On Wed, May 20, 2015 at 04:54:41PM +0200, Pavel Reichl wrote:
>
>
> On 05/20/2015 04:51 PM, Pavel Reichl wrote:
> >
> >
> >On 04/22/2015 11:09 AM, Sumit Bose wrote:
> >[snip]
> >>I wonder what should happen after a local password change. We save the
> >>hash of the new password to the cache but I think we do not change the
> >>last online auth time here. Shall we do cached authentication with the
> >>new password immediately here or shall we go to the backend at least
> >>once to make sure the backend knows about the new password? I think I
> >>would prefer the latter. Please add a test with a wrong password as well to
> >>check if offline_failed_login_attempts and offline_failed_login_delay
> >>are respected here as well
> >How exactly should offline_failed_login_attempts and
> >offline_failed_login_delay be respected?
> >
> >In my current implementation cached authentication is tried no matter the
> >value of offline_failed_login_attempt. If cached authentication fails
> >offline_failed_login_attempt is increased and online authentication is
> >tried. So currently offline_failed_login_delay has no influence on cached
> >authentication. I don't consider this a security problem because
> >online authentication is performed for every cached authentication
> >attempt.
> Oh, sorry, correct wording should have been "online authentication is
> performed for every *failed* cached authentication attempt"
> >Do you agree?
yes, so the offline_* parameters are kept for real offline authentication
only. Would it be possible (without major changes) to not increase
offline_failed_login_attempts if cached authentication fails?

bye,
Sumit

> >
> >>(I have no doubt about this because the same code path will be used
> >>but better be on the safe side and be able to detect regression early).
> >>As an alternative we might want to send the request to the backend if
> >>cached authentication fails. This would cover the case where the user
> >>changed the password on the server and tries to log in to a system
> >>where the cached_authentication_timeout is not expired yet with the new
> >>password.
> >
> >_______________________________________________
> >sssd-devel mailing list
> >sssd-devel@lists.fedorahosted.org
> >https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
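The policy question in this thread (should a failed cached-credential check count against offline_failed_login_attempts when every failed cached attempt falls through to the backend anyway?) is easier to reason about with a small model. The following is an added example written for this page, not SSSD code and not code from either poster: a toy state machine with a hashed credential cache, an online fallback, and the offline counters. The names Config, AuthState, authenticate and run_scenario are hypothetical, and the count_cached_failures switch stands for the two behaviours discussed (Pavel's current implementation vs. Sumit's suggestion). The config option names and the cached_authentication_timeout semantics are taken from the thread; everything else (hash parameters, reset-on-success) is a modelling assumption.

```python
"""Toy model of cached vs. online vs. offline authentication (added example,
not SSSD's implementation). Hypothetical names throughout."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Config:
    cached_authentication_timeout: int = 3600   # seconds since last online auth
    offline_failed_login_attempts: int = 3      # 0 would mean unlimited
    offline_failed_login_delay: int = 5         # minutes to wait once the limit is hit
    # True  = a failed cached check bumps the offline counter (current implementation)
    # False = only real offline failures count (Sumit's suggestion)
    count_cached_failures: bool = True


@dataclass
class AuthState:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    cached_hash: Optional[bytes] = None
    last_online_auth: int = 0
    failed_attempts: int = 0
    last_failed: int = 0


def _hash(salt: bytes, password: str) -> bytes:
    # Iteration count kept low for a demo; assumption, not SSSD's setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _matches(state: AuthState, password: str) -> bool:
    return state.cached_hash is not None and hmac.compare_digest(
        state.cached_hash, _hash(state.salt, password))


def cache_password(state: AuthState, password: str, now: int) -> None:
    """Store the hash of a password the backend just accepted and refresh
    the last-online-auth timestamp (the point Sumit raises about changes)."""
    state.cached_hash = _hash(state.salt, password)
    state.last_online_auth = now


def _record_failure(state: AuthState, now: int) -> None:
    state.failed_attempts += 1
    state.last_failed = now


def _offline_locked(state: AuthState, now: int, cfg: Config) -> bool:
    limit = cfg.offline_failed_login_attempts
    if limit and state.failed_attempts >= limit:
        return now - state.last_failed < cfg.offline_failed_login_delay * 60
    return False


def authenticate(state: AuthState, password: str, now: int, cfg: Config,
                 backend: Optional[Callable[[str], bool]]) -> str:
    """backend is a callable that answers the server's verdict, or None when
    the server is unreachable. Returns 'cached', 'online', 'offline',
    'denied' or 'locked'."""
    cache_valid = (state.cached_hash is not None and
                   now - state.last_online_auth <= cfg.cached_authentication_timeout)
    if backend is not None:
        # Online: cached check first, then the backend on every cached failure.
        if cache_valid and _matches(state, password):
            return "cached"
        if cache_valid and cfg.count_cached_failures:
            _record_failure(state, now)          # behaviour under discussion
        if backend(password):
            cache_password(state, password, now)  # also covers a server-side change
            state.failed_attempts = 0
            return "online"
        return "denied"
    # Offline: only the cache is available, so the offline_* limits apply.
    if _offline_locked(state, now, cfg):
        return "locked"
    if _matches(state, password):
        state.failed_attempts = 0
        return "offline"
    _record_failure(state, now)
    return "denied"


def run_scenario(count_cached_failures: bool) -> Tuple[int, List[str]]:
    """Two typos while online, then network loss, then one typo and the
    correct password. Returns the counter after the online phase and the
    verdict sequence. Credentials here are constructed sample data."""
    cfg = Config(count_cached_failures=count_cached_failures)
    state = AuthState()
    backend = lambda pw: pw == "correct horse"
    t = 1000
    authenticate(state, "correct horse", t, cfg, backend)   # populate the cache
    results = [authenticate(state, "wrong", t + 10 + i, cfg, backend) for i in range(2)]
    after_online = state.failed_attempts
    results.append(authenticate(state, "wrong", t + 100, cfg, None))          # offline typo
    results.append(authenticate(state, "correct horse", t + 101, cfg, None))  # offline, right pw
    return after_online, results


if __name__ == "__main__":
    for flag in (True, False):
        print("count_cached_failures=%s -> %s" % (flag, run_scenario(flag)))
```

With count_cached_failures=True the two online typos already push the counter to 2, so a single offline typo reaches the limit and the user is locked out for offline_failed_login_delay even with the right password; with it False the online typos do not count and the correct password still works offline. The model also shows the password-change case from the quoted paragraph: a new password fails the cached check, reaches the backend, and on success replaces the cached hash.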