On 05/28/2015 10:40 AM, Sumit Bose wrote:
> On Wed, May 20, 2015 at 04:54:41PM +0200, Pavel Reichl wrote:
>>
>> On 05/20/2015 04:51 PM, Pavel Reichl wrote:
>>>
>>> On 04/22/2015 11:09 AM, Sumit Bose wrote:
>>> [snip]
>>>> I wonder what should happen after a local password change. We save the
>>>> hash of the new password to the cache but I think we do not change the
>>>> last online auth time here. Shall we do cached authentication with the
>>>> new password immediately here or shall we go to the backend at least
>>>> once to make sure the backend knows about the new password? I think I
>>>> would prefer the latter. Please add a test with a wrong password as well to
>>>> check if offline_failed_login_attempts and offline_failed_login_delay
>>>> are respected here as well.
>>> How exactly should offline_failed_login_attempts and
>>> offline_failed_login_delay be respected?
>>>
>>> In my current implementation cached authentication is tried no matter the
>>> value of offline_failed_login_attempt. If cached authentication fails
>>> offline_failed_login_attempt is increased and online authentication is
>>> tried. So currently offline_failed_login_delay has no influence for cached
>>> authentication. I don't consider this as a security problem because
>>> online authentication is performed for every cached authentication
>>> attempt.
>> Oh, sorry, correct wording should have been "online authentication is
>> performed for every *failed* cached authentication attempt"
>>> Do you agree?
> yes, so the offline_* parameters are kept for real offline
> authentication only. Would it be possible (without major changes) to not
> increase offline_failed_login_attempts if cached authentication fails?
Thanks for the comment. I'm not sure how hard it will be. I'll look into
it and do my best while addressing reviewers' concerns with the first
version of patches which is already on the list.
> bye,
> Sumit
>>>> (I have no doubt about this because the same code patch will be used
>>>> but better be on the safe side and be able to detect regression early).
>>>> As an alternative we might want to send the request to the backend if
>>>> cached authentication fails. This would cover the case where the user
>>>> changed the password on the server and tries to log in to a system
>>>> where the cached_authentication_timeout is not expired yet with the new
>>>> password.
>>> _______________________________________________
>>> sssd-devel mailing list
>>> sssd-devel(a)lists.fedorahosted.org
>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
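The two open points in this thread (should a failed cached authentication count against offline_failed_login_attempts, and should a cached miss always fall through to the backend so a password changed on the server is accepted) are easier to reason about with a small model of the decision flow. The following is a constructed simulation added here as an illustration; it is not SSSD code and does not call SSSD. The classes and functions (Config, CacheEntry, Backend, Responder, authenticate, scenario_*) and the count_cached_failures switch are hypothetical; the option names follow the thread (cached_authentication_timeout is the name used in this discussion), and the Config defaults and scenario inputs are made up for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Config:
    # Option names follow the thread; the values are constructed for this demo.
    cached_authentication_timeout: int = 3600  # seconds a backend success keeps cached auth usable
    offline_failed_login_attempts: int = 3     # offline failures before a delay applies (0 = unlimited)
    offline_failed_login_delay: int = 5        # minutes to wait once the limit is reached
    count_cached_failures: bool = True         # True: behaviour Pavel describes; False: what Sumit asks for


@dataclass
class CacheEntry:
    salt: bytes
    pw_hash: bytes
    last_online_auth: float   # time of the last successful backend authentication
    failed_attempts: int = 0  # the offline_failed_login_attempts counter
    last_failure: float = 0.0


class Backend:
    # Constructed stand-in for the identity server; reachable=False models real offline.
    def __init__(self, password: str, reachable: bool = True):
        self.password, self.reachable = password, reachable

    def check(self, password: str) -> str:
        if not self.reachable:
            return "offline"
        return "ok" if hmac.compare_digest(self.password, password) else "bad"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Responder:
    # Hypothetical model of the responder-side decision flow discussed in the thread.
    def __init__(self, cfg: Config, backend: Backend):
        self.cfg, self.backend = cfg, backend
        self.cache: Optional[CacheEntry] = None

    def authenticate(self, password: str, now: float) -> str:
        e = self.cache
        if e is not None and now - e.last_online_auth < self.cfg.cached_authentication_timeout:
            if hmac.compare_digest(_hash(password, e.salt), e.pw_hash):
                return "cached_ok"
            # Cached auth failed: optionally charge the offline counter, then always
            # ask the backend, which covers a password changed on the server.
            if self.cfg.count_cached_failures:
                e.failed_attempts, e.last_failure = e.failed_attempts + 1, now
        return self._online(password, now)

    def _online(self, password: str, now: float) -> str:
        result = self.backend.check(password)
        if result == "ok":  # refresh the cache, which also resets the offline counter
            salt = os.urandom(16)
            self.cache = CacheEntry(salt, _hash(password, salt), now)
            return "online_ok"
        if result == "bad":  # the server applies its own lockout policy
            return "online_denied"
        return self._offline(password, now)

    def _offline(self, password: str, now: float) -> str:
        # Backend unreachable: this is where offline_failed_login_* are meant to apply.
        e = self.cache
        if e is None:
            return "offline_denied"
        limit, delay = self.cfg.offline_failed_login_attempts, self.cfg.offline_failed_login_delay * 60
        if limit and e.failed_attempts >= limit and now - e.last_failure < delay:
            return "offline_locked"
        if hmac.compare_digest(_hash(password, e.salt), e.pw_hash):
            e.failed_attempts = 0
            return "offline_ok"
        e.failed_attempts, e.last_failure = e.failed_attempts + 1, now
        return "offline_denied"


def scenario_password_change() -> List[str]:
    # Password changed on the server while the cache entry is still fresh.
    backend = Backend("old-pw")
    r = Responder(Config(), backend)
    out = [r.authenticate("old-pw", 0.0), r.authenticate("old-pw", 10.0)]
    backend.password = "new-pw"
    out.append(r.authenticate("new-pw", 20.0))  # cached miss, backend accepts, cache refreshed
    out.append(r.authenticate("old-pw", 30.0))  # stale password: cached miss, backend rejects
    out.append(r.authenticate("new-pw", 40.0))  # new password now served from the cache
    return out


def scenario_counter(count_cached_failures: bool) -> List[str]:
    # Two typos while online, then the backend disappears and the cache entry ages out.
    backend = Backend("pw")
    cfg = Config(offline_failed_login_attempts=2, offline_failed_login_delay=120,
                 count_cached_failures=count_cached_failures)
    r = Responder(cfg, backend)
    out = [r.authenticate("pw", 0.0), r.authenticate("typo1", 1.0), r.authenticate("typo2", 2.0)]
    backend.reachable = False
    out.append(r.authenticate("pw", 4000.0))  # genuine offline login with the right password
    return out


if __name__ == "__main__":
    print(scenario_password_change(), scenario_counter(True), scenario_counter(False))
```

scenario_password_change shows the fall-through Sumit proposes: the cached miss with the new password is not a denial, the backend accepts it and the cache is refreshed, so the next login with the new password is served from the cache. scenario_counter shows why keeping the offline_* parameters for real offline authentication matters: with count_cached_failures on, two typos made while the backend was reachable (and already rejected by it) are enough to lock the same user out of a later genuine offline login with the correct password, whereas with the counter left untouched on cached misses the offline login succeeds.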