Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Better token parsing in authorized_yubikeys file (check_user_token) #244

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

Wicwik
Copy link

@Wicwik Wicwik commented Nov 30, 2022

There is a possible bug while having /home/$USER/.yubico/authorized_yubikeys file longer than 1024 bytes in a single line. I can see that the authorized_yubikeys file is parsed by buffering 1024 bytes. The code relies on the fact that the first token is always the username. But when the file is larger than 1024 bytes, the second time called fgets returns the rest of the yubikeys line, but the rest of the line does (and probably shouldn't) start with the username. So when the yubikey is not found in the first 1025 bytes, the auth will fail. To fix the username problem I have added a check if the username is undefined (NULL), so it won't change the username every time a part of the file is loaded.

The second problem is that when the 1024 buffer cuts the token in two parts. For this, I have added a check that if the last token length is less than 12, it will move back the file pointer for the token length, so it can be read as a whole in the next fgets.

We have found this possible bug when creating a uthorized_yubikeys with many tokens so the final file size is larger than 1024 bytes. We have been able to hotfix this by splitting the file by '\n' character after the last correctly read token.

Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

1 participant