TOTP and sync


Travis Brown

Apr 14, 2015, 4:44:09 PM
to priva...@googlegroups.com
I am using privacyIDEA 2.2 with Apache2 on Ubuntu 14.04. I followed the installation instructions here: http://privacyidea.readthedocs.org/en/latest/installation/#install-ubuntu

I set up a TOTP auth token with the following parameters:
{ "count_auth": "10", "hashlib": "sha256", "timeShift": "0", "timeStep": "30", "timeWindow": "180" }

The problem is that none of my TOTP tokens work, and I can't figure out how to make the DEBUG setting work.  I tried to set the PI_LOGLEVEL = 10 in /etc/privacyidea/pi.cfg, but all I get are WARNING messages.  That is definitely the config file referenced by the wsgi: application = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg")
 
When I try to resync the token, it returns false.

I see this in the logs occasionally: [2015-04-14 20:34:36,217][6571][140152141510400][WARNING][privacyidea.lib.tokens.totptoken:495] a previous OTP value was used again! tokencounter: 0, presented counter -1
[2015-04

Any ideas what I am doing wrong?  I thought it was perhaps a time synchronization issue, but I am running NTP, and my timezone is set to UTC on the system.

Thanks,
Travis




Cornelius Kölbel

Apr 15, 2015, 12:29:10 AM
to priva...@googlegroups.com
Hello Travis,

what kind of Tokens are you using? Keyfob or Smartphone?

There are two parameters that can lead to problems:

hashlib: Most keyfob tokens and also Google Authenticator et al. are using the sha1 hash algorithm. Unfortunately you cannot change the hash algo (except in the database), so you need to reenroll the token.

timeStep: Some keyfob tokens are using 60 seconds, not 30.

So I assume you are running the wrong hash algo.

Kind regards
Cornelius

-- 
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
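The two parameters Cornelius names (hashlib and timeStep) both feed directly into the OTP computation, so a mismatch between what the server stores and what the authenticator app uses yields codes that never agree. The following is an added example, not privacyIDEA's code, that implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library and shows the effect of each parameter, plus a server-side check over a time window that refuses already-consumed counters (a simplified model of the "previous OTP value was used again" warning in the original post; the window and replay handling are assumptions for illustration, not privacyIDEA's implementation). The secrets are the RFC test-vector secrets.

```python
import hashlib
import hmac
import struct

# RFC 4226 / 6238 test-vector secrets (ASCII "1234567890" repeated).
SECRET_SHA1 = b"12345678901234567890"            # 20 bytes, used with HMAC-SHA1
SECRET_SHA256 = b"12345678901234567890123456789012"  # 32 bytes, used with HMAC-SHA256


def hotp(secret: bytes, counter: int, digits: int = 6, hashalg: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10**digits. `hashalg` is any name hashlib knows."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, hashalg)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, time_step: int = 30, digits: int = 6,
         hashalg: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / time_step)."""
    return hotp(secret, at // time_step, digits, hashalg)


def verify_totp(secret: bytes, otp: str, now: int, time_step: int = 30,
                window_seconds: int = 180, digits: int = 6, hashalg: str = "sha1",
                last_counter: int = -1):
    """Server-side check (assumed model): accept `otp` if it matches any step
    within +/- window_seconds of `now`, except counters at or below the last
    counter already consumed by this token (replay guard).
    Returns the matched counter, or None if nothing matched."""
    steps = window_seconds // time_step
    center = now // time_step
    for counter in range(center - steps, center + steps + 1):
        if counter <= last_counter:
            continue  # a previous OTP value would be used again: refuse it
        if hmac.compare_digest(hotp(secret, counter, digits, hashalg), otp):
            return counter
    return None


def demo_parameter_mismatch(at: int = 59) -> dict:
    """Return the codes an authenticator would show under different settings,
    so the reader can see that hashlib and timeStep must match on both sides."""
    return {
        "sha1_step30": totp(SECRET_SHA1, at, time_step=30, hashalg="sha1"),
        "sha1_step60": totp(SECRET_SHA1, at, time_step=60, hashalg="sha1"),
        "sha256_step30": totp(SECRET_SHA256, at, time_step=30, hashalg="sha256"),
    }


if __name__ == "__main__":
    codes = demo_parameter_mismatch()
    print("codes at t=59:", codes)
    # Phone configured for SHA1/30s, server token enrolled with sha256: never matches.
    print("sha1 code checked by sha256 server:",
          verify_totp(SECRET_SHA1, codes["sha1_step30"], 59, hashalg="sha256"))
    # Matching parameters: accepted, and the consumed counter is returned.
    print("sha1 code checked by sha1 server:",
          verify_totp(SECRET_SHA1, codes["sha1_step30"], 59, hashalg="sha1"))
    # Same code presented again after its counter was consumed: refused.
    print("replayed code:",
          verify_totp(SECRET_SHA1, codes["sha1_step30"], 59, window_seconds=0,
                      hashalg="sha1", last_counter=1))
```

The known test vectors make the point concrete: with the SHA1 secret the code for counter 1 (t=59, 30 s step) is 287082, while a 60 s step at the same instant yields counter 0 and the code 755224, and the SHA256 secret at counter 1 gives 119246. Re-enrolling the token with the authenticator's actual algorithm and step, as the reply recommends, is the only fix, because the server has no way to recover the right parameters from a stream of non-matching codes.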

Travis Brown

Apr 15, 2015, 8:00:40 AM
to Cornelius Kölbel, priva...@googlegroups.com
Hi Cornelius,

I am using Google Authenticator on an iPhone. Sure enough, the issue was with the wrong hash algorithm. SHA1 works great. Thank you very much for your time and a very nice software package!

Cheers,
Travis

Cornelius Kölbel

Apr 15, 2015, 8:13:49 AM
to Travis Brown, priva...@googlegroups.com
Hi Travis,

cool. Glad to hear that it works out fine!
Do not hesitate to drop a note, ask or talk about.

Kind regards
Cornelius