Remove PIN from Token

simv...@gmail.com

Aug 24, 2016, 3:09:50 AM
to privacyidea
Hello Cornelius and all !

Is it possible to remove PIN from a Token (by WEB or API) ?

The only option that I found is to manually clean the sql table (pin_seed & pin_hash).

Regards

Sim

Cornelius Kölbel

Aug 24, 2016, 3:22:47 AM
to priva...@googlegroups.com
Hi Sim,

you can set an empty password or you can set the policy otppin=none.

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



simv...@gmail.com

Aug 24, 2016, 3:42:32 AM
to privacyidea
Hi Cornelius,
you are right!

Setting an empty password does not clear the DB record but sets "empty" correctly.

Yes, I'm using otppin=none as you know, but it's not the best solution with SMS token.

Now I'm testing otppin=tokenpin and "empty" PIN (for TOTP). It's equal to otppin=none,
but I can set PIN for SMS token.

It works correctly, but there is always the "failcounter" problem for TOTP.

Sim

Cornelius Kölbel

Aug 24, 2016, 3:44:38 AM
to priva...@googlegroups.com
Hi Sim,

regarding the failcounter:

Is this right?
https://github.com/privacyidea/privacyidea/issues/471
Or please add more description to this ticket with regards
to your problem.

Kind regards
Cornelius

simv...@gmail.com

Aug 24, 2016, 3:51:53 AM
to privacyidea
Excuse me... I've another question.....

I've requested token by SMS and received it.

This is the "List Challenges":

Wed, 24 Aug 2016 09:33:28 GMT     PISM0000CC7B     00155976067561524466     Wed, 24 Aug 2016 09:38:28 GMT     0

Now... I'm waiting more than 5 minutes.....
And then I try to validate token.. (09:43)

Result..

"matching 1 tokens", "type": "sms", "serial": "PISM0000CC7B", "otplen": 6}
"result": {"status": true, "value": true}, "time": 1472024584.399257, "id": 1}

Mmmm....

This is the log

11572 - 8/24/16 09:43:04 - GET /validate/check - 1 - PISM0000CC7B - ... matching 1 tokens - OK

But the Challenges report expiration : 09:38:28

Is it a bug or a setting?
And what is the "Received: 0"?... it's always 0.

Regards
Sim





simv...@gmail.com

Aug 25, 2016, 5:37:26 AM
to privacyidea
Excuse me again....

Any idea about this?

Regards
Sim

Cornelius Kölbel

Aug 25, 2016, 5:48:47 AM
to priva...@googlegroups.com
Hi Sim,

the "0" is the received_count. Roughly, it is increased if an invalid
response for this transactionId was retrieved.

The expiration date of a challenge is checked here:

https://github.com/privacyidea/privacyidea/blob/master/privacyidea/models.py#L1083

So there might be some confusion with the datetime and your database
column.

You could add a

log.error(c_now)
log.error(self.expiration)

So we would know, what might be wrong there.

Kind regards
Cornelius

simv...@gmail.com

Aug 25, 2016, 5:58:22 AM
to privacyidea
Well, I can add

  log.error(c_now)
  log.error(self.expiration)

in the middle of 1090 and 1091, right?

Regards
Sim

Cornelius Kölbel

Aug 25, 2016, 6:38:58 AM
to priva...@googlegroups.com

simv...@gmail.com

Aug 25, 2016, 11:09:51 AM
to privacyidea
- This is the code

    def is_valid(self):
        """
        Returns true, if the expiration time has not passed, yet.
        :return: True if valid
        :rtype: bool
        """
        ret = False
        c_now = datetime.now()
        log.error("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
        log.error(c_now)
        log.error(self.expiration)
        if c_now < self.expiration:
            ret = True
        return ret

- enabled PI_LOGLEVEL = logging.DEBUG
- rm /usr/lib/python2.7/dist-packages/privacyidea/models.pyc
- restarted Apache
- request SMS PIN and used it (/validate/check?user=...) before expire (for a test)

...but not "XXXXX...." in /var/log/privacyidea/privacyidea.log ...

mmm....
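
Added example (not part of the thread and not privacyIDEA code): one way a naive-datetime comparison like the is_valid() above can misjudge a challenge, which is the kind of datetime/database-column confusion suggested earlier in the thread, next to a timezone-aware check. The 5-minute lifetime and timestamps are taken from the challenge list above; the scenario (expiration written in local time, "now" read in UTC), the UTC offsets and the function names are assumptions for illustration, not a diagnosis of this case.

```python
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(minutes=5)  # challenge lifetime seen in the thread


def is_valid_naive(now_naive, expiration_naive):
    """Same comparison as the quoted is_valid(): two naive datetimes."""
    return now_naive < expiration_naive


def is_valid_aware(now, expiration):
    """Hardened form: refuse naive values and compare in UTC only."""
    for value in (now, expiration):
        if value.tzinfo is None or value.utcoffset() is None:
            raise ValueError("naive datetime passed to expiry check")
    return now.astimezone(timezone.utc) < expiration.astimezone(timezone.utc)


def simulate(offset_hours, minutes_after_issue):
    """Return (naive_result, aware_result) for a constructed server whose
    local clock is UTC+offset_hours: the writer stored the expiration as
    local wall-clock time, the reader compares against UTC wall-clock time."""
    local = timezone(timedelta(hours=offset_hours))
    issued = datetime(2016, 8, 24, 9, 33, 28, tzinfo=timezone.utc)
    expires = issued + VALIDITY
    check = issued + timedelta(minutes=minutes_after_issue)
    # Writer: local time with the zone information stripped (assumption).
    stored_naive = expires.astimezone(local).replace(tzinfo=None)
    # Reader: UTC time with the zone information stripped (assumption).
    now_naive = check.replace(tzinfo=None)
    return is_valid_naive(now_naive, stored_naive), is_valid_aware(check, expires)


if __name__ == "__main__":
    for offset in (0, 2, -2):
        for minutes in (1, 10):
            naive, aware = simulate(offset, minutes)
            print(f"UTC{offset:+d} +{minutes:>2} min  naive={naive}  aware={aware}")
```

With a positive offset the naive check keeps accepting the challenge for hours after it expired; with a negative offset it rejects a challenge that is still valid.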

Cornelius Kölbel

Aug 26, 2016, 1:32:32 AM
to priva...@googlegroups.com
Hi Sim,

I am not sure if this is a bug or a misunderstanding.
I opened an issue on github
https://github.com/privacyidea/privacyidea/issues/496
since for me the mailing list is the wrong place to track this.

Kind regards
Cornelius

Cornelius Kölbel

Aug 26, 2016, 2:24:24 AM
to priva...@googlegroups.com
Hi Sim,

could it be, that you are authenticating like this:

1. username
password

-> you get your SMS with OTP

2. username
password + otp

Kind regards
Cornelius
