packages/kiran-authentication-service
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!30 修复部分第一轮测试出现的问题

Browse Source 
From: @liubuguiii 
Reviewed-by: @tangjie02 
Signed-off-by: @tangjie02
This commit is contained in:
openeuler-ci-bot 2023-05-31 11:54:37 +00:00 committed by Gitee
commit ff4d153b98
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
6 changed files with 651 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
0001-fix-auth-terminal-Repair-authentication-type-check.patch Normal file
View File

@ -0,0 +1,32 @@
From 313ce71e34f4af75f0b0ccbb954ffc89ff86fee6 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Mon, 29 May 2023 20:32:15 +0800
Subject: [PATCH 1/5] fix(auth terminal): Repair authentication type check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 修复命令行认证,认证类型检查问题
Closes #I792B4
---
src/pam/authentication-terminal.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/pam/authentication-terminal.cpp b/src/pam/authentication-terminal.cpp
index c6df098..5db6b1c 100644
--- a/src/pam/authentication-terminal.cpp
+++ b/src/pam/authentication-terminal.cpp
@@ -93,7 +93,8 @@ int32_t AuthenticationTerminal::requestAuthType()
authType == KADAuthType::KAD_AUTH_TYPE_FINGERPRINT ||
authType == KADAuthType::KAD_AUTH_TYPE_FINGERVEIN ||
authType == KADAuthType::KAD_AUTH_TYPE_UKEY ||
- authType == KADAuthType::KAD_AUTH_TYPE_FACE)
+ authType == KADAuthType::KAD_AUTH_TYPE_FACE ||
+ authType == KADAuthType::KAD_AUTH_TYPE_IRIS)
{
return authType;
}
--
2.33.0

46
0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch Normal file
View File

@ -0,0 +1,46 @@
From e9d570e068bbb5ae1fd91a86b186cecf488ac771 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Tue, 30 May 2023 09:25:03 +0800
Subject: [PATCH 2/5] fix(pam conf): Adjust the number of non-password
authentication failures recorded in the PAM configuration file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 调整PAM配置文件多路认证非密码认证失败记录错误次数
Closes #I7937W
---
data/kiran-authentication-service | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
index e5d0f98..afc7e17 100644
--- a/data/kiran-authentication-service
+++ b/data/kiran-authentication-service
@@ -1,11 +1,16 @@
-# 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
-auth [success=done ignore=ignore default=die] pam_kiran_authentication.so doauth
+# NOTE:需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
+# 若不修改,用户已锁定也能开始认证,无论认证是否成功都会失败,并且无提示。
+# =========================认证配置项目================================ #
+# 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
+auth [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
# 多因子认证模式, 成功继续执行PAM流程栈,失败或默认值都为失败
-#auth requisite pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
#auth [success=2 default=bad] pam_kiran_authentication.so doauth
-#auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
-#auth required pam_debug
+# ==================================================================== #
+
+# 认证服务后续认证流程兼容走系统错误计数failock, pam_debug只是修改认证状态值为成功
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
+auth required pam_debug
# 认证成功,清理内部记录错误次数
account required pam_kiran_authentication.so authsucc
\ No newline at end of file
--
2.33.0

300
0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch Normal file
View File

