[Maybe A bug] Multiple token "AES + TOTP + HOTP"


Sherif Nagy
Dec 1, 2015, 12:39:58 PM
to privacyidea
Hello,

I have been testing and messing around with PrivacyIDEA for a few hours now and it looks great!

I am using the latest stable version on top of Debian Jessie. I have a very simple WebUI policy that authenticates against PrivacyIDEA itself using an LDAP resolver. I enrolled the following tokens, all assigned to a single user:

- 1 x HOTP Yubikey
- 1 x OTP "AES" Yubikey
- 1 x HOTP Google Authenticator
- 1 x TOTP Google Authenticator

All works perfectly, but once I assigned the AES one, only the AES one can actually log in and the rest get the error below in the logs:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 96, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/auth.py", line 234, in get_auth_token
    superuser_realms)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 477, in login_mode
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/auth.py", line 130, in check_webui_user
    check, details = check_user_pass(user_obj, password, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 274, in auth_user_timelimit
    res, reply_dict = wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 360, in auth_lastauth
    res, reply_dict = wrapped_function(user_or_serial, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 251, in auth_user_passthru
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 175, in auth_user_has_no_token
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 210, in auth_user_does_not_exist
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1803, in check_user_pass
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1861, in check_token_list
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 45, in token_locked_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokenclass.py", line 388, in authenticate
    otp_counter = self.check_otp(otpval, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 45, in token_locked_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/yubikeytoken.py", line 191, in check_otp
    otp_bin = modhex_decode(yubi_otp)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/utils.py", line 104, in modhex_decode
    [mod2HexDict[c] for c in m]
KeyError: u'8'

Once I unassign the AES token, everything works perfectly again.

Kind regards,
Sherif

Cornelius Kölbel
Dec 1, 2015, 1:50:48 PM
to priva...@googlegroups.com
Hi,

the problem with the AES yubikey is that it behaves rather differently,
since it comes with the userid in front of it.

Nevertheless: Thanks for the heads up. I will have to look into it...

Are you using OTP PIN from privacyIDEA or otppin=userstore?
If you are using OTP PIN, do the tokens have the same or different PINs?

I think I already have an idea:
Did you try to authenticate with another OTP token (not AES), when you
get this error?

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Cornelius Kölbel
Dec 1, 2015, 3:22:25 PM
to priva...@googlegroups.com
Hi Sherif,

I fixed the problem with this commit:

https://github.com/privacyidea/privacyidea/commit/81b42d65146831ea55995d5bb4e169140be5a2b2

I think I will cherry-pick it together with another fix into version 2.8.1.

Kind regards
Cornelius

Sherif Nagy
Dec 1, 2015, 6:00:40 PM
to privacyidea
Hi Cornelius,

Thank you for the commit; I will try it tomorrow and see how it goes.

So far I have no Auth policy, so the OTP is the only password used ("No PIN or UserStore password").

I don't use a PIN with any of the OTP / HOTP / AES tokens.

Once I have the AES token assigned and I try to auth with any OTP (other than the AES), I get the error I posted; when I try the AES, it does work and I can log in. It seems that the AES token takes a higher priority in the token list, but the check does not loop on after the AES.

Regards,
Sherif
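The failure mode Sherif describes is a parse error that escapes the per-token check: when the user's token list is walked, the Yubikey token class runs the submitted OTP (here a six-digit HOTP code) through its modhex decoder, which throws KeyError on the digit "8", and the exception aborts the whole loop before the HOTP or TOTP token ever gets a turn. The following is an added, self-contained illustration of that behaviour and of the defensive shape of a fix; it is not privacyIDEA code and does not reproduce the linked commit. The token serials, the HOTP secret (the RFC 4226 test-vector key), the Yubikey public ID and the `YubikeyOtpToken` stand-in (which checks only the modhex structure and the 12-character public ID prefix, and omits the AES decryption and CRC check a real Yubico OTP needs) are constructed for the example.

```python
import hashlib
import hmac
import struct

# Added example, not privacyIDEA code. Serials, secrets and the Yubikey
# public ID are constructed values for illustration only.

MODHEX_ALPHABET = "cbdefghijklnrtuv"           # Yubico modhex digits 0..f
MOD2HEX = {c: "0123456789abcdef"[i] for i, c in enumerate(MODHEX_ALPHABET)}


def modhex_decode(modhex):
    """Return the hex string for a modhex string, or None when the input has an
    odd length or any non-modhex character (a plain dict lookup would raise
    KeyError here, which is exactly the traceback from the thread)."""
    if not modhex or len(modhex) % 2 or any(c not in MOD2HEX for c in modhex):
        return None
    return "".join(MOD2HEX[c] for c in modhex)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpToken:
    def __init__(self, serial, secret, counter=0, window=10):
        self.serial, self.secret, self.counter, self.window = serial, secret, counter, window

    def check_otp(self, otp):
        """Return the matching counter, or -1 when the OTP does not match."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1          # a used counter is never accepted again
                return c
        return -1


class YubikeyOtpToken:
    """Stand-in for a Yubico AES-mode token: a 44-char modhex OTP whose first
    12 chars are the public ID (the 'userid in front' mentioned in the thread)."""

    def __init__(self, serial, public_id):
        self.serial, self.public_id = serial, public_id

    def check_otp(self, otp):
        if len(otp) != 44 or modhex_decode(otp) is None:
            return -1           # not a Yubikey OTP at all: report no match, do not raise
        if otp[:12] != self.public_id:
            return -1           # belongs to a different key
        # Assumption/simplification: a real implementation would now AES-decrypt the
        # remaining 32 modhex chars and verify CRC, session and use counters. That
        # step is omitted here; the example only demonstrates the parse guard.
        return 0


def check_token_list(tokens, otp):
    """Try every assigned token in turn and succeed on the first match. A token
    class that cannot parse the OTP must count as 'no match', not abort the loop."""
    for token in tokens:
        try:
            counter = token.check_otp(otp)
        except Exception as exc:        # defensive: a decoder bug is a failed check, not a 500
            print("token %s raised %r; treating as no match" % (token.serial, exc))
            counter = -1
        if counter >= 0:
            return True, token.serial
    return False, None


def build_user_tokens():
    """Constructed token set like the one in the thread: the Yubikey sits first,
    so every login attempt reaches its parser before the HOTP token is tried."""
    return [
        YubikeyOtpToken("UBOM0001", public_id="ccccccbcgujh"),
        HotpToken("OATH0001", secret=b"12345678901234567890"),
    ]


if __name__ == "__main__":
    tokens = build_user_tokens()
    print(check_token_list(tokens, "755224"))                    # HOTP code, counter 0
    print(check_token_list(tokens, "ccccccbcgujh" + "c" * 32))   # constructed Yubikey OTP
```

The two guards are deliberately redundant: `modhex_decode` refuses to raise on foreign input, and `check_token_list` still treats any exception from a token class as a non-match, so one badly behaved token type cannot lock the user's other tokens out, which is the observable symptom from the first post.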

Sherif Nagy
Dec 2, 2015, 4:29:32 AM
to privacyidea
Hi Cornelius,

I just tested the last commit and it works like a charm :) thank you!

Regards,
Sherif