From edf37611b0eacb47b4d72bac97b9281231b4476f Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 24 Mar 2015 13:00:14 +0100 Subject: [PATCH 24/30] Add cache_credentials_minimal_first_factor_length config option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Lukáš Slebodník (cherry picked from commit 932c3e22e3c59a9c33f30dcc09e6bef257e14320) --- src/confdb/confdb.c | 11 +++++++++++ src/confdb/confdb.h | 4 ++++ src/config/SSSDConfigTest.py | 2 ++ src/config/etc/sssd.api.conf | 1 + src/man/sssd.conf.5.xml | 22 ++++++++++++++++++++++ src/util/domain_info_utils.c | 2 ++ 6 files changed, 42 insertions(+) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index 9ce7b13114e1336a4b8ffb8fdfa13c49d2c0c006..2ebf6c15e060ad5899a60629aa6b28021d0f408d 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -956,6 +956,17 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, goto done; } + ret = get_entry_as_uint32(res->msgs[0], + &domain->cache_credentials_min_ff_length, + CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH, + CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Invalid value for %s\n", + CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH); + goto done; + } + ret = get_entry_as_bool(res->msgs[0], &domain->legacy_passwords, CONFDB_DOMAIN_LEGACY_PASS, 0); if(ret != EOK) { diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index e97c46b34e34a02f80903c204e3a1744b0a5977e..93fbce5e5e46e4a7517d971f2ab886ded65a68f3 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h 
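Review bot: The value filled in by the new get_entry_as_uint32() call is stored without any range check, so a configured 0 (or 1) quietly removes the protection the option exists for: every first factor, including the short PINs that the sssd.conf(5) text in this patch says must stay out of the cache, becomes eligible for caching as a SHA512 hash. Lowering the value may be a deliberate administrative choice, so a fatal error is too much, but the relaxed policy should at least be visible in the log; after the existing `if (ret != EOK)` block add `if (domain->cache_credentials_min_ff_length < CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH) { DEBUG(SSSDBG_CONF_SETTINGS, "%s is below the default of %d, shorter first factors will be cached\n", CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH, CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH); }`. Nothing in this patch consumes the new field, so the enforcement presumably lives in the authentication/cache path outside this commit and should be where a too-short first factor is actually refused. confdb_get_domain_internal() starts and ends outside the hunk.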
@@ -162,6 +162,9 @@ #define CONFDB_DOMAIN_MINID "min_id" #define CONFDB_DOMAIN_MAXID "max_id" #define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials" +#define CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH \ + "cache_credentials_minimal_first_factor_length" +#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8 #define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords" #define CONFDB_DOMAIN_MPG "magic_private_groups" #define CONFDB_DOMAIN_FQ "use_fully_qualified_names" @@ -222,6 +225,7 @@ struct sss_domain_info { uint32_t id_max; bool cache_credentials; + uint32_t cache_credentials_min_ff_length; bool legacy_passwords; bool case_sensitive; bool case_preserve; diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index aed76e5a0dd695b1969f3946f245a80062627e24..2a5dc8d561ab88d888a0a33f091bac55be1d701f 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -494,6 +494,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): 'command', 'enumerate', 'cache_credentials', + 'cache_credentials_minimal_first_factor_length', 'store_legacy_passwords', 'use_fully_qualified_names', 'ignore_group_members', @@ -856,6 +857,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): 'command', 'enumerate', 'cache_credentials', + 'cache_credentials_minimal_first_factor_length', 'store_legacy_passwords', 'use_fully_qualified_names', 'ignore_group_members', diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 59d755c2668235d046781227568d7f9e805a45d0..7ad84cd826a648ca61d9d2ede70e7886049d469a 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -110,6 +110,7 @@ subdomain_enumerate = str, None, false force_timeout = int, None, false offline_timeout = int, None, false cache_credentials = bool, None, false +cache_credentials_minimal_first_factor_length = int, None, false store_legacy_passwords = bool, None, false use_fully_qualified_names = bool, None, false ignore_group_members = bool, None, false 
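Review bot: The new `cache_credentials_min_ff_length` member in the second hunk and the `CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH` default in the first are added without a comment, and neither the macro name nor the man-page text in this patch says whether the length is counted in bytes or in characters, which matters for non-ASCII long-term passwords. Document the contract where the field is declared: `/* 2FA only: minimum length the first factor (long-term password) must have before it is cached; values below the default weaken the brute-force protection described in sssd.conf(5) */`. A one-line comment on the `#define` saying the unit once the enforcing code settles it would close the ambiguity for future readers.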
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 4961d5b956f6d1736dc1e9967bd0115f4993ec77..fd05e3af20426121e2d6ec5943c9b70786a5db5f 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1420,6 +1420,28 @@ pam_account_expired_message = Account expired, please call help desk. + + + cache_credentials_minimal_first_factor_length (int) + + + If 2-Factor-Authentication (2FA) is used and + credentials should be saved this value determines + the minimal lenght the first authentication factor + (long term password) must have to be saved as SHA512 + hash into the cache. + + + This should avoid that the short PINs of a PIN based + 2FA scheme are saved in the cache which would make + them easy targets for brute-force attacks. + + + Default: 8 + + + + account_cache_expiration (integer) diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index e2dec04354e62bc8d135567fdbac88ea5da8cc00..1e2a473a7571a37bff5f10d66f917ed1f176f172 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c @@ -297,6 +297,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, dom->id_max = parent->id_max ? parent->id_max : 0xffffffff; dom->pwd_expiration_warning = parent->pwd_expiration_warning; dom->cache_credentials = parent->cache_credentials; + dom->cache_credentials_min_ff_length = + parent->cache_credentials_min_ff_length; dom->case_sensitive = false; dom->user_timeout = parent->user_timeout; dom->group_timeout = parent->group_timeout; -- 2.4.3