On Fri, 2014-06-27 at 19:19 +0200, Petr Vobornik wrote:
> On 27.6.2014 19:00, Simo Sorce wrote:
> > On Fri, 2014-06-27 at 19:55 +0300, Alexander Bokovoy wrote:
> >> On Fri, 27 Jun 2014, Martin Kosek wrote:
> >>> Hello team,
> >>>
> >>> As we are about to very soon release FreeIPA 4.0, I triaged all the
> >>> pending tickets and divided them into the following milestones:
> >>>
> >>> 1) FreeIPA 4.0 GA - last work that is required for the release. When this
> >>> milestone is completed, we will release. All tickets in this milestone
> >>> are thus the top priority for people working on 4.0 - this applies both
> >>> for development and for reviews.
> >> Endi found that with TOTP we don't yet enforce a requirement to prevent
> >> reuse of an OTP code multiple times within the same time step (you are able
> >> to log in with TOTP and reuse it for password change within 30 seconds,
> >> for example). RFC3268 part 5.2 clearly says that the verifier MUST NOT
> >> allow this behavior.
> >>
> >> I'll look into this case on Monday but so far this is a release blocker.
> >
> > This is a well-known limitation.
> >
> > The reason we allow for it is due to performance issues with replication
> > if we did so; we do not have a good way to mark used values in a
> > distributed fashion.
> >
> > It's for the same reason that we have not implemented HOTP yet.
>
> Not entirely true:
> http://www.redhat.com/archives/freeipa-devel/2014-January/msg00069.html
I should probably have said we have not implemented it *for* HOTP.

That said, using HOTP is not really something I would recommend at this
point, as each authentication will cause a replication event to be fired.
That is probably ok if you have very few users/authentications, but in
large domains it would quickly be problematic.

Responding to Alexander, yes, we need to document that we have this
limitation.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel