On Sun, 17 Dec 2023, Jeff Kirkley via FreeIPA-users wrote:
Hello,

 Very new to freeipa but find it to be very powerful and very capable.
 I have been using Keycloak for some time now and am interested in
 using FreeIPA as an OTP password provider (if possible).

 I am running FreeIPA 4.10.2 and am having problems with a
 plain/regular user creating an OTP token from the GUI and the created
 token is based as SHA1.  I would like for it to be either SHA256 or
 SHA512.  I have spent many hours scouring the web and am unable to
 find where this is a user-selectable option under the user's login.
 I am also unable to find it in any of the settings while logged in as
 admin.  I did make a change to:

/usr/share/ipa/ui/js/freeipa/app.js

and changed the default to sha512 and if I were to login as admin and
create a new token for a user (testuser), I do have a GUI ability to
choose the strength of the OTP token.  However, this is not presented
to a normal user (belonging to only ipausers group).

How do I change/enable this ability for a plain user to login to
freeipa server, create an OTP token and change the hash strength?

https://pagure.io/freeipa/issue/6430 covers our state. There is also a
helpful table in the link
https://gist.github.com/gwelch-contegix/afa52c7b45693a19c198ab0bfb886fe2
about the state of authenticators that support (or rather not) other OTP
algorithms. Until that state changes, making a different default is
counter-productive as in most cases people will have to handle an
increasing amount of end user complaints about them not being able to
use a new OTP token in their software.

There is currently no plan to change existing FreeIPA Web UI to add that
default. You can already choose OTP algorithm when creating a token
from IPA CLI/API. New Web UI which hopefully will be put in production
next year will have ability to select the OTP algorithm.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
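
The compatibility problem described in the reply, as an added example that is not part of the original thread: an RFC 6238 TOTP routine checked against the RFC's published test vectors, plus a model of an authenticator app that either honours or ignores the `algorithm=` parameter of an `otpauth://` URI. The URI, account name and the `honor_algorithm` switch are constructed for illustration; the seeds are the RFC 6238 Appendix B test seeds.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs


def totp(key: bytes, unix_time: int, algo: str = "sha1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the time-step counter."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation uses the last nibble
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_from_uri(uri: str, unix_time: int, honor_algorithm: bool = True) -> str:
    """Compute the code an authenticator app would show for an otpauth:// URI.

    honor_algorithm=False (hypothetical switch) models an app that silently
    ignores algorithm= and falls back to SHA-1.
    """
    params = parse_qs(urlparse(uri).query)
    secret = params["secret"][0]
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    algo = params.get("algorithm", ["SHA1"])[0].lower() if honor_algorithm else "sha1"
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return totp(key, unix_time, algo, digits, period)


# Constructed sample URI for a SHA-512 token (RFC 6238 64-byte test seed).
SEED_SHA512 = (b"1234567890" * 7)[:64]
SAMPLE_URI = (
    "otpauth://totp/testuser@EXAMPLE.TEST?secret="
    + base64.b32encode(SEED_SHA512).decode().rstrip("=")
    + "&algorithm=SHA512&digits=8&period=30"
)

if __name__ == "__main__":
    t = 59  # first timestamp in the RFC 6238 test table
    print("server expects (SHA-512):    ", code_from_uri(SAMPLE_URI, t))
    print("app ignoring algorithm shows:", code_from_uri(SAMPLE_URI, t, False))
```

The two printed codes differ, and nothing on the client side reports an error: the user simply sees logins rejected.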