#4690 When OTP is used the password is not required
Closed: Fixed None Opened 5 years ago by ctria.

When a user is configured to use OTP, the password the user is expected to provide is the combination of his password and the OTP tokencode.

It looks like it is possible to log in by providing only the OTP tokencode.


CVE-2014-7828 is assigned.

master:

  • 79df668 Ensure that a password exists after OTP validation

ipa-4-1:

  • a601daa Ensure that a password exists after OTP validation

ipa-4-0:

  • 013e2ea Ensure that a password exists after OTP validation

This was fixed also in 4.0.5, fixing milestone.

Metadata Update from @ctria:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.0.5

2 years ago
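The failure reported in this ticket and the check named in the fix commits ("Ensure that a password exists after OTP validation") can be modelled as follows. This is an added example, not part of the ticket and not FreeIPA's code. The 6-digit HOTP token code, the account record layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # assumed token code length


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP code for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_user(password: str, otp_secret: bytes) -> dict:
    """Constructed sample account record (hypothetical layout)."""
    salt = b"constructed-salt"
    return {"salt": salt, "pw_hash": pw_hash(password, salt), "otp_secret": otp_secret}


def _check(user: dict, credential: str, counter: int, require_password: bool) -> bool:
    # The credential is the password followed by the token code.
    password, code = credential[:-DIGITS], credential[-DIGITS:]
    expected = hotp(user["otp_secret"], counter)
    if not hmac.compare_digest(code.encode(), expected.encode()):
        return False
    if not password:
        # Nothing is left once the token code is stripped off.
        return not require_password
    return hmac.compare_digest(user["pw_hash"], pw_hash(password, user["salt"]))


def authenticate_flawed(user: dict, credential: str, counter: int) -> bool:
    """Models the reported behaviour: an empty password part is never checked."""
    return _check(user, credential, counter, require_password=False)


def authenticate_fixed(user: dict, credential: str, counter: int) -> bool:
    """Rejects the bind unless a password exists after OTP validation."""
    return _check(user, credential, counter, require_password=True)
```

A regression test for this class of bug should submit the token code alone and assert that authentication fails, alongside the usual wrong-password and wrong-code cases.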
