kiran-authentication-service/0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch


From 945a85d4d7867d103d1a98093cc5122fadd55845 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Wed, 31 May 2023 14:19:54 +0800
Subject: [PATCH 4/5] fix(multi factor): Fixed an authentication failure caused
by disabling all authentication modes during multi-factor authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 修复多因子认证时关闭所有非密码认证后认证失败的问题；认证服务进行密码认证时放行，密码认证流程由PAM模块以及PAM配置管理
Closes #I79I33
---
data/kiran-authentication-service | 7 +++--
src/daemon/auth-manager.cpp | 1 +
src/daemon/session.cpp | 29 +++++++++++++------
src/daemon/session.h | 1 +
src/pam/authentication-graphical.cpp | 1 -
src/pam/authentication-terminal.cpp | 1 -
src/pam/authentication.cpp | 6 ----
.../kiran-authentication-daemon.zh_CN.ts | 11 +++++--
8 files changed, 35 insertions(+), 22 deletions(-)
diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
index afc7e17..e0f2763 100644
--- a/data/kiran-authentication-service
+++ b/data/kiran-authentication-service
@@ -1,5 +1,8 @@
-# NOTE:需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
+# NOTE:
+# 需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
# 若不修改,用户已锁定也能开始认证,无论认证是否成功都会失败,并且无提示。
+# sudo 若用户已锁定,仍然会尝试多次
+# sudo visudo ,添加'Defaults passwd_tries=1'行将sudo尝试次数修改为1
# =========================认证配置项目================================ #
# 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
@@ -10,7 +13,7 @@ auth [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
# 认证服务后续认证流程兼容走系统错误计数failock, pam_debug只是修改认证状态值为成功
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
-auth required pam_debug
+auth required pam_debug.so
# 认证成功,清理内部记录错误次数
account required pam_kiran_authentication.so authsucc
\ No newline at end of file
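Review bot: The corrected `auth required pam_debug.so` line carries no `auth=` argument, so it depends on pam_debug's default of returning success from pam_sm_authenticate; the comment above says that is intended, but a line that unconditionally succeeds inside an auth stack should state it on the line itself, `auth required pam_debug.so auth=success`, so an auditor does not have to know the module default. From the lines visible here the reachability of this line is also unclear: the `ignore=2` on the pam_kiran_authentication.so line named in the hunk header jumps past two modules, and `[default=die]` on the pam_faillock line never falls through, so unless further lines of the stack sit between them outside this hunk, pam_debug may never run. A one-line comment naming the control path that is meant to reach pam_debug would settle that for the next reader.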
diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
index 7ebef89..3d7aaf0 100644
--- a/src/daemon/auth-manager.cpp
+++ b/src/daemon/auth-manager.cpp
@@ -196,6 +196,7 @@ QList<int> AuthManager::GetAuthTypeByApp(int32_t authApp)
enabledAuthTypeIter++;
}
+ sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD;
KLOG_DEBUG() << "get auth types by app:" << authApp << "result:" << sortedAuthTypes;
return sortedAuthTypes;
}
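Review bot: The new `sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD;` appends unconditionally, so if the enabled-type loop above it (outside the hunk) can already produce KAD_AUTH_TYPE_PASSWORD the returned list carries a duplicate; guard it with `if (!sortedAuthTypes.contains(KAD_AUTH_TYPE_PASSWORD)) sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD;`. The line also changes the D-Bus contract of GetAuthTypeByApp — its result can no longer be empty, which is what makes the `authTypeList.isEmpty()` check removed in src/pam/authentication.cpp dead — and that deserves a comment at the point it happens: `// Password is always listed: the daemon does not verify it (see Session::startPasswdAuth) but offers it so the PAM stack can fall back to it.` GetAuthTypeByApp starts outside the hunk.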
diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp
index f24a697..e8c516b 100644
--- a/src/daemon/session.cpp
+++ b/src/daemon/session.cpp
@@ -128,17 +128,11 @@ void Session::StartAuth()
DBUS_ERROR_REPLY_AND_RET(QDBusError::AccessDenied, KADErrorCode::ERROR_USER_IDENTIFIYING);
}
- if (this->m_authType == KAD_AUTH_TYPE_NONE || this->m_authType == KAD_AUTH_TYPE_PASSWORD)
- {
- KLOG_WARNING() << m_sessionID << "auth type is invalid" << this->m_authType << ",start auth failed";
- DBUS_ERROR_REPLY_AND_RET(QDBusError::Failed, KADErrorCode::ERROR_FAILED);
- }
-
KLOG_DEBUG() << m_sessionID << "start auth";
this->m_verifyInfo.m_inAuth = true;
this->m_verifyInfo.m_dbusMessage = this->message();
this->startPhaseAuth();
-}
+}
void Session::StopAuth()
{
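Review bot: Deleting the whole guard drops the rejection of KAD_AUTH_TYPE_NONE together with KAD_AUTH_TYPE_PASSWORD, yet the switch in startPhaseAuth (the next hunk of this file) only gains a PASSWORD case, so a session whose type is NONE now falls into `default: startGeneralAuth();` and is reported as a missing device instead of an invalid request. Keep the NONE half of the check: `if (this->m_authType == KAD_AUTH_TYPE_NONE) { KLOG_WARNING() << m_sessionID << "auth type is invalid" << this->m_authType << ",start auth failed"; DBUS_ERROR_REPLY_AND_RET(QDBusError::Failed, KADErrorCode::ERROR_FAILED); }`. The `-}` / `+}` pair at the end of the hunk is a whitespace-only change. StartAuth starts outside the hunk.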
@@ -258,11 +252,15 @@ void Session::startPhaseAuth()
// 开始阶段认证前,通知认证类型状态变更
emit this->m_dbusAdaptor->AuthTypeChanged(this->m_authType);
+
switch (this->m_authType)
{
case KAD_AUTH_TYPE_UKEY:
startUkeyAuth();
break;
+ case KAD_AUTH_TYPE_PASSWORD:
+ startPasswdAuth();
+ break;
default:
startGeneralAuth();
break;
@@ -282,6 +280,14 @@ void Session::startUkeyAuth()
Q_EMIT this->AuthPrompt(tr("please input ukey code."), KADPromptType::KAD_PROMPT_TYPE_SECRET);
}
+void Session::startPasswdAuth()
+{
+ KLOG_DEBUG() << "The authentication service does not take over password authentication,ignore!";
+ this->m_verifyInfo.m_inAuth = true;
+ this->m_verifyInfo.m_authenticatedUserName = m_userName;
+ this->finishPhaseAuth(true,false);
+}
+
void Session::startGeneralAuth(const QString &extraInfo)
{
auto deviceType = Utils::authType2DeviceType(this->m_authType);
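Review bot: startPasswdAuth marks the phase as passed with `finishPhaseAuth(true,false)` and records `m_authenticatedUserName` without the daemon checking anything, and in KAD_AUTH_MODE_AND that success reaches finishAuth as soon as the waiting list is empty (see the finishPhaseAuth hunk below), so every reader of that result must know the password is only verified later by the PAM stack configured in data/kiran-authentication-service. State it on the function: `// The password is deliberately not verified here: the daemon only advances the phase and leaves the real check to the PAM stack.` The `m_verifyInfo.m_inAuth = true` assignment repeats what StartAuth already set before calling startPhaseAuth, so it looks redundant unless another path reaches this function. `finishPhaseAuth(true,false)` also lacks the space after the comma used elsewhere in the file (`finishPhaseAuth(false, false)`).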
@@ -299,7 +305,8 @@ void Session::startGeneralAuth(const QString &extraInfo)
{
auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);
KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << m_authType;
- Q_EMIT this->AuthMessage(tr(QString("can not find %1 device").arg(authTypeStr).toStdString().c_str()), KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+ Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)),KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+
this->finishPhaseAuth(false, false);
return;
}
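Review bot: After the replaced AuthMessage line, `authTypeStr` computed two lines above is no longer read anywhere in the hunk, which leaves an unused local (and a compiler warning) unless a use follows below the hunk; either drop that line or put it to use in the log, `KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << authTypeStr;`. Applying tr() to the literal format string and calling arg() afterwards is the right fix, since the old line passed an already-formatted string to tr() and could never be translated. The new line is also missing the space after the comma before `KADMessageType`, which the old line had. startGeneralAuth's body continues outside the hunk.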
@@ -352,7 +359,11 @@ void Session::finishPhaseAuth(bool isSuccess, bool recordFailure)
break;
case KADAuthMode::KAD_AUTH_MODE_AND:
{
- this->m_authOrderWaiting.removeOne(this->m_authType);
+ if( this->m_authOrderWaiting.size() > 0 )
+ {
+ this->m_authOrderWaiting.removeOne(this->m_authType);
+ }
+
if (this->m_authOrderWaiting.size() == 0)
{
this->finishAuth(isSuccess, recordFailure);
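Review bot: The new `size() > 0` guard does not change behaviour — `QList::removeOne` on an empty list is a no-op that returns false — so it reads as a fix without being one. The value worth checking is the return of removeOne: if `m_authType` is not in `m_authOrderWaiting` (for instance KAD_AUTH_TYPE_PASSWORD, should the waiting order be built from a list that does not contain it), the phase result is counted without anything being removed; `if (!this->m_authOrderWaiting.removeOne(this->m_authType)) KLOG_WARNING() << m_sessionID << "auth type not in waiting order:" << this->m_authType;`. The `if( ... )` spacing also departs from the `if (` style used by the surrounding code. finishPhaseAuth starts outside the hunk.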
diff --git a/src/daemon/session.h b/src/daemon/session.h
index 2998f73..a850237 100644
--- a/src/daemon/session.h
+++ b/src/daemon/session.h
@@ -98,6 +98,7 @@ private:
private:
void startPhaseAuth();
void startUkeyAuth();
+ void startPasswdAuth();
void startGeneralAuth(const QString &extraInfo = QString());
void finishPhaseAuth(bool isSuccess,bool recordFailure = true);
diff --git a/src/pam/authentication-graphical.cpp b/src/pam/authentication-graphical.cpp
index 619f3cf..2f104ac 100644
--- a/src/pam/authentication-graphical.cpp
+++ b/src/pam/authentication-graphical.cpp
@@ -64,7 +64,6 @@ void AuthenticationGraphical::notifySupportAuthType()
{
auto authType = this->m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
QList<int> authTypeList = authType.value();
- authTypeList << KAD_AUTH_TYPE_PASSWORD;
QStringList authTypeStrList;
for (auto authType : authTypeList)
diff --git a/src/pam/authentication-terminal.cpp b/src/pam/authentication-terminal.cpp
index 5db6b1c..01d66c6 100644
--- a/src/pam/authentication-terminal.cpp
+++ b/src/pam/authentication-terminal.cpp
@@ -34,7 +34,6 @@ void AuthenticationTerminal::notifySupportAuthType()
{
auto authType = this->m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
QList<int> authTypeList = authType.value();
- authTypeList << KAD_AUTH_TYPE_PASSWORD;
QList<KADAuthType> tempAuthTypeList;
for (auto authType : authTypeList)
diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
index 6a165fd..06bc010 100644
--- a/src/pam/authentication.cpp
+++ b/src/pam/authentication.cpp
@@ -184,14 +184,8 @@ int Authentication::startAuthPre()
{
auto authTypeReply = m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
QList<int> authTypeList = authTypeReply.value();
- if (m_authApplication == KAD_AUTH_APPLICATION_NONE || authTypeList.isEmpty())
- {
- this->m_pamHandle->syslog(LOG_DEBUG, QString("The pam service '%1' is unsupported or authentication type is not configured.").arg(this->m_serviceName));
- return PAM_IGNORE;
- }
this->notifyAuthMode();
-
RETURN_VAL_IF_TRUE(!this->initSession(), PAM_SYSTEM_ERR);
if (this->m_authManagerProxy->authMode() == KADAuthMode::KAD_AUTH_MODE_OR)
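Review bot: Deleting the whole early return also removes the `m_authApplication == KAD_AUTH_APPLICATION_NONE` case, so a PAM service the module does not recognise now continues into initSession instead of returning PAM_IGNORE. The `authTypeList.isEmpty()` half is indeed dead once GetAuthTypeByApp always appends KAD_AUTH_TYPE_PASSWORD (src/daemon/auth-manager.cpp in this patch), but nothing in the patch shows the NONE case being handled elsewhere. Keep that half: `if (m_authApplication == KAD_AUTH_APPLICATION_NONE) { this->m_pamHandle->syslog(LOG_DEBUG, QString("The pam service '%1' is unsupported.").arg(this->m_serviceName)); return PAM_IGNORE; }`. startAuthPre starts before and continues past the hunk.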
diff --git a/translations/kiran-authentication-daemon.zh_CN.ts b/translations/kiran-authentication-daemon.zh_CN.ts
index 4292ee7..8c03e2c 100644
--- a/translations/kiran-authentication-daemon.zh_CN.ts
+++ b/translations/kiran-authentication-daemon.zh_CN.ts
@@ -12,20 +12,25 @@
<context>
<name>Kiran::Session</name>
<message>
- <location filename="../src/daemon/session.cpp" line="201"/>
+ <location filename="../src/daemon/session.cpp" line="195"/>
<source>Please wait while the %1 request is processed</source>
<translation>%1认证请求正在等待处理</translation>
</message>
<message>
- <location filename="../src/daemon/session.cpp" line="281"/>
+ <location filename="../src/daemon/session.cpp" line="279"/>
<source>Insert the UKey and enter the PIN code</source>
<translation>请插入UKey并输入PIN码</translation>
</message>
<message>
- <location filename="../src/daemon/session.cpp" line="282"/>
+ <location filename="../src/daemon/session.cpp" line="280"/>
<source>please input ukey code.</source>
<translation>请输入PIN码。</translation>
</message>
+ <message>
+ <location filename="../src/daemon/session.cpp" line="308"/>
+ <source>can not find %1 device</source>
+ <translation>未能检测到%1设备</translation>
+ </message>
</context>
<context>
<name>Kiran::User</name>
--
2.33.0