Thanks for the patch. I looked back through the history of that code, and it's 
always behaved that way, showing the login screen if any factor execution fails.

I don't see any reason why it should continue to, though. A check after the 
factorlist loop ensures that the user authenticated somehow. I've committed the 
patch to the master branch.

andrew


On Sep 18, 2012, at 4:22 PM, Jason Noble <ja...@infininull.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I believe I have found a bug in the way factors are processed in
> cosign.cgi. The manpage has the following documentation:
> 
> If authentication is successful, the external authenticator writes the
> factor name on stdout (file descriptor 1) and exits with a value of 0.
> If an error occurs, the external authenticator writes an error message
> on stdout and exits with a value of 1. If the user’s password has
> expired, the external authenticator writes an error message on stdout
> and exits with a value of 2. All other exit values are reserved for
> future use.
> 
> From that documentation, I would assume that the following lines in
> cosign.conf would allow a login from factor1 *or* factor2 so long as
> one of them exited with code 0 and wrote the factor name on stdout.
> 
> factor /usr/local/lib/cosign/factor/factor1 login password
> factor /usr/local/lib/cosign/factor/factor2 login password
> 
> I find this to not be the case. I believe the goto loginscreen is
> being called prematurely, causing the for loop over the factors to be
> terminated as soon as a single factor fails. I have tested the
> attached patch and it provides the behavior I was expecting, where
> valid credentials supplied for factor1 *or* factor2 result in a
> successful login. I submit this patch for the review of the Cosign
> maintainers.
> 
> Cheers,
> Jason
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
> 
> iQEcBAEBAgAGBQJQWNfoAAoJEFBPX7xqwa0XFgQH/0DaFEynGzysVFzz8ly/ckjE
> Ni4LrbUIWNTdZ5RkYXqy4tXz0cPn4mdXv06ySx0ulkfsQ9FLbBKwbPGGTbQeRD5g
> 0gJgoz4XTqrbh7StEg1eUci8R24wUdQrHpRHj0uYGd/oY7mAOx/D9Si5dflZFyzy
> tgJm9E3tYZz7dc0sHzzkj0KYv11wcLUZ7KrW5kHHFTUZ+VcHe6tUfi7DPaBcJV68
> sy1nwhsiBHyBb6ekj/TIQyyznGZ2VWBGsisFw++Cdqlk1KafeBd5NpDnbY7gsC0O
> pmdrqvghc3LqJi1gSOVBV29CsrRVRo9ajB4i7GqIW6flwK2/n25jC6ameXSbz4I=
> =/65f
> -----END PGP SIGNATURE-----
> <multiple_factor.patch>
> Cosign-discuss mailing list
> Cosign-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
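The following is an added illustration, not cosign's own C code or Jason's patch: a Python model of the factor loop in cosign.cgi as the two messages describe it, before and after the change. The exit-code protocol (0 with the factor name on stdout, 1 for an error, 2 for an expired password) is the one quoted from the manpage above; the factor paths match the cosign.conf lines in the report. The `run_factor` helper's assumption that the configured fields are passed to the external program on stdin, and the fake runner used to simulate factor outcomes, are constructed for this example.

```python
"""Model of cosign.cgi's factor loop before and after the patch discussed
in the thread. Added example; not cosign's own code."""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Exit values from the cosign factor manpage quoted in the thread.
EXIT_SUCCESS = 0           # factor name on stdout, authentication succeeded
EXIT_ERROR = 1             # error message on stdout
EXIT_PASSWORD_EXPIRED = 2  # error message on stdout, password expired


@dataclass
class FactorResult:
    path: str
    exit_code: int
    stdout: str


@dataclass
class AuthOutcome:
    granted: List[str] = field(default_factory=list)  # factor names that verified
    errors: List[str] = field(default_factory=list)   # messages from failed factors

    @property
    def authenticated(self) -> bool:
        return bool(self.granted)


Runner = Callable[[str], FactorResult]


def run_factor(path: str, login: str, password: str, timeout: float = 10.0) -> FactorResult:
    """Run a real external authenticator. Assumption (not from the thread): the
    fields named on the cosign.conf 'factor' line are fed to it on stdin, one per line."""
    proc = subprocess.run([path], input=f"{login}\n{password}\n",
                          capture_output=True, text=True, timeout=timeout)
    return FactorResult(path, proc.returncode, proc.stdout)


def authenticate_before_patch(factor_paths: List[str], run: Runner) -> AuthOutcome:
    """Behaviour Jason reported: the first failing factor jumps to the login screen."""
    outcome = AuthOutcome()
    for path in factor_paths:
        result = run(path)
        if result.exit_code != EXIT_SUCCESS:
            outcome.errors.append(f"{path}: {result.stdout.strip()}")
            outcome.granted.clear()  # the 'goto loginscreen' inside the loop
            return outcome
        outcome.granted.append(result.stdout.strip())
    return outcome


def authenticate_after_patch(factor_paths: List[str], run: Runner) -> AuthOutcome:
    """Let every factor run; the decision is the check after the loop."""
    outcome = AuthOutcome()
    for path in factor_paths:
        result = run(path)
        name = result.stdout.strip()
        if result.exit_code == EXIT_SUCCESS and name:
            outcome.granted.append(name)  # exit 0 *and* a factor name: verified
        elif result.exit_code == EXIT_PASSWORD_EXPIRED:
            outcome.errors.append(f"{path}: password expired: {name}")
        else:
            # exit 1, a reserved exit value, or exit 0 with nothing on stdout:
            # none of these count as a verified factor
            outcome.errors.append(f"{path}: exit {result.exit_code}: {name}")
    # The user is logged in only if at least one factor verified.
    return outcome


def make_fake_runner(table: Dict[str, Tuple[int, str]]) -> Runner:
    """Constructed stand-in for the external programs, keyed by factor path."""
    def run(path: str) -> FactorResult:
        code, out = table[path]
        return FactorResult(path, code, out)
    return run


FACTORS = ["/usr/local/lib/cosign/factor/factor1",
           "/usr/local/lib/cosign/factor/factor2"]

# Constructed outcome: factor1 rejects the credentials, factor2 accepts them.
ONE_OF_TWO = make_fake_runner({
    FACTORS[0]: (EXIT_ERROR, "password incorrect\n"),
    FACTORS[1]: (EXIT_SUCCESS, "factor2\n"),
})

if __name__ == "__main__":
    print("before:", authenticate_before_patch(FACTORS, ONE_OF_TWO).authenticated)  # False
    print("after: ", authenticate_after_patch(FACTORS, ONE_OF_TWO).authenticated)   # True
```

The post-loop check is what keeps "factor1 or factor2" from sliding into "any exit status": a factor counts only when it both exits 0 and names itself on stdout, so a factor that prints a name but exits non-zero, or exits 0 with nothing on stdout, never reaches `granted`. Keeping the error messages per factor also gives the login screen something useful to report when every factor fails.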

