Bug 1573674 - IPA OTP Broken
Summary: IPA OTP Broken
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-01 22:22 UTC by James Chang
Modified: 2023-09-14 04:27 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-18 15:12:53 UTC
Target Upstream Version:
Embargoed:



Description James Chang 2018-05-01 22:22:08 UTC
Description of problem: IPA OTP token sync doesn't work


Version-Release number of selected component (if applicable): 4.5.0


How reproducible: add OTP token, try to sync


Steps to Reproduce:
1. either use 'ipa otptoken-add' or do it in the ipa gui
2. scan the QR code with authenticator app (google authenticator)
3. either use 'ipa otptoken-sync' or try to sync during login screen of ipa gui

Actual results: 'Invalid Credentials!'


Expected results: Token Synced


Additional info: Usually token sync will fail.  Sometimes, the token will sync (not sure why?) but you still cannot log in with the token.  IPA will ask you for the first factor, then the second factor, then ask you for the first factor again.

Additionally, using 'ipa otptoken-add' results in a QR code that you cannot scan with Google Authenticator or FreeOTP.

Comment 2 Petr Vobornik 2018-05-18 16:01:47 UTC
Works for me. Could you share specific reproduction steps? E.g. as below:

$ rpm -q ipa-server
ipa-server-4.5.4-10.el7.x86_64


[pvoborni@vm-171-226 ~]$ ipa user-add --first=foo --last=bar --password
User login [fbar]: 
Password: 
Enter Password again to verify: 
-----------------
Added user "fbar"
-----------------
  User login: fbar
  First name: foo
  Last name: bar
  Full name: foo bar
  Display name: foo bar
  Initials: fb
  Home directory: /home/fbar
  GECOS: foo bar
  Login shell: /bin/sh
  Principal name: fbar.IDM.LAB.ENG.BRQ.REDHAT.COM
  Principal alias: fbar.IDM.LAB.ENG.BRQ.REDHAT.COM
  Email address: fbar.idm.lab.eng.brq.redhat.com
  UID: 1645800001
  GID: 1645800001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


[pvoborni@vm-171-226 ~]$ kinit fbar
Password for fbar.IDM.LAB.ENG.BRQ.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 


[pvoborni@vm-171-226 ~]$ ipa otptoken-add
------------------
Added OTP token ""
------------------
  Unique ID: 415f6ccb-e96f-4711-96e2-dec6a15d4345
  Type: TOTP
  Owner: fbar
  Manager: fbar
  Algorithm: sha1
  Digits: 6
  Clock interval: 30
  URI: otpauth://totp/fbar.IDM.LAB.ENG.BRQ.REDHAT.COM:415f6ccb-e96f-4711-96e2-dec6a15d4345?digits=6&secret=HR3JPDDSLB7AS34MSGSBCOLZ5FYFWWEB&period=30&algorithm=SHA1&issuer=fbar%40DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM




[pvoborni@vm-171-226 ~]$ kinit admin
Password for admin.IDM.LAB.ENG.BRQ.REDHAT.COM: 

[pvoborni@vm-171-226 ~]$ ipa user-mod fbar --user-auth-type=otp
--------------------
Modified user "fbar"
--------------------
  User login: fbar
  First name: foo
  Last name: bar
  Home directory: /home/fbar
  Login shell: /bin/sh
  Principal name: fbar.IDM.LAB.ENG.BRQ.REDHAT.COM
  Principal alias: fbar.IDM.LAB.ENG.BRQ.REDHAT.COM
  Email address: fbar.idm.lab.eng.brq.redhat.com
  UID: 1645800001
  GID: 1645800001
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[pvoborni@vm-171-226 ~]$ kdestroy -A
[pvoborni@vm-171-226 ~]$ kinit -n
[pvoborni@vm-171-226 ~]$ klist
Ticket cache: KEYRING:persistent:17127:krb_ccache_nISgXgj
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
05/18/2018 17:55:29  05/19/2018 17:55:29  krbtgt/DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM.IDM.LAB.ENG.BRQ.REDHAT.COM


[pvoborni@vm-171-226 ~]$ kinit  -T KEYRING:persistent:17127:krb_ccache_nISgXgj fbar
Enter OTP Token Value: 

[pvoborni@vm-171-226 ~]$ ipa otptoken-sync
User ID: fbar
Password: 
First Code: 
Second Code: 
Token synchronized.

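As an added illustration (not part of the bug report and not FreeIPA's own code), the following Python parses the otpauth:// URI printed by `ipa otptoken-add` in the transcript above, computes RFC 6238 TOTP codes from it, and models what a two-code token sync has to do: search a window of time steps for the offset at which the two consecutive codes the user typed line up with the server's clock. The secret is the lab value copied from the transcript, and the search window size is an assumption for the example, not IPA's configured value.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed copy of the URI shown by 'ipa otptoken-add' above (lab secret, not a live credential).
OTPAUTH_URI = (
    "otpauth://totp/fbar.IDM.LAB.ENG.BRQ.REDHAT.COM:415f6ccb-e96f-4711-96e2-dec6a15d4345"
    "?digits=6&secret=HR3JPDDSLB7AS34MSGSBCOLZ5FYFWWEB&period=30&algorithm=SHA1"
    "&issuer=fbar%40DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM"
)


def parse_otpauth(uri):
    """Turn an otpauth://totp/... URI into the parameters an authenticator app stores."""
    u = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)  # base32 needs padding to a multiple of 8
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(secret),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": getattr(hashlib, q.get("algorithm", "SHA1").lower()),
        "issuer": q.get("issuer", ""),
    }


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(token, at, step_offset=0):
    """RFC 6238 TOTP at unix time 'at', optionally shifted by whole time steps (clock drift)."""
    counter = int(at) // token["period"] + step_offset
    return hotp(token["secret"], counter, token["digits"], token["algorithm"])


def find_sync_offset(token, first_code, second_code, now, window=100):
    """Simplified model of a two-code sync: find the step offset (within +/- window, an
    assumed size) where the two consecutive codes match.  None means 'cannot sync'."""
    base = int(now) // token["period"]
    for off in range(-window, window + 1):
        c1 = hotp(token["secret"], base + off, token["digits"], token["algorithm"])
        c2 = hotp(token["secret"], base + off + 1, token["digits"], token["algorithm"])
        if hmac.compare_digest(c1, first_code) and hmac.compare_digest(c2, second_code):
            return off
    return None
```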
Comment 3 Florence Blanc-Renaud 2018-06-18 15:12:53 UTC
As this bug has been in NEEDINFO for an extended period of time we are going to close this bug due to inactivity. If you would like to pursue this matter feel free to reopen this bug and attach the needed information.

Comment 4 Red Hat Bugzilla 2023-09-14 04:27:35 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

