On Fri, 2014-06-27 at 19:55 +0300, Alexander Bokovoy wrote:
> On Fri, 27 Jun 2014, Martin Kosek wrote:
> >Hello team,
> >
> >As we are about to very soon release the FreeIPA 4.0, I triaged all the 
> >pending
> >tickets and divided them to following milestones:
> >
> >1) FreeIPA 4.0 GA - last work that is required for the release. When this
> >milestone is completed, we will release. All tickets in this milestone are 
> >thus
> >the top priority for people working on 4.0 - this applies both for 
> >development
> >and for reviews.
> Endi found that with TOTP we don't yet enforce a requirement to prevent
> reuse of OTP code multiple times within the same time step (you are able
> to login with TOTP and reuse it for password change within 30 seconds,
> for example). RFC3268 part 5.2 clearly says that the verifier MUST NOT
> allow this behavior.
> I'll look into this case on Monday but so far this is a release blocker.

This is a well known limitation.

The reason we allow for it is due to performance issues with replication
if we did so, we do not have a good way to mark used values in a
distributed fashion.

It's for the same reason that we have not implemented HOTP yet.


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list

Reply via email to