Fredrik Thulin
69ec1bf8a0
Further cleanups to challenge response code, and move more code to util.c.
2011-03-18 22:56:41 +01:00
Fredrik Thulin
cb16817047
Revert "Wait with declaring PAM_SUCCESS on challenge-response until new"
...
Tollef has argued that the login should not fail if, for example, the
disk is full. I'd rather fail on the cautious side and make sure we
don't end up always sending the same challenge to the YubiKey, but I'll
leave it up to Tollef to decide for now.
This reverts commit 14e917ffae
.
Conflicts:
pam_yubico.c
2011-03-18 22:50:23 +01:00
Fredrik Thulin
721866df0b
Move more challenge-response code to util.c.
2011-03-18 21:52:07 +01:00
Fredrik Thulin
c557249503
Move soon-to-be commonly used code to util.c
2011-03-18 21:49:23 +01:00
Tollef Fog Heen
1130d47bb2
Use a temporary file to ensure we always have a challenge
...
If we use ftruncate we might end up in the situation that we do not
have a challenge on disk, leading to the user being unable to log in.
By using a temporary file, fsync and rename we avoid this problem.
2011-03-17 21:51:35 +01:00
Fredrik Thulin
e2968a1bf8
Add ykpamcfg - C/R setup command line utility.
2011-03-17 18:23:40 +01:00
Fredrik Thulin
c1f8ba8804
Make get_user_challenge_file() also include YubiKey serial number,
...
and move it to util.c.
2011-03-17 17:55:04 +01:00
Fredrik Thulin
fe12e98e38
Version-tag challenge-response state file contents.
...
Helps in case we ever want to change the file format.
2011-03-17 16:12:19 +01:00
Fredrik Thulin
ab47c06c20
Further cleanups to challenge response code, and move more code
...
to util.c.
2011-03-17 16:10:42 +01:00
Fredrik Thulin
319fee4e08
Revert "Wait with declaring PAM_SUCCESS on challenge-response until new"
...
Tollef has argued that the login should not fail if, for example, the
disk is full. I'd rather fail on the cautious side and make sure we
don't end up always sending the same challenge to the YubiKey, but I'll
leave it up to Tollef to decide for now.
This reverts commit 14e917ffae
.
Conflicts:
pam_yubico.c
2011-03-17 15:08:23 +01:00
Fredrik Thulin
0cf57429a8
Move more challenge-response code to util.c.
2011-03-17 15:04:29 +01:00
Fredrik Thulin
42ebcb3b86
Move soon-to-be commonly used code to util.c
2011-03-17 15:04:08 +01:00
Fredrik Thulin
3abc5b2d81
Remove hard coded values for challenge/responses.
...
Also do some input validation on what we read from the C/R file.
2011-03-16 22:52:36 +01:00
Fredrik Thulin
d73618f271
generate_challenge() only generated half as many bytes as it should.
...
Changed generate_challenge() to generating bytes instead of a hex
encoded string, to not have to decode what we just encoded - instead
just generate plain bytes of randomness and then encode them once.
2011-03-16 22:49:57 +01:00
Tollef Fog Heen
1364b39db7
Use a temporary file to ensure we always have a challenge
...
If we use ftruncate we might end up in the situation that we do not
have a challenge on disk, leading to the user being unable to log in.
By using a temporary file, fsync and rename we avoid this problem.
2011-03-16 22:49:51 +01:00
Fredrik Thulin
dc6cd95a98
fsync() wants file descriptor
...
Also, truncate file before writing if the challenge length has
changed (became shorter) or garbage has otherwise been appended.
2011-03-16 22:28:33 +01:00
Fredrik Thulin
ee2e8b42da
Don't generate new challenge on bad response.
2011-03-16 22:28:02 +01:00
Fredrik Thulin
7360223a14
Support challenge-response files outside user's home directory.
...
Having the challege-response data inside the home directory won't
work very well if the YubiKey is to unlock an ecryptfs encrypted
home directory.
2011-03-16 22:27:02 +01:00
Tollef Fog Heen
927735f54f
Merge remote branch 'origin/master'
2011-03-16 22:25:17 +01:00
Fredrik Thulin
2d9a704a87
Remove hard coded values for challenge/responses.
...
Also do some input validation on what we read from the C/R file.
2011-03-14 15:27:19 +01:00
Fredrik Thulin
0142f265e5
generate_challenge() only generated half as many bytes as it should.
...
Changed generate_challenge() to generating bytes instead of a hex
encoded string, to not have to decode what we just encoded - instead
just generate plain bytes of randomness and then encode them once.
2011-03-14 14:31:22 +01:00
Fredrik Thulin
14e917ffae
Wait with declaring PAM_SUCCESS on challenge-response until new
...
challenge-response has been stored properly on disk.
2011-03-14 13:50:30 +01:00
Fredrik Thulin
feb63ee472
fsync() wants file descriptor
...
Also, truncate file before writing if the challenge length has
changed (became shorter) or garbage has otherwise been appended.
