Using the same TOTP several times in a time window


CK

Aug 14, 2015, 8:57:07 AM
to privacyidea
Hi! I've noticed that in privacyIDEA, using TOTP tokens, I can use one OTP several times if I'm in the same time window.

So, is there a solution to fix this?


Best regards,

CK,

Cornelius Kölbel

Aug 14, 2015, 12:48:36 PM
to CK, privacyidea
Hi,
I assume you are using 1.5.
This was a bug then.
1.5 is deprecated.
you should use 2.5.

Kind regards
Cornelius 



Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


-------- Original message --------
From: CK <testt...@gmail.com>
Date: 14.08.2015 14:57 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Using the same TOTP several times in a time window

CK

Aug 20, 2015, 3:44:06 AM
to privacyidea, testt...@gmail.com
Hi,

I updated PI to 2.5, but the bug is still there.

Kind regards,

CK

Cornelius Kölbel

Aug 20, 2015, 3:55:36 AM
to priva...@googlegroups.com
Hi CK,

I can not reproduce this.

As a matter of fact there are also several tests to check this:
https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py#L510
https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L102
https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L141
https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L165
Anyway - I am happy to add some more...

Can you please tell what exactly you are doing?

* Which token did you enroll, with which parameters?
* How did you authenticate?
* Where did you authenticate (directly to the API or to an application)?

Please give as much information as possible.

Kind regards
Cornelius
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it

CK

Aug 20, 2015, 4:30:48 AM
to privacyidea
Hi,

So here is my config:

I have a Prosody server (XMPP) and an XMPP client (Pidgin), and what I want to do is authenticate users registered in an LDAP to the Prosody server.
So, in PI, I have one LDAP resolver, which works well. Then I assigned a TOTP token to a user of this LDAP.
I have also installed Cyrus SASL, which is linked to the Prosody server, and configured it to use the PAM mechanism, so when I try to authenticate with my XMPP client, it waits for an OTP (because it uses the pam_python script of PI to authenticate).
Prosody is configured to use SASL authentication.


Token parameters: TOTP SHA-256, timeStep: 30 seconds, timeWindow: 180, OTP length: 6

Kind regards,

Karim

Cornelius Kölbel

Aug 20, 2015, 5:29:39 AM
to priva...@googlegroups.com
And you are entering the OTP into pidgin?

So the workflow is like this:

* enter OTP into pidgin
* pidgin transfers OTP to prosody
* transfers OTP to cyrus sasl
* transfers OTP to PAM
* transfers OTP to privacyIDEA

My guess is, that some component (my wild guess would be cyrus sasl)
will cache the authentication result, so that the second auth request
with the same OTP does not even reach the privacyIDEA server.

Please check:

1. Can you authenticate with the same OTP twice to the privacyIDEA
server using
https://yourOTPserver/validate/check?user=....&pass=...otp...

2. Can you see the second authentication request in the Audit log on the
privacyIDEA server?

3. check the log files of prosody and pam.

Thanks a lot and kind regards
Cornelius

CK

Aug 20, 2015, 6:21:42 AM
to privacyidea
Hi,
So I cannot authenticate twice with the same OTP using the test URL of PI.
When I logged in twice in Pidgin, I saw the auth request only once in the Audit log.

So I think you're right, the issue comes from Cyrus SASL. I'm trying to find out how to disable the credential cache to fix this.

Kind regards,

Karim

CK

Aug 20, 2015, 8:02:22 AM
to privacyidea
Problem solved!!

Thanks a lot for your help ;-) 

Kind regards,

Karim

Cornelius Kölbel

Aug 20, 2015, 8:16:22 AM
to priva...@googlegroups.com

CK

Aug 20, 2015, 8:23:27 AM
to privacyidea
In Cyrus SASL, in /etc/default/saslauthd, initially OPTIONS="-c -m /var/run/saslauthd", so I removed the "-c" (the option that enables credential caching) and now it works well! (And I have all the auth requests in the Audit log: first time "matching 1 token", then "wrong otp value".)
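As an added illustration (not privacyIDEA's own code, nor anything posted in this thread), here is the server-side mechanism that produces the "matching 1 token" then "wrong otp value" result above: a TOTP verifier that remembers the highest counter that already authenticated and rejects any OTP at or below it, even inside the time window. The secret, the timestamps and the reading of timeWindow 180 as +/-90 s around "now" are constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha256) -> str:
    """RFC 4226 dynamic truncation; SHA-256 like the token enrolled in this thread."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpToken:
    """TOTP verifier that refuses a counter at or below the last one that was used."""

    def __init__(self, secret: bytes, timestep: int = 30, window: int = 180,
                 digits: int = 6, algo=hashlib.sha256):
        self.secret, self.timestep, self.digits, self.algo = secret, timestep, digits, algo
        # Assumption for this demo: a timeWindow of 180 s is searched as +/- 90 s
        # around "now", i.e. +/- 3 steps of 30 s (not necessarily privacyIDEA's rule).
        self.steps = window // timestep // 2
        self.last_counter = -1  # highest counter that has already authenticated

    def check(self, otp: str, now: int) -> bool:
        """True exactly once per OTP: a second use in the same window is a replay."""
        current = now // self.timestep
        for c in range(current - self.steps, current + self.steps + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits, self.algo), otp):
                if c <= self.last_counter:
                    return False  # replay: this OTP (or an older one) was already used
                self.last_counter = c  # remember it so the same OTP cannot be reused
                return True
        return False  # no counter in the window produces this OTP


def demo() -> list:
    """Constructed walk-through: the same OTP presented twice inside one window."""
    secret = b"constructed-demo-secret-not-a-real-seed"  # constructed, not a real seed
    t0 = 1_440_000_000  # constructed timestamp (August 2015)
    token = TotpToken(secret)
    otp = hotp(secret, t0 // 30)
    return [token.check(otp, t0),                              # True: first use
            token.check(otp, t0 + 10),                         # False: same window, replay
            token.check(hotp(secret, t0 // 30 + 1), t0 + 30)]  # True: next time step
```

A caching layer in front of the verifier (such as saslauthd with -c) answers the second request itself, so the replay never reaches this check and never appears in the Audit log.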

Cornelius Kölbel

Aug 20, 2015, 8:27:32 AM
to priva...@googlegroups.com

CK

Aug 20, 2015, 8:29:13 AM
to privacyidea
Thanks for your help! :-) (privacyIDEA is a really nice authentication server solution!)

Kind regards, 

Karim 

CK

Aug 20, 2015, 8:50:36 AM
to privacyidea
And just one quick question: until now I've worked with the "nosslverify" option in the PAM configuration, but now I have disabled it, and I get this in auth.log:

saslauthd: Traceback (most recent call last):
  File "/lib/x86_64-linux-gnu/security/privacyidea_pam.py", line 100, in pam_sm_authenticate
    verify=sslverify)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post
    return request('post', url, data=data, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The certificate to use is the one of the privacyIDEA server, right?

Karim

Cornelius Kölbel

Aug 20, 2015, 9:02:47 AM
to priva...@googlegroups.com
The certificate of the privacyIDEA server must be issued by a trusted
root authority.

Kind regards
Cornelius

CK

Aug 20, 2015, 9:05:55 AM
to privacyidea
Okay thanks a lot.

Kind regards,

Karim