On 29/11/16 12:57, Callum Guy wrote:
Hi Alexander,
I can confirm that I am using version 4.2.0.
The bug link provided mentions that it caused GA to fail to scan the codes.
In my situation it is FreeIPA (or related service) which appears to fail to
validate codes generated, meaning that only OTP codes generated using sha1
are validated and accepted.
Just for clarity I can confirm that I have only tested OTP codes generated
and configured via the FreeIPA web interface. I will check the command line
generation and let you know if this makes a difference.
Best Regards,
Callum
Hello Callum,
I've tried it with FreeIPA 4.3.2 (stock Fedora 24) and FreeOTP. I've
generated 3 OTPs (with sha256, sha384 and sha512) for tuser in the WebUI
and was then able to login into WebUI without problems.
$ ipa otptoken-find --owner tuser --all
--------------------
3 OTP tokens matched
--------------------
dn:
ipatokenuniqueid=3c899764-7abf-459d-bf2b-7ba4af978a8b,cn=otp,dc=dom-058-216,dc=example,dc=com
Unique ID: 3c899764-7abf-459d-bf2b-7ba4af978a8b
Type: TOTP
Owner: tuser
Key: U5XDN0BYc9KbvG1iYuVPuVHB448=
Algorithm: sha256
Digits: 6
Clock offset: 0
Clock interval: 30
ipatokentotpwatermark: 49349880
objectclass: top, ipatokentotp, ipatoken
dn:
ipatokenuniqueid=40ad189b-7b7c-44b9-8450-b3eb78057ef6,cn=otp,dc=dom-058-216,dc=example,dc=com
Unique ID: 40ad189b-7b7c-44b9-8450-b3eb78057ef6
Type: TOTP
Owner: tuser
Key: C79y2W+I0z429eRzsRP7qdpROaI=
Algorithm: sha512
Digits: 6
Clock offset: 0
Clock interval: 30
ipatokentotpwatermark: 49349882
objectclass: top, ipatokentotp, ipatoken
dn:
ipatokenuniqueid=baf6d329-61ad-46f1-beca-6ddb55ba9bb4,cn=otp,dc=dom-058-216,dc=example,dc=com
Unique ID: baf6d329-61ad-46f1-beca-6ddb55ba9bb4
Type: TOTP
Owner: tuser
Key: 2hxrsJjQ6e+3qzVPZremtsB/NCg=
Algorithm: sha384
Digits: 6
Clock offset: 0
Clock interval: 30
ipatokentotpwatermark: 49349881
objectclass: top, ipatokentotp, ipatoken
On Tue, Nov 29, 2016 at 11:51 AM Alexander Bokovoy <aboko...@redhat.com>
wrote:
On ti, 29 marras 2016, Callum Guy wrote:
Hi Petr,
Thanks for coming back to me on this.
I have only tried using Google Authenticator. The generated QR code
successfully scans and codes are then generated on the GA device as
normal.
The problem is that the codes simply do not work.
My current thinking is that the service which interprets the codes
server-side is not configured to use the same algorithm meaning that it is
trying to validate sha256/sha512 (both tested and not functional for me)
etc codes against codes perhaps generated with sha1 (the only algorithm
that appears to work).
I apologise in advance for my naive interpretation of the situation, this
really isn't an area where i have experience. I'd love to understand whats
going on however I can't find what i need in the OTP documentation.
Which IPA version we are talking about? There was a case when the URI
generated by 'ipa otptoken-add' was using a wrong case in the algorithm
value and this was breaking Google Authenticator.
https://fedorahosted.org/freeipa/ticket/5047
This bug was fixed since 4.1.5 release.
Best Regards,
Callum
On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik <pvobo...@redhat.com>
wrote:
On 11/28/2016 01:03 PM, Callum Guy wrote:
Hi All,
I wanted to ask a quick question - perhaps a more experienced user
will
be able
to help or point me to the correct documentation.
Basically we have implemented password+OTP type authentication which
works great.
When adding a OTP code using the admin login you can choose an
algorithm. For us
the generated codes only work properly if the weakest sha1 algorithm
is
chosen/
To be clear the code generation works fine but the codes are not valid
when
logging in. Is there a related setting we must change?
Thanks,
Callum
What type of otp token do you use? Does it work with some different?
E.g. FreeOTP vs Google Authenticator ...
--
Petr Vobornik
--
*0333 332 0000 | www.x-on.co.uk <http://www.x-on.co.uk> | **
<https://twitter.com/xonuk>
<http://www.linkedin.com/company/x-on/products>
<https://www.facebook.com/XonTel> *
X-on is a trading name of Storacall Technology Ltd a limited company
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the
addressee(s) only. If you are not the intended recipient, please notify
X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
delete the
message from your computer. If you are not a named addressee you must not
use, disclose, disseminate, distribute, copy, print or reply to this
email. Views
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its
associated companies. Although X-on routinely screens for viruses,
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of
viruses in this email or any attachments.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
--
David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
