1
0
mirror of https://github.com/Yubico/yubico-pam.git synced 2024-12-12 03:08:50 +01:00
Commit Graph

118 Commits

Author SHA1 Message Date
Klas Lindfors
376bf33f9a correctly mark strings in cfg struct as const 2014-07-29 09:25:39 +02:00
Klas Lindfors
54989c3f3f fixup so urllist data is kept within it's own memory before strtok
fixes #41
2014-07-29 09:23:10 +02:00
Alex Fisher
d35d5bfb30 Fix segfault whilst freeing urls 2014-06-02 11:32:08 +01:00
Simon Josefsson
43cd3b4621 Update copyright years. 2014-04-30 13:16:09 +02:00
Klas Lindfors
431e96033d fixup strtok of url templates 2014-03-26 11:00:39 +01:00
Klas Lindfors
8f6717b13e fixup urllist feature (hopefully) 2014-03-26 10:53:40 +01:00
Klas Lindfors
602905c51d spelling 2014-03-26 09:40:01 +01:00
Klas Lindfors
3be440ec80 add urllist feature
allowing up to 10 urls to be specified in config
2014-03-12 15:00:22 +01:00
Simon Josefsson
387db3eba0 Merge pull request #14 from BinetReseau/master
No match between user and token detailed pam values
2013-09-27 02:11:20 -07:00
Klas Lindfors
7fa8cbbd46 a PAM_MODUTIL_DEV_PRIVS structure can't be reused
so we have to allocate a second one and point to
that for the second time we want to drop privs.
relates to #28
2013-09-23 08:56:49 +02:00
Klas Lindfors
1b2a8fdf30 reimplement drop_privs to implement the pam_modutils interface
Original patch from maxime.deroucy@gmail.com.
http://code.google.com/p/yubico-pam/issues/detail?id=49
fixes #19
2013-09-20 10:54:13 +02:00
Klas Lindfors
eb1ba8a52a update copyright years 2013-09-19 08:35:15 +02:00
Eugene Crosser
2aaf0fdc23 Stop leaks of memory and of privileges
Fix several memory leaks and mishandling of the privilege status
where a function returned failure indication, and previously
allocated memory was not freed (and the referece was lost), or
previously droped privileges where not restored.
2013-09-18 14:22:41 +02:00
Klas Lindfors
f617829f10 fixup warnings 2013-09-18 14:10:35 +02:00
Klas Lindfors
fb6b0911fd use pbkdf2 to process the exepected response
this bumps the version on the state file to 2
old files can still be read but new files will use the new format
2013-09-18 14:10:35 +02:00
Klas Lindfors
eb78d4882b refactor to use chalresp function from ykpers
so challenge_response() now calls yk_challenge_response() to
do the yubikey internal stuff.
2013-09-18 14:10:35 +02:00
Christian Hesse
7dc5c6a155 print information only if debug is specified
The pam module is very informative. I do not want it to print any
information unless debug is specified. An attacker should not get any
information.
2013-05-13 15:47:59 +02:00
Pierre-Alain Dupont
21c4dd3fa3 A more precise handling of user-token match errors
Signed-off-by: Pierre-Alain Dupont <pad@melix.net>
2013-01-26 15:59:23 +00:00
Vincent Brillault
96252b6f2b Verify the otp_length given by the configuration
Avoid out of bound writing at ligne -920,1 +927,1:
strncpy (otp_id, password + skip_bytes, cfg->token_id_length);
2012-08-07 19:18:43 +02:00
Klas Lindfors
2ffd54a24c use errstr to communicate with the user 2012-06-14 09:25:38 +02:00
Klas Lindfors
a5f2e9e333 check for same response in pam module, output debug for the user 2012-06-08 13:20:07 +02:00
Klas Lindfors
41c576e0cf replace fopen with open+fdopen to set more restrictive bits 2012-06-08 10:45:59 +02:00
Fredrik Thulin
da246e240c load_chalresp_state: Debug message was always shown. 2012-02-13 14:24:31 +01:00
Fredrik Thulin
82296f4632 do_challenge_response: Clear errno when done. 2012-02-10 15:13:42 +01:00
Fredrik Thulin
2c077fba4e DBG format fix 2012-02-10 14:13:24 +01:00
Fredrik Thulin
fb6281fa3f Fix clang indicated printf format warnings. 2012-02-08 15:53:18 +01:00
Fredrik Thulin
3275b38d59 Fix debug-logging of chalresp_path. Oddity reported by clang. 2012-02-06 11:37:42 +01:00
