Blame SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch
From 6d813f6b03811a285c3c6dae85942c0086b619a6 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Mon, 26 Feb 2018 09:48:22 -0500
Subject: [PATCH] Revert "Don't allow OTP or RADIUS in FIPS mode"
This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622.
OTP now works in FIPS mode. RADIUS can be made compliant by wrapping
traffic in a VPN.
https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/plugins/baseuser.py |  3 ---
 ipaserver/plugins/config.py   | 16 ----------------
 2 files changed, 19 deletions(-)
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index bb8a73ded0fed135d5829ec0b0829a936f2196fb..bf24dbf542d3b481671dfe4e8cee14a2edcc26e0 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -32,7 +32,6 @@ from .baseldap import (
     add_missing_object_class)
 from ipaserver.plugins.service import (
    validate_certificate, validate_realm, normalize_principal)
-from ipaserver.plugins.config import check_fips_auth_opts
 from ipalib.request import context
 from ipalib import _
 from ipalib.constants import PATTERN_GROUPUSER_NAME
@@ -478,7 +477,6 @@ class baseuser_add(LDAPCreate):
                             **options):
         assert isinstance(dn, DN)
         set_krbcanonicalname(entry_attrs)
-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
         self.obj.convert_usercertificate_pre(entry_attrs)
 
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -602,7 +600,6 @@ class baseuser_mod(LDAPUpdate):
         assert isinstance(dn, DN)
         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
 
-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
         self.check_namelength(ldap, **options)
 
         self.check_mail(entry_attrs)
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index c9033fa8e7a2a0bfe77464fa4f9c62278bd814f6..ce15e6096f5b84dc45ee21d5aecc73ecf86eba07 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -85,20 +85,6 @@ EXAMPLES:
 
 register = Registry()
 
-
-def check_fips_auth_opts(fips_mode, **options):
-    """
-    OTP and RADIUS are not allowed in FIPS mode since they use MD5
-    checksums (OTP uses our RADIUS responder daemon ipa-otpd).
-    """
-    if 'ipauserauthtype' in options and fips_mode:
-        if ('otp' in options['ipauserauthtype'] or
-                'radius' in options['ipauserauthtype']):
-            raise errors.InvocationError(
-                'OTP and RADIUS authentication in FIPS is '
-                'not yet supported')
-
-
 @register()
 class config(LDAPObject):
     """
@@ -412,8 +398,6 @@ class config_mod(LDAPUpdate):
 
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
-
         if 'ipadefaultprimarygroup' in entry_attrs:
             group=entry_attrs['ipadefaultprimarygroup']
             try:
-- 
2.14.3