Thanks for the quick response!

--Jason

On 9/19/12 11:11 AM, Andrew Mortensen wrote:
> Thanks for the patch. I looked back through the history of that
> code, and it's always behaved that way, showing the login screen if
> any factor execution fails.
> 
> I don't see any reason why it should continue to, though. A check
> after the factorlist loop ensures that the user authenticated
> somehow. I've committed the patch to the master branch.
> 
> andrew
> 
> 
> On Sep 18, 2012, at 4:22 PM, Jason Noble <ja...@infininull.com>
> wrote:
> 
> I believe I have found a bug in the way factors are processed in 
> cosign.cgi. The manpage has the following documentation:
> 
> If authentication is successful, the external authenticator writes
> the factor name on stdout (file descriptor 1) and exits with a
> value of 0. If an error occurs, the external authenticator writes
> an error message on stdout and exits with a value of 1. If the
> user’s password has expired, the external authenticator writes an
> error message on stdout and exits with a value of 2. All other exit
> values are reserved for future use.
> 
> From that documentation, I would assume that the following lines
> in cosign.conf would allow a login from factor1 *or* factor2 so
> long as one of them exited with code 0 and wrote the factor name on
> stdout.
> 
> factor /usr/local/lib/cosign/factor/factor1 login password
> factor /usr/local/lib/cosign/factor/factor2 login password
> 
> I find this to not be the case. I believe the goto loginscreen is 
> being called prematurely, causing the for loop over the factors to
> be terminated as soon as a single factor fails. I have tested the 
> attached patch and it provides the behavior I was expecting, where 
> valid credentials supplied for factor1 *or* factor2 result in a 
> successful login. I submit this patch for the review of the Cosign 
> maintainers.
> 
> Cheers, Jason
>> <multiple_factor.patch>

_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
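
The factor-loop behaviour discussed in this thread, as an added example that is not part of the original messages and is not cosign.cgi source. It models each external authenticator run as an exit code plus its stdout text and compares the reported stop-on-first-failure loop with a loop that tries every factor and decides afterwards. The struct, the function names, the rule that exit 0 with empty stdout does not count, and the treatment of exit code 2 as simply "factor not satisfied" are assumptions.

```c
#include <stdio.h>
/* Exit codes as documented in the manpage text quoted in the thread. */
enum { FACTOR_OK = 0, FACTOR_ERROR = 1, FACTOR_EXPIRED = 2 };
enum outcome { LOGIN_SCREEN = 0, AUTHENTICATED = 1 };

/* Hypothetical record of one external authenticator run. */
struct factor_result { int exit_code; const char *out; };

/* Assumption: exit 0 only counts if a factor name was written on stdout. */
static int factor_passed(const struct factor_result *r)
{
    return r->exit_code == FACTOR_OK && r->out != NULL && r->out[0] != '\0';
}

/* Reported behaviour: the first failing factor ends the loop. */
enum outcome login_stop_on_failure(const struct factor_result *f, int n)
{
    int satisfied = 0;
    for (int i = 0; i < n; i++) {
        if (!factor_passed(&f[i]))
            return LOGIN_SCREEN;      /* premature "goto loginscreen" */
        satisfied++;
    }
    return satisfied > 0 ? AUTHENTICATED : LOGIN_SCREEN;
}

/* Patched behaviour: try every factor, decide after the loop. */
enum outcome login_any_factor(const struct factor_result *f, int n)
{
    int satisfied = 0;
    for (int i = 0; i < n; i++)
        if (factor_passed(&f[i]))
            satisfied++;
    /* Without this check, removing the early exit would fail open. */
    return satisfied > 0 ? AUTHENTICATED : LOGIN_SCREEN;
}

/* Constructed sample: factor1 rejects the password, factor2 accepts. */
static const struct factor_result sample[2] = {
    { FACTOR_ERROR, "Password incorrect" },
    { FACTOR_OK, "factor2" },
};

int main(void)
{
    printf("stop-on-failure=%d any-factor=%d\n",
           login_stop_on_failure(sample, 2), login_any_factor(sample, 2));
    return 0;
}
```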