@ -0,0 +1,300 @@
From 74cff73678e966b232d70aba787476f34fa0d584 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Tue, 30 May 2023 11:11:48 +0800
Subject: [PATCH 3/5] fix(Interface permission): Upgrade the permission of some
interfaces of the authentication service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 提升部分认证服务接口权限至root调用前需认证polkit
Closes #I795QI
---
data/com.kylinsec.Kiran.Authentication.xml | 7 ++-
src/daemon/auth-manager.cpp | 66 ++++++++++++++--------
src/daemon/auth-manager.h | 46 ++++++++++-----
src/daemon/user.cpp | 2 +-
src/pam/authentication.cpp | 1 -
5 files changed, 82 insertions(+), 40 deletions(-)
diff --git a/data/com.kylinsec.Kiran.Authentication.xml b/data/com.kylinsec.Kiran.Authentication.xml
index b575ebd..12b077f 100644
--- a/data/com.kylinsec.Kiran.Authentication.xml
+++ b/data/com.kylinsec.Kiran.Authentication.xml
@@ -51,7 +51,7 @@
</arg>
</method>
- <method name="SetDrivereEanbled">
+ <method name="SetDrivereEnabled">
<arg name="driver_name" direction="in" type="s">
<description>driver name</description>
</arg>
@@ -73,7 +73,7 @@
<arg name="auth_type" direction="in" type="i">
<description>The auth type. Refer to KADAuthType in kas-authentication-i.h</description>
</arg>
- <arg name="device_id" type="s">
+ <arg name="device_id" direction="in" type="s">
<description>The default device ID.</description>
</arg>
</method>
@@ -82,6 +82,9 @@
<arg name="auth_type" direction="in" type="i">
<description>The auth type. Refer to KADAuthType in kas-authentication-i.h</description>
</arg>
+ <arg name="device_id" direction="out" type="s">
+ <description>The default device ID.</description>
+ </arg>
</method>
<method name="SetAuthTypeEnabledForApp">
diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
index 0a74682..7ebef89 100644
--- a/src/daemon/auth-manager.cpp
+++ b/src/daemon/auth-manager.cpp
@@ -21,6 +21,7 @@
#include "src/daemon/device/device-adaptor-factory.h"
#include "src/daemon/error.h"
#include "src/daemon/proxy/dbus-daemon-proxy.h"
+#include "src/daemon/proxy/polkit-proxy.h"
#include "src/daemon/session.h"
#include "src/daemon/user-manager.h"
#include "src/utils/utils.h"
@@ -34,6 +35,9 @@
#include <QMetaEnum>
#include <QSettings>
#include <QTime>
+
+#define AUTH_USER_ADMIN "com.kylinsec.kiran.authentication.user-administration"
+
namespace Kiran
{
// 会话ID的最大值
@@ -85,7 +89,7 @@ QDBusObjectPath AuthManager::CreateSession(const QString &username, int timeout,
.arg(authApp)
.arg(this->message().service())
.arg(sessionID);
-
+
return QDBusObjectPath(session->getObjectPath());
}
@@ -108,15 +112,6 @@ QString AuthManager::GetDriversForType(int authType)
return DeviceAdaptorFactory::getInstance()->getDriversForType(authType);
}
-void AuthManager::SetDrivereEanbled(const QString &driverName, bool enabled)
-{
- if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled))
- {
- DBUS_ERROR_REPLY(QDBusError::InternalError,
- KADErrorCode::ERROR_FAILED);
- }
-}
-
QDBusObjectPath AuthManager::FindUserByID(qulonglong uid)
{
auto pwent = getpwuid(uid);
@@ -164,21 +159,11 @@ bool AuthManager::GetAuthTypeEnabled(int authType)
return m_authConfig->getAuthTypeEnable((KADAuthType)authType);
}
-void AuthManager::SetAuthTypeEnabled(int authType, bool enabled)
-{
- m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled);
-}
-
bool AuthManager::GetAuthTypeEnabledForApp(int authType, int authApp)
{
return m_authConfig->getAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp);
}
-void AuthManager::SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled)
-{
- m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled);
-}
-
/// @brief 通过认证应用枚举获取支持的认证类型或认证顺序
/// @param authApp 应用程序所属的认证应用类型
/// @return 与模式下为需认证类型的认证顺序,或模式下为可选的认证类型
@@ -202,9 +187,9 @@ QList<int> AuthManager::GetAuthTypeByApp(int32_t authApp)
auto sortedAuthTypes = authOrder;
auto enabledAuthTypeIter = enabledAuthTypes.begin();
- while(enabledAuthTypeIter != enabledAuthTypes.end())
+ while (enabledAuthTypeIter != enabledAuthTypes.end())
{
- if(!sortedAuthTypes.contains(*enabledAuthTypeIter))
+ if (!sortedAuthTypes.contains(*enabledAuthTypeIter))
{
sortedAuthTypes << *enabledAuthTypeIter;
}
@@ -257,6 +242,10 @@ void AuthManager::onNameLost(const QString &serviceName)
}
}
+CHECK_AUTH_WITH_2ARGS(AuthManager, SetDrivereEnabled, onSetDriverEnabled, AUTH_USER_ADMIN, const QString &, bool);
+CHECK_AUTH_WITH_2ARGS(AuthManager, SetAuthTypeEnabled, onSetAuthTypeEnabled, AUTH_USER_ADMIN, int, bool);
+CHECK_AUTH_WITH_3ARGS(AuthManager, SetAuthTypeEnabledForApp, onSetAuthTypeEnabledForApp, AUTH_USER_ADMIN, int, int, bool);
+
void AuthManager::init()
{
auto systemConnection = QDBusConnection::systemBus();
