail.com>
in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657524
2012-01-27 12:33:53 +01:00
Remi Mollon
fd465d1261
add comment
2012-01-24 17:42:49 +01:00
Simon Josefsson
3828953374
Bump version. Use silent rules. Bump copyright years.
2012-01-23 20:25:06 +01:00
Remi Mollon
b42307d169
adding yubi_prefix parameter, when looking for token_id in ldap
2012-01-18 17:04:58 +01:00
Fredrik Thulin
263012f725
authorize_user_token: Don't drop privs for system-wide file.
2011-12-13 16:56:04 +01:00
Fredrik Thulin
43134038a5
do_challenge_response: Remove 2 unused variables.
2011-12-06 13:45:58 +01:00
Fredrik Thulin
b27599957c
Fix implicit yubikey_* declarations.
2011-12-06 13:31:25 +01:00
Fredrik Thulin
fa8a9ff074
Fix pointer signedness warnings.
2011-12-06 11:56:52 +01:00
Fredrik Thulin
f24f333867
Drop privileges before writing new C-R file.
2011-11-23 13:56:01 +01:00
Fredrik Thulin
94885d2d48
Verify that challenge-response file is a normal file.
2011-11-23 13:55:44 +01:00
Fredrik Thulin
d4acd495f0
improve debug messages
2011-11-23 13:46:26 +01:00
Fredrik Thulin
fcde64a93e
Use pam_modutil_drop_priv if it is available.
...
Utility functions for what was done in drop_priv.c appeared
in PAM 1.1.3. Use them when available.
2011-11-23 13:45:41 +01:00
Fredrik Thulin
b92902fd8f
Restore challenge-response functionality.
...
HAVE_LIBYKPERS_1 did not seem to ever get defined, so use HAVE_CR instead.
2011-11-23 13:26:02 +01:00
Ricky Zhou
a9892dbb44
Drop privileges before opening user files.
...
This change also ensures that user tokens are regular files. We may
want to add a similar check for user challenge files.
2011-11-23 10:16:00 +01:00
Fredrik Thulin
f92ee12aa9
Remove unused variable and extra undef.
2011-11-22 11:17:29 +01:00
Fredrik Thulin
47d883b600
pam_sm_authenticate: check strdup return value
2011-11-22 11:08:53 +01:00
Fredrik Thulin
57cf6ed5d6
authorize_user_token_ldap: check malloc return value
2011-11-22 11:08:28 +01:00
dr8
6dc10799b6
Bug fix: pam_yubico doesn't check server signature
...
Squashed commit of the following:
commit 9e7746bc53
Author: dr8 <github@dominicrutherford.co.uk>
Date: Mon Oct 31 14:27:47 2011 +0000
Bug fix: pam_yubico doesn't check server signature
commit 2f3d5e721c
Author: dr8 <github@dominicrutherford.co.uk>
Date: Sat Oct 29 16:59:08 2011 +0100
Bug fix: pam_yubico does not validate server signature
commit 58a1e6820a
Author: dr8 <github@dominicrutherford.co.uk>
Date: Fri Oct 28 22:09:49 2011 +0100
only validate server signature when key is specified
commit d705f429bc
Author: dr8 <github@dominicrutherford.co.uk>
Date: Tue Oct 25 22:45:22 2011 +0100
fix failure to validate server signature
2011-11-08 21:57:28 +01:00
Nanakos Chrysostomos
4712da70ca
Fix big security hole: Authentication succeeded when no password
...
was given, unless use_first_pass was being used.
This is fatal if pam_yubico is considered 'sufficient' in the PAM
configuration.
Signed-off-by: Nanakos Chrysostomos <nanakos@wired-net.gr>
2011-08-26 14:32:03 +03:00
Simon Josefsson
e469b630d5
Make dependency on libykpers optional.
...
Use --without-cr to force it. Reported by Jussi Sallinen <jussi@jus.si>.
2011-06-07 00:35:22 +02:00
Fredrik Thulin
eb438e782c
parse_cfg: Use memset to clear cfg struct.
...
The code will be easier to maintain if one does not have to remember
explicitly initializing all new members of the config struct.
2011-04-15 16:30:06 +02:00
Fredrik Thulin
804b537acf
Fix some D's that should've been DBG.
2011-04-15 16:28:00 +02:00
Fredrik Thulin
dfebd4173f
Make DBG macro unified.
...
Refactor authorize_user_token and authorize_user_token_ldap to take
a cfg argument instead of a number of elements from cfg.
