The function returned different output when TOTP was configured and not
which is not what it should do.
This version will now try to add the TOTP configuration, or will add
nothing it if fails to do so.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Move reading of environment in it's own function because not all
events have a ENV block following and thus always reading the ENV
will cause RuntimeError("Unexpected environment line ...").
These configuration option are required to make the client authenticate
itself against the server.
The server may then accept those credentials without any further ado or
ask for a OTP.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This script runs aside of OpenVPN and connects to the management socket.
On the socket, OpenVPN will post any new clients trying to authenticate
which will be handled by the authenticator.
If a client has 2FA enabled, it will be challanged for the current token
which will then be checked in a second pass.
Clients which do not have 2FA enabled will just be authenticated no
matter what and tls-verify will have handled the rest.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Although Perl modules tend to take a long time to load, it is better to
do this at the beginning so that loading the script will show any
errors.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Add two-factor authentication (2FA) to OpenVPN host connections with
one-time passwords.
The 2FA can be enabled or disabled per host connection and requires the
client to download it's configuration again after 2FA has beend enabled
for it.
Additionally the client needs to configure an TOTP application, like
"Google Authenticator" which then provides the second factor.
To faciliate this every connection with enabled 2FA
gets an "show qrcode" button after the "show file" button in the
host connection list to show the 2FA secret and an 2FA configuration QRCode.
When 2FA is enabled, the client needs to provide the second factor plus
the private key password (if set) to successfully authorize.
This only supports time based one-time passwords, TOTP with 30s
window and 6 digits, for now but we may update this in the future.
Signed-off-by: Timo Eissler <timo.eissler@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.30/doc/arm/html/notes.html#notes-for-bind-9-16-30
"Bug Fixes
The fetches-per-server quota is designed to adjust itself downward
automatically when an authoritative server times out too frequently.
Due to a coding error, that adjustment was applied incorrectly,
so that the quota for a congested server was always set to 1. This
has been fixed. [GL #3327]
DNSSEC-signed catalog zones were not being processed correctly. This
has been fixed. [GL #3380]
Key files were updated every time the dnssec-policy key manager ran,
whether the metadata had changed or not. named now checks whether
changes were applied before writing out the key files. [GL #3302]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Full changelog as retrived from https://cisofy.com/changelog/lynis/#308:
- MALW-3274 - Detect McAfee VirusScan Command Line Scanner
- PKGS-7346 Check Alpine Package Keeper (apk)
- PKGS-7395 Check Alpine upgradeable packages
- EOL for Alpine Linux 3.14 and 3.15
- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
- FILE-7524 - Test enhanced to support symlinks
- HTTP-6643 - Support ModSecurity version 2 and 3
- KRNL-5788 - Only run relevant tests and improved logging
- KRNL-5820 - Additional path for security/limits.conf
- KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
- KRNL-5830 - Add a presence check for /boot/vmlinuz
- PRNT-2308 - Bugfix that prevented test from storing values correctly
- Extended location of PAM files for AARCH64
- Some messages in log improved
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
While IPFire 2.x' web interface does not support IPv6, users can
technically run it with IPv6 by conducting the necessary configuration
changes manually.
To provide these systems as well, we should disable acceptance of ICMPv6
redirect packets - which is apparently not default in Linux, yet. :-/
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
