[Freeipa-devel] [PATCH 0051] Validate OTP during password change requests

Nathaniel McCallum npmccallum at redhat.com
Tue May 6 12:28:42 UTC 2014


The pwdch extop would just validate the old password before setting the
new one. Because this operation returns INVALID_CREDENTIALS when the
password is wrong, it provides an opportunity to brute force the first
factor distinct from the second factor.

This patch causes the pwdch extop to validate the OTP as well. This
closes the above attack vector. It is also, conveniently, the behavior
most users will probably expect.

https://fedorahosted.org/freeipa/ticket/4248
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0051-Validate-OTP-during-password-change-requests.patch
Type: text/x-patch
Size: 16790 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140506/c7f2107f/attachment.bin>
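To make the point of the patch concrete, here is an added example that is not FreeIPA code and not from the patch: a toy password-change handler in Python showing the pre-patch pattern (only the old password is checked, so the INVALID_CREDENTIALS result reflects the first factor alone) next to the combined check (old password and OTP validated together, one failure result for either). The `User` record, the PBKDF2 storage format, the per-user salt derivation, the TOTP routine and the replay guard are all assumptions made for this demo.

```python
"""Password-change handler demo: first-factor-only check vs. combined check.

Constructed example (not FreeIPA code). The user record, the password hashing
and the TOTP routine below are assumptions made for the demo.
"""
import hashlib
import hmac
import struct
import time

INVALID_CREDENTIALS = "INVALID_CREDENTIALS"
SUCCESS = "SUCCESS"
PBKDF2_ROUNDS = 50_000
OTP_STEP = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (constructed storage format for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, now: float, step: int = OTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class User:
    """Minimal user record (demo only)."""

    def __init__(self, name: str, password: str, otp_secret: bytes):
        self.name = name
        self.salt = hashlib.sha256(name.encode()).digest()[:16]  # demo-only salt derivation
        self.pw_hash = hash_password(password, self.salt)
        self.otp_secret = otp_secret
        self.last_otp_step = -1  # a code is accepted at most once per time step


def _password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def _otp_ok(user: User, code: str, now: float) -> bool:
    if not isinstance(code, str) or not code.isascii():
        return False
    if int(now // OTP_STEP) <= user.last_otp_step:
        return False  # replayed code within an already-consumed step
    return hmac.compare_digest(totp(user.otp_secret, now), code)


def change_password_first_factor_only(user: User, old_password: str,
                                      otp_code: str, new_password: str) -> str:
    """Pre-patch behaviour described in the post: only the old password is
    checked, so INVALID_CREDENTIALS tells the caller whether the first factor
    alone was right, independent of the second factor."""
    if not _password_ok(user, old_password):
        return INVALID_CREDENTIALS
    user.pw_hash = hash_password(new_password, user.salt)
    return SUCCESS


def change_password_both_factors(user: User, old_password: str, otp_code: str,
                                 new_password: str, now: float = None) -> str:
    """Post-patch behaviour: the old password and the OTP are validated
    together and one INVALID_CREDENTIALS covers any failure, so the result
    does not say which factor was wrong."""
    now = time.time() if now is None else now
    pw_ok = _password_ok(user, old_password)
    otp_ok = _otp_ok(user, otp_code, now)  # computed regardless of pw_ok
    if not (pw_ok and otp_ok):
        return INVALID_CREDENTIALS
    user.last_otp_step = int(now // OTP_STEP)
    user.pw_hash = hash_password(new_password, user.salt)
    return SUCCESS


if __name__ == "__main__":
    # Constructed demo user and OTP seed.
    u = User("alice", "Old-Pass-1", b"demo-otp-seed-bytes-")
    t = time.time()
    good = totp(u.otp_secret, t)
    print("first factor only, wrong OTP:", change_password_first_factor_only(u, "Old-Pass-1", "000000", "New-Pass-2"))
    u = User("alice", "Old-Pass-1", b"demo-otp-seed-bytes-")
    print("both factors, wrong OTP:     ", change_password_both_factors(u, "Old-Pass-1", "000000", "New-Pass-2", now=t))
    print("both factors, correct:       ", change_password_both_factors(u, "Old-Pass-1", good, "New-Pass-2", now=t))
```

The detail worth noticing is that the combined version evaluates both factors before deciding, and then returns the same result for a wrong password as for a wrong OTP; a handler that returned early on the first factor would hand back exactly the oracle the post describes.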

