Commits on Mar 6, 2017
  1. add tests for use_first_pass

    klali committed Mar 6, 2017
Commits on Feb 26, 2017
  1. Compare OTP IDs against `yubi_attr` only

    Currently we trust the LDAP server to only return the `yubi_attr`
    attribute, yet we loop over all possible attributes when there should
    only be one.
    
    Since the bundled test LDAP server ignores the requested attributes list,
    we must make sure to only match against the `yubi_attr` attribute as
    opposed to "all of them".
    
    This also fixes an issue where AUTH_NOT_FOUND was returned instead
    of AUTH_NO_TOKENS when there were no values returned for `yubi_attr`
    but another attribute's value was considered as a candidate token.
    mickael9 committed Feb 26, 2017
  2. Return early if the user has no authorized tokens

    Currently, if a user has no associated tokens, we still prompt for an
    OTP challenge and attempt to verify it.
    
    This adds a check earlier to avoid the useless prompt in that case.
    
    The `nullok` option is also added. It changes the return value from
    PAM_USER_UNKNOWN to PAM_IGNORE. (fixes #97)
    
    Finally, some constants have been turned to symbolic form for clarity
    and debugging output is improved.
    mickael9 committed Feb 26, 2017
  3. Perform OTP validation only if token is authorized

    When using `try_first_pass` or `use_first_pass`, the password we inherit
    from PAM might not actually be an OTP challenge.
    
    Currently, we happily leak it to the validation server without first
    checking if it matches an authorized token ID.
    
    This postpones sending the actual request until we know the token ID is
    authorized.
    mickael9 committed Feb 26, 2017
Commits on Feb 23, 2017
  1. Security: Storage of challenges in path with restricted permissions

    The previous instructions create a global world-writeable path for challenge files. This is a security issue because all users and unprivileged processes can create challenge files for arbitrary users. This enables an attacker to bypass the second factor for authentication.
    thomaspatzke committed on GitHub Feb 23, 2017
Commits on Jan 3, 2017
  1. doc: fix typo

    klali committed Jan 3, 2017
Commits on Nov 25, 2016
  1. install docbook-xsl on mac for tests

    will hopefully make the tests run smoother
    klali committed Nov 25, 2016
  2. bump versions

    klali committed Nov 25, 2016
  3. NEWS for 2.24

    klali committed Nov 25, 2016
Commits on Sep 8, 2016
  1. drop reference to dead google groups

    fixes #106
    klali committed Sep 8, 2016
Commits on Aug 9, 2016
  1. Fix typo.

    jas4711 committed Aug 9, 2016
Commits on Jun 22, 2016
  1. let debug_accept stdout. also check that file exists and is regular

    klali committed Jun 22, 2016
Commits on Jun 16, 2016
  1. Merge branch 'debug_refactor'

    klali committed Jun 16, 2016
  2. documentation for debug_file option

    klali committed Jun 16, 2016
  3. open debug file with "a" not "a+"

    klali committed Jun 16, 2016
  4. Merge pull request #101 from Yubico/user_unknown-fixes

    User unknown fixes
    klali committed on GitHub Jun 16, 2016
  5. fix typo 1 -> i

    klali committed Jun 16, 2016
  6. cleanup debug_file after we're done

    klali committed Jun 16, 2016
  7. refactor the debug mode

    add a debug_file option for where to write debug info (default to stdout)
    stop compiling with DEBUG_PAM and PAM_DEBUG
    make debugging behave the same way on linux-pam and openpam
    klali committed Jun 16, 2016
Commits on Jun 15, 2016
  1. bump versions

    klali committed Jun 15, 2016
  2. NEWS for 2.23

    klali committed Jun 15, 2016
Commits on Jun 13, 2016
  1. add tests for empty OTP validation

    also fix around so ldap case checks with length of the authorized token,
    not the length of the passed in id.
    klali committed Jun 13, 2016
  2. add tests for empty otp part to check_user_token()

    klali committed Jun 13, 2016
  3. install docbook-xsl instead of docbook-xml for travis

    seems to help with a2x hangs
    klali committed Jun 13, 2016
Commits on Jun 3, 2016
  1. use umask instead of chmod to set file permissions

    klali committed Jun 3, 2016
Commits on May 23, 2016
  1. bump versions

    klali committed May 23, 2016