Bug 1217009

Summary: OTP sync in UI does not work for TOTP tokens
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.1CC: dpal, jcholast, lmiksik, mkosek, npmccallum, rcritten, tbabej
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-13.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:03:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2015-04-29 12:05:19 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4990

Use case:

 * Log into UI as admin
 * Create user and assign him password and a TOTP token 
 * Logout
 * Login as user with password, change password
 * Logout
 * Log as an admin, make OTP required for the user
 * Logout
 * As a user select to sync the token - token sync fails

In the same scenario user can login successfully without token synchronization.

I also tried to login with HOTP token. Sync did not work the first time. It might have been the typo. I tried again and it worked. I created another user with another token and it worked again. So seems that it was a typo on my side.
However I think I found another issue. I will open another ticket.
Comment 1 Petr Vobornik 2015-05-05 09:54:32 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/978298882b06dcf8a86a8d6ec60d7f1266aac697
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/352360a879dde3bc68cf0753bc9ba7623f5d0759
Comment 3 Namita Soman 2015-09-21 20:27:14 UTC 
Using ipa-server-4.2.0-10.el7.x86_64

Followed steps in description, user can sync token and can successfully log in as well. 

But clock offset is not set correctly

# ipa  otptoken-show --all <token id> shows clock offset as 4294966636

or log back in as admin, and check the token's clock offset in UI.

Expected it to be 10 min or 600 (which is what the token was sync'd to)
Comment 5 Martin Kosek 2015-09-23 12:01:19 UTC 
Nathaniel, can you please advise? The patches linked to 4990 should be already in 4.2 rebase.
Comment 6 Nathaniel McCallum 2015-09-25 16:21:32 UTC 
I was able to reproduce the issue. A fix is now awaiting upstream review:
https://www.redhat.com/archives/freeipa-devel/2015-September/msg00350.html

I confirmed the fix with the following scratch build:
https://brewweb.devel.redhat.com/taskinfo?taskID=9888335

I do not have permissions to merge the patch in RHEL.
Comment 7 Jan Cholasta 2015-09-30 05:53:23 UTC 
*** Bug 1267253 has been marked as a duplicate of this bug. ***
Comment 8 Jan Cholasta 2015-09-30 05:55:02 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5333
Comment 9 Jan Cholasta 2015-09-30 05:55:50 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/9e3eeadeb3120f3577e00ab9cb410eccf8d71de0
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/7db0a8e8512733ff91462b9b3b20c21ad6ec4212
Comment 11 Namita Soman 2015-10-13 00:57:49 UTC 
Verified using ipa-server-4.2.0-13.el7.x86_64

# ipa user-add one

# ipa passwd one

# kinit one

# kinit admin

#  ipa otptoken-add --type=totp --owner=one --desc="My soft token"
------------------
Added OTP token ""
------------------
  Unique ID: f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d
  Type: TOTP
  Description: My soft token
  Owner: one
  Key: EydVIL+y+tBp/Yn284MlMD4ioy4=
  Algorithm: sha1
  Digits: 6
  Clock offset: 0
  Clock interval: 30
  URI: otpauth://totp/one:f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d?digits=6&secret=CMTVKIF7WL5NA2P5RH3PHAZFGA7CFIZO&period=30&algorithm=SHA1&issuer=one%40TESTRELM.TEST


# ipa user-mod one --user-auth-type=otp
-------------------
Modified user "one"
-------------------
  User login: one
  First name: one
  Last name: one
  Home directory: /home/one
  Login shell: /bin/sh
  Email address: one
  UID: 206600001
  GID: 206600001
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
10/12/2015 20:07:52  10/13/2015 20:07:49  krbtgt/TESTRELM.TEST


# kinit -T KEYRING:persistent:0:0 one
Enter OTP Token Value: 

# ipa otptoken-find
-------------------
1 OTP token matched
-------------------
  Unique ID: f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d
  Type: TOTP
  Description: My soft token
  Owner: one
----------------------------
Number of entries returned 1
----------------------------


# date
Mon Oct 12 20:34:56 EDT 2015

# date +%T -s 20:45:00
20:45:00


# ipa otptoken-sync f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d 
User ID: one
Password: 
First Code: 
Second Code: 
Token synchronized.

# kinit admin


# ipa otptoken-show f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d --all 
  dn: ipatokenuniqueid=f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d,cn=otp,dc=testrelm,dc=test
  Unique ID: f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d
  Type: TOTP
  Description: My soft token
  Owner: one
  Key: EydVIL+y+tBp/Yn284MlMD4ioy4=
  Algorithm: sha1
  Digits: 6
  Clock offset: -330
  Clock interval: 30
  ipatokentotpwatermark: 48156562
  objectclass: top, ipatokentotp, ipatoken


Verified Clock offset is displayed correctly
Comment 12 errata-xmlrpc 2015-11-19 12:03:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html