[Freeipa-devel] [PATCH 0062] Use delete/add for OTP counter/watermark updates
Nathaniel McCallum
npmccallum at redhat.com
Fri Sep 19 17:41:17 UTC 2014
On Thu, 2014-09-18 at 14:20 -0400, Simo Sorce wrote:
> On Thu, 18 Sep 2014 13:59:34 -0400
> Nathaniel McCallum <npmccallum at redhat.com> wrote:
>
> > On Thu, 2014-09-18 at 14:00 +0200, Petr Vobornik wrote:
> > > On 15.9.2014 21:08, Nathaniel McCallum wrote:
> > > > On Thu, 2014-08-28 at 22:54 -0400, Nathaniel McCallum wrote:
> > > >> This prevents any local attempt at rapid token code replay. If
> > > >> two token codes hit the system at roughly the same moment, only
> > > >> the first write will succeed. All subsequent authentications
> > > >> will fail.
> > > >>
> > > >> This obviates the need for an OTP authentication lock.
> > > >>
> > > >> https://fedorahosted.org/freeipa/ticket/4493
> > > >
> > > > I still need a review of this. This is targeted for 4.1.
> > > >
> > > > Nathaniel
> > > >
> > >
> > >
> > > Works fine with HTOP but fails for new TOTP tokens.
> > >
> > > New TOTP token doesn't have a watermark attribute set so there is
> > > nothing to delete and therefore standard login procedure fails on
> > > writeattr call (libotp.c:223).
> >
> > I have fixed this by making ipatokenTOTPwatermark a required attribute
> > (MAY -> MUST). I did this in a separate patch (0066) because I thought
> > it was cleaner.
>
> This can easily break stuff, and is not allowed, sorry you need to find
> a way that will not cause objects, even temporarily to be incomplete.
>
> (think of a replica getting the new schema while an older one pushes
> the object via replication)
I rescind this patch. It is no longer necessary.
More information about the Freeipa-devel
mailing list