From 945a85d4d7867d103d1a98093cc5122fadd55845 Mon Sep 17 00:00:00 2001
From: liuxinhao
Date: Wed, 31 May 2023 14:19:54 +0800
Subject: [PATCH 4/5] fix(multi factor): Fixed an authentication failure caused by disabling all authentication modes during multi-factor authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 修复多因子认证时,关闭所有非密码认证,认证失败的问题,认证服务进行密码认证时放行,密码认证流程由PAM模块以及PAM配置管理

Closes #I79I33
---
 data/kiran-authentication-service | 7 +++--
 src/daemon/auth-manager.cpp | 1 +
 src/daemon/session.cpp | 29 +++++++++++++------
 src/daemon/session.h | 1 +
 src/pam/authentication-graphical.cpp | 1 -
 src/pam/authentication-terminal.cpp | 1 -
 src/pam/authentication.cpp | 6 ----
 .../kiran-authentication-daemon.zh_CN.ts | 11 +++++--
 8 files changed, 35 insertions(+), 22 deletions(-)

diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
index afc7e17..e0f2763 100644
--- a/data/kiran-authentication-service
+++ b/data/kiran-authentication-service
@@ -1,5 +1,8 @@
-# NOTE:需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
+# NOTE:
+# 需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
 # 若不修改,用户已锁定也能开始认证,无论认证是否成功都会失败,并且无提示。
+# sudo 若用户已锁定,仍然会尝试多次
+# sudo visudo ,添加'Defaults passwd_tries=1'行,将sudo尝试次数修改为1
 # =========================认证配置项目================================
 #
 # 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
@@ -10,7 +13,7 @@ auth [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
 # 认证服务后续认证流程兼容,走系统错误计数failock, pam_debug只是修改认证状态值为成功
 auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
-auth required pam_debug
+auth required pam_debug.so
 # 认证成功,清理内部记录错误次数
 account required pam_kiran_authentication.so authsucc
\ No newline at end of file
diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
index 7ebef89..3d7aaf0 100644
--- a/src/daemon/auth-manager.cpp
+++ b/src/daemon/auth-manager.cpp
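Review bot: The corrected `auth required pam_debug.so` line is a force-success step — pam_debug with no arguments returns success for every call — and the comment above it only mentions that in passing; the intent would be clearer if the line said so itself, `auth required pam_debug.so auth=success`, with the comment stating that it only rewrites the stack status after `pam_faillock.so authfail` has recorded the failure. It is also worth confirming that this line and the faillock line are reachable at all: the `[success=done ignore=2 default=die]` control shown in the hunk context terminates the stack on both success and failure, and `ignore=2` jumps over exactly these two lines, so the comment should name the return path that is expected to arrive here. The new `sudo visudo` / `Defaults passwd_tries=1` instruction, like the existing required→requisite note, is a manual deployment step that nothing in this file enforces; it belongs in the install documentation as well. The file still ends without a trailing newline.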
@@ -196,6 +196,7 @@ QList AuthManager::GetAuthTypeByApp(int32_t authApp)
 enabledAuthTypeIter++;
 }
+ sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD;
 KLOG_DEBUG() << "get auth types by app:" << authApp << "result:" << sortedAuthTypes;
 return sortedAuthTypes;
 }
diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp
index f24a697..e8c516b 100644
--- a/src/daemon/session.cpp
+++ b/src/daemon/session.cpp
@@ -128,17 +128,11 @@ void Session::StartAuth()
 DBUS_ERROR_REPLY_AND_RET(QDBusError::AccessDenied, KADErrorCode::ERROR_USER_IDENTIFIYING);
 }
- if (this->m_authType == KAD_AUTH_TYPE_NONE || this->m_authType == KAD_AUTH_TYPE_PASSWORD)
- {
- KLOG_WARNING() << m_sessionID << "auth type is invalid" << this->m_authType << ",start auth failed";
- DBUS_ERROR_REPLY_AND_RET(QDBusError::Failed, KADErrorCode::ERROR_FAILED);
- }
 KLOG_DEBUG() << m_sessionID << "start auth";
 this->m_verifyInfo.m_inAuth = true;
 this->m_verifyInfo.m_dbusMessage = this->message();
 this->startPhaseAuth();
-}
+}
 void Session::StopAuth()
 {
@@ -258,11 +252,15 @@ void Session::startPhaseAuth()
 // 开始阶段认证前,通知认证类型状态变更
 emit this->m_dbusAdaptor->AuthTypeChanged(this->m_authType);
+
 switch (this->m_authType)
 {
 case KAD_AUTH_TYPE_UKEY:
 startUkeyAuth();
 break;
+ case KAD_AUTH_TYPE_PASSWORD:
+ startPasswdAuth();
+ break;
 default:
 startGeneralAuth();
 break;
@@ -282,6 +280,14 @@ void Session::startUkeyAuth()
 Q_EMIT this->AuthPrompt(tr("please input ukey code."), KADPromptType::KAD_PROMPT_TYPE_SECRET);
 }
+void Session::startPasswdAuth()
+{
+ KLOG_DEBUG() << "The authentication service does not take over password authentication,ignore!";
+ this->m_verifyInfo.m_inAuth = true;
+ this->m_verifyInfo.m_authenticatedUserName = m_userName;
+ this->finishPhaseAuth(true,false);
+}
+
 void Session::startGeneralAuth(const QString &extraInfo)
 {
 auto deviceType = Utils::authType2DeviceType(this->m_authType);
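Review bot: The new `sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD;` appends unconditionally, so if the enabled-type loop above it can already yield the password type the result contains it twice, and any caller that removes or counts entries by value (the AND-mode `m_authOrderWaiting` handling in session.cpp, for instance) would see a duplicate; `if (!sortedAuthTypes.contains(KAD_AUTH_TYPE_PASSWORD)) sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD;` gives the same guarantee without it. This is now the single place that guarantees password is present — the PAM-side appends in authentication-graphical.cpp and authentication-terminal.cpp were removed in this commit — so a one-line comment above it stating that the returned list is never empty and always ends with the password type would save the next reader a search. The function starts outside the hunk, so whether the loop can produce the password type is inferred rather than visible.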
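Review bot: Removing the whole guard in `StartAuth()` drops the `KAD_AUTH_TYPE_NONE` rejection together with the password one, so a session whose auth type is still NONE now runs on into `startPhaseAuth()`, where the `switch` in the next hunk sends it to the `default:` `startGeneralAuth()` branch instead of failing the D-Bus call up front with a clear error. Only the password half of the condition became valid with this change; keeping `if (this->m_authType == KAD_AUTH_TYPE_NONE)` with the existing `KLOG_WARNING()` line and `DBUS_ERROR_REPLY_AND_RET(QDBusError::Failed, KADErrorCode::ERROR_FAILED);` preserves the explicit rejection of an unset type. Whether NONE can actually reach `StartAuth()` depends on how `m_authType` is assigned, which is outside this hunk.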
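Review bot: `startPasswdAuth()` reports the phase as successful and sets `m_authenticatedUserName` without this daemon verifying anything, relying on the system PAM stack to perform the password check after the module returns; that contract is stated only in a debug log line and should be a comment on the function, e.g. `// Password is checked by the PAM stack, not by this service; this phase "succeeds" only so the multi-factor ordering can advance and must not be treated as an authenticated result on its own.` In AND mode that success feeds `finishPhaseAuth(true, false)` and, once `m_authOrderWaiting` is empty, `finishAuth(isSuccess, ...)`, so whatever consumes the session's success result (the PAM module, the `authsucc` account step in the service file) has to tell a password-type pass apart from a real one; if it does not, that is worth checking before merge. The `this->m_verifyInfo.m_inAuth = true;` assignment repeats what `StartAuth()` already set on this path and can go, and the log text is missing a space after the comma.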
@@ -299,7 +305,8 @@ void Session::startGeneralAuth(const QString &extraInfo)
 {
 auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);
 KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << m_authType;
- Q_EMIT this->AuthMessage(tr(QString("can not find %1 device").arg(authTypeStr).toStdString().c_str()), KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+ Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)),KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+ this->finishPhaseAuth(false, false);
 return;
 }
@@ -352,7 +359,11 @@ void Session::finishPhaseAuth(bool isSuccess, bool recordFailure)
 break;
 case KADAuthMode::KAD_AUTH_MODE_AND:
 {
- this->m_authOrderWaiting.removeOne(this->m_authType);
+ if( this->m_authOrderWaiting.size() > 0 )
+ {
+ this->m_authOrderWaiting.removeOne(this->m_authType);
+ }
+
 if (this->m_authOrderWaiting.size() == 0)
 {
 this->finishAuth(isSuccess, recordFailure);
diff --git a/src/daemon/session.h b/src/daemon/session.h
index 2998f73..a850237 100644
--- a/src/daemon/session.h
+++ b/src/daemon/session.h
@@ -98,6 +98,7 @@ private:
 private:
 void startPhaseAuth();
 void startUkeyAuth();
+ void startPasswdAuth();
 void startGeneralAuth(const QString &extraInfo = QString());
 void finishPhaseAuth(bool isSuccess,bool recordFailure = true);
diff --git a/src/pam/authentication-graphical.cpp b/src/pam/authentication-graphical.cpp
index 619f3cf..2f104ac 100644
--- a/src/pam/authentication-graphical.cpp
+++ b/src/pam/authentication-graphical.cpp
@@ -64,7 +64,6 @@ void AuthenticationGraphical::notifySupportAuthType()
 {
 auto authType = this->m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
 QList authTypeList = authType.value();
- authTypeList << KAD_AUTH_TYPE_PASSWORD;
 QStringList authTypeStrList;
 for (auto authType : authTypeList)
diff --git a/src/pam/authentication-terminal.cpp b/src/pam/authentication-terminal.cpp
index 5db6b1c..01d66c6 100644
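Review bot: `authTypeStr` on the second line of the hunk is now dead: its only use was the removed `AuthMessage` line, and the replacement builds the message from `Utils::authTypeEnum2LocaleStr(this->m_authType)` instead. Either drop the local or use it in the warning, which currently prints the raw enum value, e.g. `KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << authTypeStr;`. The added `this->finishPhaseAuth(false, false);` is the right fail-closed step for a missing device; a short comment saying why `recordFailure` is false here (a missing device is not a wrong credential, so it should not count as a failed attempt) would keep that choice from being "fixed" later. A space after the comma before `KADMessageType::KAD_MESSAGE_TYPE_ERROR` would match the surrounding style.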
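Review bot: The new `if( this->m_authOrderWaiting.size() > 0 )` guard around `removeOne()` in `finishPhaseAuth()` changes nothing — `QList::removeOne` on an empty list simply returns false — so it either hides a different intent or is noise. If the concern is that `m_authType` may not be in the waiting list at all (plausible now that the password type is always part of the type list), the meaningful check is the return value, e.g. `if (!this->m_authOrderWaiting.removeOne(this->m_authType)) { KLOG_WARNING() << m_sessionID << "auth type not in waiting list" << this->m_authType; }`; otherwise the single original line should be restored. If a guard is kept, `if (!this->m_authOrderWaiting.isEmpty())` matches the `if (` spacing used two lines below. The enclosing switch starts outside the hunk.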
--- a/src/pam/authentication-terminal.cpp
+++ b/src/pam/authentication-terminal.cpp
@@ -34,7 +34,6 @@ void AuthenticationTerminal::notifySupportAuthType()
 {
 auto authType = this->m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
 QList authTypeList = authType.value();
- authTypeList << KAD_AUTH_TYPE_PASSWORD;
 QList tempAuthTypeList;
 for (auto authType : authTypeList)
diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
index 6a165fd..06bc010 100644
--- a/src/pam/authentication.cpp
+++ b/src/pam/authentication.cpp
@@ -184,14 +184,8 @@ int Authentication::startAuthPre()
 {
 auto authTypeReply = m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
 QList authTypeList = authTypeReply.value();
- if (m_authApplication == KAD_AUTH_APPLICATION_NONE || authTypeList.isEmpty())
- {
- this->m_pamHandle->syslog(LOG_DEBUG, QString("The pam service '%1' is unsupported or authentication type is not configured.").arg(this->m_serviceName));
- return PAM_IGNORE;
- }
 this->notifyAuthMode();
-
 RETURN_VAL_IF_TRUE(!this->initSession(), PAM_SYSTEM_ERR);
 if (this->m_authManagerProxy->authMode() == KADAuthMode::KAD_AUTH_MODE_OR)
diff --git a/translations/kiran-authentication-daemon.zh_CN.ts b/translations/kiran-authentication-daemon.zh_CN.ts
index 4292ee7..8c03e2c 100644
--- a/translations/kiran-authentication-daemon.zh_CN.ts
+++ b/translations/kiran-authentication-daemon.zh_CN.ts
@@ -12,20 +12,25 @@ Kiran::Session - + Please wait while the %1 request is processed %1认证请求正在等待处理 - + Insert the UKey and enter the PIN code 请插入UKey并输入PIN码 - + please input ukey code. 请输入PIN码。 + + + can not find %1 device 未能检测到%1设备 + Kiran::User
-- 
2.33.0
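Review bot: The removed early return in `startAuthPre()` bundled two separate conditions, and only one of them is made obsolete by this commit: `authTypeList.isEmpty()` can no longer be true now that `GetAuthTypeByApp` always appends the password type, but `m_authApplication == KAD_AUTH_APPLICATION_NONE` (an unrecognised PAM service) still can, and such a service now continues into `notifyAuthMode()` and `initSession()` instead of returning `PAM_IGNORE`. Unless NONE is rejected elsewhere, keep that half: `if (m_authApplication == KAD_AUTH_APPLICATION_NONE) { this->m_pamHandle->syslog(LOG_DEBUG, QString("The pam service '%1' is unsupported.").arg(this->m_serviceName)); return PAM_IGNORE; }`. With the check gone, `authTypeList` has no remaining use in the visible lines; if the rest of `startAuthPre()`, which continues outside the hunk, does not read it, the `GetAuthTypeByApp` round trip at the top can be dropped as well.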