[Freeipa-users] OTP Algorithm

Alexander Bokovoy abokovoy at redhat.com
Tue Nov 29 11:51:26 UTC 2016


On Tue, 29 Nov 2016, Callum Guy wrote:
>Hi Petr,
>
>Thanks for coming back to me on this.
>
>I have only tried using Google Authenticator. The generated QR code
>successfully scans and codes are then generated on the GA device as normal.
>The problem is that the codes simply do not work.
>
>My current thinking is that the service which interprets the codes
>server-side is not configured to use the same algorithm meaning that it is
>trying to validate sha256/sha512 (both tested and not functional for me)
>etc codes against codes perhaps generated with sha1 (the only algorithm
>that appears to work).
>
>I apologise in advance for my naive interpretation of the situation, this
>really isn't an area where I have experience. I'd love to understand what's
>going on; however, I can't find what I need in the OTP documentation.
Which IPA version are we talking about? There was a case when the URI
generated by 'ipa otptoken-add' was using a wrong case in the algorithm
value and this was breaking Google Authenticator.

https://fedorahosted.org/freeipa/ticket/5047

This bug has been fixed since the 4.1.5 release.

>
>Best Regards,
>
>Callum
>
>
>On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik <pvoborni at redhat.com> wrote:
>
>> On 11/28/2016 01:03 PM, Callum Guy wrote:
>> > Hi All,
>> >
>> > I wanted to ask a quick question - perhaps a more experienced user will be able
>> > to help or point me to the correct documentation.
>> >
>> > Basically we have implemented password+OTP type authentication which works great.
>> >
>> > When adding an OTP code using the admin login you can choose an algorithm. For us
>> > the generated codes only work properly if the weakest sha1 algorithm is chosen.
>> > To be clear the code generation works fine but the codes are not valid when
>> > logging in. Is there a related setting we must change?
>> >
>> > Thanks,
>> >
>> > Callum
>> >
>>
>> What type of OTP token do you use? Does it work with a different one?
>> E.g. FreeOTP vs Google Authenticator ...
>>
>>
>> --
>> Petr Vobornik
>>
>


-- 
/ Alexander Bokovoy
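
Added example (not part of the original thread, and not FreeIPA code): a diagnostic for the mismatch discussed above. It parses an otpauth:// URI, checks the algorithm spelling against the Key URI Format values, and identifies which hash produced the code the authenticator displayed. The sample URI, its lowercase algorithm value and the function names are constructed for illustration; the thread does not show the URI FreeIPA generated.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Spellings listed in the Key URI Format; "SHA1" is the default when absent.
SPEC_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def totp(secret, when, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 code for Unix time `when`."""
    counter = struct.pack(">Q", when // period)
    mac = hmac.new(secret, counter, SPEC_ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_uri(uri):
    """Extract TOTP parameters from an otpauth:// URI."""
    query = {k: v[0] for k, v in parse_qs(urlparse(uri).query).items()}
    b32 = query["secret"].upper()
    return {
        "secret": base64.b32decode(b32 + "=" * (-len(b32) % 8)),
        "algorithm": query.get("algorithm", "SHA1"),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }

def diagnose(uri, observed_code, when):
    """Report which algorithm produced the code the authenticator displayed."""
    p = parse_uri(uri)
    used = [name for name in SPEC_ALGORITHMS
            if hmac.compare_digest(totp(p["secret"], when, name, p["digits"], p["period"]), observed_code)]
    return {
        "declared": p["algorithm"],
        "spelling_ok": p["algorithm"] in SPEC_ALGORITHMS,
        "client_used": used,
        # True when the app derived codes with a different hash than the server will check
        "mismatch": bool(used) and p["algorithm"].upper() not in used,
    }

# Constructed sample: RFC 6238 test secret, off-spec lowercase algorithm value.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_URI = ("otpauth://totp/EXAMPLE.TEST:alice?secret="
              + base64.b32encode(SAMPLE_SECRET).decode() + "&algorithm=sha256&digits=8")

if __name__ == "__main__":
    # 94287082 is the RFC 6238 SHA1 vector for this secret at T=59.
    print(diagnose(SAMPLE_URI, "94287082", 59))
```

A result with mismatch set to True and client_used equal to ['SHA1'] means the app derived its codes with SHA1 while the token is declared as something else, so the server rejects them.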



