[Freeipa-devel] [PATCH 0068] Move OTP synchronization step to after counter writeback

thierry bordaz tbordaz at redhat.com
Thu Sep 25 13:15:20 UTC 2014


On 09/19/2014 07:53 PM, Nathaniel McCallum wrote:
> This prevents synchronization when an authentication collision occurs.
>
> https://fedorahosted.org/freeipa/ticket/4493
>
> NOTE: this patch is related to the above ticket, but does not solve it.
> For the solution, please see patch 0064. This behavior fix is from patch
> 0062 (rescinded) and is worth keeping.
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
Hello Nathaniel,

    My understanding is that during a pre_bind, the plugin validates
    token codes (for example "HOTP"), checking the step range [-25..+25].
    As soon as the token is valid, the new HOTPcounter is written in the
    entry.
    But in case of negative steps, I believe the otp-decrement plugin
    will reject this update.

    If TOTPwatermark is updated and there is a second token code, then
    clockOffset is also updated.
    This update is done during a pre_bind, so if there are parallel
    binds on the server, there is a possibility that TOTPwatermark is
    updated from one bind and 'clockOffset' updated from another bind.
    An option is to do a single internal modify to update both.

    thanks
    thierry
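The two behaviours discussed in this thread, an HOTP window check whose counter writeback rejects replays, and a TOTP check that must update the watermark and the clock offset in one modify rather than two, as an added worked model. This is example code written for this page; it is not the FreeIPA/389-ds OTP plugin (which is C) and makes no claim about how that plugin searches steps. Assumptions: the RFC 4226 test-vector key is used as a constructed secret; the attribute names HOTPcounter, TOTPwatermark and clockOffset and the 25-step window mirror the message; a compare-and-set dictionary stands in for the "single internal modify"; and the HOTP search here runs only forward from the stored counter.

```python
import hashlib
import hmac
import struct
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed sample secret: the RFC 4226 test-vector key, not a real token.
SAMPLE_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


class TokenEntry:
    """Stand-in for the token LDAP entry (assumption for this example).
    cas_modify emulates one internal modify that is applied only if the entry
    is still in the state the bind read, so two parallel binds presenting the
    same code cannot both succeed, and watermark and offset move together."""

    def __init__(self, key: bytes):
        self.key = key
        self.state = {"HOTPcounter": 0, "TOTPwatermark": -1, "clockOffset": 0}
        self._lock = threading.Lock()

    def snapshot(self) -> dict:
        with self._lock:
            return dict(self.state)

    def cas_modify(self, expected: dict, new_values: dict) -> bool:
        with self._lock:
            if any(self.state[k] != v for k, v in expected.items()):
                return False  # another bind already changed the entry
            self.state.update(new_values)
            return True


def verify_hotp(entry: TokenEntry, code: int, window: int = 25) -> bool:
    """Accept a code at counters c..c+window, then write back match+1.
    A code from a counter below the stored one (a replay) never matches,
    and a lost compare-and-set means a parallel bind consumed the code."""
    seen = entry.snapshot()
    base = seen["HOTPcounter"]
    for step in range(window + 1):
        if hotp(entry.key, base + step) == code:
            return entry.cas_modify({"HOTPcounter": base},
                                    {"HOTPcounter": base + step + 1})
    return False


def verify_totp(entry: TokenEntry, code: int, now: int,
                period: int = 30, window: int = 25) -> bool:
    """Search steps nearest to the expected one first; on success write the
    new watermark and the re-measured clockOffset in ONE modify."""
    seen = entry.snapshot()
    expected = (now + seen["clockOffset"]) // period
    for delta in sorted(range(-window, window + 1), key=abs):
        step = expected + delta
        if step <= seen["TOTPwatermark"]:
            continue  # at or before the last accepted step: treat as replay
        if hotp(entry.key, step) == code:
            return entry.cas_modify(
                {"TOTPwatermark": seen["TOTPwatermark"],
                 "clockOffset": seen["clockOffset"]},
                {"TOTPwatermark": step,
                 "clockOffset": seen["clockOffset"] + delta * period})
    return False


def parallel_binds(entry: TokenEntry, code: int, n: int = 8) -> int:
    """Simulate n concurrent pre_bind checks presenting the same HOTP code;
    returns how many of them were accepted (exactly one should be)."""
    with ThreadPoolExecutor(max_workers=n) as pool:
        return sum(pool.map(lambda _: verify_hotp(entry, code), range(n)))


if __name__ == "__main__":
    e = TokenEntry(SAMPLE_KEY)
    print("first use of counter 2:", verify_hotp(e, hotp(SAMPLE_KEY, 2)))
    print("replay of counter 2:   ", verify_hotp(e, hotp(SAMPLE_KEY, 2)))
    print("parallel binds accepted:", parallel_binds(TokenEntry(SAMPLE_KEY),
                                                     hotp(SAMPLE_KEY, 0)))
```

The point of the compare-and-set in `verify_totp` is the one Thierry raises: if the watermark and the clock offset were written by two separate modifies, a second bind interleaving between them could leave the entry with a watermark from one bind and an offset from the other; bundling both into one conditional write makes the pair move atomically or not at all.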



