[Freeipa-users] 4.1.4 and OTP

Nathaniel McCallum npmccallum at redhat.com
Mon May 18 13:46:21 UTC 2015


On Mon, 2015-05-18 at 07:59 -0500, Janelle wrote:
> > 
> > On May 18, 2015, at 04:31, Martin Kosek <mkosek at redhat.com> wrote:
> > 
> > > On 05/18/2015 01:49 AM, Janelle wrote:
> > > > On 4/28/15 6:44 AM, Nathaniel McCallum wrote:
> > > > > On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
> > > > > > On 4/17/15 5:59 PM, Dmitri Pal wrote:
> > > > > > > On 04/17/2015 08:07 PM, Janelle wrote:
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > On Apr 17, 2015, at 16:36, Dmitri Pal <dpal at redhat.com> 
> > > > > > > wrote:
> > > > > > > 
> > > <snip> for shorter thread....
> > > > > > > Simple. And my test made it simple.
> > > > > > > Stand up new vm running fc21/freeipa.
> > > > > > > Configure user.
> > > > > > > Add password.
> > > > > > > Add token.
> > > > > > > 
> > > > > > > Login to the vm with the user created using password. 
> > > > > > > Kerberos
> > > > > > > ticket assigned, all is well.
> > > > > > > 
> > > > > > > Login to web interface with admin. Change user to OTP 
> > > > > > > only.
> > > > > > > Go to web UI and click sync OTP.
> > > > > > > Enter username, password and 2 OTP sequences. Click sync. 
> > > > > > > Error
> > > > > > > appears.
> > > > > > > 
> > > > > > > Now, ssh to same vm using OTP username. Enter password + 
> > > > > > > OTP
> > > > > > > value.
> > > > > > > Login successful.
> > > > > > I can reproduce this issue with demo instance.
> > > > > > I will file a bug later today.
> > > > > > I think it is a bug with sync.
> > > > > > Which token do you use time based or event based?
> > > > > TOTP...
> > > > > 
> > > > > Hmm, makes me wonder - with HOTP fail the same? Off to try 
> > > > > it.
> > > > This should just affect TOTP. I have posted a patch that should 
> > > > fix
> > > > this problem. Are you able to test it?
> > > > 
> > > > https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html
> > > > 
> > > > 
> > > Sorry - I just got around to testing this and it does resolve the 
> > > problem -
> > > HOWEVER, you took away the ability to "Name" the tokens? They are 
> > > now
> > > "assigned" unique IDs??
> > > 
> > > Was this intentional?
> > 
> > It was, we track this (half-done) change in this ticket:
> > https://fedorahosted.org/freeipa/ticket/4456
> > 
> > The main problem here is that user token names share the same name 
> > space and we
> > thus do not want to create completely arbitrary names as they would 
> > collide.
> > 
> > Applications like FreeOTP allow users to set own labels, so this is 
> > IMO the way
> > how to add friendly names to the OTP tokens.
> > 
> > Martin
> > 
> 
> Makes sense, my only concern is syncing tokens.  Once you add a 
> second token and want to sync it you have to give it a token ID, 
> otherwise it does not know which to sync. In the past if you named 
> it, that was easy, but it does not seem to take description field as 
> a token name. Guess I need to tell my users it is cut/paste time, or 
> is there another option perhaps?

You do not need to specify the token id when syncing. It is optional.
If you leave it blank, FreeIPA will do the right thing.

> Also, I was wondering, looking for a way to use both FreeOTP and 
> yubikey and wondering if anyone has tried this and possible caveats?

There shouldn't be any caveats. Yubikey is just an HOTP token.

Nathaniel