[Freeipa-devel] [PATCH 0076] Ensure that a password exists after OTP validation

Alexander Bokovoy abokovoy at redhat.com
Thu Nov 6 11:35:55 UTC 2014


On Thu, 06 Nov 2014, thierry bordaz wrote:
>On 11/05/2014 09:14 PM, Nathaniel McCallum wrote:
>>Before this patch users could log in using only the OTP value. This
>>arose because ipapwd_authentication() successfully determined that
>>an empty password was invalid, but 389 itself would see this as an
>>anonymous bind. An anonymous bind would never even get this far in
>>this code, so we simply deny requests with empty passwords.
>>
>>This patch resolves CVE-2014-7828.
>>
>>https://fedorahosted.org/freeipa/ticket/4690
>>
>Hello Nathaniel,
>
>   With the DS flag 'nsslapd-allow-unauthenticated-binds', customers
>   have the ability to allow unauthenticated binds and connections.
>   With the fix, an LDAP client bind containing only the OTP part will fail
>   even if the flag was set.
By definition of nsslapd-allow-unauthenticated-binds, it requires a BIND
with a name but no password. Specifying an OTP value makes the password
non-empty, so the request no longer matches the definition of an
unauthenticated bind.

>   When ipapwd_pre_bind, stripping the OTP part, detects that the
>   password is zero length, I wonder if it should not test that flag to
>   determine whether it should fail or succeed.
Since the original password was non-empty, it wouldn't make sense to check
for an empty password after stripping the OTP part, as it is not
an unauthenticated bind in the first place.
-- 
/ Alexander Bokovoy
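As an added illustration (not code from the patch or from FreeIPA), the flow the thread describes in miniature: `ds_bind` stands in for 389's treatment of a name with an empty password as an unauthenticated bind, and `split_otp` for the OTP stripping in the pre-bind plugin; the function names, buffer sizes and the result enum are assumptions of this example.

```c
#include <string.h>

/* Outcome of the pre-bind check (constructed for this example). */
enum bind_result { BIND_DENY, BIND_CHECK_PASSWORD, BIND_ANON };

/* Toy stand-in for the directory server: a bind with a name but an empty
 * password counts as an unauthenticated (anonymous) bind, as the thread describes. */
static enum bind_result ds_bind(const char *dn, const char *password)
{
    (void)dn;
    return password[0] == '\0' ? BIND_ANON : BIND_CHECK_PASSWORD;
}

/* Split "<password><otp>" (OTP = trailing token_len chars). Returns 0, or -1 if
 * the input is too short or would not fit. OTP verification itself is not modelled. */
static int split_otp(const char *creds, size_t token_len, char *password,
                     size_t pw_size, char *token, size_t tk_size)
{
    size_t len = strlen(creds);
    if (len < token_len || len - token_len >= pw_size || token_len >= tk_size)
        return -1;
    memcpy(password, creds, len - token_len);
    password[len - token_len] = '\0';
    memcpy(token, creds + len - token_len, token_len);
    token[token_len] = '\0';
    return 0;
}

/* Pre-fix flow: the remainder after stripping the OTP goes straight to the DS,
 * so an OTP-only credential becomes an empty password and binds anonymously. */
static enum bind_result pre_bind_before(const char *dn, const char *creds, size_t token_len)
{
    char pw[256], tok[16];
    if (split_otp(creds, token_len, pw, sizeof pw, tok, sizeof tok) != 0)
        return BIND_DENY;
    return ds_bind(dn, pw);
}

/* Post-fix flow: deny when nothing is left once the OTP is stripped. */
static enum bind_result pre_bind_after(const char *dn, const char *creds, size_t token_len)
{
    char pw[256], tok[16];
    if (split_otp(creds, token_len, pw, sizeof pw, tok, sizeof tok) != 0)
        return BIND_DENY;
    if (pw[0] == '\0')
        return BIND_DENY;      /* the one check the patch adds */
    return ds_bind(dn, pw);
}
```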