Klas Lindfors
49ad48b3ef
Merge branch 'pr-130'
2017-12-15 08:08:55 +01:00
Robert Giles
504c838b5a
Update ldap_bind_user to wrap in brackets, in the likely case the actual bind DN will reside in an OU with spaces in the name.
2017-12-14 11:51:20 -06:00
Robert Giles
c1995a70b7
Typo in asciidoc syntax.
2017-12-14 10:06:19 -06:00
Robert Giles
c0d1646853
Clarify documentation; this example configuration is also useful for just regular pam_yubico configuration elsewhere against AD, too.
2017-12-14 10:04:48 -06:00
Klas Lindfors
db0d7a548b
Merge branch 'pr-129'
2017-11-20 10:16:40 +01:00
Andy Neff
5003f3974d
Update Yubikey_and_SELinux_on_Fedora_18_and_up.adoc
Added a quick explanation for what to do when you are using your own server that uses a custom port
2017-11-15 15:46:46 -05:00
Klas Lindfors
9a674273e4
drop more text with unnecessary old version deps
2017-10-10 09:37:50 +02:00
Klas Lindfors
1bc784a4f0
drop outdated version recommendations
2017-10-06 10:12:50 +02:00
Klas Lindfors
dbaf857ef0
improved debug messages when getpwnam_r() doesn't return a user
2017-08-30 08:32:54 +02:00
Klas Lindfors
3d0d9f52e5
doc: fixup which proxy schemes are supported, add http and https
fixes #127
2017-08-07 12:39:58 +02:00
Klas Lindfors
39cfa7d939
Merge branch 'pr-121'
2017-06-26 10:07:09 +02:00
Larhard
42e8a06bfe
add check_user_challenge_file tests
2017-06-24 08:31:55 +00:00
Larhard
d3f50c43ac
clear check_user_challenge_file
2017-06-23 20:10:53 +00:00
Alessio Di Mauro
f3061d627e
Add message about project rewrite to README
2017-06-16 11:20:04 +02:00
Larhard
ff87bf0ac4
code cleanup
2017-04-09 17:13:19 +02:00
Larhard
1d62bec277
add nullok support to challenge-response mode
2017-04-09 03:36:40 +02:00
Klas Lindfors
2d312da9d5
add tests for use_first_pass
2017-03-06 10:10:56 +01:00
Klas Lindfors
3c201edd83
Merge branch 'mickael9-fix-issue-117'
2017-03-06 09:37:55 +01:00
Mickaël Thomas
d048a4a6e2
Add test for LDAP entries with empty token list
2017-02-27 00:21:15 +01:00
Mickaël Thomas
fc3b1e0076
Compare OTP IDs against yubi_attr only
Currently we trust the LDAP server to only return the `yubi_attr`
attribute, yet we loop over all possible attributes when there should
only be one.
Since the bundled test LDAP server ignores the requested attributes list,
we must make sure to only match against the `yubi_attr` attribute as
opposed to "all of them".
This also fixes an issue where AUTH_NOT_FOUND was returned instead
of AUTH_NO_TOKENS when there were no values returned for `yubi_attr`
but another attribute's value was considered as a candidate token.
2017-02-27 00:21:15 +01:00
Mickaël Thomas
7b6aad719a
Return early if the user has no authorized tokens
Currently, if a user has no associated tokens, we still prompt for an
OTP challenge and attempt to verify it.
This adds a check earlier to avoid the useless prompt in that case.
The `nullok` option is also added. It changes the return value from
PAM_USER_UNKNOWN to PAM_IGNORE. (fixes #97)
Finally, some constants have been turned to symbolic form for clarity
and debugging output is improved.
2017-02-27 00:21:07 +01:00
Mickaël Thomas
0ce0e63d26
Perform OTP validation only if token is authorized
When using `try_first_pass` or `use_first_pass`, the password we inherit
from PAM might not actually be an OTP challenge.
Currently, we happily leak it to the validation server without first
checking if it matches an authorized token ID.
This postpones sending the actual request until we know the token ID is
authorized.
