Merge pull request #39 from gravitational/alex/ssh-agent

Now HOTP server checks 3 tokens ahead and syncs with client
2024-10-20 17:23:22 +00:00 · 2015-10-26 13:58:27 -07:00 · 2015-10-26 13:58:27 -07:00 · d110d94ab4
parent 92e775a2d2 ce9e265c86
commit d110d94ab4
3 changed files with 26 additions and 11 deletions
--- a/lib/auth/srv_test.go
+++ b/lib/auth/srv_test.go
@ -232,12 +232,19 @@ func (s *APISuite) TestPasswordCRUD(c *C) {
 	c.Assert(s.clt.CheckPassword("user1", pass, token2), IsNil)
 	c.Assert(s.clt.CheckPassword("user1", pass, token1), NotNil)

-	token3 := otp.OTP()
-	token4 := otp.OTP()
-	c.Assert(s.clt.CheckPassword("user1", pass, token4), NotNil)
-	c.Assert(s.clt.CheckPassword("user1", pass, token3), IsNil)
+	_ = otp.OTP()
+	_ = otp.OTP()
+	_ = otp.OTP()
+	token6 := otp.OTP()
+	token7 := otp.OTP()
+	c.Assert(s.clt.CheckPassword("user1", pass, token7), NotNil)
+	c.Assert(s.clt.CheckPassword("user1", pass, token6), IsNil)
 	c.Assert(s.clt.CheckPassword("user1", pass, "123456"), NotNil)
-	c.Assert(s.clt.CheckPassword("user1", pass, token4), IsNil)
+	c.Assert(s.clt.CheckPassword("user1", pass, token7), IsNil)
+
+	_ = otp.OTP()
+	token9 := otp.OTP()
+	c.Assert(s.clt.CheckPassword("user1", pass, token9), IsNil)
 }

 func (s *APISuite) TestSessions(c *C) {
--- a/lib/services/test_suite.go
+++ b/lib/services/test_suite.go
@ -363,12 +363,20 @@ func (s *ServicesTestSuite) PasswordCRUD(c *C) {
 	c.Assert(s.WebS.CheckPassword("user1", pass, token2), IsNil)
 	c.Assert(s.WebS.CheckPassword("user1", pass, token1), FitsTypeOf, &teleport.BadParameterError{})

-	token3 := otp.OTP()
-	token4 := otp.OTP()
-	c.Assert(s.WebS.CheckPassword("user1", pass, token4), FitsTypeOf, &teleport.BadParameterError{})
-	c.Assert(s.WebS.CheckPassword("user1", pass, token3), IsNil)
+	_ = otp.OTP()
+	_ = otp.OTP()
+	_ = otp.OTP()
+	token6 := otp.OTP()
+	token7 := otp.OTP()
+	c.Assert(s.WebS.CheckPassword("user1", pass, token7), FitsTypeOf, &teleport.BadParameterError{})
+	c.Assert(s.WebS.CheckPassword("user1", pass, token6), IsNil)
 	c.Assert(s.WebS.CheckPassword("user1", pass, "123456"), FitsTypeOf, &teleport.BadParameterError{})
-	c.Assert(s.WebS.CheckPassword("user1", pass, token4), IsNil)
+	c.Assert(s.WebS.CheckPassword("user1", pass, token7), IsNil)
+
+	_ = otp.OTP()
+	token9 := otp.OTP()
+	c.Assert(s.WebS.CheckPassword("user1", pass, token9), IsNil)
+
 }

 func (s *ServicesTestSuite) PasswordGarbage(c *C) {
--- a/lib/services/web.go
+++ b/lib/services/web.go
@ -256,7 +256,7 @@ func (s *WebService) CheckPassword(user string, password []byte, hotpToken strin
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	if !otp.Check(hotpToken) {
+	if !otp.Scan(hotpToken, 4) {
 		return &teleport.BadParameterError{Err: "tokens do not match"}
 	}