Bug 4561 - OTP support for the HTML5 client
Summary: OTP support for the HTML5 client
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access (show other bugs)
Version: 3.2.0
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.1.0
Assignee: Peter Åstrand
URL:
Keywords: hean01_tester
Depends on: 4132
Blocks:
  Show dependency treegraph
 
Reported: 2013-03-21 12:32 CET by Peter Åstrand
Modified: 2016-02-25 12:49 CET (History)
0 users

See Also:
Acceptance Criteria:


Attachments

Description Peter Åstrand cendio 2013-03-21 12:32:44 CET
At some point, we need to implement OTP support for the HTML5 client.
Comment 1 Peter Åstrand cendio 2013-04-15 15:51:53 CEST
Fixed in:
r27076
r27077
r27078

Time reporting on bug 4132. The tester should check:

* Authentication with normal passwords, as well as extra prompts ie OTP
* Cleanup of stale "pamtester" processes and FIFOs in /tmp
* Bonus: Authentication with passwordless username
* Security aspects
* Error handling
Comment 2 Henrik Andersson cendio 2013-05-02 15:48:57 CEST
(In reply to comment #1)
> * Authentication with normal passwords, as well as extra prompts ie OTP

Work as expected, tested using pam_prompt.so.

> * Bonus: Authentication with passwordless username

Works in a strange way, empty password from login form is passed as
response to OTP prompt, however the thinlinc client works this way too.
Comment 3 Henrik Andersson cendio 2013-05-03 10:48:19 CEST
> * Error handling

I configured pam_radius module for sshd which pointed out a non existing radius server, pamtester auth failures log auth failures into the html page but no trace in /var/log/tlwebaccess.log
Comment 4 Henrik Andersson cendio 2013-05-03 10:59:14 CEST
While using pam_prompt and at login form when prompt for second input I stopped pamtester 'kill -STOP <pid>'. Then i continued with the login form filling in a prompt and continue, the form hangs forever (>60 secs).

Maybe we should have a timeout for IPC tlwebaccess <-> pamtester
Comment 5 Henrik Andersson cendio 2013-05-03 11:15:06 CEST
> * Cleanup of stale "pamtester" processes and FIFOs in /tmp

After the stop of pamtester process in comment #4 it took some time for cleanup but /tmp was cleaned up from .err/.in/.out fifos, however the tlwebaccess process which wants to communicate with pamtester seems to never die.
Comment 6 Peter Åstrand cendio 2013-05-03 11:33:46 CEST
(In reply to comment #3)
> > * Error handling
> 
> I configured pam_radius module for sshd which pointed out a non existing radius
> server, pamtester auth failures log auth failures into the html page but no
> trace in /var/log/tlwebaccess.log

Moved to bug https://www.cendio.com/bugzilla/show_bug.cgi?id=4632.
Comment 7 Peter Åstrand cendio 2013-05-03 12:03:14 CEST
(In reply to comment #5)
> > * Cleanup of stale "pamtester" processes and FIFOs in /tmp
> 
> After the stop of pamtester process in comment #4 it took some time for cleanup
> but /tmp was cleaned up from .err/.in/.out fifos, however the tlwebaccess
> process which wants to communicate with pamtester seems to never die.

This and comment #4 should be fixed in 27303.
Comment 8 Henrik Andersson cendio 2013-05-06 09:21:33 CEST
(In reply to comment #7)
> (In reply to comment #5)
> > > * Cleanup of stale "pamtester" processes and FIFOs in /tmp
> > 
> > After the stop of pamtester process in comment #4 it took some time for cleanup
> > but /tmp was cleaned up from .err/.in/.out fifos, however the tlwebaccess
> > process which wants to communicate with pamtester seems to never die.
> 
> This and comment #4 should be fixed in 27303.

Using build 3937, Verified that there is a 120 seconds timeout for IPC communications tlwebaccess <-> pamtester.

Upon timeout, the rendered html page shows an error message.
Comment 9 Henrik Andersson cendio 2013-05-06 10:37:16 CEST
Also tested to login steps until the OTP prompt, were i went back to main login form (a few times), leaving a few tlwebaccess+pamtester alive but not used. 

Those left overs where successfully removed after a timeout.

After these tests and fixes it seems to work fine. Closing this bug as fixed.

Note You need to log in before you can comment on or make changes to this bug.