On Apr 23, 2013, at 4:13 AM, "Bennett, Steve" <s.benn...@lancaster.ac.uk> wrote:

> Hi Andrew,
> 
> I'm just putting up some new CoSign servers (trying to get out of the 
> "CoSign-shaped hole" that I dug myself :-), and I thought I'd make sure that 
> I had the fixed functionality referred to in this bug report (it could be 
> really useful to us).
> I can't see the fix applied in Git. Is this my incompetence at using Git 
> (quite possible, really), or has the fix not been applied there?

It's there:

<http://cosign.git.sourceforge.net/git/gitweb.cgi?p=cosign/cosign;a=blobdiff;f=cgi/cgi.c;h=3b55d19015f3c2e5815217b763a7fbf0deb429a5;hp=5c35f2778d39b31d9d2af8ef11a2104744c036e9;hb=63d20e90ce2915f300a973c3ab0be3f7178ed96a;hpb=8339e7b90e4632d3f5adb9c771b8538b86076cd7>

andrew



> 
> Steve.
> 
> -----Original Message-----
> From: Andrew Mortensen [mailto:and...@weblogin.org] 
> Sent: 19 September 2012 16:11
> To: Jason Noble
> Cc: 
> Subject: Re: [Cosign-discuss] Multiple factor bug
> 
> Thanks for the patch. I looked back through the history of that code, and 
> it's always behaved that way, showing the login screen if any factor 
> execution fails.
> 
> I don't see any reason why it should continue to, though. A check after the 
> factorlist loop ensures that the user authenticated somehow. I've committed 
> the patch to the master branch.
> 
> andrew
> 
> 
> On Sep 18, 2012, at 4:22 PM, Jason Noble <ja...@infininull.com> wrote:
> 
>> 
>> I believe I have found a bug in the way factors are processed in 
>> cosign.cgi. The manpage has the following documentation:
>> 
>> If authentication is successful, the external authenticator writes the 
>> factor name on stdout (file descriptor 1) and exits with a value of 0.
>> If an error occurs, the external authenticator writes an error message 
>> on stdout and exits with a value of 1. If the user's password has 
>> expired, the external authenticator writes an error message on stdout 
>> and exits with a value of 2. All other exit values are reserved for 
>> future use.
>> 
>> From that documentation, I would assume that the following lines in 
>> cosign.conf would allow a login from factor1 *or* factor2 so long as 
>> one of them exited with code 0 and wrote the factor name on stdout.
>> 
>> factor /usr/local/lib/cosign/factor/factor1 login password
>> factor /usr/local/lib/cosign/factor/factor2 login password
>> 
>> I find this to not be the case. I believe the goto loginscreen is 
>> being called prematurely, causing the for loop over the factors to be 
>> terminated as soon as a single factor fails. I have tested the 
>> attached patch and it provides the behavior I was expecting, where 
>> valid credentials supplied for factor1 *or* factor2 result in a 
>> successful login. I submit this patch for the review of the Cosign 
>> maintainers.
>> 
>> Cheers,
>> Jason
>> <multiple_factor.patch>
> 
> 
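The loop behaviour Jason describes and the post-loop check Andrew refers to, shown side by side as an added example that is not cosign's own cgi.c: the factor programs, the "steve"/"alpha"/"beta" credentials and the two run_factors_* functions are constructed stand-ins that only follow the exit-code contract quoted from the manpage.

```c
/* Added illustration of the factor loop discussed in the thread, not cosign's cgi.c.
 * Factor programs are simulated in-process, following the manpage contract:
 * exit 0 and the factor name on stdout on success, exit 1 and an error otherwise. */
#include <stdio.h>
#include <string.h>
#define OUT_LEN 64

/* Simulated factor: returns the "exit status" and fills out[] with its "stdout". */
typedef int (*factor_fn)(const char *login, const char *pw, char *out, size_t outlen);
/* Constructed sample factors: each accepts one hard-coded login/password pair. */
static int factor1(const char *login, const char *pw, char *out, size_t outlen) {
    if (!strcmp(login, "steve") && !strcmp(pw, "alpha")) { snprintf(out, outlen, "factor1"); return 0; }
    snprintf(out, outlen, "factor1: bad password"); return 1;
}
static int factor2(const char *login, const char *pw, char *out, size_t outlen) {
    if (!strcmp(login, "steve") && !strcmp(pw, "beta")) { snprintf(out, outlen, "factor2"); return 0; }
    snprintf(out, outlen, "factor2: bad password"); return 1;
}
static const factor_fn factorlist[] = { factor1, factor2 };
static const int nfactors = sizeof factorlist / sizeof factorlist[0];
static char satisfied[2][OUT_LEN];   /* names of the factors that passed */

/* Pre-patch shape: the first failing factor jumps straight to the login screen,
 * so a password that only factor2 accepts is never tried, and a factor1 success
 * is thrown away when factor2 then fails. Returns the count of satisfied factors. */
static int run_factors_buggy(const char *login, const char *pw) {
    int n = 0; char out[OUT_LEN];
    for (int i = 0; i < nfactors; i++) {
        if (factorlist[i](login, pw, out, sizeof out) != 0)
            goto loginscreen;            /* premature: remaining factors skipped */
        snprintf(satisfied[n++], OUT_LEN, "%s", out);
    }
    return n;
loginscreen:
    return 0;                            /* show the login screen */
}

/* Patched shape: every factor runs, a failure contributes nothing, and only
 * the check after the loop decides whether the user authenticated somehow. */
static int run_factors_fixed(const char *login, const char *pw) {
    int n = 0; char out[OUT_LEN];
    for (int i = 0; i < nfactors; i++) {
        if (factorlist[i](login, pw, out, sizeof out) != 0)
            continue;                    /* this factor failed; try the next one */
        snprintf(satisfied[n++], OUT_LEN, "%s", out);
    }
    if (n == 0)
        return 0;                        /* no factor authenticated: login screen */
    return n;
}
```

With the pre-patch loop, even credentials that factor1 accepts end at the login screen because factor2 rejects them afterwards; the patched loop returns the factor that succeeded.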