[Freeipa-devel] [PATCH] krb 1.12's OTP-Over-RADIUS

Nathaniel McCallum npmccallum at redhat.com
Thu Mar 7 23:36:58 UTC 2013


On Wed, 2013-03-06 at 13:04 -0500, Nathaniel McCallum wrote:
> On Wed, 2013-03-06 at 12:56 -0500, Nathaniel McCallum wrote:
> > Patch is attached.
> > 
> > There are currently a few security downsides to this patch:
> > 1. The daemon (ipa-otpd) runs as root and binds anonymously
> > 2. ipatokenRadiusSecret is readable by an anonymous bind
> > 
> > This patch also adds some new dependencies, namely:
> > 1. libverto (a dependency of krb5)
> > 2. systemd
> > 3. a krb5 patched for libk5radius support [1]
> > 
> > In the interest of trying to meet the Fedora Features deadline, I am
> > providing the patch in spite of the above issues.
> > 
> > Nathaniel
> > 
> > 1 - http://bit.ly/ZqtK79
> 
> Also, I assumed the usability of 2.16.840.1.113730.3.8.16 for the
> schema. This will need to be verified and finalized.

Updated version of the patch attached. Requires libk5radius from here:
https://github.com/npmccallum/krb5/commits/otp

This new version fixes a bug which caused a hang when no entry was found
during the LDAP query.

Nathaniel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-support-for-krb5-1.12-s-OTP-Over-RADIUS.patch
Type: text/x-patch
Size: 65774 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130307/a8ed3247/attachment.bin>