2011-03-14 13:48:10 +01:00
Fredrik Thulin
71d68484f9
Don't generate new challenge on bad response.
2011-03-14 12:44:57 +01:00
Fredrik Thulin
68cdb39132
Support challenge-response files outside user's home directory.
...
Having the challege-response data inside the home directory won't
work very well if the YubiKey is to unlock an ecryptfs encrypted
home directory.
2011-03-14 10:17:12 +01:00
Fredrik Thulin
98e5e17bdc
Merge remote branch 'remim/master'
2011-03-14 09:07:45 +01:00
Tollef Fog Heen
d9ee08b97f
Add challenge-response authentication
2011-03-12 15:57:07 +01:00
Tollef Fog Heen
ed1ce7e6e7
Undef USERFILE when we don't need it any more
2011-03-12 15:57:02 +01:00
Tollef Fog Heen
e143afb050
Look for libykpers-1, which we will need for challenge-response
2011-03-12 15:56:51 +01:00
Tollef Fog Heen
49c923a99d
Get rid of unimplemented PAM functions
2011-03-12 15:56:48 +01:00
Fredrik Thulin
e338807cc8
Merge branch 'fix/various_ldap_fixes'
2011-03-10 20:50:48 +01:00
Fredrik Thulin
27346d9be9
sync
2011-03-10 10:48:20 +01:00
Fredrik Thulin
a59c6c4d71
Ignore errors from pam_get_data().
2011-03-04 15:52:02 +01:00
Fredrik Thulin
f91a7dc99a
Correct debug log message for too short OTPs.
2011-03-03 15:45:00 +01:00
Fredrik Thulin
a5594fa09c
Merge branch 'devel/avoid_logging_passwords'
2011-03-03 15:07:53 +01:00
Fredrik Thulin
952668811d
Merge branch 'feature/non_static_id_length'
2011-03-03 15:06:22 +01:00
Fredrik Thulin
702ac98b21
Bugfix getting option token_id_length.
2011-03-03 15:06:15 +01:00
Fredrik Thulin
ac76947e8a
Avoid logging passwords when debug is enabled.
...
Problem reported in
http://code.google.com/p/yubico-pam/issues/detail?id=28
2011-03-03 15:00:05 +01:00
Fredrik Thulin
60d9e6063b
Merge branch 'feature/non_static_id_length'
2011-03-03 14:45:52 +01:00
Fredrik Thulin
abb0b7e4e4
authorize_user_token_ldap: Only fetch the attribute we're interested in.
...
Previous version fetched ALL attributes of the identified object,
and treated them all equal when looking for the YubiKey token identifier.
2011-03-03 14:18:00 +01:00
Fredrik Thulin
a9ef97ea4c
authorize_user_token_ldap: Don't leak memory on failures.
2011-03-03 12:48:43 +01:00
Fredrik Thulin
0bb1630abf
authorize_user_token_ldap: sr was under-allocated by one byte.
...
Also change strcat's to sprintf to make code easier to maintain.
2011-03-03 12:38:34 +01:00
Fredrik Thulin
bfd8efd682
Don't segfault on unset LDAP parameters.
...
When ldapserver / ldap_uri was specified, but not for example
user_attr, authorize_user_token_ldap() used to cause a segmentation
fault.
2011-03-03 10:58:34 +01:00
Fredrik Thulin
01897ebb9e
Use LDAPv3 instead of LDAPv2.
...
LDAPv2 was declared historical in 2003, and is now not supported by
for example Mac OS X Server's Open Directory.
Patch by maxsanna81@gmail.com .
2011-03-03 10:31:30 +01:00
Fredrik Thulin
90a7fd0f0a
Avoid LDAP warnings about deprecated functions.
...
Patch by judas.iscariote.
2011-03-03 10:19:55 +01:00
Fredrik Thulin
6a0c8fc82b
authorize_user_token_ldap: Use correct LDAP free function.
...
Patch by judas.iscariote.
2011-03-03 10:11:16 +01:00
Fredrik Thulin
336f794b42
Make length of public ID part of tokens configurable.
...
Now that we support setting URL, not all public ID's can be expected
to be six bytes (the length used in the YubiCloud validation service).
Unfortunately we can't support OTPs of different lengths at once,
because there is code supporting users entering their (other)
password followed by the OTP from the YubiKey.
Patch by fraser.scott@gmail.com in
http://code.google.com/p/yubico-pam/issues/detail?id=19
2011-03-02 22:08:58 +01:00
Fredrik Thulin
ff14ae114c
Check for ykclient-2.4+, since we use new ca_path function.
2011-03-02 21:51:38 +01:00
Fredrik Thulin
bdfa3891e2
Add debug output of url and capath.
2011-02-28 15:42:56 +01:00
Fredrik Thulin
9d9228bd46
Merge branch 'master' of github.com:Yubico/yubico-pam
2011-02-22 15:31:35 +01:00