[OATH-Toolkit-help] Bug#807990: fail gracefully for missing users: redid the patch

From: Antoine Beaupré
Subject: [OATH-Toolkit-help] Bug#807990: fail gracefully for missing users: redid the patch
Date: Sun, 21 Aug 2016 08:22:46 -0400
User-agent: Notmuch/0.22 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
On 2016-08-19 22:10:36, Antoine Beaupré wrote:
> i would like to do a NMU for this to deploy this change, any objections?
Here's the debdiff of the package I would upload:
diff -Nru oath-toolkit-2.6.1/debian/changelog
oath-toolkit-2.6.1/debian/changelog
--- oath-toolkit-2.6.1/debian/changelog 2015-07-31 17:10:44.000000000 -0400
+++ oath-toolkit-2.6.1/debian/changelog 2016-08-20 09:53:10.000000000 -0400
@@ -1,3 +1,10 @@
+oath-toolkit (2.6.1-1.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * patch: fail gracefully for missing users (Closes: #807990)
+
+ -- Antoine Beaupré <address@hidden> Sat, 20 Aug 2016 09:51:41 -0400
+
oath-toolkit (2.6.1-1) unstable; urgency=low
* New upstream release.
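Review bot: the new changelog entry targets UNRELEASED, so this debdiff is not yet the package that would be uploaded; change the distribution to unstable before building the NMU, otherwise the upload is rejected. The version 2.6.1-1.1, the "Non-maintainer upload." line and the (Closes: #807990) reference all follow the NMU convention, so nothing else in the entry needs to change.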
diff -Nru
oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch
oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch
---
oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch
1969-12-31 19:00:00.000000000 -0500
+++
oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch
2016-08-20 09:53:10.000000000 -0400
@@ -0,0 +1,83 @@
+From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <address@hidden>
+Date: Mon, 1 Aug 2016 12:25:10 -0400
+Subject: [PATCH] fail gracefully for missing users
+
+when the pam module is enabled, it forces *all* users to immediately
+start using OATH, or they can't login at all.
+
+a more progressive approach would seem more reasonable to me,
+especially since each user need to get an admin user to update the
+central file for them.
+
+this patch adds an early check to the users file and makes sure the
+user exists before prompting for a password.
+
+if the user is missing, it exits early with a standard error code
+(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration
+(as shown in the README file). this leaves the policy decision up to
+the admin (and defaults to "fail closed").
+
+if the user is present, the code path remains the same except the
+usersfile is scanned twice, which may be a performance penalty on very
+slow filesystems or very large files. the only workaround I can think
+of for this would be to load the whole file into memory, but this
+could have significant memory impact on large files.
+
+the function used (`oath_authenticate_usersfile`) is a little overkill
+as it actually goes and tries to authenticate the user with an empty
+password. this is harmless because the file isn't updated if the OTP
+is incorrect and because no warning is sent to syslog.
+
+a possible improvement on this would be to have a warning shown to the
+user inciting them to configure OATH or to warn them about a possible
+typo in their username before they enter their regular passphrase
+---
+ pam_oath/README | 2 +-
+ pam_oath/pam_oath.c | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/pam_oath/README b/pam_oath/README
+index bef4265..24b9f8b 100644
+--- a/pam_oath/README
++++ b/pam_oath/README
+@@ -23,7 +23,7 @@ window open before making any changes!
+
+ ---------
+ # head -1 /etc/pam.d/su
+-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
++auth [user_unknown=ignore success=ok] pam_oath.so debug
usersfile=/etc/users.oath window=20
+ #
+ ---------
+
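Review bot: `[user_unknown=ignore success=ok]` does not behave like the `requisite` it replaces on a failed OTP: any return value not listed in the brackets defaults to `bad`, which records the failure but lets the stack continue to the next module, whereas `requisite` returned failure to the application at once. If the README means to keep that short-circuit, the line should read `auth [user_unknown=ignore success=ok default=die] pam_oath.so ...`. The README should also say in so many words that with this line a user absent from the usersfile is not prompted for an OTP at all, so the presence or absence of the prompt tells an unauthenticated client whether an account is enrolled; that is the intended trade-off, but an admin should read it before copying the example.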
+diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
+index 2820318..25a3452 100644
+--- a/pam_oath/pam_oath.c
++++ b/pam_oath/pam_oath.c
+@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh,
+ }
+ DBG (("get user returned: %s", user));
+
++ // quick check to skip unconfigured users before prompting for password
++ {
++ time_t last_otp;
++ otp[0] = '\0';
++ rc = oath_authenticate_usersfile (cfg.usersfile,
++ user,
++ otp, cfg.window, onlypasswd, &last_otp);
++
++ DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc,
++ oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN",
++ oath_strerror (rc), ctime (&last_otp)));
++ if (rc == OATH_UNKNOWN_USER)
++ {
++ return PAM_USER_UNKNOWN;
++ }
++ }
++
+ if (cfg.try_first_pass || cfg.use_first_pass)
+ {
+ retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
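Review bot: `last_otp` is handed to `ctime()` in the DBG call whatever `rc` is, and its only assignment in this hunk is as the out-parameter of `oath_authenticate_usersfile`; unless that call sets it on every path, including OATH_UNKNOWN_USER, the debug line reads an uninitialised `time_t`. Declare it as `time_t last_otp = 0;` or only format it when `rc == OATH_OK`. The block also relies on `otp`, `rc` and `onlypasswd` being declared earlier in `pam_sm_authenticate` and on `onlypasswd` already holding the value it is meant to have before the password prompt, none of which is visible in the hunk, so that ordering deserves a check. Finally, only OATH_UNKNOWN_USER is translated into PAM_USER_UNKNOWN and every other `rc` (an unreadable usersfile included) falls through to the existing code path; that is the fail-closed behaviour the commit message wants, and a one-line comment saying so would stop a later reader from "fixing" it by returning early on other errors too.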
+--
+2.1.4
+
diff -Nru oath-toolkit-2.6.1/debian/patches/series
oath-toolkit-2.6.1/debian/patches/series
--- oath-toolkit-2.6.1/debian/patches/series 1969-12-31 19:00:00.000000000
-0500
+++ oath-toolkit-2.6.1/debian/patches/series 2016-08-20 09:53:10.000000000
-0400
@@ -0,0 +1 @@
+0001-fail-gracefully-for-missing-users.patch
thanks
--
To be naive and easily deceived is impermissible, today more than
ever, when the prevailing untruths may lead to a catastrophe because
they blind people to real dangers and real possibilities.
- Erich Fromm
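Added example, not code from the patch above or from oath-toolkit itself: the cheaper single pass the commit message reaches for, a read-only lookup that only answers "does this user have a record in the usersfile?" instead of running a full authentication with an empty OTP. It assumes the usersfile layout oath-toolkit documents (one whitespace-separated record per line, `type user pin secret ...`, `#` comment lines, blank lines), uses a constructed sample file embedded as a string, and the `enroll_status` enum and every function name are this example's own, not pam_oath's.

```c
/* Added example, not part of the oath-toolkit patch above: a read-only
 * "is this user enrolled?" lookup, the single pass the commit message
 * wants instead of calling oath_authenticate_usersfile() with an empty OTP.
 * Assumed usersfile layout (as oath-toolkit documents it): one record per
 * line, "type user pin secret [...]", '#' comment lines, blank lines.
 * The enum and all function names are this example's own, not pam_oath's. */
#include <stdio.h>
#include <string.h>

enum enroll_status {
    ENROLL_FILE_ERROR = -1,  /* usersfile unreadable: caller must fail closed */
    ENROLL_UNKNOWN_USER = 0, /* no record: the only case mapped to PAM_USER_UNKNOWN */
    ENROLL_PRESENT = 1       /* record found: go on and prompt for the OTP */
};

/* Does the username field (second token) of one usersfile line equal `user`
 * exactly?  Blank lines, '#' comments and one-field lines never match, and
 * "ali" does not match a record for "alice". */
int record_matches(const char *line, const char *user)
{
    const char *p = line + strspn(line, " \t");
    size_t len;
    if (*p == '\0' || *p == '\n' || *p == '#')
        return 0;
    p += strcspn(p, " \t\n");           /* skip the token type: HOTP, HOTP/T30, ... */
    p += strspn(p, " \t");
    len = strcspn(p, " \t\n");
    return len > 0 && len == strlen(user) && memcmp(p, user, len) == 0;
}

/* Scan an in-memory usersfile ('\n'-separated records). */
enum enroll_status usersfile_scan_text(const char *text, const char *user)
{
    char line[1024];
    while (*text) {
        size_t n = strcspn(text, "\n");
        size_t keep = n < sizeof line ? n : sizeof line - 1;
        memcpy(line, text, keep);
        line[keep] = '\0';
        if (record_matches(line, user))
            return ENROLL_PRESENT;
        text += n + (text[n] == '\n');  /* step past the newline, if any */
    }
    return ENROLL_UNKNOWN_USER;
}

/* Same lookup straight from the file, one line at a time, so the file never
 * has to fit in memory.  An unreadable file is an error, never "unknown":
 * with [user_unknown=ignore ...] in pam.d, "unknown" would skip the OTP step
 * for everybody. */
enum enroll_status usersfile_has_user(const char *path, const char *user)
{
    char line[1024];
    enum enroll_status st = ENROLL_UNKNOWN_USER;
    FILE *f = fopen(path, "r");
    if (!f)
        return ENROLL_FILE_ERROR;
    while (fgets(line, sizeof line, f)) {
        int matched = record_matches(line, user);
        if (!strchr(line, '\n')) {      /* drain an over-long line: its tail is not a record */
            int c;
            while ((c = fgetc(f)) != EOF && c != '\n')
                ;
        }
        if (matched) {
            st = ENROLL_PRESENT;
            break;
        }
    }
    if (ferror(f))
        st = ENROLL_FILE_ERROR;
    fclose(f);
    return st;
}

/* Constructed sample usersfile (the secret is the RFC 4226 test key). */
const char SAMPLE_USERSFILE[] =
    "# users.oath: type user pin secret   (constructed sample, not a real file)\n"
    "HOTP     alice  - 3132333435363738393031323334353637383930\n"
    "HOTP/T30 bob    - 3132333435363738393031323334353637383930\n"
    "\n"
    "HOTP     alicia - 3132333435363738393031323334353637383930\n";

int main(void)
{
    const char *users[] = { "alice", "ali", "alicia", "mallory" };
    size_t i;
    for (i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-8s -> %d\n", users[i], (int) usersfile_scan_text(SAMPLE_USERSFILE, users[i]));
    printf("missing file -> %d\n", (int) usersfile_has_user("/nonexistent/users.oath", "alice"));
    return 0;
}
```

The point of the three-way result is the policy split the commit message describes: only a definite "no record" should become PAM_USER_UNKNOWN, because that is the one code the `[user_unknown=ignore ...]` line lets an admin wave through; an unreadable or missing usersfile must surface as a different error so the module still fails closed.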