On Fri, 2014-06-27 at 19:55 +0300, Alexander Bokovoy wrote:
> On Fri, 27 Jun 2014, Martin Kosek wrote:
> >Hello team,
> >
> >As we are about to very soon release FreeIPA 4.0, I triaged all the pending
> >tickets and divided them into the following milestones:
> >
> >1) FreeIPA 4.0 GA - last work that is required for the release. When this
> >milestone is completed, we will release. All tickets in this milestone are thus
> >the top priority for people working on 4.0 - this applies both for development
> >and for reviews.
> Endi found that with TOTP we don't yet enforce a requirement to prevent
> reuse of an OTP code multiple times within the same time step (you are able
> to log in with TOTP and reuse it for a password change within 30 seconds,
> for example). RFC3268 part 5.2 clearly says that the verifier MUST NOT
> allow this behavior.
> 
> I'll look into this case on Monday but so far this is a release blocker.

This is a well known limitation.

The reason we allow it is performance issues with replication if we did
so; we do not have a good way to mark used values in a distributed
fashion.

It's for the same reason that we have not implemented HOTP yet.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
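For readers who want to see what the one-time-use rule in the thread above looks like in code, here is an added example (not FreeIPA code, and not from anyone in this thread) of an RFC 6238 TOTP verifier that records the last accepted time-step counter per user and refuses any code at or before that counter. The `TotpVerifier` class, its `last_accepted_counter` field and the single-process state are assumptions for illustration; the high-water-mark approach is stricter than the RFC's "reject the second attempt in the same step" minimum, and it is exactly the per-user write on every successful login that the reply identifies as the replication cost in a distributed directory. The test vectors are the published ones from RFC 4226 and RFC 6238 (secret `12345678901234567890`, HMAC-SHA1).

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Per-user verifier state (assumption: one process, in-memory state).

    last_accepted_counter is the value a replicated deployment would have to
    persist on every successful authentication so that every replica rejects
    a replayed code; that write is the cost the thread discusses.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window            # accept +/- this many steps of clock skew
        self.last_accepted_counter = -1  # high-water mark of consumed time steps

    def verify(self, code: str, now: int) -> bool:
        """Return True once per time step at most; replays and older steps are rejected."""
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            # Any step at or before the last accepted one is already consumed.
            if candidate <= self.last_accepted_counter:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: first use succeeds, reuse inside the same 30 s step fails.
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret, digits=8)
    code = totp(secret, 59, digits=8)
    print("first use:", verifier.verify(code, 59))    # True
    print("replay at +1 s:", verifier.verify(code, 60))  # False
```

The `window` parameter is the usual skew allowance; note that the replay check is applied to every candidate step inside the window, not only to the current one, otherwise a code accepted for step N could be presented again as the "previous step" candidate one step later.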