URL: https://github.com/freeipa/freeipa/pull/1244 Author: stlaz Title: #1244: Don't allow OTP or RADIUS in FIPS mode Action: opened
PR body: """ RADIUS, which is also internally used in the process of OTP authentication by ipa-otpd, requires MD5 checksums which makes it impossible to be used in FIPS mode. Don't allow users setting OTP or RADIUS authentication if in FIPS mode. https://pagure.io/freeipa/issue/7168 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1244/head:pr1244 git checkout pr1244
From a67fff41bb9d774bad4b3ec3d0d702c270c76a58 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 7 Nov 2017 14:42:12 +0100 Subject: [PATCH] Don't allow OTP or RADIUS in FIPS mode RADIUS, which is also internally used in the process of OTP authentication by ipa-otpd, requires MD5 checksums which makes it impossible to be used in FIPS mode. Don't allow users setting OTP or RADIUS authentication if in FIPS mode. https://pagure.io/freeipa/issue/7168 --- ipaserver/plugins/baseuser.py | 14 ++++++++++++++ ipaserver/plugins/config.py | 9 +++++++++ 2 files changed, 23 insertions(+) diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index ef5585822f..039494d5a0 100644 --- a/ipaserver/plugins/baseuser.py +++ b/ipaserver/plugins/baseuser.py @@ -471,6 +471,18 @@ def convert_attribute_members(self, entry_attrs, *keys, **options): except KeyError: pass + def check_fips_options(self, **options): + """ + OTP and RADIUS are not allowed in FIPS mode since they use MD5 + checksums (OTP uses our RADIUS responder daemon ipa-otpd). + """ + if 'ipauserauthtype' in options and self.api.env.fips_mode: + if ('otp' in options['ipauserauthtype'] or + 'radius' in options['ipauserauthtype']): + raise errors.InvocationError( + 'OTP and RADIUS authentication in FIPS is ' + 'not yet supported') + class baseuser_add(LDAPCreate): """ @@ -480,6 +492,7 @@ def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) set_krbcanonicalname(entry_attrs) + self.obj.check_fips_options(**options) self.obj.convert_usercertificate_pre(entry_attrs) def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options): @@ -603,6 +616,7 @@ def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, assert isinstance(dn, DN) add_sshpubkey_to_attrs_pre(self.context, attrs_list) + self.obj.check_fips_options(**options) self.check_namelength(ldap, **options) self.check_mail(entry_attrs) 
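Review bot: `check_fips_options` indexes `options['ipauserauthtype']` and applies `in` to it, so a request that clears the attribute (the framework appears to pass the key with a `None` value for an emptied multi-value option) would fail with a TypeError instead of being accepted; `options.get('ipauserauthtype') or ()` avoids that. The guard also looks only at `options`, while the value that gets written is the one in `entry_attrs`, which the framework also fills from `--setattr`/`--addattr` before `pre_callback` runs, so a value arriving that way is not checked; reading `entry_attrs` (falling back to the option) closes the gap, and the two call sites in the following two hunks would then pass `entry_attrs` along. The copy of this check in ipaserver/plugins/config.py shares the `None` pitfall. The enclosing class starts before this hunk.
```python
    def check_fips_options(self, entry_attrs, **options):
        """
        OTP and RADIUS are not allowed in FIPS mode since they use MD5
        checksums (OTP uses our RADIUS responder daemon ipa-otpd).
        entry_attrs is consulted first so values supplied via
        --setattr/--addattr are covered; the plain option is the fallback.
        """
        if not self.api.env.fips_mode:
            return
        auth_types = entry_attrs.get('ipauserauthtype',
                                     options.get('ipauserauthtype')) or ()
        if 'otp' in auth_types or 'radius' in auth_types:
            raise errors.InvocationError(
                'OTP and RADIUS authentication in FIPS is '
                'not yet supported')
```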
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py index ce15e6096f..dec2fc28d0 100644 --- a/ipaserver/plugins/config.py +++ b/ipaserver/plugins/config.py @@ -398,6 +398,15 @@ class config_mod(LDAPUpdate): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) + if 'ipauserauthtype' in options and self.api.env.fips_mode: + # OTP and RADIUS are not allowed in FIPS mode since they use MD5 + # checksums (OTP uses our RADIUS responder daemon ipa-otpd). + if ('otp' in options['ipauserauthtype'] or + 'radius' in options['ipauserauthtype']): + raise errors.InvocationError( + 'OTP and RADIUS authentication in FIPS is ' + 'not yet supported') + if 'ipadefaultprimarygroup' in entry_attrs: group=entry_attrs['ipadefaultprimarygroup'] try:
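Review bot: The block added to `config_mod.pre_callback` is a verbatim copy of the `check_fips_options` body introduced in ipaserver/plugins/baseuser.py, including the error text, so the two will drift on the next change; a single module-level helper, e.g. `def check_fips_auth_type(api, auth_types)` that both plugins call, keeps one definition and gives one place to handle the case where the option is present but `None`. If the helper stays per-plugin, at least replace `options['ipauserauthtype']` here with `auth_types = options.get('ipauserauthtype') or ()` and test against `auth_types`. `pre_callback` continues beyond this hunk.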