Hi Andrew,

I'm just putting up some new CoSign servers (trying to get out of the 
"CoSign-shaped hole" that I dug myself :-), and I thought I'd make sure that I 
had the fixed functionality referred to in this bug report (it could be really 
useful to us).
I can't see the fix applied in Git. Is this my incompetence at using Git (quite 
possible, really), or has the fix not been applied there?

Steve.

-----Original Message-----
From: Andrew Mortensen [mailto:and...@weblogin.org] 
Sent: 19 September 2012 16:11
To: Jason Noble
Cc: 
Subject: Re: [Cosign-discuss] Multiple factor bug

Thanks for the patch. I looked back through the history of that code, and it's 
always behaved that way, showing the login screen if any factor execution fails.

I don't see any reason why it should continue to, though. A check after the 
factorlist loop ensures that the user authenticated somehow. I've committed the 
patch to the master branch.

andrew


On Sep 18, 2012, at 4:22 PM, Jason Noble <ja...@infininull.com> wrote:

> 
> I believe I have found a bug in the way factors are processed in 
> cosign.cgi. The manpage has the following documentation:
> 
> If authentication is successful, the external authenticator writes the 
> factor name on stdout (file descriptor 1) and exits with a value of 0.
> If an error occurs, the external authenticator writes an error message 
> on stdout and exits with a value of 1. If the user's password has 
> expired, the external authenticator writes an error message on stdout 
> and exits with a value of 2. All other exit values are reserved for 
> future use.
> 
> From that documentation, I would assume that the following lines in 
> cosign.conf would allow a login from factor1 *or* factor2 so long as 
> one of them exited with code 0 and wrote the factor name on stdout.
> 
> factor /usr/local/lib/cosign/factor/factor1 login password
> factor /usr/local/lib/cosign/factor/factor2 login password
> 
> I find this to not be the case. I believe the goto loginscreen is 
> being called prematurely, causing the for loop over the factors to be 
> terminated as soon as a single factor fails. I have tested the 
> attached patch and it provides the behavior I was expecting, where 
> valid credentials supplied for factor1 *or* factor2 result in a 
> successful login. I submit this patch for the review of the Cosign 
> maintainers.
> 
> Cheers,
> Jason
> <multiple_factor.patch>
> _______________________________________________
> Cosign-discuss mailing list
> Cosign-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
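
A minimal C model of the two factor-loop behaviours discussed in this thread, added here as an illustration; it is not code from cosign.cgi or from the attached patch. The struct and function names are hypothetical, the sample results are constructed, and treating exit code 2 as an ordinary failure of that factor is an assumption.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_FACTORS 8

/* One external authenticator run, per the quoted manpage text:
 * exit 0 + factor name on stdout = success, 1 = error, 2 = password expired. */
struct factor_result { int exit_code; const char *out; };

struct login { int ok; size_t nfactors; const char *factors[MAX_FACTORS]; };

/* Success needs BOTH exit 0 and a non-empty factor name on stdout. */
static int factor_ok(const struct factor_result *r)
{
    return r->exit_code == 0 && r->out != NULL && r->out[0] != '\0';
}

/* Reported behaviour: the first failing factor ends the loop (goto loginscreen). */
struct login login_fail_fast(const struct factor_result *r, size_t n)
{
    struct login l = {0};
    for (size_t i = 0; i < n && l.nfactors < MAX_FACTORS; i++) {
        if (!factor_ok(&r[i])) { l.nfactors = 0; return l; }
        l.factors[l.nfactors++] = r[i].out;
    }
    l.ok = l.nfactors > 0;
    return l;
}

/* Expected behaviour: skip failed factors, then check after the loop
 * that at least one factor was actually satisfied. */
struct login login_any_factor(const struct factor_result *r, size_t n)
{
    struct login l = {0};
    for (size_t i = 0; i < n && l.nfactors < MAX_FACTORS; i++)
        if (factor_ok(&r[i]))
            l.factors[l.nfactors++] = r[i].out;
    l.ok = l.nfactors > 0;
    return l;
}

int main(void)
{
    /* Constructed sample: factor1 rejects the credentials, factor2 accepts. */
    struct factor_result runs[] = { {1, "bad password"}, {0, "factor2"} };
    printf("fail-fast: ok=%d\n", login_fail_fast(runs, 2).ok);
    printf("any-factor: ok=%d\n", login_any_factor(runs, 2).ok);
    return 0;
}
```

With any-factor semantics every `factor` line is an independent way in, so the post-loop check is the only thing that stops an attempt in which all factors failed, or one that exited 0 without naming a factor.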

