[Freeipa-users] 4.1.4 and OTP

Janelle janellenicole80 at gmail.com
Mon May 18 12:59:51 UTC 2015


> On May 18, 2015, at 04:31, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> On 05/18/2015 01:49 AM, Janelle wrote:
>>> On 4/28/15 6:44 AM, Nathaniel McCallum wrote:
>>>> On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
>>>>> On 4/17/15 5:59 PM, Dmitri Pal wrote:
>>>>>> On 04/17/2015 08:07 PM, Janelle wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Apr 17, 2015, at 16:36, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>> 
>> <snip> for shorter thread....
>>>>>> Simple. And my test made it simple.
>>>>>> Stand up new vm running fc21/freeipa.
>>>>>> Configure user.
>>>>>> Add password.
>>>>>> Add token.
>>>>>> 
>>>>>> Login to the vm with the user created using password. Kerberos
>>>>>> ticket assigned, all is well.
>>>>>> 
>>>>>> Login to web interface with admin. Change user to OTP only.
>>>>>> Go to web UI and click sync OTP.
>>>>>> Enter username, password and 2 OTP sequences. Click sync. Error
>>>>>> appears.
>>>>>> 
>>>>>> Now, ssh to same vm using OTP username. Enter password + OTP
>>>>>> value.
>>>>>> Login successful.
>>>>> I can reproduce this issue with demo instance.
>>>>> I will file a bug later today.
>>>>> I think it is a bug with sync.
>>>>> Which token do you use time based or event based?
>>>> TOTP...
>>>> 
>>>> Hmm, makes me wonder - with HOTP fail the same? Off to try it.
>>> This should just affect TOTP. I have posted a patch that should fix
>>> this problem. Are you able to test it?
>>> 
>>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html
>>> 
>>> 
>> Sorry - I just got around to testing this and it does resolve the problem -
>> HOWEVER, you took away the ability to "Name" the tokens? They are now
>> "assigned" unique IDs??
>> 
>> Was this intentional?
> 
> It was, we track this (half-done) change in this ticket:
> https://fedorahosted.org/freeipa/ticket/4456
> 
> The main problem here is that user token names share the same name space and we
> thus do not want to create completely arbitrary names as they would collide.
> 
> Applications like FreeOTP allow users to set own labels, so this is IMO the way
> how to add friendly names to the OTP tokens.
> 
> Martin
> 

Makes sense, my only concern is syncing tokens.  Once you add a second token and want to sync it you have to give it a token ID, otherwise it does not know which to sync. In the past if you named it, that was easy, but it does not seem to take description field as a token name. Guess I need to tell my users it is cut/paste time, or is there another option perhaps?

Also, I was wondering, looking for a way to use both FreeOTP and yubikey and wondering if anyone has tried this and possible caveats?

Janelle
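The sync step discussed in the thread (the user enters two consecutive OTP values so the server can locate the token's counter or clock offset) works in outline as follows. This is an added example, not FreeIPA's or FreeOTP's own code; the functions, window sizes and the sample secret (the RFC 4226/6238 test key) are assumptions made for illustration.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed sample input: the shared-secret test key from RFC 4226 / RFC 6238.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, now // step, digits)


def resync_totp(secret: bytes, otp1: str, otp2: str, now: int,
                window: int = 10, step: int = 30) -> Optional[int]:
    """Find the clock offset (in steps) of a drifted TOTP token from two consecutive codes.

    Returns the step offset k such that the token's clock is now + k*step, or None
    if no offset within +/- window produces both codes in order. Requiring two
    consecutive codes makes an accidental single-code match much less likely.
    """
    base = now // step
    for k in range(-window, window + 1):
        if hotp(secret, base + k) == otp1 and hotp(secret, base + k + 1) == otp2:
            return k
    return None


def resync_hotp(secret: bytes, otp1: str, otp2: str, counter: int,
                window: int = 20) -> Optional[int]:
    """Find the next expected counter of an HOTP token that has run ahead of the server.

    Searches forward only (a counter never moves backwards) and returns the counter
    the server should store after a successful resync, or None if nothing matched.
    """
    for c in range(counter, counter + window):
        if hotp(secret, c) == otp1 and hotp(secret, c + 1) == otp2:
            return c + 2
    return None
```

A server that resyncs a TOTP token stores the returned offset and applies it on every later verification; for HOTP it simply advances the stored counter.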