Fredrik Thulin
dc9146ffcb snprintf returns an int, not a size_t. reported by clang. 2012-02-06 11:31:23 +01:00
Fredrik Thulin
bfbcda54ad Merge branch 'master' of https://github.com/remim/yubico-pam 2012-02-02 13:16:05 +01:00
Remi Mollon
3e1f5f6925 renaming yubi_prefix to yubi_Attr_prefix and changing debug 2012-02-01 09:29:05 +01:00
Clemens Lang
d2c14efdd4 Add missing headers
fcntl.h in pam_yubico.c is needed on OS X with clang for the build to
succeed, while unistd.h in util.c is required so clang doesn't complain
about implicit declarations of ftruncate and fsync.
2012-01-28 00:30:34 +01:00
Fredrik Thulin
73369beba9 Avoid double fclose() in some error cases.
Problem reported (and patched) by Lingzhu Xiang <xianglingzhu@gmail.com>
in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657524
2012-01-27 12:33:53 +01:00
Remi Mollon
fd465d1261 add comment 2012-01-24 17:42:49 +01:00
Simon Josefsson
3828953374 Bump version. Use silent rules. Bump copyright years. 2012-01-23 20:25:06 +01:00
Remi Mollon
b42307d169 adding yubi_prefix parameter, when looking for token_id in ldap 2012-01-18 17:04:58 +01:00
Fredrik Thulin
263012f725 authorize_user_token: Don't drop privs for system-wide file. 2011-12-13 16:56:04 +01:00
Fredrik Thulin
43134038a5 do_challenge_response: Remove 2 unused variables. 2011-12-06 13:45:58 +01:00
Fredrik Thulin
b27599957c Fix implicit yubikey_* declarations. 2011-12-06 13:31:25 +01:00
Fredrik Thulin
fa8a9ff074 Fix pointer signedness warnings. 2011-12-06 11:56:52 +01:00
Fredrik Thulin
f24f333867 Drop privileges before writing new C-R file. 2011-11-23 13:56:01 +01:00
Fredrik Thulin
94885d2d48 Verify that challenge-response file is a normal file. 2011-11-23 13:55:44 +01:00
Fredrik Thulin
d4acd495f0 improve debug messages 2011-11-23 13:46:26 +01:00
Fredrik Thulin
fcde64a93e Use pam_modutil_drop_priv if it is available.
Utility functions for what was done in drop_priv.c appeared
in PAM 1.1.3. Use them when available.
2011-11-23 13:45:41 +01:00
Fredrik Thulin
b92902fd8f Restore challenge-response functionality.
HAVE_LIBYKPERS_1 did not seem to ever get defined, so use HAVE_CR instead.
2011-11-23 13:26:02 +01:00
Ricky Zhou
a9892dbb44 Drop privileges before opening user files.
This change also ensures that user tokens are regular files.  We may
want to add a similar check for user challenge files.
2011-11-23 10:16:00 +01:00
Fredrik Thulin
f92ee12aa9 Remove unused variable and extra undef. 2011-11-22 11:17:29 +01:00
Fredrik Thulin
47d883b600 pam_sm_authenticate: check strdup return value 2011-11-22 11:08:53 +01:00
Fredrik Thulin
57cf6ed5d6 authorize_user_token_ldap: check malloc return value 2011-11-22 11:08:28 +01:00
dr8
6dc10799b6 Bug fix: pam_yubico doesn't check server signature
Squashed commit of the following:

commit 9e7746bc53
Author: dr8 <github@dominicrutherford.co.uk>
Date:   Mon Oct 31 14:27:47 2011 +0000

    Bug fix: pam_yubico doesn't check server signature

commit 2f3d5e721c
Author: dr8 <github@dominicrutherford.co.uk>
Date:   Sat Oct 29 16:59:08 2011 +0100

    Bug fix: pam_yubico does not validate server signature

commit 58a1e6820a
Author: dr8 <github@dominicrutherford.co.uk>
Date:   Fri Oct 28 22:09:49 2011 +0100

    only validate server signature when key is specified

commit d705f429bc
Author: dr8 <github@dominicrutherford.co.uk>
Date:   Tue Oct 25 22:45:22 2011 +0100

    fix failure to validate server signature
2011-11-08 21:57:28 +01:00
Nanakos Chrysostomos
4712da70ca Fix big security hole: Authentication succeeded when no password
was given, unless use_first_pass was being used.
This is fatal if pam_yubico is considered 'sufficient' in the PAM
configuration.

Signed-off-by: Nanakos Chrysostomos <nanakos@wired-net.gr>
2011-08-26 14:32:03 +03:00