Debug OATH token verification


r_pi

Jun 30, 2015, 8:50:57 AM
to priva...@googlegroups.com
Hello,

I have been trying to get OATH tokens working - both HOTP and TOTP.
Neither of them is properly validated, even without a set PIN.

Is there a way to debug the validation of these types of tokens?
The version I am using is 2.4 (installed via pip). The app used to generate tokens is FreeOTP.

Kind regards,
Robin

Cornelius Kölbel

Jun 30, 2015, 9:23:18 AM
to priva...@googlegroups.com
Hello Robin,

You can set the log level to debug.
In the pi.cfg file you can set

PI_LOGLEVEL = 10

See
http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html
for more details.

You can also take a look at the event validate/check in the audit log
(tab "audit" in the web UI). Some additional information is there, too.

So you installed via pip.
How are you running privacyIDEA? Are you running it via WSGI in Apache2?

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Cornelius Kölbel

Jun 30, 2015, 10:31:43 AM
to priva...@googlegroups.com
Hi Robin,

By the way: FreeOTP only works with TOTP.

In case of TOTP you need to check that

* the clocks are in sync
* SHA1 is used!
* the time step is set to 30 seconds.


Kind regards
Cornelius


r_pi

Jun 30, 2015, 12:54:11 PM
to priva...@googlegroups.com
Hello,

I found out that HOTP actually works well with FreeOTP, after some initial attempts had failed.
FreeOTP should also be capable of using different hashing algorithms, as it displays some other algorithms besides SHA1 in the manual config dialogue.
Naturally, for that to work, the algorithm has to be included in the otpauth:// URI. [1]



Kind regards,
Robin

Cornelius Kölbel

Jun 30, 2015, 1:25:15 PM
to priva...@googlegroups.com
Oh, this is new to me, that FreeOTP supports HOTP.
What version on which device are you running?

Cornelius Kölbel

Jun 30, 2015, 1:30:11 PM
to priva...@googlegroups.com
...indeed FreeOTP works with HOTP.
Was not aware of this :-)

r_pi

Jul 1, 2015, 7:35:22 AM
to priva...@googlegroups.com
Everything is working now, thank you :-)

Cornelius Kölbel

Jul 1, 2015, 7:49:34 AM
to priva...@googlegroups.com
Great,
do you know what the problem was?
Maybe we should improve the docs.
Kind regards
Cornelius


r_pi

Jul 2, 2015, 5:01:20 AM
to priva...@googlegroups.com
Sadly, at the time these errors occurred, I did not have an appropriate log level configured, hence I have no idea what might have caused it.
After some further attempts it suddenly worked.

I will post my findings, though, in case this behavior reoccurs.


Kind regards,
Robin

Cornelius Kölbel

Jul 2, 2015, 5:34:05 AM
to priva...@googlegroups.com
I think there might be an issue with the first counter when enrolling an
HOTP token, resulting in the first OTP value generated by e.g. Google
Authenticator not working, but the second one does.

Kind regards
Cornelius
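The three TOTP checks Cornelius lists (clocks in sync, SHA1, a 30 second time step), Robin's note that the algorithm travels in the otpauth:// URI, and the suspected off-by-one on the first HOTP counter are all things a verifier can be made to show on constructed data. The block below is an added example and is not privacyIDEA's own code: it implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, parses an otpauth:// enrollment URI, and verifies with the tolerance windows a server typically applies. The function names, the default windows, and the demo URIs (built from the RFC 4226/6238 test key) are assumptions of this example; privacyIDEA's actual defaults are not claimed here.

```python
"""Added example (not privacyIDEA's code): RFC 4226 HOTP / RFC 6238 TOTP,
otpauth:// URI parsing, and server-side verification with tolerance windows."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed demo secret: the 20-byte RFC 4226/6238 test key and its base32 form.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, algorithm: str = "sha1", period: int = 30) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided by the time step."""
    return hotp(secret, at // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://hotp/... or otpauth://totp/... as generated at enrollment.
    Absent algorithm/digits/period/counter fall back to the defaults apps assume
    (SHA1, 6 digits, 30 s, counter 0), which is why a mismatch silently breaks validation."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("hotp", "totp"):
        raise ValueError("not an otpauth:// HOTP/TOTP URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # restore the base32 padding most apps drop
    token = {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", "6")),
    }
    if token["type"] == "totp":
        token["period"] = int(params.get("period", "30"))
    else:
        token["counter"] = int(params.get("counter", "0"))
    return token


def verify_totp(token: dict, otp: str, now=None, window: int = 1) -> bool:
    """Accept the current time step and +-window neighbouring steps (small clock drift)."""
    now = int(time.time()) if now is None else now
    step = now // token["period"]
    return any(
        hmac.compare_digest(hotp(token["secret"], step + d, token["digits"], token["algorithm"]), otp)
        for d in range(-window, window + 1)
    )


def verify_hotp(token: dict, otp: str, lookahead: int = 10):
    """Search counters [counter, counter+lookahead); return the next expected counter
    on success, or None. Never looking backwards is what prevents replay of a used OTP."""
    start = token["counter"]
    for c in range(start, start + lookahead):
        if hmac.compare_digest(hotp(token["secret"], c, token["digits"], token["algorithm"]), otp):
            return c + 1
    return None


def demo() -> dict:
    """Reproduce the thread's failure modes on constructed data (assumed instant at=1000)."""
    t = parse_otpauth(f"otpauth://totp/privacyIDEA:robin?secret={RFC_SECRET_B32}&issuer=privacyIDEA")
    at = 1000
    good = totp(t["secret"], at)
    results = {
        "in_sync": verify_totp(t, good, now=at),
        "small_skew": verify_totp(t, good, now=at + 30),   # one step off: absorbed by window
        "clock_skew": verify_totp(t, good, now=at + 90),   # three steps off: rejected
        "wrong_hash": totp(t["secret"], at, algorithm="sha256") == good,  # SHA256 vs SHA1
        "wrong_step": verify_totp(t, totp(t["secret"], at, period=60), now=at),  # 60 s vs 30 s
    }
    h = parse_otpauth(f"otpauth://hotp/privacyIDEA:robin?secret={RFC_SECRET_B32}&counter=0")
    first_shown = hotp(h["secret"], 1)  # the app's first displayed value is already counter 1
    results["hotp_first_value"] = verify_hotp(h, first_shown)  # look-ahead absorbs the off-by-one
    results["hotp_no_lookahead"] = verify_hotp(h, first_shown, lookahead=1)  # strict: rejected
    h["counter"] = results["hotp_first_value"]
    results["hotp_replay"] = verify_hotp(h, first_shown)  # same OTP again: rejected
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the demo shows the pattern behind the thread: a one-step clock difference passes, a three-step difference, a different hash algorithm, or a different time step all fail with nothing but "wrong OTP" as the symptom, which is why a debug log level is the quickest way to see which parameter the server actually applied. For HOTP, a look-ahead window lets the server accept a token whose first shown value is already one counter ahead, while the counter only ever moving forward still rejects a replayed value.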