[Freeipa-devel] [PATCH 0051] Validate OTP during password change requests

Nathaniel McCallum npmccallum at redhat.com
Tue May 6 13:18:14 UTC 2014


On Tue, 2014-05-06 at 08:28 -0400, Nathaniel McCallum wrote:
> The pwdch extop would just validate the old password before setting the
> new one. Because this operation returns INVALID_CREDENTIALS when the
> password is wrong, it provides an opportunity to brute force the first
> factor distinct from the second factor.
> 
> This patch causes the pwdch extop to validate the OTP as well. This
> closes the above attack vector. It is also, conveniently, the behavior
> most users will probably expect.
> 
> https://fedorahosted.org/freeipa/ticket/4248

This patch was posted for posterity/record. However, on the call this
morning we decided NOT to do this validation. Please do not review this
patch. :)

Nathaniel
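
A constructed illustration of the two behaviours contrasted in the quoted text: a password-change handler that checks only the old password (and so confirms or denies the first factor on its own) beside one that checks password and OTP together and returns a single undifferentiated error. This is an added example, not code from the thread or from FreeIPA; the account layout, the PBKDF2/TOTP choices and the function names are assumptions, and the TOTP key is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample account (an assumption for illustration, not FreeIPA's
# schema): a salted password hash plus a TOTP seed.
SALT = b"example-salt"
ACCOUNT = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 10_000),
    "totp_key": b"12345678901234567890",  # RFC 6238 test-vector key
}

INVALID_CREDENTIALS = "INVALID_CREDENTIALS"


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def pw_ok(old_pw: str) -> bool:
    """Constant-time comparison of the supplied old password against the hash."""
    h = hashlib.pbkdf2_hmac("sha256", old_pw.encode(), SALT, 10_000)
    return hmac.compare_digest(h, ACCOUNT["pw_hash"])


def pwdch_password_only(old_pw: str, new_pw: str) -> Optional[str]:
    """The behaviour the thread describes: only the first factor is checked,
    so the result reveals whether the password alone was correct."""
    if not pw_ok(old_pw):
        return INVALID_CREDENTIALS
    return None  # success: the password would be changed here


def pwdch_with_otp(old_pw: str, otp: str, new_pw: str, now: int) -> Optional[str]:
    """The proposed hardening: both factors are checked and one error covers
    every failure, so a password guess cannot be confirmed without a valid OTP."""
    password_good = pw_ok(old_pw)
    otp_good = hmac.compare_digest(otp, totp(ACCOUNT["totp_key"], now))
    if not (password_good and otp_good):
        return INVALID_CREDENTIALS
    return None
```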
