Your message dated Fri, 9 Oct 2015 10:50:01 +0200
with message-id 
<CAFnvKc0vjQ0BGbC=f+jrtpsjwj716ekgxxkmp9wg7hf5sos...@mail.gmail.com>
and subject line python-yubico-tools: yubikey-totp output depends on local time 
(timezone)
has caused the Debian Bug report #792665,
regarding python-yubico-tools: yubikey-totp output depends on local time 
(timezone)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
792665: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792665
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-yubico-tools
Version: 1.1.0-2
Severity: normal

Dear Maintainer,

when using TOTP (time based), the PIN output by yubikey-totp depends on the 
timezone the tool is running in:

kosh@cindy:~$ echo $TZ; yubikey-totp; TZ=UTC yubikey-totp; yubikey-totp
Europe/Berlin
050816
934513
050816

(the first and last should be the same as the one in the middle)

I think this is in violation of RFC6238.

I suspect the cause can be seen in the output of --help, as the tool clearly 
doesn't calculate "seconds since the epoch" correctly:

kosh@cindy:~$ echo $TZ; yubikey-totp --help; TZ=UTC yubikey-totp --help; 
yubikey-totp --help; date +%s
Europe/Berlin
usage: yubikey-totp [-h] [-v] [--debug] [--time TIME] [--step STEP]
                    [--digits DIGITS] [--slot SLOT]

Generate OATH TOTP codes using a YubiKey

optional arguments:
  -h, --help       show this help message and exit
  -v, --verbose    Enable verbose operation (default: False)
  --debug          Enable debug operation (default: False)
  --time TIME      Time to use as number of seconds since epoch (default:
                   1437119455)
  --step STEP      Time step in use (in seconds) (default: 30)
  --digits DIGITS  Length of OTP in decimal digits (default: 6)
  --slot SLOT      YubiKey slot configured for Challenge-Response (default: 2)
usage: yubikey-totp [-h] [-v] [--debug] [--time TIME] [--step STEP]
                    [--digits DIGITS] [--slot SLOT]

Generate OATH TOTP codes using a YubiKey

optional arguments:
  -h, --help       show this help message and exit
  -v, --verbose    Enable verbose operation (default: False)
  --debug          Enable debug operation (default: False)
  --time TIME      Time to use as number of seconds since epoch (default:
                   1437123055)
  --step STEP      Time step in use (in seconds) (default: 30)
  --digits DIGITS  Length of OTP in decimal digits (default: 6)
  --slot SLOT      YubiKey slot configured for Challenge-Response (default: 2)
usage: yubikey-totp [-h] [-v] [--debug] [--time TIME] [--step STEP]
                    [--digits DIGITS] [--slot SLOT]

Generate OATH TOTP codes using a YubiKey

optional arguments:
  -h, --help       show this help message and exit
  -v, --verbose    Enable verbose operation (default: False)
  --debug          Enable debug operation (default: False)
  --time TIME      Time to use as number of seconds since epoch (default:
                   1437119455)
  --step STEP      Time step in use (in seconds) (default: 30)
  --digits DIGITS  Length of OTP in decimal digits (default: 6)
  --slot SLOT      YubiKey slot configured for Challenge-Response (default: 2)
1437123055

The "default" for "number of seconds since epoch" in the description of the 
--time parameter clearly changes with TZ, which is wrong. Compare the output of 
"date +%s" which returns the same value "TZ=UTC yubikey-totp --help" returns.

The fix is rather trivial:

--- yubikey-totp.old    2012-06-08 14:21:39.000000000 +0200
+++ yubikey-totp        2015-07-17 11:06:39.265867405 +0200
@@ -41,7 +41,7 @@
 import argparse
 
 default_slot=2
-default_time=int(time.mktime(time.gmtime()))
+default_time=int(time.time())
 default_step=30
 default_digits=6
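Review bot: the changed `default_time` line needs a one-line comment saying why `time.time()` is used, since nothing here records that the removed `time.mktime(time.gmtime())` passed UTC fields to a function that reads them as local time, and the old idiom is easy to reintroduce. The default is also still computed once at module load, which suits a one-shot CLI but would go stale if this module were ever imported by a long-running process. A regression check that runs the tool under two different TZ values and compares the default shown by --help would keep this from coming back.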

Cheers,
Marc




-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable'), (255, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-yubico-tools depends on:
ii  libpython2.7-stdlib [python-argparse]  2.7.9-2
ii  python                                 2.7.9-1
ii  python-yubico                          1.1.0-2

python-yubico-tools recommends no packages.

python-yubico-tools suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: python-yubico
Source-Version: 1.2.3-1

This was fixed in upstream release 1.2.2 (released 2015-02-11).
See: 
https://github.com/Yubico/python-yubico/commit/eb44291928575ba0b0c4d982239985f232f3101d

--- End Message ---
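The skew reported above, reproduced as an added example (not code from python-yubico or from either message): it pins "now" to the `date +%s` value in the report and shows how the removed expression shifts the RFC 6238 time counter. Assumptions: a Unix system (`time.tzset`), a constructed fixed-offset zone `TST-1` (UTC+1), the RFC 6238 test secret, and software HMAC-SHA1 standing in for the YubiKey challenge-response.

```python
import hashlib
import hmac
import os
import struct
import time

SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real key
NOW = 1437123055                  # `date +%s` value quoted in the report
LOCAL_TZ = "TST-1"                # constructed POSIX TZ string: fixed UTC+1


def with_tz(tz, func, *args):
    """Call func under a temporary TZ setting (Unix only)."""
    old = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()
    try:
        return func(*args)
    finally:
        if old is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = old
        time.tzset()


def buggy_epoch(t):
    # The expression the patch removes, with "now" pinned to t: gmtime()
    # returns UTC fields, mktime() reads them as local time, so the local
    # UTC offset leaks into the result.
    return int(time.mktime(time.gmtime(t)))


def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, software stand-in for the YubiKey)."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def demo(step=30):
    skewed = with_tz(LOCAL_TZ, buggy_epoch, NOW)
    return {"skewed": skewed, "steps_off": (NOW - skewed) // step,
            "code_correct": totp(SECRET, NOW), "code_skewed": totp(SECRET, skewed)}


if __name__ == "__main__":
    print(demo())
```

A one-hour offset moves the counter by 120 steps, far outside any validation window a verifier would normally accept, which is why the code is rejected outright rather than merely arriving early or late.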
