On Fri, 27 Jun 2014, Martin Kosek wrote:
> As we are about to very soon release the FreeIPA 4.0, I triaged all the pending
> tickets and divided them into the following milestones:
>
> 1) FreeIPA 4.0 GA - last work that is required for the release. When this
> milestone is completed, we will release. All tickets in this milestone are thus
> the top priority for people working on 4.0 - this applies both for development
> and for reviews.

Endi found that with TOTP we don't yet enforce a requirement to prevent
reuse of an OTP code multiple times within the same time step (you are able
to log in with TOTP and reuse it for a password change within 30 seconds,
for example). RFC3268 part 5.2 clearly says that the verifier MUST NOT
allow this behavior.

I'll look into this case on Monday but so far this is a release blocker.
/ Alexander Bokovoy
Freeipa-devel mailing list
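
An added example, not part of the original message and not FreeIPA's code: a minimal TOTP verifier that records the last accepted time step per token, so the same code cannot be accepted twice, whether the second use is a login or a password change. The class name, the in-memory store, the token id, the secret and the timestamp are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, as in the message above


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) dynamic truncation applied to a time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Shared by every path that consumes an OTP (login, password change)."""

    def __init__(self, window: int = 1):
        self.window = window   # tolerated clock drift, in steps
        self.last_step = {}    # token id -> last accepted step (assumed in-memory store)

    def verify(self, token_id: str, secret: bytes, code: str, now: float) -> bool:
        current = int(now) // STEP
        floor = self.last_step.get(token_id, -1)
        for step in range(current - self.window, current + self.window + 1):
            # A step at or below the watermark has already been consumed.
            if step <= floor:
                continue
            if hmac.compare_digest(totp(secret, step), code):
                self.last_step[token_id] = step  # must be persisted atomically in a real service
                return True
        return False


def demo() -> list:
    secret = b"12345678901234567890"  # constructed test secret
    v = TotpVerifier()
    now = 1403870410.0                # constructed timestamp
    code = totp(secret, int(now) // STEP)
    nxt = totp(secret, int(now + STEP) // STEP)
    return [
        v.verify("tok1", secret, code, now),        # login: accepted
        v.verify("tok1", secret, code, now + 5),    # same step, password change: rejected
        v.verify("tok1", secret, nxt, now + STEP),  # next time step: accepted
    ]
```

The watermark also rejects a code from an earlier step once a later one has been accepted, which keeps the drift window from reopening a consumed step.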