Description of problem:
The option --key of ipa otptoken-add is documented to accept the key encoded in Base32. In RHEL 7.2, this input value ended up Base32-encoded in the secret parameter of the displayed otpauth://hotp/ URL and Base64-encoded in the Key output of the ipa otptoken-add --type=hotp --key command and in the ipatokenOTPkey. In RHEL 7.3 nightly, the secret parameter of the otpauth: URL is different and the Key and ipatokenOTPkey show exactly this Base32-encoded string. The result is wrong codes generated by FreeOTP and failing authentication when correct codes are used.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-8.el7.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. ipa otptoken-add --type=hotp --key and enter (paste) GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ twice
2. ipa otptoken-find --raw --all

Actual results:
Key:
Enter Key again to verify:
------------------
Added OTP token ""
------------------
  Unique ID: 6f780b6a-9771-40bf-afa8-42060ceb7a03
  Type: HOTP
  Owner: admin
  Manager: admin
  Key: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
  Algorithm: sha1
  Digits: 6
  Counter: 0
  URI: otpauth://hotp/admin@EXAMPLE.TEST:6f780b6a-9771-40bf-afa8-42060ceb7a03?digits=6&secret=DBDEGGGQKUMY3U2A4JIBQRSDDDIFKGMN2NAOEUA%3D&counter=0&algorithm=SHA1&issuer=admin%40EXAMPLE.TEST
  [ QR code ]
-------------------
1 OTP token matched
-------------------
  dn: ipatokenuniqueid=6f780b6a-9771-40bf-afa8-42060ceb7a03,cn=otp,dc=example,dc=test
  ipatokenuniqueid: 6f780b6a-9771-40bf-afa8-42060ceb7a03
  type: HOTP
  ipatokenowner: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  managedby: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  ipatokenHOTPcounter: 0
  ipatokenOTPalgorithm: sha1
  ipatokenOTPdigits: 6
  ipatokenOTPkey: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
  objectclass: ipatokenhotp
  objectclass: ipatoken
  objectclass: top
----------------------------
Number of entries returned 1
----------------------------

Expected results:
This output comes from RHEL 7.2:

[root@cloud-qe-4 ~]# ipa otptoken-add --type=hotp --key
Key:
Enter Key again to verify:
------------------
Added OTP token ""
------------------
  Unique ID: 7c00bb55-a14b-451b-9f6d-db6885c760e4
  Type: HOTP
  Owner: admin
  Manager: admin
  Key: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
  Algorithm: sha1
  Digits: 6
  Counter: 0
  URI: otpauth://hotp/admin@EXAMPLE.TEST:7c00bb55-a14b-451b-9f6d-db6885c760e4?digits=6&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0&algorithm=SHA1&issuer=admin%40EXAMPLE.TEST
  [ QR code ]
-------------------
1 OTP token matched
-------------------
  dn: ipatokenuniqueid=7c00bb55-a14b-451b-9f6d-db6885c760e4,cn=otp,dc=example,dc=test
  ipatokenuniqueid: 7c00bb55-a14b-451b-9f6d-db6885c760e4
  type: HOTP
  ipatokenowner: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  ipatokenHOTPcounter: 0
  ipatokenOTPalgorithm: sha1
  ipatokenOTPdigits: 6
  ipatokenOTPkey: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
  managedby: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  objectclass: ipatokenhotp
  objectclass: ipatoken
  objectclass: top
----------------------------
Number of entries returned 1
----------------------------

Additional info:
Note:
$ echo GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ | base64 -d | base32
DBDEGGGQKUMY3U2A4JIBQRSDDDIFKGMN2NAOEUA=
Looks like a thin-client-related output decoding issue.
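The encoding mismatch in the description and in the note above, worked through in Python. This is an added example, not FreeIPA's code and not part of the bug report; it assumes only that the pasted key is the Base32 form of the RFC 4226 test secret "12345678901234567890" (which it is) and implements HOTP directly from RFC 4226 so the codes each side would compute can be compared. The "correct" path decodes the Base32 input to raw bytes before storing and re-encoding it; the "buggy" path passes the Base32 text through undecoded, so the API layer treats it as the Base64 form of the raw key, which is exactly what the base64 -d | base32 pipeline in the note reproduces.

```python
# Added example (not FreeIPA's code): reproduce the Base32/Base64 confusion
# behind this bug and show why the resulting HOTP codes differ.
import base64
import hashlib
import hmac

# The key pasted in the reproducer.  It is the Base32 encoding of the
# RFC 4226 test secret "12345678901234567890".
KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, mod 10^digits."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def correct_handling(key_b32: str) -> dict:
    """RHEL 7.2 behaviour: decode the Base32 input to the raw key, then show
    it Base64-encoded (Key / ipatokenOTPkey) and Base32-encoded (secret= in
    the otpauth URI).  Both encodings describe the same 20 bytes."""
    raw = base64.b32decode(key_b32)
    return {
        "raw": raw,
        "ipatokenOTPkey": base64.b64encode(raw).decode(),
        "uri_secret": base64.b32encode(raw).decode(),
    }


def buggy_handling(key_b32: str) -> dict:
    """RHEL 7.3 nightly behaviour as described in the report: the Base32
    text is never decoded and is handed on as if it were already the Base64
    form of the raw key.  The stored key becomes base64decode(text) (24
    bytes, not 20) and the URI secret is the Base32 of those bytes."""
    raw = base64.b64decode(key_b32)
    return {
        "raw": raw,
        "ipatokenOTPkey": base64.b64encode(raw).decode(),  # round-trips to key_b32
        "uri_secret": base64.b32encode(raw).decode(),
    }


if __name__ == "__main__":
    for label, result in (("7.2", correct_handling(KEY_B32)),
                          ("7.3 nightly", buggy_handling(KEY_B32))):
        print(f"{label}: Key={result['ipatokenOTPkey']} "
              f"secret={result['uri_secret']} "
              f"HOTP(counter=0)={hotp(result['raw'], 0)}")
```

With the token's counter starting at 0, the first code a user enters from the intended key is HOTP(0) = 755224, the first RFC 4226 test vector; the buggy path stores a different 24-byte key, so neither the server nor a FreeOTP instance provisioned from the displayed URI accepts that code.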
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6247
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/386fdc1d77affc897b923a58602a9f14325216c6/
Verified ipa-server-4.4.0-12.el7.x86_64

[root@host108 ~]# ipa otptoken-add --type=hotp --key
Key:
Enter Key again to verify:
ipa: WARNING: QR code width is greater than that of the output tty. Please resize your terminal.
------------------
Added OTP token ""
------------------
  Unique ID: d33ea305-97b4-4837-9716-ff945a32fb5e
  Type: HOTP
  Owner: admin
  Manager: admin
  Key: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
  Algorithm: sha1
  Digits: 6
  Counter: 0
  URI: otpauth://hotp/admin@TESTRELM.TEST:d33ea305-97b4-4837-9716-ff945a32fb5e?digits=6&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0&algorithm=SHA1&issuer=admin%40TESTRELM.TEST
  [ QR code ]

  dn: ipatokenuniqueid=d33ea305-97b4-4837-9716-ff945a32fb5e,cn=otp,dc=testrelm,dc=test
  ipatokenuniqueid: d33ea305-97b4-4837-9716-ff945a32fb5e
  type: HOTP
  ipatokenowner: uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test
  managedby: uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test
  ipatokenHOTPcounter: 0
  ipatokenOTPalgorithm: sha1
  ipatokenOTPdigits: 6
  ipatokenOTPkey: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
  objectclass: ipatokenhotp
  objectclass: ipatoken
  objectclass: top
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html