@@ -276,6 +265,11 @@ void AuthManager::init()
connect(m_authConfig, SIGNAL(defaultDeviceChanged(int, QString)), this, SIGNAL(defaultDeviceChanged(int, QString)));
}
+QString AuthManager::calcAction(const QString &originAction)
+{
+ return AUTH_USER_ADMIN;
+}
+
int32_t AuthManager::generateSessionID()
{
// 最多生成10次超过次数则返回失败
@@ -288,4 +282,32 @@ int32_t AuthManager::generateSessionID()
}
return -1;
}
+
+void AuthManager::onSetDriverEnabled(const QDBusMessage &message, const QString &driverName, bool enabled)
+{
+ if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled))
+ {
+ DBUS_ERROR_REPLY_ASYNC(message, QDBusError::InternalError, KADErrorCode::ERROR_FAILED);
+ }
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
+void AuthManager::onSetAuthTypeEnabled(const QDBusMessage &message, int authType, bool enabled)
+{
+ m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled);
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
+void AuthManager::onSetAuthTypeEnabledForApp(const QDBusMessage &message, int authType, int authApp, bool enabled)
+{
+ m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled);
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
} // namespace Kiran
diff --git a/src/daemon/auth-manager.h b/src/daemon/auth-manager.h
index 696dc96..e707e0b 100644
--- a/src/daemon/auth-manager.h
+++ b/src/daemon/auth-manager.h
@@ -48,46 +48,64 @@ public:
int getMaxFailures();
public Q_SLOTS: // DBUS METHODS
+ /// normal
+ // 获取认证服务中用户DBUS对象
+ QDBusObjectPath FindUserByID(qulonglong uid);
+ QDBusObjectPath FindUserByName(const QString &userName);
+
// 认证会话创建以及销毁
QDBusObjectPath CreateSession(const QString &userName, int timeout,int authApp);
void DestroySession(uint sessionID);
+ // 根据认证类型获取驱动列表
QString GetDriversForType(int authType);
- void SetDrivereEanbled(const QString& driverName,bool enabled);
- // 获取认证服务中用户DBUS对象
- QDBusObjectPath FindUserByID(qulonglong uid);
- QDBusObjectPath FindUserByName(const QString &userName);
-
- // 获取认证设备
+ // 根据认证类型获取设备列表
QString GetDevicesForType(int authType);
- // 获取默认认证设备
- QString GetDefaultDeviceID(int authType);
- // 设置默认设备ID
- void SetDefaultDeviceID(int authType, const QString &deviceID);
- // 认证类型总开关
+ // 获取认证类型是否启用
bool GetAuthTypeEnabled(int authType);
- void SetAuthTypeEnabled(int authType,bool enabled);
- // 获取/设置指定认证场景下认证类型的开关
+ // 获取认证类型认证场景(认证应用)是否启用
bool GetAuthTypeEnabledForApp(int authType,int authApp);
- void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled);
+
+ // 默认设备
+ QString GetDefaultDeviceID(int authType);
+ void SetDefaultDeviceID(int authType, const QString &deviceID);
// 通过pam服务名查询属于哪个认证场景
+ // 例如:
+ // lightdm->KAD_AUTH_APPLICATION_LOGIN,
+ // iran-screensaver->KAD_AUTH_APPLICATION_UNLOCK
int QueryAuthApp(const QString &pamServiceName);
+
// 通过指定的认证应用获取支持的认证类型,返回值为有序列表
QList<int> GetAuthTypeByApp(int32_t authApp);
void onNameLost(const QString &serviceName);
+ // root
+ // 设备驱动控制
+ void SetDrivereEnabled(const QString& driverName,bool enabled);
+
+ // 认证类型总开关
+ void SetAuthTypeEnabled(int authType,bool enabled);
+
+ // 获取/设置指定认证场景下认证类型的开关
+ void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled);
+
signals:
void defaultDeviceChanged(int authType,const QString& deviceID,QPrivateSignal);
private:
void init();
+ // 需要管理员权限
+ QString calcAction(const QString &originAction);
// 生成一个唯一的会话ID
int32_t generateSessionID();
+ void onSetDriverEnabled(const QDBusMessage &message,const QString& driverName,bool enabled);
+ void onSetAuthTypeEnabled(const QDBusMessage &message,int authType,bool enabled);
+ void onSetAuthTypeEnabledForApp(const QDBusMessage &message,int authType, int authApp, bool enabled);
private:
static AuthManager *m_instance;
diff --git a/src/daemon/user.cpp b/src/daemon/user.cpp
index 1b77bf0..c9d98bb 100644
--- a/src/daemon/user.cpp
+++ b/src/daemon/user.cpp
@@ -290,7 +290,7 @@ void User::onDeleteIdentification(const QDBusMessage &message, const QString &ii
if (!getIIDs().contains(iid))
{
USER_WARNING() << "delete identification" << iid << "error,can not find!";
- DBUS_ERROR_REPLY_AND_RET(QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);
+ DBUS_ERROR_REPLY_ASYNC_AND_RET(message,QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);
}
USER_DEBUG() << "delete identification" << iid;
diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
index 192a1b1..6a165fd 100644
--- a/src/pam/authentication.cpp
+++ b/src/pam/authentication.cpp
@@ -42,7 +42,6 @@ Authentication::Authentication(PAMHandle *pamHandle,
{
}
-// TODO polkit 认证 超时,未结束认证
Authentication::~Authentication()
{
if (this->m_authSessionProxy && this->m_authManagerProxy)
--
2.33.0

