Feature request: Initial pincode


jmdeking

Jun 18, 2016, 8:35:20 AM
to privacyidea
Hi Cornelius,

I want to suggest a feature request: the software we use at the moment (RSA) has the ability to assign a token with an initial pincode.
After the user uses this pincode for the first time to log in/authenticate to our frontend he will be asked to change this to his own value.
This makes assigning tokens for other people possible; can you look into this?

Thanks

cornelius.koelbel

Jun 18, 2016, 11:51:20 AM
to jmdeking, privacyidea
We can combine this with the random pin creation and the sending of a pin letter/notification of the initial pin to the user.

We would need policies to define that the user should change the PIN of a token.
But how should the PIN be marked as must-change-me?

Or better: the pin must be marked as being changed. So we can verify:
1. Is there a change-the-pin policy?
2. Was the pin not yet changed?

Should the pin have the property:
1. Set by administrator
2. Created randomly
3. Set by user

....

Cornelius Kölbel 
+49 151 2960 1417

-------- Original message --------
From: "cornelius.koelbel" <corneliu...@netknights.it>
Date: 18.06.16 15:19 (GMT+01:00)
To: jmdeking <jmdek...@gmail.com>
Subject: Re: [privacyidea] Feature request: Initial pincode


Hi,

Where does the user authenticate with the otp?

Does he authenticate to the privacyidea webUI or to some applications?

In the webUI this could be implemented.
When authenticating within another application this would still be possible but a bit more complicated.

The validate API could return a detail info that the user needs to change his password or the token pin.

Kind regards 
Cornelius 


Cornelius Kölbel 
+49 151 2960 1417

cornelius.koelbel

Jun 18, 2016, 1:28:20 PM
to jmdeking, privacyidea
We could add a tokeninfo table entry with the date of the next PIN change.



Cornelius Kölbel 
+49 151 2960 1417

-------- Original message --------
From: "cornelius.koelbel" <corneliu...@netknights.it>
Date: 18.06.16 17:49 (GMT+01:00)
To: jmdeking <jmdek...@gmail.com>, privacyidea <priva...@googlegroups.com>
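An added example, constructed for this thread and not privacyIDEA's own code, of the two ideas discussed above: the PIN keeps a property saying who set it (administrator, random, user), the token carries a `next_pin_change` tokeninfo entry, and the validate step still succeeds on correct credentials but returns a detail saying the PIN must be changed, so a calling application can act on it. `Token`, `validate`, `change_pin`, `pin_change_due`, `DEMO_NOW` and the salted PBKDF2 storage of the PIN are assumptions of this example.

```python
# Added example (not privacyIDEA code): PIN origin, next_pin_change tokeninfo
# entry, and a validate result that reports "PIN change required" as a detail.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
import hashlib
import hmac
import secrets

# Constructed point in time so the demo is deterministic.
DEMO_NOW = datetime(2016, 8, 22, 11, 55, tzinfo=timezone.utc)


class PinOrigin(Enum):
    ADMIN = "set by administrator"
    RANDOM = "created randomly"
    USER = "set by user"


def _hash_pin(pin, salt):
    # Store a salted PBKDF2 hash, never the PIN itself (constructed choice).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Token:
    serial: str
    user: str
    pin_salt: bytes = b""
    pin_hash: bytes = b""
    tokeninfo: dict = field(default_factory=dict)

    def set_pin(self, pin, origin, now, change_interval_days=None):
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = _hash_pin(pin, self.pin_salt)
        self.tokeninfo["pin_origin"] = origin.value
        if origin is not PinOrigin.USER:
            # A PIN the user did not choose is due for change at first use.
            self.tokeninfo["next_pin_change"] = now.isoformat()
        elif change_interval_days:
            # User-chosen PIN with a periodic change policy.
            due = now + timedelta(days=change_interval_days)
            self.tokeninfo["next_pin_change"] = due.isoformat()
        else:
            self.tokeninfo.pop("next_pin_change", None)

    def check_pin(self, pin):
        # Constant-time comparison of the stored and the freshly derived hash.
        return hmac.compare_digest(self.pin_hash, _hash_pin(pin, self.pin_salt))


def pin_change_due(token, now):
    """True when the tokeninfo entry says the PIN must be changed by now."""
    due = token.tokeninfo.get("next_pin_change")
    return bool(due) and datetime.fromisoformat(due) <= now


def validate(token, pin, otp_ok, now):
    """Shape of a validate answer with a 'detail' block, as the thread suggests."""
    if not (token.check_pin(pin) and otp_ok):
        return {"result": False, "detail": {"message": "wrong credentials"}}
    result = {"result": True, "detail": {}}
    if pin_change_due(token, now):
        result["detail"]["pin_change"] = True
        result["detail"]["message"] = "PIN change required"
    return result


def change_pin(token, old_pin, new_pin, now, change_interval_days=None):
    """User sets an own PIN; the origin flips to USER and the due date is recomputed."""
    if not token.check_pin(old_pin):
        return False
    token.set_pin(new_pin, PinOrigin.USER, now, change_interval_days)
    return True


def demo():
    tok = Token("HOTP0001", "johan")
    tok.set_pin("1234", PinOrigin.ADMIN, DEMO_NOW)          # admin-assigned initial PIN
    first = validate(tok, "1234", True, DEMO_NOW)           # success, but change demanded
    changed = change_pin(tok, "1234", "9876", DEMO_NOW, change_interval_days=90)
    second = validate(tok, "9876", True, DEMO_NOW)          # clean success afterwards
    return first, changed, second
```

The point of returning the requirement as a detail rather than failing the login is the one made in the thread: the privacyIDEA web UI can react to it directly, while a protocol such as RADIUS that only carries accept/reject has nowhere to put it.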

Cornelius Kölbel

Jun 19, 2016, 5:02:16 AM
to priva...@googlegroups.com
I added an issue
https://github.com/privacyidea/privacyidea/issues/429

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel



jmdeking

Jun 20, 2016, 4:07:41 AM
to privacyidea
Thanks Cornelius,

Looks good. Just to clarify my use case is the following:

An administrator assigns a challenge response token (email or SMS) with a pincode. But this pincode should not be known to the administrator because it is personal, so in my view one of the following 2 things can be done about this.

1. My users log in to their Citrix desktop using Citrix Netscaler with a RADIUS request to the privacyidea server. The privacyidea server detects that the 'initial' pincode is used and asks via a challenge response to change the pin to his own value.
2. When an administrator assigns a token he can leave the pin field empty for the system to generate a random pin that is sent automatically using the chosen token method (email or SMS).

Do you think this is possible?

Cornelius Kölbel

Jun 20, 2016, 4:09:22 AM
to priva...@googlegroups.com
Message has been deleted

jmdeking

Jun 20, 2016, 4:19:28 AM
to privacyidea
Sorry, but it's not clear how this works exactly when reading the document.

I applied the otp_pin_random option and assigned a token to a user without setting a pin. But the user doesn't receive an email or anything, so I'm not sure how to know what the random code is.

Gr.
Johan

Cornelius Kölbel

Jun 20, 2016, 4:30:04 AM
to priva...@googlegroups.com
This is because there is no PIN handler at the moment:

(click and follow the previous link)
http://privacyidea.readthedocs.io/en/latest/policies/enrollment.html#policy-pinhandling

The randomly created PIN is passed to the PIN handler.
The basic pin handler simply logs the pin to the log file.
You may implement whichever pin handler you need (like sending the email).

Implementing an SMTP pin handler based on the new centrally defined SMTP servers should not be a big issue. Of course you may also order this development at your preferred open source service provider. ;-)

privacyIDEA cannot cover 100% of all possible scenarios. But it is flexible enough to do the basics. And you may understand that my time to enrich the world with no-cost code is also limited.

Kind regards
Cornelius
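To make the handler idea above concrete, here is an added example that is not privacyIDEA's PinHandler code: enrollment without a pin generates a random PIN and hands it to a handler; a logging handler behaves like the basic one described (the PIN ends up in the log file), and an email handler delivers it through a pluggable transport so the PIN itself never reaches a log line. `random_pin`, `enroll`, the handler classes and `smtp_transport` are constructed names, and an in-memory outbox stands in for a mail server so the demo runs offline.

```python
# Added example (not privacyIDEA's PinHandler): random initial PIN handed to a
# pluggable handler; log-only handler versus email delivery via a transport.
import logging
import secrets
import string
from email.message import EmailMessage

log = logging.getLogger("pinhandler")


def random_pin(length=6, alphabet=string.digits):
    """Random numeric PIN from the OS CSPRNG (secrets), not the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class PinHandler:
    """Interface: receives the clear-text PIN exactly once, at enrollment."""
    def send(self, pin, serial, user, email=None):
        raise NotImplementedError


class LogPinHandler(PinHandler):
    """Like the basic handler described in the thread: the PIN goes to the log."""
    def send(self, pin, serial, user, email=None):
        log.info("PIN for token %s of user %s is %s", serial, user, pin)
        return True


class EmailPinHandler(PinHandler):
    """Delivers the PIN by mail; only serial and recipient are logged."""
    def __init__(self, transport, sender):
        self.transport = transport  # callable(EmailMessage) -> None
        self.sender = sender

    def send(self, pin, serial, user, email=None):
        if not email:
            log.warning("no email address for user %s, PIN for token %s not delivered",
                        user, serial)
            return False
        msg = EmailMessage()
        msg["From"] = self.sender
        msg["To"] = email
        msg["Subject"] = "Your initial token PIN"
        msg.set_content(f"The PIN for token {serial} is: {pin}\n"
                        "You must change it at first use.")
        self.transport(msg)
        log.info("initial PIN for token %s sent to %s", serial, email)
        return True


def enroll(serial, user, email, handler, pin=None):
    """Admin leaves the pin empty -> random PIN is created and passed to the handler."""
    if pin is None:
        pin = random_pin()
    delivered = handler.send(pin, serial, user, email)
    return pin, delivered


def smtp_transport(host, port=587, username=None, password=None):
    """Real transport (defined, not exercised here): STARTTLS to an SMTP server."""
    import smtplib
    import ssl

    def _send(msg):
        with smtplib.SMTP(host, port) as smtp:
            smtp.starttls(context=ssl.create_default_context())
            if username:
                smtp.login(username, password)
            smtp.send_message(msg)
    return _send


def demo():
    outbox = []  # constructed stand-in for a mail server
    handler = EmailPinHandler(outbox.append, "privacyidea@example.org")
    pin, delivered = enroll("EMAIL0001", "johan", "johan@example.org", handler)
    return pin, delivered, outbox
```

Swapping `outbox.append` for `smtp_transport("mail.example.org", username="...", password="...")` is the whole difference between the demo and a deployment. The thing to watch in each handler is its log line: the basic handler writes the PIN itself to the log file, which is exactly what a user who is waiting for an email never sees, while the email handler logs only that a delivery happened.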

jmdeking

Jun 20, 2016, 4:30:12 AM
to privacyidea
Now when enabling pinhandling and setting the value to "send pin" I get the error: Item in ``from list'' not a string

Cornelius Kölbel

Jun 20, 2016, 4:31:48 AM
to priva...@googlegroups.com
Hi Johan,

have you tried entering "do_what_i_mean"? ;-)

...sorry - could not resist this...

Kind regards
Cornelius

jmdeking

Jun 20, 2016, 4:36:44 AM
to privacyidea
I understand Cornelius, thanks for the GitHub feature enhancement. I hope you get the time to implement that.

Gr.
Johan

Cornelius Kölbel

Aug 22, 2016, 6:09:31 AM
to priva...@googlegroups.com
Since your Netscaler does not know about the pin changing.

The PIN change is sent in the privacyIDEA API. This is not forwarded in
the RADIUS protocol and to my limited knowledge there is no PIN change
functionality in the RADIUS protocol.

On Monday, 22.08.2016 at 03:06 -0700, jmdeking wrote:
> Hi again Cornelius,
>
> I noticed this feature got released in 2.14-1trusty.
>
> I enabled it and applied it to the only realm I got.
>
> I set a pincode for an LDAP user and when looking at the token it
> says, next_pin_change: 22/08/16 11:55.
>
> But when I log in to my netscaler using freeradius I do not get
> prompted by a radius message to change the pin.
>
> How come?
signature.asc

jmdeking

Aug 22, 2016, 6:17:51 AM
to privacyidea
Hi again Cornelius,

I noticed this feature got released in 2.14-1trusty.

I enabled it and applied it to the only realm I got.

I set a pincode for an LDAP user and when looking at the token it says, next_pin_change: 22/08/16 11:55.

But when I log in to my netscaler using freeradius I do not get prompted by a radius message to change the pin.

How come?

Cornelius Kölbel

Aug 22, 2016, 6:29:22 AM
to priva...@googlegroups.com
I understand that PASSWORD change can be performed via MSCHAPv2.
I could explain to you, why MSCHAPv2 does not work with OTP.
But we would have to dive into your setup a bit deeper. And I am not
willing to invest my time here to explain to you your Many-Bucks-Juniper
setup. Go and ask your Juniper support!!!!!!!!!!!!
!!!!
!
!!!!!!!!
After all - you paid for that!

Besides - I also stressed the problem with MSChapv2 and OTP a lot on
different channels. So google might be your friend here.