Bug 1200867

Summary: [RFE] Make OTP validation window configurable
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: drieden, rcritten
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-0.1.alpha1.el7 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:02:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1181710    

Description Martin Kosek 2015-03-11 14:26:54 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4511

Currently, the OTP token validation window is hard-coded. Admin should be able ton configure the windows (time window for TOTP or number of tries for HOTP tokens) in UI/CLI.
Comment 1 Martin Kosek 2015-04-13 08:21:13 UTC 
Fixed upstream:

master:
9baa93da1cbf56c2a6f7e82e099bc3ff3f19e2e4 Make token auth and sync windows configurable
b01767c69d69806b3c701242d617b6fa08e7d882 Create an OTP help topic

ipa-4-1:
3013385ca4a28a4f203fae6dbef34321720d8879 Make token auth and sync windows configurable
f5ae902eb5c391bd6150c99d5b3316be937aa459 Create an OTP help topic
Comment 5 Namita Soman 2015-09-21 20:31:41 UTC 
Verified using ipa-server-4.2.0-10.el7.x86_64

added a totp token for a user, and by default - auth window is 5 min.
test - change time on server machine to +3; auth with current token
test - change time on server machine to +6; failed to auth with current token
test - change auth window to 2; change time on server machine to +3; failed to auth with current token
test - change time on server machine to +2; auth with current token
test - change auth window to +11: no error. thought - max allowed is 10; allowed to change to +100 min as well.
test - change window to 0; error that min is 5
test - change window to non numeric or blank or negative number - error as expected.

added a totp token for a user, and by default - sync window is 1 day.
test: change time on server machine to +10; sync to current token using ipa otptoken-sync interactively
# ipa  otptoken-show --all <token id> shows clock offset as 4294966636 (have bz1217009 for this issue)
test: changed time to current time. auth failed with current token - that is expected...because now the token is synced for current+10 min; auth window is 5 min.
test - change window to 90000
test - change window to 0; error that min is 5
test - change window to non numeric or blank or negative number - error as expected.
Comment 6 errata-xmlrpc 2015-11-19 12:02:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html