[Freeipa-devel] [PATCH 0076] Ensure that a password exists after OTP validation

thierry bordaz tbordaz at redhat.com
Thu Nov 6 11:19:38 UTC 2014


On 11/05/2014 09:14 PM, Nathaniel McCallum wrote:
> Before this patch users could log in using only the OTP value. This
> arose because ipapwd_authentication() successfully determined that
> an empty password was invalid, but 389 itself would see this as an
> anonymous bind. An anonymous bind would never even get this far in
> this code, so we simply deny requests with empty passwords.
>
> This patch resolves CVE-2014-7828.
>
> https://fedorahosted.org/freeipa/ticket/4690
>
>
Hello Nathaniel,

    With the DS flag 'nsslapd-allow-unauthenticated-binds', customers
    have the ability to allow unauthenticated binds and connections.
    With the fix, an LDAP client bind containing only the OTP part will fail
    even if the flag was set.

    When ipapwd_pre_bind, stripping the OTP part, detects that the
    password is zero length, I wonder if it should not test that flag to
    determine whether it should fail or succeed.

    thanks
    thierry
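To make the failure mode under discussion concrete, here is a simplified Python model (an added example, not FreeIPA's or 389 DS's own code) of the OTP-stripping pre-bind step. It assumes the bind credential is the user's password followed by a 6-digit RFC 6238 TOTP code; `totp`, `pre_bind` and `OTP_DIGITS` are names chosen for this model, `fixed` switches between the pre-patch fall-through and the patched explicit denial, and `allow_unauthenticated` models the nsslapd-allow-unauthenticated-binds question raised above.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6  # assumed token length for this model


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix time `now`."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def pre_bind(cred: str, stored_password: str, secret: bytes, now: int,
             fixed: bool = True, allow_unauthenticated: bool = False) -> str:
    """Model of the pre-bind step: strip the OTP, validate it, then decide.

    Returns 'authenticated', 'denied', 'anonymous' (the pre-fix fall-through)
    or 'unauthenticated' (if the server-wide flag were honoured).
    """
    if len(cred) < OTP_DIGITS:
        return "denied"
    password, otp = cred[:-OTP_DIGITS], cred[-OTP_DIGITS:]
    if not hmac.compare_digest(otp.encode(), totp(secret, now).encode()):
        return "denied"
    if not password:
        if not fixed:
            # Pre-fix behaviour: the plugin's own password check rejects the
            # empty password, but the server then sees a bind with an empty
            # password, i.e. an anonymous bind, and lets it through.
            return "anonymous"
        # The fix: refuse explicitly instead of falling through. The flag
        # models the question of whether the server setting should apply.
        return "unauthenticated" if allow_unauthenticated else "denied"
    if hmac.compare_digest(stored_password.encode(), password.encode()):
        return "authenticated"
    return "denied"
```

The secret and time used in the checks below are the RFC 6238 test vector, so the expected code is a known value rather than a guess.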
