[Freeipa-devel] [PATCH 0062] Use delete/add for OTP counter/watermark updates

Nathaniel McCallum npmccallum at redhat.com
Thu Sep 18 17:59:34 UTC 2014


On Thu, 2014-09-18 at 14:00 +0200, Petr Vobornik wrote:
> On 15.9.2014 21:08, Nathaniel McCallum wrote:
> > On Thu, 2014-08-28 at 22:54 -0400, Nathaniel McCallum wrote:
> >> This prevents any local attempt at rapid token code replay. If two
> >> token codes hit the system at roughly the same moment, only the
> >> first write will succeed. All subsequent authentications will fail.
> >>
> >> This obviates the need for an OTP authentication lock.
> >>
> >> https://fedorahosted.org/freeipa/ticket/4493
> >
> > I still need a review of this. This is targeted for 4.1.
> >
> > Nathaniel
> >
> 
> 
> Works fine with HOTP but fails for new TOTP tokens.
> 
> New TOTP token doesn't have a watermark attribute set so there is 
> nothing to delete and therefore standard login procedure fails on 
> writeattr call (libotp.c:223).

I have fixed this by making ipatokenTOTPwatermark a required attribute
(MAY -> MUST). I did this in a separate patch (0066) because I thought
it was cleaner.

https://www.redhat.com/archives/freeipa-devel/2014-September/msg00386.html

There is no change to this patch, but it now depends on my patch 0066
(linked above).

Nathaniel
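An added illustration, not FreeIPA's libotp.c: a toy in-memory store whose modify applies the delete(old)/add(new) pair atomically, showing why a second submission of the same code fails and why a fresh TOTP token with no watermark fails at the delete step until the attribute is required. ipatokenTOTPwatermark comes from the thread; ipatokenHOTPcounter is FreeIPA's HOTP counter attribute (not named here); the class and function names are assumptions.

```python
# Added example (not FreeIPA code). Models the LDAP delete/add modify used
# for OTP counter/watermark updates; store/function names are hypothetical.
import threading

MOD_DELETE, MOD_ADD = "delete", "add"


class LdapLikeStore:
    """Entries map attr -> set of values. A modify is applied as a whole and
    is rejected if any delete names a value that is not present, which is
    the behaviour the delete/add pattern relies on."""

    def __init__(self, entries):
        self.entries = {dn: {a: set(v) for a, v in e.items()} for dn, e in entries.items()}
        self.lock = threading.Lock()  # stands in for the server's atomic modify

    def modify(self, dn, mods):
        with self.lock:
            entry = self.entries[dn]
            for op, attr, value in mods:
                if op == MOD_DELETE and value not in entry.get(attr, set()):
                    return False  # noSuchAttribute: old value already gone (or never set)
            for op, attr, value in mods:
                if op == MOD_DELETE:
                    entry[attr].discard(value)
                else:
                    entry.setdefault(attr, set()).add(value)
            return True


def otp_commit(store, dn, attr, old, new):
    """Consume a code: swap old counter/watermark for new in one modify."""
    return store.modify(dn, [(MOD_DELETE, attr, old), (MOD_ADD, attr, new)])


def demo_replay():
    # Constructed HOTP token at counter 5; two logins present the same code.
    store = LdapLikeStore({"hotp1": {"ipatokenHOTPcounter": {"5"}}})
    first = otp_commit(store, "hotp1", "ipatokenHOTPcounter", "5", "6")
    replay = otp_commit(store, "hotp1", "ipatokenHOTPcounter", "5", "6")
    return first, replay  # only the first write succeeds


def demo_fresh_totp(watermark_required):
    # Constructed new TOTP token: with the attribute MAY it is absent, so the
    # delete of the assumed initial value "0" has nothing to match.
    attrs = {"ipatokenTOTPwatermark": {"0"}} if watermark_required else {}
    store = LdapLikeStore({"totp1": attrs})
    return otp_commit(store, "totp1", "ipatokenTOTPwatermark", "0", "100")
```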