Standards compliant TLS clients require
that IP addresses be compared against
IP type SAN fields.
However, some firmware ignores IP fields and only checks DNS fields.
Work around this and provide compatibility
by duplicating the IP as DNS and IP fields.
Also, clean up the temporary config file when done.

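The following is an added illustration of the compatibility point above, not code from the project the commit belongs to. It models the two client behaviours the commit describes (a standards-compliant client that only compares an IP literal against iPAddress SAN entries, and firmware that only looks at dNSName entries) over a SAN list in the `(type, value)` tuple shape Python's `ssl` module reports via `getpeercert()`; the host name and addresses are constructed sample values.

```python
import ipaddress

# Constructed SAN lists in the shape ssl.SSLSocket.getpeercert() reports them
# (the 'DNS' / 'IP Address' type tags are Python's, the values are made up).
SAN_IP_ONLY = (
    ("DNS", "bmc01.example.internal"),
    ("IP Address", "10.20.30.40"),
)
# The workaround from the commit: the IP is carried both as DNS and as IP.
SAN_DUPLICATED = (
    ("DNS", "bmc01.example.internal"),
    ("DNS", "10.20.30.40"),
    ("IP Address", "10.20.30.40"),
)


def _is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def compliant_match(san, target):
    """RFC 5280 / RFC 6125 behaviour: an IP literal is compared only against
    iPAddress entries (normalised, so IPv6 spellings compare correctly), and a
    host name only against dNSName entries. A DNS entry that happens to
    contain the IP string is ignored for an IP target."""
    if _is_ip_literal(target):
        want = ipaddress.ip_address(target)
        return any(
            kind == "IP Address" and ipaddress.ip_address(value) == want
            for kind, value in san
        )
    return any(kind == "DNS" and value.lower() == target.lower() for kind, value in san)


def dns_only_match(san, target):
    """Lenient behaviour of the firmware the commit works around: IP SAN
    entries are never consulted; the connect string is compared to DNS
    entries only, so an IP literal matches only if it was also put in a DNS
    entry."""
    return any(kind == "DNS" and value.lower() == target.lower() for kind, value in san)


def accepted_by_both(san, target):
    """True when the certificate validates for the given target under both
    client behaviours, which is what the duplicated SAN is meant to achieve."""
    return compliant_match(san, target) and dns_only_match(san, target)


if __name__ == "__main__":
    for name, san in (("IP only", SAN_IP_ONLY), ("duplicated", SAN_DUPLICATED)):
        print(name, "compliant:", compliant_match(san, "10.20.30.40"),
              "dns-only firmware:", dns_only_match(san, "10.20.30.40"))
```

The duplicated DNS entry does not weaken validation for compliant clients: `compliant_match` still requires a real iPAddress entry for an IP target, so the extra dNSName only matters to the lenient firmware.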
The plan is to have 'discovery'
data only on DISCOVER, but
still parse and be able to react to
REQUEST packets.
Additionally add the attributes
to control deployment state and
permissible protocols.

We have now done IP_PKTINFO, but there is a potential TODO
if wanting to properly honor unicast request.
For now, will just do always-broadcast as the options to do unicast
are more complex to do (either construct the packets or inject neigh
entry manually).

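As an added example of the server-side behaviour the two commits above describe (discovery payload only on DISCOVER, REQUEST still parsed and answered, and every reply broadcast for now regardless of the client's flag), here is a minimal DHCP option parser and reply planner in Python. It is not the project's own code: the packets are constructed in `build_packet` rather than captured, and the `include_discovery` flag is a hypothetical stand-in for whatever the real server puts in its discovery data.

```python
import struct

DHCPDISCOVER, DHCPREQUEST = 1, 3          # option 53 values (RFC 2132)
BROADCAST_FLAG = 0x8000                   # BOOTP 'flags' broadcast bit
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes before the cookie


def build_packet(msg_type, xid=0x1234ABCD, mac=b"\x02\x00\x00\x00\x00\x01",
                 broadcast=True, extra_options=b""):
    """Constructed client packet for testing, not captured traffic."""
    flags = BROADCAST_FLAG if broadcast else 0
    header = struct.pack(BOOTP_HEADER, 1, 1, len(mac), 0, xid, 0, flags,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type]) + extra_options + b"\xff"
    return header + MAGIC_COOKIE + options


def parse_options(payload):
    """TLV walk over the options area; pad (0) is skipped, end (255) stops.
    Truncated options raise rather than being silently accepted."""
    options = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_dhcp(packet):
    """Return the fields a server needs to decide how to answer."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    if hlen > 16:
        raise ValueError("bad hlen")
    chaddr = packet[28:28 + hlen]           # chaddr starts after giaddr
    options = parse_options(packet[240:])
    mtype = options.get(53)
    if mtype is None or len(mtype) != 1:
        raise ValueError("missing DHCP message type")
    return {"op": op, "xid": xid, "client_broadcast": bool(flags & BROADCAST_FLAG),
            "chaddr": chaddr.hex(), "type": mtype[0], "options": options}


def plan_reply(packet):
    """Discovery data only on DISCOVER; REQUEST is still parsed and answered;
    the reply is always broadcast (the unicast path is not implemented)."""
    info = parse_dhcp(packet)
    plan = {"xid": info["xid"], "chaddr": info["chaddr"], "respond": False,
            "include_discovery": False, "broadcast": True}
    if info["type"] == DHCPDISCOVER:
        plan.update(respond=True, include_discovery=True)
    elif info["type"] == DHCPREQUEST:
        plan.update(respond=True)
    return plan


if __name__ == "__main__":
    print(plan_reply(build_packet(DHCPDISCOVER)))
    print(plan_reply(build_packet(DHCPREQUEST, broadcast=False)))
```

Note that `client_broadcast` is parsed but deliberately not used by `plan_reply`; honouring a unicast request properly is exactly the TODO the commit leaves open.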
Move from a clock based expiration to a simpler 'once' versus
'continuous' model. 'once' is intended to be used generally, 'continuous'
for stateless without benefit of TPM. The goal would be to use TPM
to seal a key to avoid continuous.

The password policy was incorrectly logging out in the
middle of the flow when a forced password change occurred.
Fix by externally managing the web session.

PrivateDevices breaks pam_unix, for some reason. Remove this
protection. We still have DevicePolicy closed and running as non-root,
so this should still be relatively safe.

If doing PAM authentication, we
can setuid to the target user and then
pam_unix will use unix_chkpwd on
our behalf.

Problems with this working in the lab
were resolved by a yum reinstall of pam,
so it was presumably due to messed up
setcap or similar experiments.

It's tricky. On Redhat platforms, we need the CAP_DAC_READ_SEARCH
capability. Unfortunately this is one of the nicest capabilities to have.
For now add it to ambient set so that PAM can work on redhat platforms.
Mitigate this risk by safeguarding the license handling code, which
is the only known place that can read a file and send it to somewhere.
If we could drop the capability from effective set and add it back in when
needed, that would be nice, but that appears not to be possible.
Short of that, having a separate authentication process
running and dropping privilege would potentially work.

For one, remove the password cache cleaning, as it no longer is run.
For another, skip the fork if uid is already 0.
Finally, wrap the check in a try/finally to keep the privileged process
more certain in exiting.