On Sun, Jan 05, 2014 at 12:26:05PM +0000, Stuart Henderson wrote:
> On 2014/01/05 13:10, Remi Locherer wrote:
> > + /* only test the password if yubikey auth was successful */
>
> This should be done even if Yubikey auth fails, to avoid disclosing
> information due to timing.
Good point! I changed it to this:
	/* run both checks unconditionally, then combine the results */
	ret = pwd_login(username, password_pwd, wheel, lastchance, class);
	ret_yubi = yubikey_login(username, password_yubikey);
	if (ret_yubi != AUTH_OK)
		ret = AUTH_FAILED;
This does not work because pwd_login writes directly to the back channel. To
make it work correctly I would need to change login_passwd.c (maybe with
#ifdef YUBIKEY).
But I'll try to implement Ryan's idea instead, with a passphrase that encrypts
the user.key file.
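The timing point Stuart raised, as an added example that is not part of this thread or of login_yubikey: two hypothetical check functions, pwd_check() and yubikey_check(), stand in for pwd_login() and yubikey_login(). Unlike the real pwd_login() they only compare against constructed credentials and never write to the BSD auth back channel, which is exactly why they can be combined freely here. login_short_circuit() is the shape the original "only test the password if yubikey auth was successful" comment described; login_both() is the shape that evaluates both factors regardless. A counter on the password check makes the difference observable without a stopwatch.

```c
#include <stddef.h>
#include <string.h>

#define AUTH_OK		0
#define AUTH_FAILED	1

/* Constructed credentials for one user; the OTP is a 44-character modhex
 * string shaped like a YubiKey OTP but not a real one. */
#define DEMO_USER	"remi"
#define DEMO_PASSWORD	"correct horse battery"
#define DEMO_OTP	"cccccccfhcbdvjkfkuirjtguektekfkfgbhbgdfkbfev"

/* Counts how often the password check actually ran, so the difference
 * between the two combination strategies can be observed without a clock. */
int pwd_checks_run = 0;

/*
 * Compare two NUL-terminated strings without stopping at the first
 * mismatch: the loop always walks the longer of the two lengths and
 * ORs every differing byte into `diff`.
 */
static int
ct_equal(const char *a, const char *b)
{
	size_t alen = strlen(a), blen = strlen(b);
	size_t n = alen > blen ? alen : blen;
	unsigned char diff = (unsigned char)(alen != blen);
	size_t i;

	for (i = 0; i < n; i++)
		diff |= (unsigned char)((i < alen ? a[i] : 0) ^
		    (i < blen ? b[i] : 0));
	return diff == 0;
}

/* Hypothetical stand-in for pwd_login(): compares against the constructed
 * table and, unlike the real login_passwd code, never writes to the BSD
 * auth back channel. */
static int
pwd_check(const char *user, const char *password)
{
	pwd_checks_run++;
	return (ct_equal(user, DEMO_USER) & ct_equal(password, DEMO_PASSWORD))
	    ? AUTH_OK : AUTH_FAILED;
}

/* Hypothetical stand-in for yubikey_login(): accepts only the constructed
 * OTP. */
static int
yubikey_check(const char *user, const char *otp)
{
	return (ct_equal(user, DEMO_USER) & ct_equal(otp, DEMO_OTP))
	    ? AUTH_OK : AUTH_FAILED;
}

/*
 * Short-circuit form: on a bad OTP the password is never examined and the
 * function returns early, so the response time reveals which factor was
 * rejected.
 */
int
login_short_circuit(const char *user, const char *password, const char *otp)
{
	if (yubikey_check(user, otp) != AUTH_OK)
		return AUTH_FAILED;
	return pwd_check(user, password);
}

/*
 * Both factors are evaluated unconditionally and the results are merged
 * with a bitwise OR rather than a branch. With AUTH_OK == 0 and
 * AUTH_FAILED == 1 the OR is AUTH_OK exactly when both checks passed, and
 * the amount of work done no longer depends on the OTP outcome.
 */
int
login_both(const char *user, const char *password, const char *otp)
{
	int ret_pwd = pwd_check(user, password);
	int ret_yubi = yubikey_check(user, otp);

	return ret_pwd | ret_yubi;
}
```

ct_equal() is spelled out only so the block is self-contained; on OpenBSD the comparison would be timingsafe_bcmp(3). The example also shows why the combination cannot simply be bolted onto the real pwd_login(): once a check talks to the back channel itself, its result can no longer be held back and merged after the second factor has run.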