From 6d813f6b03811a285c3c6dae85942c0086b619a6 Mon Sep 17 00:00:00 2001

From: Nathaniel McCallum <npmccallum@redhat.com>

Date: Mon, 26 Feb 2018 09:48:22 -0500

Subject: [PATCH] Revert "Don't allow OTP or RADIUS in FIPS mode"

This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622.

OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping

traffic in a VPN.

https://pagure.io/freeipa/issue/7168

https://pagure.io/freeipa/issue/7243

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaserver/plugins/baseuser.py |  3 ---

 ipaserver/plugins/config.py   | 16 ----------------

 2 files changed, 19 deletions(-)

diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py

index bb8a73ded0fed135d5829ec0b0829a936f2196fb..bf24dbf542d3b481671dfe4e8cee14a2edcc26e0 100644

--- a/ipaserver/plugins/baseuser.py

+++ b/ipaserver/plugins/baseuser.py

@@ -32,7 +32,6 @@ from .baseldap import (

     add_missing_object_class)

 from ipaserver.plugins.service import (

    validate_certificate, validate_realm, normalize_principal)

-from ipaserver.plugins.config import check_fips_auth_opts

 from ipalib.request import context

 from ipalib import _

 from ipalib.constants import PATTERN_GROUPUSER_NAME

@@ -478,7 +477,6 @@ class baseuser_add(LDAPCreate):

                             **options):

         assert isinstance(dn, DN)

         set_krbcanonicalname(entry_attrs)

-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)

         self.obj.convert_usercertificate_pre(entry_attrs)

     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):

@@ -602,7 +600,6 @@ class baseuser_mod(LDAPUpdate):

         assert isinstance(dn, DN)

         add_sshpubkey_to_attrs_pre(self.context, attrs_list)

-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)

         self.check_namelength(ldap, **options)

         self.check_mail(entry_attrs)

diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py

index c9033fa8e7a2a0bfe77464fa4f9c62278bd814f6..ce15e6096f5b84dc45ee21d5aecc73ecf86eba07 100644

--- a/ipaserver/plugins/config.py

+++ b/ipaserver/plugins/config.py

@@ -85,20 +85,6 @@ EXAMPLES:

 register = Registry()

-

-def check_fips_auth_opts(fips_mode, **options):

-    """

-    OTP and RADIUS are not allowed in FIPS mode since they use MD5

-    checksums (OTP uses our RADIUS responder daemon ipa-otpd).

-    """

-    if 'ipauserauthtype' in options and fips_mode:

-        if ('otp' in options['ipauserauthtype'] or

-                'radius' in options['ipauserauthtype']):

-            raise errors.InvocationError(

-                'OTP and RADIUS authentication in FIPS is '

-                'not yet supported')

-

-

 @register()

 class config(LDAPObject):

     """

@@ -412,8 +398,6 @@ class config_mod(LDAPUpdate):

     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):

         assert isinstance(dn, DN)

-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)

-

         if 'ipadefaultprimarygroup' in entry_attrs:

             group=entry_attrs['ipadefaultprimarygroup']

             try:

-- 

2.14.3