227
0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch Normal file
View File

@ -0,0 +1,227 @@
From 945a85d4d7867d103d1a98093cc5122fadd55845 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Wed, 31 May 2023 14:19:54 +0800
Subject: [PATCH 4/5] fix(multi factor): Fixed an authentication failure caused
by disabling all authentication modes during multi-factor authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 修复多因子认证时关闭所有非密码认证认证失败的问题认证服务进行密码认证时放行密码认证流程由PAM模块以及PAM配置管理
Closes #I79I33
---
data/kiran-authentication-service | 7 +++--
src/daemon/auth-manager.cpp | 1 +
src/daemon/session.cpp | 29 +++++++++++++------
src/daemon/session.h | 1 +
src/pam/authentication-graphical.cpp | 1 -
src/pam/authentication-terminal.cpp | 1 -
src/pam/authentication.cpp | 6 ----
.../kiran-authentication-daemon.zh_CN.ts | 11 +++++--
8 files changed, 35 insertions(+), 22 deletions(-)
diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
index afc7e17..e0f2763 100644
--- a/data/kiran-authentication-service
+++ b/data/kiran-authentication-service
@@ -1,5 +1,8 @@
-# NOTE:需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
+# NOTE:
+# 需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
# 若不修改,用户已锁定也能开始认证,无论认证是否成功都会失败,并且无提示。
+# sudo 若用户已锁定,仍然会尝试多次
+# sudo visudo ,添加'Defaults passwd_tries=1'行将sudo尝试次数修改为1
# =========================认证配置项目================================ #
# 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
@@ -10,7 +13,7 @@ auth [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
# 认证服务后续认证流程兼容走系统错误计数failock, pam_debug只是修改认证状态值为成功
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
-auth required pam_debug
+auth required pam_debug.so
# 认证成功,清理内部记录错误次数
account required pam_kiran_authentication.so authsucc
\ No newline at end of file
diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
index 7ebef89..3d7aaf0 100644
--- a/src/daemon/auth-manager.cpp
+++ b/src/daemon/auth-manager.cpp
@@ -196,6 +196,7 @@ QList<int> AuthManager::GetAuthTypeByApp(int32_t authApp)
enabledAuthTypeIter++;
}
+ sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD;
KLOG_DEBUG() << "get auth types by app:" << authApp << "result:" << sortedAuthTypes;
return sortedAuthTypes;
}
diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp
index f24a697..e8c516b 100644
--- a/src/daemon/session.cpp
+++ b/src/daemon/session.cpp
@@ -128,17 +128,11 @@ void Session::StartAuth()
DBUS_ERROR_REPLY_AND_RET(QDBusError::AccessDenied, KADErrorCode::ERROR_USER_IDENTIFIYING);
}
- if (this->m_authType == KAD_AUTH_TYPE_NONE || this->m_authType == KAD_AUTH_TYPE_PASSWORD)
- {
- KLOG_WARNING() << m_sessionID << "auth type is invalid" << this->m_authType << ",start auth failed";
- DBUS_ERROR_REPLY_AND_RET(QDBusError::Failed, KADErrorCode::ERROR_FAILED);
- }
-
KLOG_DEBUG() << m_sessionID << "start auth";
this->m_verifyInfo.m_inAuth = true;
this->m_verifyInfo.m_dbusMessage = this->message();
this->startPhaseAuth();
-}
+}
void Session::StopAuth()
{
@@ -258,11 +252,15 @@ void Session::startPhaseAuth()
// 开始阶段认证前,通知认证类型状态变更
emit this->m_dbusAdaptor->AuthTypeChanged(this->m_authType);
+
switch (this->m_authType)
{
case KAD_AUTH_TYPE_UKEY:
startUkeyAuth();
break;
+ case KAD_AUTH_TYPE_PASSWORD:
+ startPasswdAuth();
+ break;
default:
startGeneralAuth();
break;
@@ -282,6 +280,14 @@ void Session::startUkeyAuth()
Q_EMIT this->AuthPrompt(tr("please input ukey code."), KADPromptType::KAD_PROMPT_TYPE_SECRET);
}
+void Session::startPasswdAuth()
+{
+ KLOG_DEBUG() << "The authentication service does not take over password authentication,ignore!";
+ this->m_verifyInfo.m_inAuth = true;
+ this->m_verifyInfo.m_authenticatedUserName = m_userName;
+ this->finishPhaseAuth(true,false);
+}
+
void Session::startGeneralAuth(const QString &extraInfo)
{
auto deviceType = Utils::authType2DeviceType(this->m_authType);
@@ -299,7 +305,8 @@ void Session::startGeneralAuth(const QString &extraInfo)
{
auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);
KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << m_authType;
