[Freeipa-users] 4.1.4 and OTP

Martin Kosek mkosek at redhat.com
Mon May 18 09:31:28 UTC 2015


On 05/18/2015 01:49 AM, Janelle wrote:
> On 4/28/15 6:44 AM, Nathaniel McCallum wrote:
>> On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
>>> On 4/17/15 5:59 PM, Dmitri Pal wrote:
>>>> On 04/17/2015 08:07 PM, Janelle wrote:
>>>>>
>>>>>
>>>>>
>>>>> On Apr 17, 2015, at 16:36, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>
> <snip> for shorter thread....
>>>>> Simple. And my test made it simple.
>>>>> Stand up new vm running fc21/freeipa.
>>>>> Configure user.
>>>>> Add password.
>>>>> Add token.
>>>>>
>>>>> Login to the vm with the user created using password. Kerberos
>>>>> ticket assigned, all is well.
>>>>>
>>>>> Login to web interface with admin. Change user to OTP only.
>>>>> Go to web UI and click sync OTP.
>>>>> Enter username, password and 2 OTP sequences. Click sync. Error
>>>>> appears.
>>>>>
>>>>> Now, ssh to same vm using OTP username. Enter password + OTP
>>>>> value.
>>>>> Login successful.
>>>> I can reproduce this issue with demo instance.
>>>> I will file a bug later today.
>>>> I think it is a bug with sync.
>>>> Which token do you use time based or event based?
>>> TOTP...
>>>
>>> Hmm, makes me wonder - will HOTP fail the same? Off to try it.
>> This should just affect TOTP. I have posted a patch that should fix
>> this problem. Are you able to test it?
>>
>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html
>>
>>
> Sorry - I just got around to testing this and it does resolve the problem -
> HOWEVER, you took away the ability to "Name" the tokens? They are now
> "assigned" unique IDs??
> 
> Was this intentional?

It was, we track this (half-done) change in this ticket:
https://fedorahosted.org/freeipa/ticket/4456

The main problem here is that user token names share the same name space and we
thus do not want to create completely arbitrary names as they would collide.

Applications like FreeOTP allow users to set their own labels, so this is IMO the way
to add friendly names to the OTP tokens.

Martin
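The thread above walks through the "sync OTP" step (username, password, two consecutive codes) and notes that the sync bug was TOTP-specific. As an added example that is not part of this thread or of FreeIPA's own code, here is a minimal RFC 4226/6238 implementation showing why the two resync paths differ: a time-based sync searches for a clock offset in both directions, while an event-based sync only scans the counter forward. The key (the RFC 4226 test-vector key), timestamps and drift are constructed values.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, offset_steps: int = 0) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter, shifted by a known clock offset."""
    return hotp(key, unix_time // step + offset_steps, digits)

def sync_totp(key: bytes, code1: str, code2: str, now: int, step: int = 30,
              window: int = 20, digits: int = 6):
    """Time-based resync: find the token clock offset (in steps) at which code1 and
    code2 are consecutive, searching +/- window steps around `now`. Two codes are
    required so that a single 6-digit match cannot be a coincidence."""
    base = now // step
    for off in range(-window, window + 1):
        if (hotp(key, base + off, digits) == code1
                and hotp(key, base + off + 1, digits) == code2):
            return off  # the server stores this offset (never the codes) for the token
    return None

def sync_hotp(key: bytes, code1: str, code2: str, counter: int, window: int = 100, digits: int = 6):
    """Event-based resync: scan forward only, since a counter can be skipped but never rewound."""
    for c in range(counter, counter + window):
        if hotp(key, c, digits) == code1 and hotp(key, c + 1, digits) == code2:
            return c + 2  # next counter value the server should expect
    return None

# Constructed demo: a token whose clock runs 5 steps (2.5 min) ahead of the server.
DEMO_KEY = b"12345678901234567890"  # RFC 4226 test-vector key, not a real secret
SERVER_NOW = 1_700_000_000
TOKEN_DRIFT_STEPS = 5

def demo_sync() -> int:
    token_now = SERVER_NOW + TOKEN_DRIFT_STEPS * 30
    first = totp(DEMO_KEY, token_now)          # first code typed into the sync form
    second = totp(DEMO_KEY, token_now + 30)    # second, consecutive code
    drift = sync_totp(DEMO_KEY, first, second, SERVER_NOW)
    # After sync the server applies the stored offset, so the token's next code verifies.
    assert totp(DEMO_KEY, token_now + 60) == totp(DEMO_KEY, SERVER_NOW + 60, offset_steps=drift)
    return drift

if __name__ == "__main__":
    print("recovered drift (steps):", demo_sync())
```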
