On Jun 27, 2014, at 1:49 PM, Simo Sorce <s...@redhat.com> wrote:

> On Fri, 2014-06-27 at 19:19 +0200, Petr Vobornik wrote:
>> On 27.6.2014 19:00, Simo Sorce wrote:
>>> On Fri, 2014-06-27 at 19:55 +0300, Alexander Bokovoy wrote:
>>>> On Fri, 27 Jun 2014, Martin Kosek wrote:
>>>>> Hello team,
>>>>> As we are about to very soon release the FreeIPA 4.0, I triaged all the 
>>>>> pending
>>>>> tickets and divided them to following milestones:
>>>>> 1) FreeIPA 4.0 GA - last work that is required for the release. When this
>>>>> milestone is completed, we will release. All tickets in this milestone 
>>>>> are thus
>>>>> the top priority for people working on 4.0 - this applies both for 
>>>>> development
>>>>> and for reviews.
>>>> Endi found that with TOTP we don't yet enforce a requirement to prevent
>>>> reuse of OTP code multiple times within the same time step (you are able
>>>> to login with TOTP and reuse it for password change within 30 seconds,
>>>> for example). RFC3268 part 5.2 clearly says that the verifier MUST NOT
>>>> allow this behavior.
>>>> I'll look into this case on Monday but so far this is a release blocker.
>>> This is a well known limitation.
>>> The reason we allow for it is due to performance issues with replication
>>> if we did so, we do not have a good way to mark used values in a
>>> distributed fashion.
>>> It's for the same reason that we have not implemented HOTP yet.
>> Not entirely true:
>> http://www.redhat.com/archives/freeipa-devel/2014-January/msg00069.html
> I should probably have said we have not implemented it *for* HOTP.
> That said using HOTP is not really something I would recommend at this
> point as each authentication will cause a replication event to be fired.
> That is probably ok if you have very few users/authentications, but in
> large domains it would quickly be problematic.
> Responding to Alexander, yes we need to document that we have this
> limitation.

+1, we need to clearly document it. I plan to work on this next week.

Just to outline the situation:

We currently implement two features: TOTP and HOTP. We currently only recommend 
deploying TOTP due to the aforementioned replication issues.

HOTP will not permit key reuse, but TOTP will. We call this feature for TOTP 
“high watermark.” The reasons for this are twofold.

First, we have a general concern about replication storms when recording the 
high watermark. We hope to solve this problem in the next release by defining a 
mechanism for high priority replication and, hopefully, custom replication 
conflict resolvers to prevent a possible scenario where the counter would move 

Second, when using HOTP, a bug is triggered in SSSD password changing where a 
token is implicitly used twice in a row. Enabling high watermark support for 
TOTP also triggers this bug. Fixing this in SSSD is also high on the priority 
list for the next release.

So, in short, it is a known defect that is not a blocker for this release and 
that needs to be appropriately documented.

Freeipa-devel mailing list

Reply via email to