2011-04-15 15:24:50 +02:00
Romain Riviere
1ec6d2df92
Debug: adding a dbg flag and macro so as to disable unwanted debug messages
2011-04-15 14:17:23 +02:00
Tollef Fog Heen
7923496375
Tell the user if something goes wrong after authenticating
...
If we successfully authenticate, but something then goes wrong, such
as failure to generate a new challenge, failure to update the
challenge and so on, tell the user.
2011-03-18 23:05:26 +01:00
Tollef Fog Heen
72d1f4bba9
Move code around slightly to make merging with Fredrik easier
2011-03-18 23:01:46 +01:00
Fredrik Thulin
b20c0ed678
Make get_user_challenge_file() also include YubiKey serial number,
...
and move it to util.c.
2011-03-18 22:57:22 +01:00
Fredrik Thulin
69ec1bf8a0
Further cleanups to challenge response code, and move more code to util.c.
2011-03-18 22:56:41 +01:00
Fredrik Thulin
cb16817047
Revert "Wait with declaring PAM_SUCCESS on challenge-response until new"
...
Tollef has argued that the login should not fail if, for example, the
disk is full. I'd rather fail on the cautious side and make sure we
don't end up always sending the same challenge to the YubiKey, but I'll
leave it up to Tollef to decide for now.
This reverts commit 14e917ffae
.
Conflicts:
pam_yubico.c
2011-03-18 22:50:23 +01:00
Fredrik Thulin
721866df0b
Move more challenge-response code to util.c.
2011-03-18 21:52:07 +01:00
Fredrik Thulin
c557249503
Move soon-to-be commonly used code to util.c
2011-03-18 21:49:23 +01:00
Fredrik Thulin
3abc5b2d81
Remove hard coded values for challenge/responses.
...
Also do some input validation on what we read from the C/R file.
2011-03-16 22:52:36 +01:00
Fredrik Thulin
d73618f271
generate_challenge() only generated half as many bytes as it should.
...
Changed generate_challenge() to generating bytes instead of a hex
encoded string, to not have to decode what we just encoded - instead
just generate plain bytes of randomness and then encode them once.
2011-03-16 22:49:57 +01:00
Tollef Fog Heen
1364b39db7
Use a temporary file to ensure we always have a challenge
...
If we use ftruncate we might end up in the situation that we do not
have a challenge on disk, leading to the user being unable to log in.
By using a temporary file, fsync and rename we avoid this problem.
2011-03-16 22:49:51 +01:00
Fredrik Thulin
dc6cd95a98
fsync() wants file descriptor
...
Also, truncate file before writing if the challenge length has
changed (became shorter) or garbage has otherwise been appended.
2011-03-16 22:28:33 +01:00
Fredrik Thulin
ee2e8b42da
Don't generate new challenge on bad response.
2011-03-16 22:28:02 +01:00
Fredrik Thulin
7360223a14
Support challenge-response files outside user's home directory.
...
Having the challege-response data inside the home directory won't
work very well if the YubiKey is to unlock an ecryptfs encrypted
home directory.
2011-03-16 22:27:02 +01:00
Tollef Fog Heen
d9ee08b97f
Add challenge-response authentication
2011-03-12 15:57:07 +01:00
Tollef Fog Heen
ed1ce7e6e7
Undef USERFILE when we don't need it any more
2011-03-12 15:57:02 +01:00
Tollef Fog Heen
49c923a99d
Get rid of unimplemented PAM functions
2011-03-12 15:56:48 +01:00
Fredrik Thulin
e338807cc8
Merge branch 'fix/various_ldap_fixes'
2011-03-10 20:50:48 +01:00
Fredrik Thulin
a59c6c4d71
Ignore errors from pam_get_data().
2011-03-04 15:52:02 +01:00
Fredrik Thulin
f91a7dc99a
Correct debug log message for too short OTPs.
2011-03-03 15:45:00 +01:00
Fredrik Thulin
a5594fa09c
Merge branch 'devel/avoid_logging_passwords'
2011-03-03 15:07:53 +01:00
Fredrik Thulin
702ac98b21
Bugfix getting option token_id_length.
2011-03-03 15:06:15 +01:00
Fredrik Thulin
ac76947e8a
Avoid logging passwords when debug is enabled.
...
Problem reported in
http://code.google.com/p/yubico-pam/issues/detail?id=28
2011-03-03 15:00:05 +01:00