[Freeipa-devel] [PATCH 0076] Ensure that a password exists after OTP validation

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 5 20:45:27 UTC 2014


On Wed, 05 Nov 2014, Simo Sorce wrote:
>On Wed, 5 Nov 2014 22:22:16 +0200
>Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
>> On Wed, 05 Nov 2014, Nathaniel McCallum wrote:
>> >Before this patch users could log in using only the OTP value. This
>> >arose because ipapwd_authentication() successfully determined that
>> >an empty password was invalid, but 389 itself would see this as an
>> >anonymous bind. An anonymous bind would never even get this far in
>> >this code, so we simply deny requests with empty passwords.
>> >
>> >This patch resolves CVE-2014-7828.
>> >
>> >https://fedorahosted.org/freeipa/ticket/4690
>> ACK.
>
>Code sounds good, but I haven't tested it.
>
>> We need to do release for 4.0 and 4.1 first thing tomorrow.
>
>Yes.
>
>> A possible workaround is to disable 2FA for users in mean time.
>
>We should send a warning to freeipa-users mailing list that we are
>preparing a release and they should consider disabling 2FA in the
>meanwhile if they are using it.
Done.

-- 
/ Alexander Bokovoy
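The commit message above describes the failure mode in two sentences; the following toy model, added here as an illustration and not code from the FreeIPA patch or from 389-ds, shows the same shape of bug and the check that closes it. It assumes a bind path where the client sends the password with the OTP appended, the OTP is validated and stripped, and the remaining credential is handed to a directory layer that treats an empty password as an anonymous bind (which returns success without authenticating anyone). The user record, stored password and OTP value are constructed sample data.

```python
"""Toy model of an OTP-then-password bind, written to illustrate the bug
described in the commit message.  This is NOT FreeIPA or 389-ds code.

Flow modelled:
  1. client sends credential = "<password><otp>"
  2. the OTP suffix is validated and stripped
  3. the remaining password goes to the directory bind layer
  4. the directory layer treats an empty password as an anonymous bind,
     which is a *successful* LDAP bind that authenticates nobody
"""
import hmac

# Constructed sample data (hypothetical user, password and OTP length).
USERS = {
    "alice": {"password": "s3cret", "otp_len": 6},
}
# Constructed OTP value accepted by the stand-in validator below.
SAMPLE_OTP = "123456"


def otp_is_valid(user: str, otp: str) -> bool:
    """Stand-in for a real OTP check; accepts one constructed code."""
    return user in USERS and hmac.compare_digest(otp, SAMPLE_OTP)


def directory_bind(user: str, password: str) -> str:
    """Models the lower layer.  An empty password is an anonymous bind and
    succeeds without authenticating the user; otherwise the password is
    compared against the stored one."""
    if password == "":
        return "anonymous"          # bind succeeds, but no identity proven
    stored = USERS[user]["password"]
    if hmac.compare_digest(password, stored):
        return "authenticated"
    return "invalid"


def split_credential(user: str, credential: str) -> tuple:
    """Return (password, otp) by peeling the fixed-length OTP suffix."""
    n = USERS[user]["otp_len"]
    return credential[:-n], credential[-n:]


def bind_vulnerable(user: str, credential: str) -> str:
    """Pre-fix behaviour: nothing ensures a password remains after the OTP
    is split off, so an OTP-only credential falls through to an anonymous
    bind that the caller sees as success."""
    password, otp = split_credential(user, credential)
    if not otp_is_valid(user, otp):
        return "invalid"
    return directory_bind(user, password)


def bind_fixed(user: str, credential: str) -> str:
    """Post-fix behaviour: deny outright when no password component is
    present, so the empty-password case never reaches the bind layer."""
    password, otp = split_credential(user, credential)
    if not otp_is_valid(user, otp):
        return "invalid"
    if password == "":
        return "invalid"
    return directory_bind(user, password)


if __name__ == "__main__":
    print("vulnerable, OTP only :", bind_vulnerable("alice", SAMPLE_OTP))
    print("fixed, OTP only      :", bind_fixed("alice", SAMPLE_OTP))
    print("fixed, password+OTP  :", bind_fixed("alice", "s3cret" + SAMPLE_OTP))
```

The important detail is that `"anonymous"` is not an error from the directory layer's point of view: the bind completes successfully, which is why a caller that only checks "did the bind fail?" lets an OTP-only credential through. The fix is the explicit emptiness check before the bind, not a stronger password comparison.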