- Q_EMIT this->AuthMessage(tr(QString("can not find %1 device").arg(authTypeStr).toStdString().c_str()), KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+ Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)),KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+
this->finishPhaseAuth(false, false);
return;
}
@@ -352,7 +359,11 @@ void Session::finishPhaseAuth(bool isSuccess, bool recordFailure)
break;
case KADAuthMode::KAD_AUTH_MODE_AND:
{
- this->m_authOrderWaiting.removeOne(this->m_authType);
+ if( this->m_authOrderWaiting.size() > 0 )
+ {
+ this->m_authOrderWaiting.removeOne(this->m_authType);
+ }
+
if (this->m_authOrderWaiting.size() == 0)
{
this->finishAuth(isSuccess, recordFailure);
diff --git a/src/daemon/session.h b/src/daemon/session.h
index 2998f73..a850237 100644
--- a/src/daemon/session.h
+++ b/src/daemon/session.h
@@ -98,6 +98,7 @@ private:
private:
void startPhaseAuth();
void startUkeyAuth();
+ void startPasswdAuth();
void startGeneralAuth(const QString &extraInfo = QString());
void finishPhaseAuth(bool isSuccess,bool recordFailure = true);
diff --git a/src/pam/authentication-graphical.cpp b/src/pam/authentication-graphical.cpp
index 619f3cf..2f104ac 100644
--- a/src/pam/authentication-graphical.cpp
+++ b/src/pam/authentication-graphical.cpp
@@ -64,7 +64,6 @@ void AuthenticationGraphical::notifySupportAuthType()
{
auto authType = this->m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
QList<int> authTypeList = authType.value();
- authTypeList << KAD_AUTH_TYPE_PASSWORD;
QStringList authTypeStrList;
for (auto authType : authTypeList)
diff --git a/src/pam/authentication-terminal.cpp b/src/pam/authentication-terminal.cpp
index 5db6b1c..01d66c6 100644
--- a/src/pam/authentication-terminal.cpp
+++ b/src/pam/authentication-terminal.cpp
@@ -34,7 +34,6 @@ void AuthenticationTerminal::notifySupportAuthType()
{
auto authType = this->m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
QList<int> authTypeList = authType.value();
- authTypeList << KAD_AUTH_TYPE_PASSWORD;
QList<KADAuthType> tempAuthTypeList;
for (auto authType : authTypeList)
diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
index 6a165fd..06bc010 100644
--- a/src/pam/authentication.cpp
+++ b/src/pam/authentication.cpp
@@ -184,14 +184,8 @@ int Authentication::startAuthPre()
{
auto authTypeReply = m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
QList<int> authTypeList = authTypeReply.value();
- if (m_authApplication == KAD_AUTH_APPLICATION_NONE || authTypeList.isEmpty())
- {
- this->m_pamHandle->syslog(LOG_DEBUG, QString("The pam service '%1' is unsupported or authentication type is not configured.").arg(this->m_serviceName));
- return PAM_IGNORE;
- }
this->notifyAuthMode();
-
RETURN_VAL_IF_TRUE(!this->initSession(), PAM_SYSTEM_ERR);
if (this->m_authManagerProxy->authMode() == KADAuthMode::KAD_AUTH_MODE_OR)
diff --git a/translations/kiran-authentication-daemon.zh_CN.ts b/translations/kiran-authentication-daemon.zh_CN.ts
index 4292ee7..8c03e2c 100644
--- a/translations/kiran-authentication-daemon.zh_CN.ts
+++ b/translations/kiran-authentication-daemon.zh_CN.ts
@@ -12,20 +12,25 @@
<context>
<name>Kiran::Session</name>
<message>
- <location filename="../src/daemon/session.cpp" line="201"/>
+ <location filename="../src/daemon/session.cpp" line="195"/>
<source>Please wait while the %1 request is processed</source>
<translation>%1认证请求正在等待处理</translation>
</message>
<message>
- <location filename="../src/daemon/session.cpp" line="281"/>
+ <location filename="../src/daemon/session.cpp" line="279"/>
<source>Insert the UKey and enter the PIN code</source>
<translation>请插入UKey并输入PIN码</translation>
</message>
<message>
- <location filename="../src/daemon/session.cpp" line="282"/>
+ <location filename="../src/daemon/session.cpp" line="280"/>
<source>please input ukey code.</source>
<translation>请输入PIN码。</translation>
</message>
+ <message>
+ <location filename="../src/daemon/session.cpp" line="308"/>
+ <source>can not find %1 device</source>
+ <translation>未能检测到%1设备</translation>
+ </message>
</context>
<context>
<name>Kiran::User</name>
--
2.33.0

