I believe I have found a bug in the way factors are processed in
cosign.cgi. The manpage has the following documentation:

If authentication is successful, the external authenticator writes the
factor name on stdout (file descriptor 1) and exits with a value of 0.
If an error occurs, the external authenticator writes an error message
on stdout and exits with a value of 1. If the user’s password has
expired, the external authenticator writes an error message on stdout
and exits with a value of 2. All other exit values are reserved for
future use.

From that documentation, I would assume that the following lines in
cosign.conf would allow a login from factor1 *or* factor2 so long as
one of them exited with code 0 and wrote the factor name on stdout.

factor /usr/local/lib/cosign/factor/factor1 login password
factor /usr/local/lib/cosign/factor/factor2 login password

I find this to not be the case. I believe the goto loginscreen is
being called prematurely, causing the for loop over the factors to be
terminated as soon as a single factor fails. I have tested the
attached patch and it provides the behavior I was expecting, where
valid credentials supplied for factor1 *or* factor2 result in a
successful login. I submit this patch for the review of the Cosign
maintainers.

Cheers,
Jason
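As an added illustration (not Cosign's own code), here is the factor contract quoted from the manpage above, implemented the way the message expects it to behave: each configured factor program is run in turn, the first one exiting 0 wins and its stdout line becomes the factor name, and a failing factor moves on to the next one instead of ending the loop. The `run_factors` name and the command strings are this example's own assumptions.

```c
/* Added example, not Cosign's code. Runs the configured external factor
 * programs in order and applies the documented contract:
 *   exit 0 -> success, stdout carries the factor name
 *   exit 1 -> error, stdout carries a message
 *   exit 2 -> password expired, stdout carries a message
 * One factor succeeding is enough (factor1 *or* factor2); a failure only
 * moves on to the next factor instead of aborting the whole loop. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

#define FACTOR_OK      0
#define FACTOR_ERROR   1
#define FACTOR_EXPIRED 2

/* Run one factor command through popen(); returns its exit value and
 * leaves its first stdout line (factor name or error message) in out. */
static int run_one_factor(const char *cmd, char *out, size_t outlen)
{
    FILE *fp = popen(cmd, "r");
    if (fp == NULL)
        return FACTOR_ERROR;
    if (fgets(out, (int)outlen, fp) == NULL)
        out[0] = '\0';
    out[strcspn(out, "\r\n")] = '\0';          /* strip trailing newline */
    int status = pclose(fp);
    if (status == -1 || !WIFEXITED(status))
        return FACTOR_ERROR;
    return WEXITSTATUS(status);
}

/* Try every configured factor; the first that exits 0 wins and its name
 * is left in out. If none succeeds, report "expired" when any factor said
 * so, otherwise a generic error; out then holds the last message seen.
 * Reserved exit values (3 and up) are treated as a plain error. */
int run_factors(const char *const *cmds, int ncmds, char *out, size_t outlen)
{
    int result = FACTOR_ERROR;
    for (int i = 0; i < ncmds; i++) {
        int rc = run_one_factor(cmds[i], out, outlen);
        if (rc == FACTOR_OK)
            return FACTOR_OK;                  /* factor name is in out */
        if (rc == FACTOR_EXPIRED)
            result = FACTOR_EXPIRED;
        /* any other exit value: keep trying the remaining factors */
    }
    return result;
}
```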
diff --git a/cgi/cgi.c b/cgi/cgi.c
index a2d8a0f..9f094d2 100755
--- a/cgi/cgi.c
+++ b/cgi/cgi.c
@@ -818,7 +818,7 @@ loggedin:
             } else {
                sl[ SL_TITLE ].sl_data = "Authentication Required";
             }
-           goto loginscreen;
+           continue;
        }
 
        for ( i = 0; i < COSIGN_MAXFACTORS - 1; i++ ) {
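Review bot: replacing `goto loginscreen` with `continue` removes the only visible exit to the login screen in this block, so the hunk needs to show (or the cover note needs to explain) what happens after the loop when every factor fails; without a post-loop check that at least one factor succeeded, the fall-through would carry on past the loop with no valid factor. It also leaves the failure state set just above it (`sl[ SL_TITLE ].sl_data = "Authentication Required";` and whatever the matching branch sets) in place when a later factor does succeed. Suggest setting a success flag when a factor exits 0, jumping to `loginscreen` after the loop when the flag is unset, and clearing the title and message fields on the success path.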

_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss