On 05/13/2016 05:24 PM, Thomas Heil wrote:
> Hi,
>
> On 13.05.2016 16:12, Petr Spacek wrote:
>> On 13.5.2016 15:25, Thomas Heil wrote:
>>> Hi,
>>>
>>> I would like to reduce the vector of brute force attacks in my web
>>> application written in PHP. Users can log in via password and OTP, which
>>> are hosted on FreeIPA.
>>>
>>> To achieve this I would like to check the OTP first, so no password auth
>>> is done on the FreeIPA server and no user can be locked out.
>>>
>>> If the OTP is correct, the user is then allowed to log in via password+OTP.
>>>
>>> Unfortunately, there is no API method that can check only the OTP for a
>>> user with an identity.
>>>
>>> Would it be possible to expose such a new method?
>>
>> This would open a new attack vector, so it is a bad idea.
>>
>> An attacker must not be able to distinguish the case where the password OR the OTP is
>> correct/wrong. If you allow this, the attacker will be able to crack the OTP
>> first and then continue with the password, so you are making it easier.
>
> Okay, you are right with that. Sorry.
>
> My intention is to avoid being vulnerable to brute force attacks. I
> have a trust with an Active Directory and want to avoid that the user on
> the AD side is locked if the OTP is wrong.
>
> Is this possible?
Not at the moment. We have an RFE filed, but we cannot augment AD user authentication with OTP yet: https://fedorahosted.org/freeipa/ticket/4876

Martin
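To make the point in Petr's reply concrete, here is an added Python example that is not code from the thread, from FreeIPA or from the PHP application being discussed. It contrasts the "check the OTP first" design the question asks for with a combined check that yields a single bit. The user record, the `verify_split` and `verify_combined` functions and the PBKDF2 parameters are assumptions for the demo; the OTP key is the RFC 4226 test key and the salt is a fixed constructed value, so the values can be reproduced offline.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the thread): the RFC 4226 test key and a fixed salt.
DEMO_OTP_KEY = b"12345678901234567890"
DEMO_SALT = b"fixed-salt-for-demo"
STEP = 30     # TOTP time step in seconds
DIGITS = 6    # OTP length


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is a demo assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, otp_key: bytes, salt: bytes = DEMO_SALT) -> dict:
    """Hypothetical user record; a real deployment keeps this in the directory, not here."""
    return {"salt": salt, "pw_hash": password_hash(password, salt), "otp_key": otp_key}


def verify_split(user: dict, password: str, otp: str, now: int) -> str:
    """The design asked for in the thread, which Petr warns against: the result
    reveals which factor failed, so the 6-digit OTP space can be searched on its
    own, and the password only has to be guessed once the OTP is known."""
    if not hmac.compare_digest(totp(user["otp_key"], now), otp):
        return "bad_otp"
    if not hmac.compare_digest(password_hash(password, user["salt"]), user["pw_hash"]):
        return "bad_password"
    return "ok"


def verify_combined(user: dict, password: str, otp: str, now: int) -> bool:
    """Single-bit outcome: both factors are always evaluated (no early return)
    and the results are joined with a bitwise AND, so neither the return value
    nor an early exit tells the caller whether the password or the OTP was wrong."""
    pw_ok = hmac.compare_digest(password_hash(password, user["salt"]), user["pw_hash"])
    otp_ok = False
    for window in (-1, 0, 1):  # tolerate one time step of clock skew either way
        otp_ok |= hmac.compare_digest(totp(user["otp_key"], now + window * STEP), otp)
    return bool(pw_ok & otp_ok)


if __name__ == "__main__":
    user = make_user("correct horse battery", DEMO_OTP_KEY)
    # At Unix time 59 the RFC 4226 key yields counter 1 and the code 287082.
    print(verify_split(user, "wrong", "000000", 59))            # bad_otp
    print(verify_split(user, "wrong", "287082", 59))            # bad_password
    print(verify_combined(user, "wrong", "287082", 59))         # False
    print(verify_combined(user, "correct horse battery", "287082", 59))  # True
```

With `verify_split`, every failed attempt tells the attacker which factor to keep guessing; with `verify_combined`, a failure is just a failure, and each guess has to be correct in both the password and the OTP at once. The lockout concern in the follow-up question is a separate matter of where the password is verified and is not changed by this.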