Always verify the old password when changing it #38203

Merged
merged 2 commits into from
Feb 15, 2024

Conversation

bl-nero
Contributor

@bl-nero bl-nero commented Feb 14, 2024

Fixes https://github.com/gravitational/teleport-private/issues/1369

Approved for fixing directly on OSS by @jentfoo.

Note that the logic here will be further amended by the upcoming implementation of RFD 0159; this change is a trimmed down subset of it that will need to be privately backported to all of the supported branches.

Tested locally; the following cases were covered:

Changing password with MFA, through the exploit mentioned in the attached issue.
Changing password without MFA (success, wrong password).
Changing password with an authenticator app (success, wrong old password, wrong app token).
Changing password with an MFA device (success, wrong password).
Changing password with a passwordless device (success, wrong password).
The behavior was verified both by looking at success/error messages, as well as an attempt to sign in using the new password.

Changelog: Fixed an issue where it was possible to skip providing the old password when setting a new one.
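As an added illustration of the bug class this PR fixes (example code written here, not Teleport's implementation): a change-password handler whose old-password check lives only on the no-MFA branch, next to one that verifies the old password unconditionally before the second-factor check. The `user` type, the `digest` hash stand-in and the `mfaResp` string standing in for an authenticator or WebAuthn assertion ("" meaning none was supplied) are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

var ErrBadOldPassword = errors.New("old password does not match")
var ErrBadMFA = errors.New("second factor missing or invalid")

// user holds a password digest plus the constructed response its MFA device would
// produce; an empty mfaSecret means no device is enrolled (hypothetical model).
type user struct {
	hash      []byte
	mfaSecret string
}

// digest stands in for a real password hash (bcrypt, argon2) so the example runs
// stand-alone; plain SHA-256 is not suitable for password storage.
func digest(pw string) []byte { h := sha256.Sum256([]byte(pw)); return h[:] }
func (u *user) passwordOK(pw string) bool { return subtle.ConstantTimeCompare(digest(pw), u.hash) == 1 }
func (u *user) mfaOK(r string) bool { return subtle.ConstantTimeCompare([]byte(r), []byte(u.mfaSecret)) == 1 }

// changePasswordVulnerable checks the old password only on the no-MFA branch, so
// a caller presenting a valid second factor can set a new password without it.
func changePasswordVulnerable(u *user, oldPw, newPw, mfaResp string) error {
	if mfaResp != "" {
		if !u.mfaOK(mfaResp) {
			return ErrBadMFA
		}
	} else if !u.passwordOK(oldPw) {
		return ErrBadOldPassword
	}
	u.hash = digest(newPw)
	return nil
}

// changePasswordFixed verifies the old password unconditionally, then requires a
// valid second factor on top of it whenever the account has a device enrolled.
func changePasswordFixed(u *user, oldPw, newPw, mfaResp string) error {
	if !u.passwordOK(oldPw) {
		return ErrBadOldPassword
	}
	if u.mfaSecret != "" && !u.mfaOK(mfaResp) {
		return ErrBadMFA
	}
	u.hash = digest(newPw)
	return nil
}
```

The fixed variant covers the cases listed in the description: an account without a device needs only the old password, and an account with a device needs both, so a wrong old password is rejected regardless of which factor is presented.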

Contributor

@codingllama codingllama left a comment


Thanks for the quick fix!

@codingllama
Contributor

Added backport tags to active versions.

@bl-nero bl-nero added this pull request to the merge queue Feb 15, 2024
Merged via the queue into master with commit 8d3e48a Feb 15, 2024
34 checks passed
@bl-nero bl-nero deleted the bl-nero/fix-change-password branch February 15, 2024 13:43
@public-teleport-github-review-bot

@bl-nero See the table below for backport results.

Branch Result
branch/v13 Create PR
branch/v14 Create PR
branch/v15 Create PR