2017-02-26 21:32:24 +01:00
Klas Lindfors
f3fc6e4c1a
Merge branch 'thomaspatzke-patch-1'
2017-02-23 12:18:33 +01:00
Thomas Patzke
0d61b263ca
Security: Storage of challenges in path with restricted permissions
The previous instructions create a global world-writable path for challenge files. This is a security issue because all users and unprivileged processes can create challenge files for arbitrary users. This enables an attacker to bypass the second factor for authentication.
2017-02-23 09:01:27 +01:00
Klas Lindfors
80b7bff40a
doc: fix typo
2017-01-03 09:06:45 +01:00
Klas Lindfors
b12ce0d1b2
more stuff to make a2x work properly on mac for tests
2016-11-25 13:02:41 +01:00
Klas Lindfors
1290aa3b62
install docbook-xsl on mac for tests
will hopefully make the tests run smoother
2016-11-25 11:08:49 +01:00
Klas Lindfors
8ffbec5360
bump versions
2016-11-25 10:18:57 +01:00
Klas Lindfors
2e0ca8acf1
NEWS for 2.24
2016-11-25 10:15:20 +01:00
Klas Lindfors
afb575a092
drop reference to dead google groups
fixes #106
2016-09-08 10:38:24 +02:00
Simon Josefsson
02e520c906
Fix typo.
2016-08-09 09:34:47 +02:00
Klas Lindfors
174b09e298
let debug_accept stdout. also check that file exists and is regular
2016-06-22 10:19:53 +02:00
Klas Lindfors
8850659b5f
Merge branch 'debug_refactor'
2016-06-16 13:17:10 +02:00
Klas Lindfors
ebe6633425
Merge branch 'master' of github.com:Yubico/yubico-pam
2016-06-16 13:16:15 +02:00
Klas Lindfors
0c079febe2
documentation for debug_file option
2016-06-16 12:35:30 +02:00
Klas Lindfors
f7a9fc5169
print debug_file when printing configuration
2016-06-16 12:35:18 +02:00
Klas Lindfors
2cab7ac03e
open debug file with "a" not "a+"
2016-06-16 11:06:41 +02:00
Klas Lindfors
3debbfa97a
Merge pull request #101 from Yubico/user_unknown-fixes
User unknown fixes
2016-06-16 11:04:08 +02:00
Klas Lindfors
ead5337be1
fix typo 1 -> i
2016-06-16 10:26:30 +02:00
Klas Lindfors
5b36567820
cleanup debug_file after we're done
2016-06-16 10:07:56 +02:00
Klas Lindfors
cb4e1df68e
fixup openpam drop_privs implementation to support debug_file
2016-06-16 10:07:38 +02:00
Klas Lindfors
fc9a4255f0
refactor the debug mode
add a debug_file option for where to write debug info (default to stdout)
stop compiling with DEBUG_PAM and PAM_DEBUG
make debugging behave the same way on linux-pam and openpam
2016-06-16 09:02:49 +02:00
Klas Lindfors
914fa62eb4
bump versions
2016-06-15 08:55:15 +02:00
Klas Lindfors
df36c1ce6e
NEWS for 2.23
2016-06-15 08:54:20 +02:00
Klas Lindfors
4fb0be3870
add tests for empty OTP validation
also fix around so ldap case checks with length of the authorized token,
not the length of the passed in id.
2016-06-13 11:08:09 +02:00
Klas Lindfors
bda491c413
add tests for empty otp part to check_user_token()
2016-06-13 10:49:06 +02:00
Klas Lindfors
fee0bcc231
drop check for OTP length, should trigger error later anyways.
relates #97
2016-06-13 10:45:30 +02:00
Klas Lindfors
a21a20cb65
only process results of OTP check after user is found
relates #97
2016-06-13 10:45:30 +02:00
Klas Lindfors
33e7013916
install docbook-xsl instead of docbook-xml for travis
seems to help with a2x hangs
2016-06-13 10:45:10 +02:00
Klas Lindfors
9eb630a383
use umask instead of chmod to set file permissions
2016-06-03 09:08:22 +02:00