[Freeipa-devel] [PATCH 0062] Use delete/add for OTP counter/watermark updates

Simo Sorce simo at redhat.com
Thu Sep 18 18:20:14 UTC 2014


On Thu, 18 Sep 2014 13:59:34 -0400
Nathaniel McCallum <npmccallum at redhat.com> wrote:

> On Thu, 2014-09-18 at 14:00 +0200, Petr Vobornik wrote:
> > On 15.9.2014 21:08, Nathaniel McCallum wrote:
> > > On Thu, 2014-08-28 at 22:54 -0400, Nathaniel McCallum wrote:
> > >> This prevents any local attempt at rapid token code replay. If
> > >> two token codes hit the system at roughly the same moment, only
> > >> the first write will succeed. All subsequent authentications
> > >> will fail.
> > >>
> > >> This obviates the need for an OTP authentication lock.
> > >>
> > >> https://fedorahosted.org/freeipa/ticket/4493
> > >
> > > I still need a review of this. This is targeted for 4.1.
> > >
> > > Nathaniel
> > >
> > 
> > 
> > Works fine with HOTP but fails for new TOTP tokens.
> > 
> > A new TOTP token doesn't have a watermark attribute set, so there is 
> > nothing to delete, and therefore the standard login procedure fails on 
> > the writeattr call (libotp.c:223).
> 
> I have fixed this by making ipatokenTOTPwatermark a required attribute
> (MAY -> MUST). I did this in a separate patch (0066) because I thought
> it was cleaner.

This can easily break stuff and is not allowed; sorry, you need to find
a way that will not cause objects, even temporarily, to be incomplete.

(think of a replica getting the new schema while an older one pushes
the object via replication)

Simo.

> https://www.redhat.com/archives/freeipa-devel/2014-September/msg00386.html
> 
> There is no change to this patch, but it now depends on my patch 0066
> (linked above).
> 
> Nathaniel
> 



-- 
Simo Sorce * Red Hat, Inc * New York
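Added example, not code from FreeIPA or libotp.c: an in-memory stand-in for an LDAP server (the Directory class and helper names are constructed for this illustration) that applies a modify carrying "delete old value" plus "add new value" as one unit, which is what makes the watermark update a compare-and-swap. Concurrent submissions of the same code get exactly one success, and a fresh token with no watermark attribute fails on the delete, the case Petr reports.

```python
import threading

class NoSuchAttribute(Exception):
    """Stands in for LDAP noSuchAttribute: deleting a value that is not present."""
class Directory:
    """Hypothetical in-memory stand-in for an LDAP server (constructed for this example)."""
    def __init__(self):
        self._entries = {}
        self._lock = threading.Lock()  # a server applies one modify to an entry at a time
    def add_entry(self, dn, attrs):
        self._entries[dn] = {k: set(v) for k, v in attrs.items()}

    def modify(self, dn, mods):
        """Apply [(op, attr, value), ...] as one unit: if any delete fails, nothing changes."""
        with self._lock:
            staged = {k: set(v) for k, v in self._entries[dn].items()}
            for op, attr, value in mods:
                values = staged.setdefault(attr, set())
                if op == "delete":
                    if value not in values:
                        raise NoSuchAttribute(f"{attr}: {value!r} not present")
                    values.remove(value)
                elif op == "add":
                    values.add(value)
            self._entries[dn] = staged

    def get(self, dn, attr):
        return self._entries[dn].get(attr, set())

def advance_watermark(d, dn, old, new):
    """Commit the new TOTP watermark only if the stored one still equals `old`."""
    try:
        d.modify(dn, [("delete", "ipatokenTOTPwatermark", old),
                      ("add", "ipatokenTOTPwatermark", new)])
        return True
    except NoSuchAttribute:
        return False  # another attempt already consumed this code, or no watermark is set

def replay_race(d, dn, old, new, attempts=5):
    """Submit the same code `attempts` times concurrently; return how many were accepted."""
    results = []
    workers = [threading.Thread(target=lambda: results.append(advance_watermark(d, dn, old, new)))
               for _ in range(attempts)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return sum(results)
```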