Martin Basti <mba...@redhat.com> writes: > Hello, I have a few comments/questions related to HOTP inline
Sure :-) > On 28.12.2016 13:54, Jochen Hein wrote: >> >> I've settled for the following usage of the slots: >> >> * Slot 1: This is a (reprogrammed) Yubico-AES token, which >> authenticates against Privacyides yubico mode instead of Yubicos >> cloud server. >> >> Why Yubico and not HOTP or TOTP? >> >> Here FreeIPA fails for me: Yubikey can't do TOTP, HOTP token can get >> out of sync, when we use them for local authentication, FreeIPA and >> Kolab (each application has a count, which needs to be "in near >> sync" with the counter in the Yubikey. I wouldn't trust such a >> setup.) > > AFAIK this is security feature to have "Window of allowed tokens" and > counter is essential for HOTP, > https://tools.ietf.org/html/rfc4226#section-7.2 Exactly. So it seems essential for me, that only one system can be the owner of the token (has the secret and counter to check the validity of an OTP). This is for both HOTP and Yubico-AES (cloud validation). So at first they look more or less identical, but why did I choose Yubico? Two usecases for me will work with yubico-AES, but not easily with HOTP (or maybe as well...). First is Kolab, my mailserver. With the current (development) release I can use 2FA with HOTP/TOTP and yubico-AES. Kolab wants to be the owner of the HOTP/TOTP token, so the Yubikey couldn't be used for other applications. Right now there is no external validation for TOTP/HOTP implemented. But we can ask a yubico validation server (e.g. privacyidea) which is the owner of my yubico AES token. Second is pam_yubico, which asks my privacyidea server for validation. For HOTP is might be possible to use something like pam_googleauthenticator, but with Kolab I didn't see a solution. So, one yubikey is enrolled privacyidea and can be used by multiple applications with pam_yubico, yubico validation protocol and RADIUS, but the secret and counter is only stored in privacyidea... >> But providing access to a Yubico Token via privacyidea works for all >> cases I have in mind. > > How they are checking the valid tokes if they don't use its counter? Privacyidea is the "owner" of the token and has the secret and the counter stored. Every other system (e.g. pam_yubico or FreeIPA) is checking the validation against privacyiadea, either with the yubico protocol, the privacyidey validation, or RADIUS. Does this clarify the architecture of my system? Jochen -- The only problem with troubleshooting is that the trouble shoots back. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project