Opened 10 years ago
Closed 10 years ago
#729 closed enhancement (fixed)
Check YubiKey password before user password
Reported by: | Nicklas Nordborg | Owned by: | Nicklas Nordborg |
---|---|---|---|
Priority: | critical | Milestone: | YubiKey v1.2 |
Component: | net.sf.basedb.yubikey | Keywords: | |
Cc: | | | |
Description
In the current implementation we first check if the regular user password is correct or not. If it is not correct, an error message is displayed and the YubiKey OTP is never checked. This means that we are left with a valid YubiKey OTP, not accounted for, that could potentially be snapped up and used by someone else.
Ok, this is not as bad as it first sounds since YubiKey keeps track of the sequence of generated OTPs. E.g. an unused OTP becomes invalid as soon as a new OTP has been generated and validated against the server.
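As an added illustration (not BASE's own code), the Python model below reproduces the ordering problem described in this ticket and the reordering applied in [3133]; the toy validator, the account and the OTP values are all constructed for the example.

```python
import hmac


class OtpValidator:
    """Toy stand-in for a YubiKey validation server (constructed for this example).

    An OTP is modelled as (public_id, counter) and is accepted only if its counter is
    higher than the last one validated for that key. This is what makes an unused OTP
    invalid once a newer one has been validated, as noted in the ticket.
    """

    def __init__(self):
        self.last_counter = {}

    def validate(self, otp):
        public_id, counter = otp
        if counter <= self.last_counter.get(public_id, -1):
            return False  # replayed or stale OTP
        self.last_counter[public_id] = counter  # a successful check consumes the OTP
        return True


# Constructed account: one user bound to one YubiKey public id.
USERS = {"alice": {"password": "correct horse", "public_id": "cccccc-example"}}


def _credentials_ok(user, password, otp):
    """Password check plus the binding between the account and the key the OTP came from."""
    acct = USERS.get(user)
    if acct is None:
        return False
    return hmac.compare_digest(acct["password"], password) and otp[0] == acct["public_id"]


def login_password_first(validator, user, password, otp):
    """Pre-fix order: a wrong password returns early and the OTP is never validated."""
    if not _credentials_ok(user, password, otp):
        return False
    return validator.validate(otp)


def login_otp_first(validator, user, password, otp):
    """Fixed order: the OTP is validated, and thereby consumed, before the password is checked."""
    otp_ok = validator.validate(otp)
    return otp_ok and _credentials_ok(user, password, otp)


def failed_login_leaves_otp_valid(login):
    """Attempt a login with a wrong password, then report whether the same OTP still validates."""
    validator = OtpValidator()
    otp = ("cccccc-example", 7)
    assert login(validator, "alice", "wrong password", otp) is False
    return validator.validate(otp)  # True means the OTP was left unconsumed
```

With the pre-fix order the helper returns True (the OTP is still live after the failed attempt); with the fixed order it returns False, because the failed attempt already consumed it.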
(In [3133]) Fixes #729: Check YubiKey password before user password
Re-ordered the checks in the YubiKeyAuthenticationManager so that the one-time-password is verified before the password.