On 05/28/2015 10:40 AM, Sumit Bose wrote:
On Wed, May 20, 2015 at 04:54:41PM +0200, Pavel Reichl wrote:
On 05/20/2015 04:51 PM, Pavel Reichl wrote:
On 04/22/2015 11:09 AM, Sumit Bose wrote:
[snip]
I wonder what should happen after a local password change. We save the
hash of the new password to the cache but I think we do not change the
last online auth time here. Shall we do cached authentication with the
new password immediately here or shall we go to the backend at least
once to make sure the backend knows about the new password. I think I
would prefer the latter. Please add test with wrong password as well to
check if offline_failed_login_attempts and offline_failed_login_delay
are respected here as well
How exactly should offline_failed_login_attempts and
offline_failed_login_delay be respected?
In my current implementation cached authentication is tried no matter the
value of offline_failed_login_attempt. If cached authentication fails
offline_failed_login_attempt is increased and online authentication is
tried. So currently offline_failed_login_delay has no influence for cached
authentication. I don't consider this as a security problem because
online authentication is performed for every cached authentication
attempt.
Oh, sorry, correct wording should have been "online authentication is
performed for every *failed* cached authentication attempt"
Do you agree?
yes, so the offline_* parameters are kept for real offline
authentication only. Would it be possible (without major changes) to not
increase offline_failed_login_attempts if cached authentication fails?
Thanks for the comment. I'm not sure how hard it will be. I'll look into
it and do my best while addressing reviewers concerns with the first
version of patches which is already on list.
bye,
Sumit
(I have no doubt about this because the same code path will be used
but better be on the safe side and be able to detect regression early).
As an alternative we might want to send the request to the backend if
cached authentication fails. This would cover the case where the user
changed the password on the server and tries to log in to a system
where the cached_authentication_timeout is not expired yet with the new
password.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
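As an added illustration of the flow discussed above (example code, not SSSD's own; the struct and function names, the toy hash and the simulated backend are assumptions): cached authentication is tried first within cached_authentication_timeout, a cached failure is optionally counted against offline_failed_login_attempts, and the backend is consulted on any cached failure, which also covers the case of a password changed on the server while the old hash is still cached.

```c
/* Model of the cached-authentication decision flow; hypothetical names. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

enum auth_result { AUTH_CACHED_OK, AUTH_ONLINE_OK, AUTH_DENIED };

struct user_cache {
    char hash[64];               /* stand-in for the cached password hash */
    time_t last_online_auth;     /* when the backend last confirmed the password */
    int offline_failed_attempts; /* offline_failed_login_attempts counter */
};

/* Constructed backend: the password the server currently knows. */
static const char *g_server_password;

static bool backend_auth(const char *password)
{
    return strcmp(password, g_server_password) == 0;
}

/* Toy "hash" for the example only; real code uses a proper password hash. */
static void toy_hash(const char *password, char *out, size_t len)
{
    snprintf(out, len, "h(%s)", password);
}

enum auth_result cached_auth(struct user_cache *c, const char *password,
                             time_t now, int cached_auth_timeout,
                             bool count_cached_failures)
{
    char h[64];
    toy_hash(password, h, sizeof h);

    /* 1. Cache still valid: compare hashes, no backend round trip on success. */
    if (now - c->last_online_auth < cached_auth_timeout) {
        if (strcmp(h, c->hash) == 0)
            return AUTH_CACHED_OK;
        /* Current implementation counts this; the alternative discussed does not. */
        if (count_cached_failures)
            c->offline_failed_attempts++;
    }

    /* 2. Cached auth failed or expired: always ask the backend. */
    if (!backend_auth(password))
        return AUTH_DENIED;

    /* 3. Backend accepted: refresh cached hash and last online auth time. */
    toy_hash(password, c->hash, sizeof c->hash);
    c->last_online_auth = now;
    return AUTH_ONLINE_OK;
}
```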