www.cendio.com
Bug 4561 - OTP support for the HTML5 client
: OTP support for the HTML5 client
Status: CLOSED FIXED
: ThinLinc
Web Access
: 3.2.0
: PC Unknown
: P2 Normal
: 4.1.0
Assigned To:
:
:
: 4132
:
  Show dependency treegraph
 
Reported: 2013-03-21 12:32 by
Modified: 2016-02-25 12:49 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From cendio 2013-03-21 12:32:44
At some point, we need to implement OTP support for the HTML5 client.
------- Comment #1 From cendio 2013-04-15 15:51:53 -------
Fixed in:
r27076
r27077
r27078

Time reporting on bug 4132. The tester should check:

* Authentication with normal passwords, as well as extra prompts ie OTP
* Cleanup of stale "pamtester" processes and FIFOs in /tmp
* Bonus: Authentication with passwordless username
* Security aspects
* Error handling
------- Comment #2 From cendio 2013-05-02 15:48:57 -------
(In reply to comment #1)
> * Authentication with normal passwords, as well as extra prompts ie OTP

Work as expected, tested using pam_prompt.so.

> * Bonus: Authentication with passwordless username

Works in a strange way, empty password from login form is passed as
response to OTP prompt, however the thinlinc client works this way too.
------- Comment #3 From cendio 2013-05-03 10:48:19 -------
> * Error handling

I configured pam_radius module for sshd which pointed out a non existing radius
server, pamtester auth failures log auth failures into the html page but no
trace in /var/log/tlwebaccess.log
------- Comment #4 From cendio 2013-05-03 10:59:14 -------
While using pam_prompt and at login form when prompt for second input I stopped
pamtester 'kill -STOP <pid>'. Then i continued with the login form filling in a
prompt and continue, the form hangs forever (>60 secs).

Maybe we should have a timeout for IPC tlwebaccess <-> pamtester
------- Comment #5 From cendio 2013-05-03 11:15:06 -------
> * Cleanup of stale "pamtester" processes and FIFOs in /tmp

After the stop of pamtester process in comment #4 it took some time for cleanup
but /tmp was cleaned up from .err/.in/.out fifos, however the tlwebaccess
process which wants to communicate with pamtester seems to never die.
------- Comment #6 From cendio 2013-05-03 11:33:46 -------
(In reply to comment #3)
> > * Error handling
> 
> I configured pam_radius module for sshd which pointed out a non existing radius
> server, pamtester auth failures log auth failures into the html page but no
> trace in /var/log/tlwebaccess.log

Moved to bug https://www.cendio.com/bugzilla/show_bug.cgi?id=4632.
------- Comment #7 From cendio 2013-05-03 12:03:14 -------
(In reply to comment #5)
> > * Cleanup of stale "pamtester" processes and FIFOs in /tmp
> 
> After the stop of pamtester process in comment #4 it took some time for cleanup
> but /tmp was cleaned up from .err/.in/.out fifos, however the tlwebaccess
> process which wants to communicate with pamtester seems to never die.

This and comment #4 should be fixed in 27303.
------- Comment #8 From cendio 2013-05-06 09:21:33 -------
(In reply to comment #7)
> (In reply to comment #5)
> > > * Cleanup of stale "pamtester" processes and FIFOs in /tmp
> > 
> > After the stop of pamtester process in comment #4 it took some time for cleanup
> > but /tmp was cleaned up from .err/.in/.out fifos, however the tlwebaccess
> > process which wants to communicate with pamtester seems to never die.
> 
> This and comment #4 should be fixed in 27303.

Using build 3937, Verified that there is a 120 seconds timeout for IPC
communications tlwebaccess <-> pamtester.

Upon timeout, the rendered html page shows an error message.
------- Comment #9 From cendio 2013-05-06 10:37:16 -------
Also tested to login steps until the OTP prompt, were i went back to main login
form (a few times), leaving a few tlwebaccess+pamtester alive but not used. 

Those left overs where successfully removed after a timeout.

After these tests and fixes it seems to work fine. Closing this bug as fixed.