[Freeipa-users] Re: TOTP generators producing different values

2018-12-05 Thread Brian Topping via FreeIPA-users
Hi guys, thanks for your input here. Phones these days have very accurate time 
on account of the demands of TDMA, so it never struck me that the phone could 
be “out of sync”. Rather, there may be some TZ quirk that a single sync would 
have cured the very first time I tried it and never knew to do it. 

That said, I do need to get the issue created so the issue isn’t lost.

best, Brian

> On Dec 5, 2018, at 9:04 PM, Simo Sorce wrote:
> 
> On Tue, 2018-12-04 at 09:43 +0100, Florence Blanc-Renaud via FreeIPA-users wrote:
>> On 12/3/18 6:10 PM, Brian Topping via FreeIPA-users wrote:
>>> Hi all, I have a question about TOTP authenticators (Google Authenticator, 
>>> Authy, FreeOTP):
>>> 
>>> Why is it that a given URL/QRCode can load into all three authenticators, 
>>> but all three give different OTP values at any given time and only FreeOTP 
>>> actually works?
>> 
>> Hi,
>> 
>> TOTP values are generated using the current time to ensure their 
>> uniqueness. I didn't have any issue when using Google Authenticator and 
>> FreeOTP, but you need to make sure that the clocks are in sync when 
>> using TOTP.
> 
> Keep in mind that a hardware (or even software) token may have clock
> drifting issues. These are handled by the server via token re-sync.
> It is best to have clocks in sync, but if the clock doesn't jump wildly
> the server should be able to handle clock differences with, at most, a
> re-sync.
> 
> Simo.
> 
>>> 
>>> When I run `ipa otp-sync` with values from Authy, it crashes:
>>> 
>>> ```
>>> [root@ns-0 /]# ipa otptoken-sync 752f744e-1879-4499-a9c5-8932f739d26a
>>> User ID: player1
>>> Password:
>>> First Code:
>>> Second Code:
>>> ipa: ERROR: non-public: AttributeError: 'NoneType' object has no attribute 'name'
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 139, in execute
>>>     result = self.Command[_name](*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
>>>     return self.__do_call(*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
>>>     ret = self.run(*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run
>>>     return self.forward(*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipaclient/plugins/otptoken.py", line 168, in forward
>>>     query['token'] = DN((obj.primary_key.name, args[0]),
>>> AttributeError: 'NoneType' object has no attribute 'name'
>>> ipa: ERROR: an internal error has occurred
>>> ```
>>> 
>> 
>> I could consistently reproduce the AttributeError exception. Could you 
>> please open a ticket on pagure for this issue 
>> (https://pagure.io/freeipa/new_issue)?
>> 
>> flo
>> 
>> 
>>> Thanks kindly for any leads on this!
>>> 
>>> Brian
>>> ___
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: 
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>> 
>> 
> 
> -- 
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc



[Freeipa-users] Re: TOTP generators producing different values

2018-12-05 Thread Simo Sorce via FreeIPA-users
On Tue, 2018-12-04 at 09:43 +0100, Florence Blanc-Renaud via FreeIPA-users wrote:
> On 12/3/18 6:10 PM, Brian Topping via FreeIPA-users wrote:
> > Hi all, I have a question about TOTP authenticators (Google Authenticator, 
> > Authy, FreeOTP):
> > 
> > Why is it that a given URL/QRCode can load into all three authenticators, 
> > but all three give different OTP values at any given time and only FreeOTP 
> > actually works?
> 
> Hi,
> 
> TOTP values are generated using the current time to ensure their 
> uniqueness. I didn't have any issue when using Google Authenticator and 
> FreeOTP, but you need to make sure that the clocks are in sync when 
> using TOTP.

Keep in mind that a hardware (or even software) token may have clock
drifting issues. These are handled by the server via token re-sync.
It is best to have clocks in sync, but if the clock doesn't jump wildly
the server should be able to handle clock differences with, at most, a
re-sync.

Simo.

> > 
> > When I run `ipa otp-sync` with values from Authy, it crashes:
> > 
> > ```
> > [root@ns-0 /]# ipa otptoken-sync 752f744e-1879-4499-a9c5-8932f739d26a
> > User ID: player1
> > Password:
> > First Code:
> > Second Code:
> > ipa: ERROR: non-public: AttributeError: 'NoneType' object has no attribute 'name'
> > Traceback (most recent call last):
> >   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 139, in execute
> >     result = self.Command[_name](*args, **options)
> >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
> >     return self.__do_call(*args, **options)
> >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
> >     ret = self.run(*args, **options)
> >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run
> >     return self.forward(*args, **options)
> >   File "/usr/lib/python2.7/site-packages/ipaclient/plugins/otptoken.py", line 168, in forward
> >     query['token'] = DN((obj.primary_key.name, args[0]),
> > AttributeError: 'NoneType' object has no attribute 'name'
> > ipa: ERROR: an internal error has occurred
> > ```
> > 
> 
> I could consistently reproduce the AttributeError exception. Could you 
> please open a ticket on pagure for this issue 
> (https://pagure.io/freeipa/new_issue)?
> 
> flo
> 
> 
> > Thanks kindly for any leads on this!
> > 
> > Brian

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
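
The clock-drift handling described in this message, as an added example that is not part of the original thread and is not FreeIPA's own code: a TOTP generator (RFC 6238 with HMAC-SHA1, 6 digits and a 30-second step assumed) and a re-sync that uses two consecutive codes to find how many steps the token clock is off. The function names, search range and acceptance window are assumptions; the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6     # code length (assumed)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP over the number of STEP-second intervals since the epoch."""
    return hotp(secret, unix_time // STEP)

def find_offset(secret, first, second, server_time, max_steps=20):
    """Re-sync: return the step offset at which two consecutive codes match.

    Requiring two consecutive codes makes a chance match at a wrong
    offset far less likely than with a single code.
    """
    base = server_time // STEP
    for k in sorted(range(-max_steps, max_steps + 1), key=abs):
        if (hmac.compare_digest(hotp(secret, base + k), first)
                and hmac.compare_digest(hotp(secret, base + k + 1), second)):
            return k
    return None  # drift larger than the search range, or wrong secret/codes

def validate(secret, code, server_time, offset=0, window=1):
    """Accept a code within +/- window steps of the offset-corrected clock."""
    base = server_time // STEP + offset
    return any(hmac.compare_digest(hotp(secret, base + d), code)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    server_time = 1111111109 - 300     # constructed: server 300 s behind token
    first, second = totp(secret, 1111111109), totp(secret, 1111111111)
    print("codes from token:", first, second)
    print("accepted before re-sync:", validate(secret, first, server_time))
    k = find_offset(secret, first, second, server_time)
    print("offset found (steps):", k)
    print("accepted after re-sync:", validate(secret, first, server_time, offset=k))
```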



[Freeipa-users] Re: TOTP generators producing different values

2018-12-04 Thread Florence Blanc-Renaud via FreeIPA-users

On 12/3/18 6:10 PM, Brian Topping via FreeIPA-users wrote:

> Hi all, I have a question about TOTP authenticators (Google Authenticator, 
> Authy, FreeOTP):
> 
> Why is it that a given URL/QRCode can load into all three authenticators, but 
> all three give different OTP values at any given time and only FreeOTP actually 
> works?

Hi,

TOTP values are generated using the current time to ensure their 
uniqueness. I didn't have any issue when using Google Authenticator and 
FreeOTP, but you need to make sure that the clocks are in sync when 
using TOTP.




> When I run `ipa otp-sync` with values from Authy, it crashes:
> 
> ```
> [root@ns-0 /]# ipa otptoken-sync 752f744e-1879-4499-a9c5-8932f739d26a
> User ID: player1
> Password:
> First Code:
> Second Code:
> ipa: ERROR: non-public: AttributeError: 'NoneType' object has no attribute 'name'
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 139, in execute
>     result = self.Command[_name](*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
>     return self.__do_call(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run
>     return self.forward(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipaclient/plugins/otptoken.py", line 168, in forward
>     query['token'] = DN((obj.primary_key.name, args[0]),
> AttributeError: 'NoneType' object has no attribute 'name'
> ipa: ERROR: an internal error has occurred
> ```



I could consistently reproduce the AttributeError exception. Could you 
please open a ticket on pagure for this issue 
(https://pagure.io/freeipa/new_issue)?


flo



> Thanks kindly for any leads on this!
> 
> Brian