From be18d6c15a2557e8f45e41efc81f1c005958c690 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Tue, 7 Nov 2017 14:42:12 +0100
Subject: [PATCH] Don't allow OTP or RADIUS in FIPS mode

RADIUS, which is also internally used in the process of OTP authentication by ipa-otpd, requires MD5 checksums which makes it impossible to be used in FIPS mode. Don't allow users setting OTP or RADIUS authentication if in FIPS mode.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Alexander Bokovoy
---
 ipaserver/plugins/baseuser.py | 3 +++
 ipaserver/plugins/config.py | 16 ++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index bf24dbf542d3b481671dfe4e8cee14a2edcc26e0..bb8a73ded0fed135d5829ec0b0829a936f2196fb 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -32,6 +32,7 @@ from .baseldap import (
     add_missing_object_class)
 from ipaserver.plugins.service import (
     validate_certificate, validate_realm, normalize_principal)
+from ipaserver.plugins.config import check_fips_auth_opts
 from ipalib.request import context
 from ipalib import _
 from ipalib.constants import PATTERN_GROUPUSER_NAME
@@ -477,6 +478,7 @@ class baseuser_add(LDAPCreate):
                      **options):
         assert isinstance(dn, DN)
         set_krbcanonicalname(entry_attrs)
+        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
         self.obj.convert_usercertificate_pre(entry_attrs)
 
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -600,6 +602,7 @@ class baseuser_mod(LDAPUpdate):
         assert isinstance(dn, DN)
         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
 
+        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
         self.check_namelength(ldap, **options)
         self.check_mail(entry_attrs)
 
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index ce15e6096f5b84dc45ee21d5aecc73ecf86eba07..c9033fa8e7a2a0bfe77464fa4f9c62278bd814f6 100644
--- a/ipaserver/plugins/config.py
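Review bot: The two new calls in baseuser_add.pre_callback and baseuser_mod.pre_callback (hunks @@ -477 and @@ -600) pass only `**options` to check_fips_auth_opts, so the FIPS restriction is evaluated solely on the named `ipauserauthtype` parameter and never looks at `entry_attrs`. If the generic attribute-setting options of these commands can place `ipauserauthtype` into `entry_attrs` without going through the named parameter — I cannot confirm that from the hunk — the new check would not see such a value, and a second call on the attribute side, `check_fips_auth_opts(fips_mode=self.api.env.fips_mode, ipauserauthtype=entry_attrs.get('ipauserauthtype'))`, would close that gap in both callbacks. The same observation applies to config_mod.pre_callback in the config.py hunk. Both pre_callback bodies begin and end outside their hunks.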
+++ b/ipaserver/plugins/config.py
@@ -85,6 +85,20 @@ EXAMPLES:
 register = Registry()
 
 
+
+def check_fips_auth_opts(fips_mode, **options):
+    """
+    OTP and RADIUS are not allowed in FIPS mode since they use MD5
+    checksums (OTP uses our RADIUS responder daemon ipa-otpd).
+    """
+    if 'ipauserauthtype' in options and fips_mode:
+        if ('otp' in options['ipauserauthtype'] or
+                'radius' in options['ipauserauthtype']):
+            raise errors.InvocationError(
+                'OTP and RADIUS authentication in FIPS is '
+                'not yet supported')
+
+
 @register()
 class config(LDAPObject):
     """
@@ -398,6 +412,8 @@ class config_mod(LDAPUpdate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                      **options):
         assert isinstance(dn, DN)
+        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+
         if 'ipadefaultprimarygroup' in entry_attrs:
             group=entry_attrs['ipadefaultprimarygroup']
             try:
-- 
2.13.6
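Review bot: In check_fips_auth_opts, `'ipauserauthtype' in options` is true even when the key is present with a `None` value, and `'otp' in None` on the next line then raises TypeError instead of InvocationError; if callers can pass the option as `None` to clear the attribute (presumably so, given that both *_mod callbacks forward `**options` unchanged), the guard should be `if fips_mode and options.get('ipauserauthtype'):`, which keeps the existing behaviour for an absent key and skips empty or cleared values. The membership tests also behave differently depending on whether the value arrives as a list or as a single string (`'otp' in 'otp_x'` is a substring match); normalising with `values = options['ipauserauthtype']; values = [values] if isinstance(values, str) else values` before testing would make the check exact. The docstring should state the contract, e.g. `Raises errors.InvocationError when fips_mode is set and 'otp' or 'radius' is among the requested ipauserauthtype values.`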