31
0005-fix-auth-order-Adjust-the-authentication-sequence.patch Normal file
View File

@ -0,0 +1,31 @@
From 169a18a2d098edf8ba869368d52ea5719509a10d Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Wed, 31 May 2023 14:23:51 +0800
Subject: [PATCH 5/5] fix(auth order): Adjust the authentication sequence
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 依据需求文档调整认证顺序
Closes #I79FVY
---
data/kad.ini | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/kad.ini b/data/kad.ini
index eaaa05a..5c7b281 100644
--- a/data/kad.ini
+++ b/data/kad.ini
@@ -2,7 +2,7 @@
#多因子认证,需多个认证方式认证通过,And
#多路认证,多个认证方式选择一个通过即可,Or
AuthMode=Or
-AuthOrder=fingerprint,fingervein,face,iris,ukey
+AuthOrder=iris,face,fingerprint,fingervein,ukey
#内置最大错误次数判断,错误超过该次数后,该用户将无法使用生物认证(认证服务提供的认证方式)
#只针对与多路认证,多因子认证错误次数不由认证服务接管
MaxFailures=3
--
2.33.0

17
kiran-authentication-service.spec
View File

@ -1,12 +1,18 @@
Name: kiran-authentication-service
Version: 2.5.1
Release: 2
Release: 3
Summary: Kiran Desktop kiran authentication service
License: MulanPSL-2.0
URL: http://www.kylinsec.com.cn
Source0: %{name}-%{version}.tar.gz
Patch0001: 0001-fix-auth-terminal-Repair-authentication-type-check.patch
Patch0002: 0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch
Patch0003: 0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch
Patch0004: 0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch
Patch0005: 0005-fix-auth-order-Adjust-the-authentication-sequence.patch
BuildRequires: systemd
BuildRequires: systemd-devel
BuildRequires: gcc
@ -81,7 +87,14 @@ systemctl enable kiran-authentication-daemon.service
%{_includedir}/kiran-authentication-service/kas-authentication-i.h
%changelog
* Wed May 24 2023 liuxinhao <liuxinhao@Kylinsec.com.cn> - 2.5.1-2
* Wed May 31 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-3
- KYOS-B: fix terminl authentication type check (#I792B4)
- KYOS-B: Adjust the number of non-password authentication failures recorded in the PAM configuration file(#I7937W)
- KYOS-B: Upgrade the permission of some interfaces of the authentication service(#I795QI)
- KYOS-B: Fixed an authentication failure caused by disabling all authentication modes during multi-factor authentication(#I79I33)
- KYOS-B: Adjust the authentication sequence(#I79FVY)
* Wed May 24 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-2
- KYOS-F: Remove Require kiran-control-panel
* Wed May 24 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-1