Bug 1217009
| Summary: | OTP sync in UI does not work for TOTP tokens | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.1 | CC: | dpal, jcholast, lmiksik, mkosek, npmccallum, rcritten, tbabej |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-13.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 12:03:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Petr Vobornik
2015-04-29 12:05:19 UTC
Fixed upstream

master: https://fedorahosted.org/freeipa/changeset/978298882b06dcf8a86a8d6ec60d7f1266aac697

ipa-4-1: https://fedorahosted.org/freeipa/changeset/352360a879dde3bc68cf0753bc9ba7623f5d0759

Using ipa-server-4.2.0-10.el7.x86_64

Followed steps in description, user can sync token and can successfully log in as well.

But clock offset is not set correctly

```
# ipa otptoken-show --all <token id>
```

shows clock offset as 4294966636

or log back in as admin, and check the token's clock offset in UI.

Expected it to be 10 min or 600 (which is what the token was sync'd to)

Nathaniel, can you please advise?

The patches linked to 4990 should be already in 4.2 rebase.

I was able to reproduce the issue. A fix is now awaiting upstream review: https://www.redhat.com/archives/freeipa-devel/2015-September/msg00350.html

I confirmed the fix with the following scratch build: https://brewweb.devel.redhat.com/taskinfo?taskID=9888335

I do not have permissions to merge the patch in RHEL.

*** Bug 1267253 has been marked as a duplicate of this bug. ***

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5333

Fixed upstream

master: https://fedorahosted.org/freeipa/changeset/9e3eeadeb3120f3577e00ab9cb410eccf8d71de0

ipa-4-2: https://fedorahosted.org/freeipa/changeset/7db0a8e8512733ff91462b9b3b20c21ad6ec4212

Verified using ipa-server-4.2.0-13.el7.x86_64

```
# ipa user-add one
# ipa passwd one
# kinit one
# kinit admin
# ipa otptoken-add --type=totp --owner=one --desc="My soft token"
------------------
Added OTP token ""
------------------
  Unique ID: f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d
  Type: TOTP
  Description: My soft token
  Owner: one
  Key: EydVIL+y+tBp/Yn284MlMD4ioy4=
  Algorithm: sha1
  Digits: 6
  Clock offset: 0
  Clock interval: 30
  URI: otpauth://totp/one:f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d?digits=6&secret=CMTVKIF7WL5NA2P5RH3PHAZFGA7CFIZO&period=30&algorithm=SHA1&issuer=one%40TESTRELM.TEST

# ipa user-mod one --user-auth-type=otp
-------------------
Modified user "one"
-------------------
  User login: one
  First name: one
  Last name: one
  Home directory: /home/one
  Login shell: /bin/sh
  Email address: one
  UID: 206600001
  GID: 206600001
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
10/12/2015 20:07:52  10/13/2015 20:07:49  krbtgt/TESTRELM.TEST

# kinit -T KEYRING:persistent:0:0 one
Enter OTP Token Value:

# ipa otptoken-find
-------------------
1 OTP token matched
-------------------
  Unique ID: f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d
  Type: TOTP
  Description: My soft token
  Owner: one
----------------------------
Number of entries returned 1
----------------------------

# date
Mon Oct 12 20:34:56 EDT 2015
# date +%T -s 20:45:00
20:45:00

# ipa otptoken-sync f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d
User ID: one
Password:
First Code:
Second Code:
Token synchronized.

# kinit admin
# ipa otptoken-show f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d --all
  dn: ipatokenuniqueid=f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d,cn=otp,dc=testrelm,dc=test
  Unique ID: f6fc2b0f-ce0e-44ae-b0a9-c85d7cd3343d
  Type: TOTP
  Description: My soft token
  Owner: one
  Key: EydVIL+y+tBp/Yn284MlMD4ioy4=
  Algorithm: sha1
  Digits: 6
  Clock offset: -330
  Clock interval: 30
  ipatokentotpwatermark: 48156562
  objectclass: top, ipatokentotp, ipatoken
```

Verified Clock offset is displayed correctly

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
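
An added example, not FreeIPA's code and not posted by anyone in this thread: a TOTP resynchronisation in the style of RFC 6238 that derives a signed clock offset from two consecutive codes, together with the arithmetic showing that the 4294966636 reported above is the unsigned 32-bit reading of -660. The key, timestamps, search window and all function names are constructed for illustration; the thread does not state the root cause, so the signed/unsigned reading is an observation about the number only.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1); TOTP uses counter = time // interval."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def sync_offset(key, first, second, server_time, interval=30, window=60):
    """Search +/- window steps around the server clock for two consecutive
    codes. Returns the offset in seconds (negative: token clock is behind
    the server), or None if no step in the window matches."""
    now_step = server_time // interval
    for delta in sorted(range(-window, window + 1), key=abs):
        step = now_step + delta
        if step < 0:
            continue
        if (hmac.compare_digest(hotp(key, step), first)
                and hmac.compare_digest(hotp(key, step + 1), second)):
            return delta * interval
    return None

def as_uint32(value: int) -> int:
    """What a signed offset looks like when stored or printed as uint32."""
    return value & 0xFFFFFFFF

def as_int32(value: int) -> int:
    """Reinterpret an unsigned 32-bit value as two's-complement signed."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

# Constructed sample data (not the token from the thread).
KEY = b"constructed-test-key"
SERVER_TIME = 1_444_697_100      # server clock, epoch seconds
TOKEN_TIME = SERVER_TIME - 660   # token clock 11 minutes behind

if __name__ == "__main__":
    step = TOKEN_TIME // 30
    offset = sync_offset(KEY, hotp(KEY, step), hotp(KEY, step + 1), SERVER_TIME)
    print("signed offset:", offset)
    print("as uint32:", as_uint32(offset))
    print("4294966636 as int32:", as_int32(4294966636))
```

Requiring two consecutive codes is what lets the search window be wide without accepting a single guessed code at an arbitrary step.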