On 05/20/2015 04:51 PM, Pavel Reichl wrote:
On 04/22/2015 11:09 AM, Sumit Bose wrote:
[snip]
I wonder what should happen after a local password change. We save
the hash of the new password to the cache but I think we do not
change the last online auth time here. Shall we do cached
authentication with the new password immediately here or shall we go
to the backend at least once to make sure the backend knows about the
new password? I think I would prefer the latter. Please add a test with
a wrong password as well to check if offline_failed_login_attempts and
offline_failed_login_delay are respected here as well.

How exactly should offline_failed_login_attempts and
offline_failed_login_delay be respected?
In my current implementation, cached authentication is tried no matter
the value of offline_failed_login_attempt. If cached authentication
fails, offline_failed_login_attempt is increased and online
authentication is tried. So currently offline_failed_login_delay has
no influence on cached authentication. I don't consider this a
security problem because online authentication is performed for every
cached authentication attempt.

Oh, sorry, correct wording should have been "online authentication is
performed for every *failed* cached authentication attempt".
Do you agree?

(I have no doubt about this because the same code path will be used
but better be on the safe side and be able to detect regression
early). As an alternative we might want to send the request to the
backend if cached authentication fails. This would cover the case
where the user changed the password on the server and tries to log
in to a system where the cached_authentication_timeout is not expired
yet with the new password.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
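
Added example, not part of the thread and not SSSD code: a small C model of the routing discussed above, where a failed cached attempt is counted and then sent online, and a local password change forces one backend authentication before the cache is trusted again. The struct, the function names, closing the window by zeroing last_online_auth, and clearing the counter on online success are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical model of one user's cache entry; not SSSD's sysdb schema. */
struct cache_entry {
    const char *pw_hash;       /* stand-in for the cached password hash */
    time_t last_online_auth;   /* 0 = backend has not confirmed this hash */
    unsigned failed_attempts;  /* failed cached authentication attempts */
};

enum auth_route { ROUTE_CACHED_OK, ROUTE_ONLINE };

/* Decide whether a login is answered from the cache or sent to the backend.
 * timeout models cached_authentication_timeout, in seconds. */
enum auth_route route_auth(struct cache_entry *e, const char *hash,
                           time_t now, time_t timeout)
{
    /* Never confirmed online, or window expired: the backend must decide. */
    if (e->last_online_auth == 0 || now - e->last_online_auth >= timeout)
        return ROUTE_ONLINE;
    /* strcmp stands in for verifying the password against a salted hash. */
    if (strcmp(e->pw_hash, hash) == 0)
        return ROUTE_CACHED_OK;
    /* Failed cached attempt: count it, then fall through to the backend. */
    e->failed_attempts++;
    return ROUTE_ONLINE;
}

/* Local password change: new hash is cached, window is closed (assumed). */
void local_password_change(struct cache_entry *e, const char *new_hash)
{
    e->pw_hash = new_hash;
    e->last_online_auth = 0;
}

/* Successful online authentication confirms the hash and reopens the window. */
void online_auth_succeeded(struct cache_entry *e, const char *hash, time_t now)
{
    e->pw_hash = hash;
    e->last_online_auth = now;
    e->failed_attempts = 0;  /* assumption: success clears the counter */
}

int main(void)
{
    struct cache_entry e = { "hash-old", 0, 0 };  /* constructed sample */
    online_auth_succeeded(&e, "hash-old", 1000);
    local_password_change(&e, "hash-new");
    puts(route_auth(&e, "hash-new", 1010, 300) == ROUTE_ONLINE ? "online" : "cached");
    return 0;
}
```

In this model a user who changed the password on the server and logs in with it inside the window also increments failed_attempts before the backend accepts the login, which is the kind of interaction the requested wrong-password test would exercise.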