[Freeipa-devel] [PATCH] krb 1.12's OTP-Over-RADIUS

Sumit Bose sbose at redhat.com
Fri Mar 8 12:12:50 UTC 2013


On Thu, Mar 07, 2013 at 06:36:58PM -0500, Nathaniel McCallum wrote:
> On Wed, 2013-03-06 at 13:04 -0500, Nathaniel McCallum wrote:
> > On Wed, 2013-03-06 at 12:56 -0500, Nathaniel McCallum wrote:
> > > Patch is attached.
> > > 
> > > There are currently a few security downsides to this patch:
> > > 1. The daemon (ipa-otpd) runs as root and binds anonymously
> > > 2. ipatokenRadiusSecret is readable by an anonymous bind
> > > 
> > > This patch also adds some new dependencies, namely:
> > > 1. libverto (a dependency of krb5)
> > > 2. systemd
> > > 3. a krb5 patched for libk5radius support [1]
> > > 
> > > In the interest of trying to meet the Fedora Features deadline, I am
> > > providing the patch in spite of the above issues.
> > > 
> > > Nathaniel
> > > 
> > > 1 - http://bit.ly/ZqtK79
> > 
> > Also, I assumed the usability of 2.16.840.1.113730.3.8.16 for the
> > schema. This will need to be verified and finalized.
> 
> Updated version of the patch attached. Requires libk5radius from here:
> https://github.com/npmccallum/krb5/commits/otp

Do you already have krb5 packages with your patches available, or can you
make them available e.g. via koji scratch builds? I think this would
help a lot with testing and reviewing your patches.

Btw, please do not fail during configure if k5radius.h or libk5radius are
not available but only check if they are present and build ipa-otpd
conditionally.

bye,
Sumit

> 
> This new version fixes a bug which caused a hang in the case of no entry
> found during LDAP query.
> 
> Nathaniel
> 
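One way to do the conditional build Sumit asks for, as an added configure.ac fragment that is not part of the attached patch. It assumes the header is called k5radius.h and the library libk5radius, as named in the thread; the symbol passed to AC_CHECK_LIB is a placeholder because the thread does not name one, and BUILD_OTPD / OTPD_LIBS are hypothetical names for the Makefile.am side.

```m4
dnl Added example, not from the patch: probe for libk5radius instead of
dnl aborting configure, and only build ipa-otpd when it is present.
dnl --enable-otpd forces the check to be fatal; the default is "auto".
AC_ARG_ENABLE([otpd],
  [AS_HELP_STRING([--enable-otpd],
    [build ipa-otpd (requires libk5radius) @<:@default=auto@:>@])],
  [enable_otpd=$enableval], [enable_otpd=auto])

have_k5radius=no
OTPD_LIBS=""
AS_IF([test "x$enable_otpd" != xno], [
  AC_CHECK_HEADER([k5radius.h], [
    dnl K5RADIUS_SYMBOL_PLACEHOLDER: replace with a real exported symbol
    dnl from libk5radius; the thread does not name one.
    AC_CHECK_LIB([k5radius], [K5RADIUS_SYMBOL_PLACEHOLDER],
      [have_k5radius=yes
       OTPD_LIBS="-lk5radius"],
      [have_k5radius=no])
  ])
])

dnl Only an explicit --enable-otpd turns a missing library into an error.
AS_IF([test "x$enable_otpd" = xyes && test "x$have_k5radius" = xno],
  [AC_MSG_ERROR([--enable-otpd given but k5radius.h/libk5radius not found])])

AS_IF([test "x$have_k5radius" = xyes],
  [AC_DEFINE([HAVE_K5RADIUS], [1], [Define if libk5radius is available])])

dnl BUILD_OTPD gates the ipa-otpd subdirectory in Makefile.am;
dnl OTPD_LIBS is kept separate so -lk5radius is not added to LIBS globally.
AM_CONDITIONAL([BUILD_OTPD], [test "x$have_k5radius" = xyes])
AC_SUBST([OTPD_LIBS])
AC_MSG_NOTICE([building ipa-otpd: $have_k5radius])
```

In Makefile.am the daemon's directory is then wrapped in `if BUILD_OTPD` / `endif`, so a tree without the patched krb5 still configures and builds everything else.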