Hide Forgot
Adding an IdM OTP token with a custom key works as expected When the user executed the "ipa otptoken-add" command with the "--key" option to add a new one-time password (OTP) token, the Identity Management (IdM) command line converted the token key provided by the user incorrectly. Consequently, the OTP token created in IdM was invalid, and attempts to authenticate using the OTP token failed. This update fixes the bug, and OTP tokens created in this situation are valid.
Description of problem: The option --key of ipa otptoken-add is documented to accept the key encoded in Base32. In RHEL 7.2, this input value ended up Base32-encoded in the secret parameter of the displayed otpauth://hotp/ URL and Base64-encoded in the Key output of the ipa otptoken-add --type=hotp --key command and in the ipatokenOTPkey. In RHEL 7.3 nightly, the secret parameter of the otpauth: URL is different and the Key and ipatokenOTPkey show exactly this Base32-encoded string. The result is wrong codes generated by FreeOTP and failing authentication when correct codes are used. Version-Release number of selected component (if applicable): ipa-server-4.4.0-8.el7.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. ipa otptoken-add --type=hotp --key and enter (paste) GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ twice 2. ipa otptoken-find --raw --all Actual results: Key: Enter Key again to verify: ------------------ Added OTP token "" ------------------ Unique ID: 6f780b6a-9771-40bf-afa8-42060ceb7a03 Type: HOTP Owner: admin Manager: admin Key: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ Algorithm: sha1 Digits: 6 Counter: 0 URI: otpauth://hotp/admin@EXAMPLE.TEST:6f780b6a-9771-40bf-afa8-42060ceb7a03?digits=6&secret=DBDEGGGQKUMY3U2A4JIBQRSDDDIFKGMN2NAOEUA%3D&counter=0&algorithm=SHA1&issuer=admin%40EXAMPLE.TEST [ QR code ] ------------------- 1 OTP token matched ------------------- dn: ipatokenuniqueid=6f780b6a-9771-40bf-afa8-42060ceb7a03,cn=otp,dc=example,dc=test ipatokenuniqueid: 6f780b6a-9771-40bf-afa8-42060ceb7a03 type: HOTP ipatokenowner: uid=admin,cn=users,cn=accounts,dc=example,dc=test managedby: uid=admin,cn=users,cn=accounts,dc=example,dc=test ipatokenHOTPcounter: 0 ipatokenOTPalgorithm: sha1 ipatokenOTPdigits: 6 ipatokenOTPkey: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ objectclass: ipatokenhotp objectclass: ipatoken objectclass: top ---------------------------- Number of entries returned 1 ---------------------------- Expected results: This output comes from RHEL 7.2: [root@cloud-qe-4 ~]# ipa otptoken-add --type=hotp --keyKey: Enter Key again to verify: ------------------ Added OTP token "" ------------------ Unique ID: 7c00bb55-a14b-451b-9f6d-db6885c760e4 Type: HOTP Owner: admin Manager: admin Key: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= Algorithm: sha1 Digits: 6 Counter: 0 URI: otpauth://hotp/admin@EXAMPLE.TEST:7c00bb55-a14b-451b-9f6d-db6885c760e4?digits=6&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0&algorithm=SHA1&issuer=admin%40EXAMPLE.TEST [ QR code ] ------------------- 1 OTP token matched ------------------- dn: ipatokenuniqueid=7c00bb55-a14b-451b-9f6d-db6885c760e4,cn=otp,dc=example,dc=test ipatokenuniqueid: 7c00bb55-a14b-451b-9f6d-db6885c760e4 type: HOTP ipatokenowner: uid=admin,cn=users,cn=accounts,dc=example,dc=test ipatokenHOTPcounter: 0 ipatokenOTPalgorithm: sha1 ipatokenOTPdigits: 6 ipatokenOTPkey: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= managedby: uid=admin,cn=users,cn=accounts,dc=example,dc=test objectclass: ipatokenhotp objectclass: ipatoken objectclass: top ---------------------------- Number of entries returned 1 ---------------------------- Additional info:
Note: $ echo GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ | base64 -d | base32 DBDEGGGQKUMY3U2A4JIBQRSDDDIFKGMN2NAOEUA=
looks like thin-client related output decoding issue.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6247
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/386fdc1d77affc897b923a58602a9f14325216c6/
Verified ipa-server-4.4.0-12.el7.x86_64 [root@host108 ~]# ipa otptoken-add --type=hotp --key Key: Enter Key again to verify: ipa: WARNING: QR code width is greater than that of the output tty. Please resize your terminal. ------------------ Added OTP token "" ------------------ Unique ID: d33ea305-97b4-4837-9716-ff945a32fb5e Type: HOTP Owner: admin Manager: admin Key: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= Algorithm: sha1 Digits: 6 Counter: 0 URI: otpauth://hotp/admin@TESTRELM.TEST:d33ea305-97b4-4837-9716-ff945a32fb5e?digits=6&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0&algorithm=SHA1&issuer=admin%40TESTRELM.TEST █████████████████████████████████████████████████████████████ █████████████████████████████████████████████████████████████ ████ ▄▄▄▄▄ █▄██▄▀█▄▄█▄█ ▀██▄█▀█▄▀█▄▄█▄▀▄▄ █▄▀ ▀██ ▄▄▄▄▄ ████ ████ █ █ █▀█▀█ ▀ ▄█ ▀▀ █ ▄▄▄██▄█ █▀▀ ██▀▀▄▀▄▀█ █ █ ████ ████ █▄▄▄█ █ ▀▄ ▄ ▀█▄██ ▄▄▄ █ █▀▀██▄ ▄█ ▄ ███ █▄▄▄█ ████ ████▄▄▄▄▄▄▄█ █▄▀ ▀▄▀ █ ▀ ▀▄▀ █▄█ █▄█▄▀ █ █▄▀▄█ ▀ █▄▄▄▄▄▄▄████ ████ ███ █▄▄▄▄▄▄▄█▀▄ █▄ ▄▄▀▀▄▄ ▄ █▄ ▄█▀▄ █▄▀▀▀ ▄ ▄█▀ ████ ████ ██▄▀█▄▄██████▀ ▄ ▀▀▄▄▀ ▄ █ ▀ ▀▄██ ▄▄▄▄▀▀█▀▄▀█▄████ █████▄▄█▀▀▄███ ██ ▄▄█▀▄ ██▄▀██▀▀ ▀█▄ █▀▀ █▀▀██ ▀▀█▄█▄█ ████ ████▀ ▀ ▄▄▄▄▄▀ ▀ █▀▄▄▀█▄▀ ▀▄██▄ █▀▄▀█▀ ▄▄██▄▀▄▄█ ▄█▄██▄████ ████ ▄▀▀ █▄▀▄▀█▄▀ ▄ ▄▄▀█▄██▄▀▀█▀ ▄ ▄███▀ █▄█▄ ▄▄ ▄█████▀████ █████▄▀ █▄▀ █▄ █ ██▄▄▄ ███ ███ ▀▄█▄ ▀▄▄█▄▀▄▄▀ █ ▄▄▄▄████ ████ ▀█▀▀▄▄ ▄ ▀█▀▄█ ▄▀█▀█▄ ▀ ▀█ ▀▄ ▀██ ▄▄ ▀▄ ▀▄▀████ ████ ▄ █▄▄▀▀███ ▄▄▀▄▄ ██ ▀███▄ ▄▄▄▀ ▀ ▀ █▄▀ █ ▄▄ ▄ ▄█ ████ ████▀▄ █ ▄▄▄ ▀ █ █▀ ▄▄▀ ▄▀▄▄ ▄▄▄ ▄▀▄ ███▄█▀▀▀ ▄ ▄▄▄ █▀▄█████ ████ ▄██ █▄█ █ ▀▀ ██▀▄█▀▄▀▄ █▄█ ▄█▀ ▄▄█▄▀▄▄ ▄ █▄█ ▀█▀▀████ ████▄ ▄█▄▄▄ ▄▀█▄▄▀█▀█ █ ▄▄▀▄ ▄ ▄▄█▀▀ ▀ █ █▄ ▀ ▀ ▄ ▄ ▄█▀▄ ████ ████ ███ ▀▄ ▄▀ █▀▄▄ ▄▄ ▄▀▄██▀▀█▀▄▀▄▀ █ ▄ █▄ ▄ ▄█▄▀▄ █▄▀█ ████ ████▀▄█▀ ▄▄█ ██▄█ █▄▀ ▀▄▀▄▄█▄ ▀▄▄ ▄██▄█ ▄▀██ ▀█ ▄█ ▀▄▄ ▀████ ██████▄▀▄▀▄ ▀ █▄▀▄ ███ ██▀██ █▄ ▀█▄█▀▀▀██ █▄▄▄ ▀▄▀█ ▄█ ████ ████▀▀ ▄▀▄▄█ ▀ ▄▄█ █ ▀█▀ █▀ ▀ ▄▄█▄▀ █ ██ ▀ ▀█▀ ▄▄▄ ▀ ▀█▄████ █████▀▄▀▄ ▄██▀▄▄ █▀ ▀ ▄ ▀▀█ ▄ █▀▀█▄▄▀ ▀▀▄▀▀▀▄▄█▄ ▀██ █▄ ████ ████▀█▀ ▀▀▄█▀ ▀▀███ ▄▄ ▄▄██▀▄▀▄▀▀█▄██▄ ▄▀█▄▄█ █▀▄█▀▄ ████ ████▄ ▀▄▄▄▄█▀▀▀█▀▀▄ ▄█ █▀▄ ▀ ▄█▄ ▀ ▀████▄▄█ ▀▄█▄▀▀ █ ▄████ ███████▄██▄▄▀▄ ██▄ ██▄ █▄▀█ ▄▄▄ ▄▀▀ ███ █ █▀ ▄▄▄ ▀██████ ████ ▄▄▄▄▄ █▄▀▄▀█▄██▀ ▀▄█▄ ▄ █▄█ ▄▄█▀▄▄▄▄█▄▄█ █ █▄█ ▀█▀▀████ ████ █ █ █▄▀ ██▄▀▀▀ ▄█▀▀█▄▄ ▄ ▄█ █▀▀ ███▀▄▀▀ ▀▄▄ ▄▄▄▀▀█████ ████ █▄▄▄█ ██▄▀▄█▀██▄▄ ██▄▀█ ██▀ █ ▀ █ ▄█▄ ▄ █ ▀▀██▀ ████ ████▄▄▄▄▄▄▄█▄▄▄████▄▄▄▄▄▄▄▄▄▄▄█▄▄██▄█▄▄▄▄█▄████▄▄██▄▄▄▄▄█████ █████████████████████████████████████████████████████████████ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ dn: ipatokenuniqueid=d33ea305-97b4-4837-9716-ff945a32fb5e,cn=otp,dc=testrelm,dc=test ipatokenuniqueid: d33ea305-97b4-4837-9716-ff945a32fb5e type: HOTP ipatokenowner: uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test managedby: uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test ipatokenHOTPcounter: 0 ipatokenOTPalgorithm: sha1 ipatokenOTPdigits: 6 ipatokenOTPkey: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= objectclass: ipatokenhotp objectclass: ipatoken objectclass: top
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html