Re: [Freeipa-users] 4.1.4 and OTP

2015-05-18 Thread Nathaniel McCallum
On Mon, 2015-05-18 at 07:59 -0500, Janelle wrote:
> > 
> > On May 18, 2015, at 04:31, Martin Kosek wrote:
> > 
> > > On 05/18/2015 01:49 AM, Janelle wrote:
> > > > On 4/28/15 6:44 AM, Nathaniel McCallum wrote:
> > > > > On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
> > > > > > On 4/17/15 5:59 PM, Dmitri Pal wrote:
> > > > > > > On 04/17/2015 08:07 PM, Janelle wrote:
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > On Apr 17, 2015, at 16:36, Dmitri Pal wrote:
> > > > > > > 
> > >  for shorter thread
> > > > > > > Simple. And my test made it simple.
> > > > > > > Stand up new vm running fc21/freeipa.
> > > > > > > Configure user.
> > > > > > > Add password.
> > > > > > > Add token.
> > > > > > > 
> > > > > > > Login to the vm with the user created using password. 
> > > > > > > Kerberos
> > > > > > > ticket assigned, all is well.
> > > > > > > 
> > > > > > > Login to web interface with admin. Change user to OTP 
> > > > > > > only.
> > > > > > > Go to web UI and click sync OTP.
> > > > > > > Enter username, password and 2 OTP sequences. Click sync. 
> > > > > > > Error
> > > > > > > appears.
> > > > > > > 
> > > > > > > Now, ssh to same vm using OTP username. Enter password + 
> > > > > > > OTP
> > > > > > > value.
> > > > > > > Login successful.
> > > > > > I can reproduce this issue with demo instance.
> > > > > > I will file a bug later today.
> > > > > > I think it is a bug with sync.
> > > > > > Which token do you use time based or event based?
> > > > > TOTP...
> > > > > 
> > > > > Hmm, makes me wonder - with HOTP fail the same? Off to try 
> > > > > it.
> > > > This should just affect TOTP. I have posted a patch that should 
> > > > fix
> > > > this problem. Are you able to test it?
> > > > 
> > > > https://www.redhat.com/archives/freeipa-devel/2015
> > > > -April/msg00282.html
> > > > 
> > > > 
> > > Sorry - I just got around to testing this and it does resolve the 
> > > problem -
> > > HOWEVER, you took away the ability to "Name" the tokens? They are 
> > > now
> > > "assigned" unique IDs??
> > > 
> > > Was this intentional?
> > 
> > It was, we track this (half-done) change in this ticket:
> > https://fedorahosted.org/freeipa/ticket/4456
> > 
> > The main problem here is that user token names share the same name 
> > space and we
> > thus do not want to create completely arbitrary names as they would 
> > collide.
> > 
> > Applications like FreeOTP allow users to set own labels, so this is 
> > IMO the way
> > how to add friendly names to the OTP tokens.
> > 
> > Martin
> > 
> 
> Makes sense, my only concern is syncing tokens. Once you add a 
> second token and want to sync it you have to give it a token ID, 
> otherwise it does not know which to sync. In the past if you named 
> it, that was easy, but it does not seem to take the description field 
> as a token name. Guess I need to tell my users it is cut/paste time, 
> or is there another option perhaps?

You do not need to specify the token id when syncing. It is optional.
If you leave it blank, FreeIPA will do the right thing.

> Also, I was wondering, looking for a way to use both FreeOTP and 
> yubikey and wondering if anyone has tried this and possible caveats?

There shouldn't be any caveats. Yubikey is just an HOTP token.

Nathaniel

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] 4.1.4 and OTP

2015-05-18 Thread Janelle

> On May 18, 2015, at 04:31, Martin Kosek wrote:
> 
>> On 05/18/2015 01:49 AM, Janelle wrote:
>>> On 4/28/15 6:44 AM, Nathaniel McCallum wrote:
>>>> On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
> On 4/17/15 5:59 PM, Dmitri Pal wrote:
>> On 04/17/2015 08:07 PM, Janelle wrote:
>> 
>> 
>> 
>> On Apr 17, 2015, at 16:36, Dmitri Pal wrote:
>> 
>>  for shorter thread
>> Simple. And my test made it simple.
>> Stand up new vm running fc21/freeipa.
>> Configure user.
>> Add password.
>> Add token.
>> 
>> Login to the vm with the user created using password. Kerberos
>> ticket assigned, all is well.
>> 
>> Login to web interface with admin. Change user to OTP only.
>> Go to web UI and click sync OTP.
>> Enter username, password and 2 OTP sequences. Click sync. Error
>> appears.
>> 
>> Now, ssh to same vm using OTP username. Enter password + OTP
>> value.
>> Login successful.
> I can reproduce this issue with demo instance.
> I will file a bug later today.
> I think it is a bug with sync.
> Which token do you use time based or event based?
>>>> TOTP...
>>>> 
>>>> Hmm, makes me wonder - with HOTP fail the same? Off to try it.
>>> This should just affect TOTP. I have posted a patch that should fix
>>> this problem. Are you able to test it?
>>> 
>>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html
>>> 
>>> 
>> Sorry - I just got around to testing this and it does resolve the problem -
>> HOWEVER, you took away the ability to "Name" the tokens? They are now
>> "assigned" unique IDs??
>> 
>> Was this intentional?
> 
> It was, we track this (half-done) change in this ticket:
> https://fedorahosted.org/freeipa/ticket/4456
> 
> The main problem here is that user token names share the same name space and 
> we
> thus do not want to create completely arbitrary names as they would collide.
> 
> Applications like FreeOTP allow users to set own labels, so this is IMO the 
> way
> how to add friendly names to the OTP tokens.
> 
> Martin
> 

Makes sense, my only concern is syncing tokens. Once you add a second token 
and want to sync it you have to give it a token ID, otherwise it does not know 
which to sync. In the past if you named it, that was easy, but it does not seem 
to take the description field as a token name. Guess I need to tell my users it 
is cut/paste time, or is there another option perhaps?

Also, I was wondering, looking for a way to use both FreeOTP and yubikey and 
wondering if anyone has tried this and possible caveats?

Janelle



Re: [Freeipa-users] 4.1.4 and OTP

2015-05-18 Thread Martin Kosek
On 05/18/2015 01:49 AM, Janelle wrote:
> On 4/28/15 6:44 AM, Nathaniel McCallum wrote:
>> On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
>>> On 4/17/15 5:59 PM, Dmitri Pal wrote:
>>>> On 04/17/2015 08:07 PM, Janelle wrote:
>
>
>
> On Apr 17, 2015, at 16:36, Dmitri Pal wrote:
>
>  for shorter thread
> Simple. And my test made it simple.
> Stand up new vm running fc21/freeipa.
> Configure user.
> Add password.
> Add token.
>
> Login to the vm with the user created using password. Kerberos
> ticket assigned, all is well.
>
> Login to web interface with admin. Change user to OTP only.
> Go to web UI and click sync OTP.
> Enter username, password and 2 OTP sequences. Click sync. Error
> appears.
>
> Now, ssh to same vm using OTP username. Enter password + OTP
> value.
> Login successful.
>>>> I can reproduce this issue with demo instance.
>>>> I will file a bug later today.
>>>> I think it is a bug with sync.
>>>> Which token do you use time based or event based?
>>> TOTP...
>>>
>>> Hmm, makes me wonder - with HOTP fail the same? Off to try it.
>> This should just affect TOTP. I have posted a patch that should fix
>> this problem. Are you able to test it?
>>
>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html
>>
>>
> Sorry - I just got around to testing this and it does resolve the problem -
> HOWEVER, you took away the ability to "Name" the tokens? They are now
> "assigned" unique IDs??
> 
> Was this intentional?

It was, we track this (half-done) change in this ticket:
https://fedorahosted.org/freeipa/ticket/4456

The main problem here is that user token names share the same name space and we
thus do not want to create completely arbitrary names as they would collide.

Applications like FreeOTP allow users to set own labels, so this is IMO the way
how to add friendly names to the OTP tokens.

Martin



Re: [Freeipa-users] 4.1.4 and OTP

2015-05-17 Thread Janelle

On 4/28/15 6:44 AM, Nathaniel McCallum wrote:

On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:

On 4/17/15 5:59 PM, Dmitri Pal wrote:

On 04/17/2015 08:07 PM, Janelle wrote:




On Apr 17, 2015, at 16:36, Dmitri Pal wrote:


 for shorter thread

Simple. And my test made it simple.
Stand up new vm running fc21/freeipa.
Configure user.
Add password.
Add token.

Login to the vm with the user created using password. Kerberos
ticket assigned, all is well.

Login to web interface with admin. Change user to OTP only.
Go to web UI and click sync OTP.
Enter username, password and 2 OTP sequences. Click sync. Error
appears.

Now, ssh to same vm using OTP username. Enter password + OTP
value.
Login successful.

I can reproduce this issue with demo instance.
I will file a bug later today.
I think it is a bug with sync.
Which token do you use time based or event based?

TOTP...

Hmm, makes me wonder - with HOTP fail the same? Off to try it.

This should just affect TOTP. I have posted a patch that should fix
this problem. Are you able to test it?

https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html


Sorry - I just got around to testing this and it does resolve the 
problem - HOWEVER, you took away the ability to "Name" the tokens? They 
are now "assigned" unique IDs??


Was this intentional?

~J



Re: [Freeipa-users] 4.1.4 and OTP

2015-04-28 Thread Janelle

On 4/28/15 6:44 AM, Nathaniel McCallum wrote:

On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:

On 4/17/15 5:59 PM, Dmitri Pal wrote:

On 04/17/2015 08:07 PM, Janelle wrote:




On Apr 17, 2015, at 16:36, Dmitri Pal wrote:


On 04/17/2015 04:52 PM, Janelle wrote:

On 4/17/15 1:19 PM, Dmitri Pal wrote:

On 04/17/2015 01:20 PM, Janelle wrote:

On 4/17/15 9:53 AM, Dmitri Pal wrote:

On 04/17/2015 11:16 AM, Janelle wrote:

Hi,

Is anyone else having issues with OTP since
upgrading? For the life of me I can't get it to
accept "Sync" for the tokens. No matter what is put
in, it just keeps saying the username, password or
tokens entered are incorrect.

To make it simple - I am trying this on a brand new
CentOS 7.1 system with a clean/fresh install of
FreeIPA 4.1.4 and yet it just refuses to work.

I create a user -- configure them. They work just
fine with a password. Then add a token. Sync with
FreeOTP and that all works. Then going back to the
web UI and do Sync OTP and it simply refuses to
accept any values. And yet the same user can login
to the regular web UI with their password.

I have tried setting the user to both Password and
OTP for auth methods. And also just OTP and nothing
works.

Please look in the logs to see what is going on.
You would need to look at the KDC, http and DS logs on
the server to sort out what is going on.

Do you change the password for the user first after
creating him?

Can you reproduce the problem with demo instance?
http://www.freeipa.org/page/Demo
If you can then we can take a look at the logs right
away.
Hints? Am I missing a step?

~J


It appears to be the UI. If I go through the steps and
let it "fail", I can still login using OTP to servers. I
made the assumption that the error itself was not an
error.. :-)

~J


I am not sure I get what you are saying. Do you still see
the problem or you misinterpreted the UI and now the
problem is gone? If you did is there any recommendation
how to improve the UI not to confuse people?


The problem exists -- this is what it shows:
HOWEVER, it is still WORKING. Meaning, even if you get this
error, if you attempt to login with your FreeOTP token, it
WORKS.

~J





Does it give you this error when you use password or password
and token?
Can you please describe the flow of steps in more details?
I start browser, go here, click here, enter this, etc.

Are you using SSSD to login to servers? Is SSSD configured
with IPA provider or you configured it for LDAP manually.
There is a difference between LDAP and Kerberos authentication.

May be the following article will help you to understand the
expectations:
https://access.redhat.com/documentation/en
-US/Red_Hat_Enterprise_Linux/7/html/System
-Level_Authentication_Guide/authconfig-addl-auth.html#enable
-otp




Simple. And my test made it simple.
Stand up new vm running fc21/freeipa.
Configure user.
Add password.
Add token.

Login to the vm with the user created using password. Kerberos
ticket assigned, all is well.

Login to web interface with admin. Change user to OTP only.
Go to web UI and click sync OTP.
Enter username, password and 2 OTP sequences. Click sync. Error
appears.

Now, ssh to same vm using OTP username. Enter password + OTP
value.
Login successful.

I can reproduce this issue with demo instance.
I will file a bug later today.
I think it is a bug with sync.
Which token do you use time based or event based?

TOTP...

Hmm, makes me wonder - with HOTP fail the same? Off to try it.

This should just affect TOTP. I have posted a patch that should fix
this problem. Are you able to test it?

https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html



I shall give it a try and let you know.

~J



Re: [Freeipa-users] 4.1.4 and OTP

2015-04-28 Thread Nathaniel McCallum
On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
> On 4/17/15 5:59 PM, Dmitri Pal wrote:
> > On 04/17/2015 08:07 PM, Janelle wrote:
> > > 
> > > 
> > > 
> > > 
> > > On Apr 17, 2015, at 16:36, Dmitri Pal wrote:
> > > 
> > > > On 04/17/2015 04:52 PM, Janelle wrote:
> > > > > > On 4/17/15 1:19 PM, Dmitri Pal wrote:
> > > > > > On 04/17/2015 01:20 PM, Janelle wrote: 
> > > > > > > On 4/17/15 9:53 AM, Dmitri Pal wrote: 
> > > > > > > > On 04/17/2015 11:16 AM, Janelle wrote: 
> > > > > > > > > Hi, 
> > > > > > > > > 
> > > > > > > > > Is anyone else having issues with OTP since 
> > > > > > > > > upgrading? For the life of me I can't get it to 
> > > > > > > > > accept "Sync" for the tokens. No matter what is put 
> > > > > > > > > in, it just keeps saying the username, password or 
> > > > > > > > > > tokens entered are incorrect. 
> > > > > > > > > > 
> > > > > > > > > > To make it simple - I am trying this on a brand new 
> > > > > > > > > CentOS 7.1 system with a clean/fresh install of 
> > > > > > > > > FreeIPA 4.1.4 and yet it just refuses to work. 
> > > > > > > > > 
> > > > > > > > > I create a user -- configure them. They work just 
> > > > > > > > > fine with a password. Then add a token. Sync with 
> > > > > > > > > FreeOTP and that all works. Then going back to the 
> > > > > > > > > web UI and do Sync OTP and it simply refuses to 
> > > > > > > > > accept any values. And yet the same user can login 
> > > > > > > > > to the regular web UI with their password. 
> > > > > > > > > 
> > > > > > > > > I have tried setting the user to both Password and 
> > > > > > > > > OTP for auth methods. And also just OTP and nothing 
> > > > > > > > > works. 
> > > > > > > > Please look in the logs to see what is going on. 
> > > > > > > > You would need to look at the KDC, http and DS logs on 
> > > > > > > > the server to sort out what is going on. 
> > > > > > > > 
> > > > > > > > Do you change the password for the user first after 
> > > > > > > > creating him? 
> > > > > > > > 
> > > > > > > > Can you reproduce the problem with demo instance? 
> > > > > > > > http://www.freeipa.org/page/Demo 
> > > > > > > > If you can then we can take a look at the logs right 
> > > > > > > > away. 
> > > > > > > > Hints? Am I missing a step? 
> > > > > > > > 
> > > > > > > > ~J 
> > > > > > > > 
> > > > > > > It appears to be the UI. If I go through the steps and 
> > > > > > > let it "fail", I can still login using OTP to servers. I 
> > > > > > > made the assumption that the error itself was not an 
> > > > > > > error.. :-) 
> > > > > > > 
> > > > > > > ~J 
> > > > > > > 
> > > > > > I am not sure I get what you are saying. Do you still see 
> > > > > > the problem or you misinterpreted the UI and now the 
> > > > > > problem is gone? If you did is there any recommendation 
> > > > > > how to improve the UI not to confuse people? 
> > > > > > 
> > > > > The problem exists -- this is what it shows:
> > > > > HOWEVER, it is still WORKING. Meaning, even if you get this 
> > > > > error, if you attempt to login with your FreeOTP token, it 
> > > > > WORKS.
> > > > > 
> > > > > ~J
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > Does it give you this error when you use password or password 
> > > > and token?
> > > > Can you please describe the flow of steps in more details?
> > > > I start browser, go here, click here, enter this, etc.
> > > > 
> > > > Are you using SSSD to login to servers? Is SSSD configured 
> > > > with IPA provider or you configured it for LDAP manually. 
> > > > There is a difference between LDAP and Kerberos authentication.
> > > > 
> > > > May be the following article will help you to understand the 
> > > > expectations:
> > > > https://access.redhat.com/documentation/en
> > > > -US/Red_Hat_Enterprise_Linux/7/html/System
> > > > -Level_Authentication_Guide/authconfig-addl-auth.html#enable
> > > > -otp
> > > > 
> > > > 
> > > > 
> > > Simple. And my test made it simple.
> > > Stand up new vm running fc21/freeipa.
> > > Configure user.
> > > Add password.
> > > Add token.
> > > 
> > > Login to the vm with the user created using password. Kerberos 
> > > ticket assigned, all is well.
> > > 
> > > Login to web interface with admin. Change user to OTP only.
> > > Go to web UI and click sync OTP. 
> > > Enter username, password and 2 OTP sequences. Click sync. Error 
> > > appears.
> > > 
> > > Now, ssh to same vm using OTP username. Enter password + OTP 
> > > value.
> > > Login successful.
> > I can reproduce this issue with demo instance.
> > I will file a bug later today.
> > I think it is a bug with sync.
> > Which token do you use time based or event based?
> TOTP... 
> 
> Hmm, makes me wonder - with HOTP fail the same? Off to try it.

This should just affect TOTP. I have posted a patch that should fix
this problem. Are you able to test it?

https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html

> ~J
> 
> PS - is there a way to sync a token from command line? I can't think 
> of a wa

Re: [Freeipa-users] 4.1.4 and OTP

2015-04-17 Thread Dmitri Pal

On 04/17/2015 11:21 PM, Janelle wrote:

On 4/17/15 5:59 PM, Dmitri Pal wrote:

On 04/17/2015 08:07 PM, Janelle wrote:





On Apr 17, 2015, at 16:36, Dmitri Pal wrote:



On 04/17/2015 04:52 PM, Janelle wrote:

On 4/17/15 1:19 PM, Dmitri Pal wrote:

On 04/17/2015 01:20 PM, Janelle wrote:

On 4/17/15 9:53 AM, Dmitri Pal wrote:

On 04/17/2015 11:16 AM, Janelle wrote:

Hi,

Is anyone else having issues with OTP since upgrading? For the 
life of me I can't get it to accept "Sync" for the tokens. No 
matter what is put in, it just keeps saying the username, 
password or tokens entered are incorrect.


To make it simple - I am trying this on a brand new CentOS 7.1 
system with a clean/fresh install of FreeIPA 4.1.4 and yet it 
just refuses to work.


I create a user -- configure them. They work just fine with a 
password. Then add a token. Sync with FreeOTP and that all 
works. Then going back to the web UI and do Sync OTP and it 
simply refuses to accept any values. And yet the same user can 
login to the regular web UI with their password.


I have tried setting the user to both Password and OTP for 
auth methods. And also just OTP and nothing works.


Please look in the logs to see what is going on.
You would need to look at the KDC, http and DS logs on the 
server to sort out what is going on.


Do you change the password for the user first after creating him?

Can you reproduce the problem with demo instance?
http://www.freeipa.org/page/Demo
If you can then we can take a look at the logs right away.
Hints? Am I missing a step?

~J

It appears to be the UI. If I go through the steps and let it 
"fail", I can still login using OTP to servers. I made the 
assumption that the error itself was not an error.. :-)


~J

I am not sure I get what you are saying. Do you still see the 
problem or you misinterpreted the UI and now the problem is gone? 
If you did is there any recommendation how to improve the UI not 
to confuse people?



The problem exists -- this is what it shows:
HOWEVER, it is still WORKING. Meaning, even if you get this error, 
if you attempt to login with your FreeOTP token, it WORKS.


~J






Does it give you this error when you use password or password and 
token?

Can you please describe the flow of steps in more details?
I start browser, go here, click here, enter this, etc.

Are you using SSSD to login to servers? Is SSSD configured with IPA 
provider or you configured it for LDAP manually. There is a 
difference between LDAP and Kerberos authentication.


May be the following article will help you to understand the 
expectations:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp



I suspect it is some combination of flags and protocols that is 
confusing


Simple. And my test made it simple.
Stand up new vm running fc21/freeipa.
Configure user.
Add password.
Add token.

Login to the vm with the user created using password. Kerberos 
ticket assigned, all is well.


Login to web interface with admin. Change user to OTP only.
Go to web UI and click sync OTP.
Enter username, password and 2 OTP sequences. Click sync. Error appears.

Now, ssh to same vm using OTP username. Enter password + OTP value.
Login successful.


I can reproduce this issue with demo instance.
I will file a bug later today.
I think it is a bug with sync.
Which token do you use time based or event based?

TOTP...

Hmm, makes me wonder - with HOTP fail the same? Off to try it.

~J

PS - is there a way to sync a token from command line? I can't think 
of a way, but maybe...


Yes, there is a command line. But you do not really need to sync it. So 
far it works without syncing as you have noticed.
It seems that the bug is with TOTP token. With HOTP token it seems to 
work fine.


I filed a ticket
https://fedorahosted.org/freeipa/ticket/4990

I also filed another ticket
https://fedorahosted.org/freeipa/ticket/4991

And another one
https://fedorahosted.org/freeipa/ticket/4992







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

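Added illustration (editor's example, not FreeIPA code): Nathaniel's point above that the token ID is optional when syncing, and Dmitri's observation that the sync bug hit TOTP but not HOTP, both come down to what "sync" means for the two token types. For an HOTP token (which is what a YubiKey in OATH-HOTP mode is) the server learns the device's counter and may only ever move it forward; for a TOTP token it learns a clock offset between the device and the server. The code below implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library and a two-code resync that, when no token ID is given, tries every token the user owns and accepts only an unambiguous match. The Token record, the window sizes, the field names and the id strings are all assumptions for the example; the password check that precedes a real sync is omitted.

```python
import copy
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the time-step index used as the counter."""
    return hotp(key, unix_time // step, digits)


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison of two code strings."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class Token:
    token_id: str        # assumed opaque unique id (FreeIPA assigns its own)
    kind: str            # "hotp" or "totp"
    key: bytes
    counter: int = 0     # HOTP: next counter value the server will accept
    offset: int = 0      # TOTP: learnt client clock skew, in time steps
    last_step: int = -1  # TOTP: last step accepted, so a code cannot be replayed
    step: int = 30


def try_sync(tok: Token, first: str, second: str, now: int, window: int = 20) -> bool:
    """Resynchronise from two consecutive codes. HOTP searches forward only
    (a counter must never move back, or an already used code becomes valid
    again); TOTP searches a bounded skew window around the server clock."""
    if tok.kind == "hotp":
        for c in range(tok.counter, tok.counter + window):
            if _eq(hotp(tok.key, c), first) and _eq(hotp(tok.key, c + 1), second):
                tok.counter = c + 2
                return True
        return False
    base = now // tok.step
    for d in range(-window, window + 1):
        if _eq(hotp(tok.key, base + d), first) and _eq(hotp(tok.key, base + d + 1), second):
            tok.offset = d
            return True
    return False


def verify(tok: Token, code: str, now: int, skew: int = 1) -> bool:
    """Login-time check: a small look-ahead for HOTP, +/- `skew` steps around
    the synchronised position for TOTP, each step accepted at most once."""
    if tok.kind == "hotp":
        for c in range(tok.counter, tok.counter + skew + 1):
            if _eq(hotp(tok.key, c), code):
                tok.counter = c + 1
                return True
        return False
    base = now // tok.step + tok.offset
    for d in range(-skew, skew + 1):
        if base + d > tok.last_step and _eq(hotp(tok.key, base + d), code):
            tok.last_step = base + d
            return True
    return False


def sync_user(tokens, first, second, now, token_id=None):
    """Sync one of a user's tokens. With token_id=None every token is tried
    and only an unambiguous match is accepted; returns the matched id or None."""
    candidates = [t for t in tokens if token_id is None or t.token_id == token_id]
    # Trial runs on copies, so a failed or ambiguous attempt changes no state.
    matched = [t for t in candidates if try_sync(copy.copy(t), first, second, now)]
    if len(matched) != 1:
        return None
    try_sync(matched[0], first, second, now)
    return matched[0].token_id


if __name__ == "__main__":
    tok = Token("totp-1", "totp", RFC_KEY)
    now = 1111110990                                   # server clock; device is 3 steps ahead
    print(verify(tok, "050471", now))                  # False: skew outside the +/-1 window
    print(sync_user([tok], "081804", "050471", now))   # totp-1
    print(verify(tok, "050471", now))                  # True once the offset is learnt
```

The search for a matching pair is what makes the token ID optional: a six-digit pair has a false-match probability of about one in 10^12 per candidate position, so trying all of a user's tokens is safe as long as an ambiguous result is refused rather than guessed. The two failure modes worth keeping in mind are a HOTP sync that is allowed to move the counter backwards (replay of used codes) and a TOTP window that is unbounded (an attacker with one old code pair could "sync" the offset to any time).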

Re: [Freeipa-users] 4.1.4 and OTP

2015-04-17 Thread Janelle

On 4/17/15 5:59 PM, Dmitri Pal wrote:

On 04/17/2015 08:07 PM, Janelle wrote:





On Apr 17, 2015, at 16:36, Dmitri Pal wrote:



On 04/17/2015 04:52 PM, Janelle wrote:

On 4/17/15 1:19 PM, Dmitri Pal wrote:

On 04/17/2015 01:20 PM, Janelle wrote:

On 4/17/15 9:53 AM, Dmitri Pal wrote:

On 04/17/2015 11:16 AM, Janelle wrote:

Hi,

Is anyone else having issues with OTP since upgrading? For the 
life of me I can't get it to accept "Sync" for the tokens. No 
matter what is put in, it just keeps saying the username, 
password or tokens entered are incorrect.


To make it simple - I am trying this on a brand new CentOS 7.1 
system with a clean/fresh install of FreeIPA 4.1.4 and yet it 
just refuses to work.


I create a user -- configure them. They work just fine with a 
password. Then add a token. Sync with FreeOTP and that all 
works. Then going back to the web UI and do Sync OTP and it 
simply refuses to accept any values. And yet the same user can 
login to the regular web UI with their password.


I have tried setting the user to both Password and OTP for auth 
methods. And also just OTP and nothing works.


Please look in the logs to see what is going on.
You would need to look at the KDC, http and DS logs on the 
server to sort out what is going on.


Do you change the password for the user first after creating him?

Can you reproduce the problem with demo instance?
http://www.freeipa.org/page/Demo
If you can then we can take a look at the logs right away.
Hints? Am I missing a step?

~J

It appears to be the UI. If I go through the steps and let it 
"fail", I can still login using OTP to servers. I made the 
assumption that the error itself was not an error.. :-)


~J

I am not sure I get what you are saying. Do you still see the 
problem or you misinterpreted the UI and now the problem is gone? 
If you did is there any recommendation how to improve the UI not 
to confuse people?



The problem exists -- this is what it shows:
HOWEVER, it is still WORKING. Meaning, even if you get this error, 
if you attempt to login with your FreeOTP token, it WORKS.


~J






Does it give you this error when you use password or password and token?
Can you please describe the flow of steps in more details?
I start browser, go here, click here, enter this, etc.

Are you using SSSD to login to servers? Is SSSD configured with IPA 
provider or you configured it for LDAP manually. There is a 
difference between LDAP and Kerberos authentication.


May be the following article will help you to understand the 
expectations:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp



I suspect it is some combination of flags and protocols that is 
confusing


Simple. And my test made it simple.
Stand up new vm running fc21/freeipa.
Configure user.
Add password.
Add token.

Login to the vm with the user created using password. Kerberos ticket 
assigned, all is well.


Login to web interface with admin. Change user to OTP only.
Go to web UI and click sync OTP.
Enter username, password and 2 OTP sequences. Click sync. Error appears.

Now, ssh to same vm using OTP username. Enter password + OTP value.
Login successful.


I can reproduce this issue with demo instance.
I will file a bug later today.
I think it is a bug with sync.
Which token do you use time based or event based?

TOTP...

Hmm, makes me wonder - with HOTP fail the same? Off to try it.

~J

PS - is there a way to sync a token from command line? I can't think of 
a way, but maybe...

Re: [Freeipa-users] 4.1.4 and OTP

2015-04-17 Thread Dmitri Pal

On 04/17/2015 08:07 PM, Janelle wrote:





On Apr 17, 2015, at 16:36, Dmitri Pal wrote:



On 04/17/2015 04:52 PM, Janelle wrote:

On 4/17/15 1:19 PM, Dmitri Pal wrote:

On 04/17/2015 01:20 PM, Janelle wrote:

On 4/17/15 9:53 AM, Dmitri Pal wrote:

On 04/17/2015 11:16 AM, Janelle wrote:

Hi,

Is anyone else having issues with OTP since upgrading? For the 
life of me I can't get it to accept "Sync" for the tokens. No 
matter what is put in, it just keeps saying the username, 
password or tokens entered are incorrect.


To make it simple - I am trying this on a brand new CentOS 7.1 
system with a clean/fresh install of FreeIPA 4.1.4 and yet it 
just refuses to work.


I create a user -- configure them. They work just fine with a 
password. Then add a token. Sync with FreeOTP and that all 
works. Then going back to the web UI and do Sync OTP and it 
simply refuses to accept any values. And yet the same user can 
login to the regular web UI with their password.


I have tried setting the user to both Password and OTP for auth 
methods. And also just OTP and nothing works.


Please look in the logs to see what is going on.
You would need to look at the KDC, http and DS logs on the server 
to sort out what is going on.


Do you change the password for the user first after creating him?

Can you reproduce the problem with demo instance?
http://www.freeipa.org/page/Demo
If you can then we can take a look at the logs right away.
Hints? Am I missing a step?

~J

It appears to be the UI. If I go through the steps and let it 
"fail", I can still login using OTP to servers. I made the 
assumption that the error itself was not an error.. :-)


~J

I am not sure I get what you are saying. Do you still see the 
problem or you misinterpreted the UI and now the problem is gone? 
If you did is there any recommendation how to improve the UI not to 
confuse people?



The problem exists -- this is what it shows:
HOWEVER, it is still WORKING. Meaning, even if you get this error, 
if you attempt to login with your FreeOTP token, it WORKS.


~J






Does it give you this error when you use password or password and token?
Can you please describe the flow of steps in more details?
I start browser, go here, click here, enter this, etc.

Are you using SSSD to login to servers? Is SSSD configured with IPA 
provider or you configured it for LDAP manually. There is a 
difference between LDAP and Kerberos authentication.


May be the following article will help you to understand the 
expectations:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp



I suspect it is some combination of flags and protocols that is confusing


Simple. And my test made it simple.
Stand up new vm running fc21/freeipa.
Configure user.
Add password.
Add token.

Login to the vm with the user created using password. Kerberos ticket 
assigned, all is well.


Login to web interface with admin. Change user to OTP only.
Go to web UI and click sync OTP.
Enter username, password and 2 OTP sequences. Click sync. Error appears.

Now, ssh to same vm using OTP username. Enter password + OTP value.
Login successful.


I can reproduce this issue with demo instance.
I will file a bug later today.
I think it is a bug with sync.
Which token do you use time based or event based?



Logout.
Repeat, but try JUST the password, and it fails.

???
~J



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] 4.1.4 and OTP

2015-04-17 Thread Janelle




> On Apr 17, 2015, at 16:36, Dmitri Pal wrote:
> 
>> On 04/17/2015 04:52 PM, Janelle wrote:
>>> On 4/17/15 1:19 PM, Dmitri Pal wrote:
>>>> On 04/17/2015 01:20 PM, Janelle wrote: 
> On 4/17/15 9:53 AM, Dmitri Pal wrote: 
>> On 04/17/2015 11:16 AM, Janelle wrote: 
>> Hi, 
>> 
>> Is anyone else having issues with OTP since upgrading? For the life of 
>> me I can't get it to accept "Sync" for the tokens. No matter what is put 
>> in, it just keeps saying the username, password or tokens entered are 
>> incorrect. 
>> 
>> To make it simple - I am trying this on a brand new CentOS 7.1 system 
>> with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses to 
>> work. 
>> 
>> I create a user -- configure them. They work just fine with a password. 
>> Then add a token. Sync with FreeOTP and that all works. Then going back 
>> to the web UI and do Sync OTP and it simply refuses to accept any 
>> values. And yet the same user can login to the regular web UI with their 
>> password. 
>> 
>> I have tried setting the user to both Password and OTP for auth methods. 
>> And also just OTP and nothing works. 
> 
> Please look in the logs to see what is going on. 
> You would need to look at the KDC, http and DS logs on the server to sort 
> out what is going on. 
> 
> Do you change the password for the user first after creating him? 
> 
> Can you reproduce the problem with demo instance? 
> http://www.freeipa.org/page/Demo 
> If you can then we can take a look at the logs right away. 
> Hints? Am I missing  a step? 
> 
> ~J 
> 
 It appears to be the UI. If I go through the steps and let it "fail", I 
 can still login using OTP to servers. I made the assumption that the error 
 itself was not an error.. :-) 
 
 ~J 
 
>>> I am not sure I get what you are saying. Do you still see the problem or 
>>> you misinterpreted the UI and now the problem is gone? If you did is there 
>>> any recommendation how to improve the UI not to confuse people? 
>>> 
>> The problem exists -- this is what it shows:
>> HOWEVER, it is still WORKING. Meaning, even if you get this error, if you 
>> attempt to login with your FreeOTP token, it WORKS.
>> 
>> ~J
>> 
>> 
>> 
>> 
> 
> Does it give you this error when you use password or password and token?
> Can you please describe the flow of steps in more details?
> I start browser, go here, click here, enter this, etc.
> 
> Are you using SSSD to login to servers? Is SSSD configured with IPA provider 
> or you configured it for LDAP manually. There is a difference between LDAP 
> and Kerberos authentication.
> 
> Maybe the following article will help you to understand the expectations:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp
> 
> 
> 
> I suspect it is some combination of flags and protocols that is confusing

Simple. And my test made it simple.
Stand up new vm running fc21/freeipa.
Configure user.
Add password.
Add token.

Login to the vm with the user created using password. Kerberos ticket assigned, 
all is well.

Login to web interface with admin. Change user to OTP only.
Go to web UI and click sync OTP. 
Enter username, password and 2 OTP sequences. Click sync. Error appears.

Now, ssh to same vm using OTP username. Enter password + OTP value.
Login successful.

Logout.
Repeat, but try JUST the password, and it fails.

???
~J

Re: [Freeipa-users] 4.1.4 and OTP

2015-04-17 Thread Dmitri Pal

On 04/17/2015 04:52 PM, Janelle wrote:
> On 4/17/15 1:19 PM, Dmitri Pal wrote:
>> On 04/17/2015 01:20 PM, Janelle wrote:
>>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>>> Hi,
>>>>>
>>>>> Is anyone else having issues with OTP since upgrading? For the
>>>>> life of me I can't get it to accept "Sync" for the tokens. No
>>>>> matter what is put in, it just keeps saying the username, password
>>>>> or tokens entered are incorrect.
>>>>>
>>>>> To make it simple - I am trying this on a brand new CentOS 7.1
>>>>> system with a clean/fresh install of FreeIPA 4.1.4 and yet it just
>>>>> refuses to work.
>>>>>
>>>>> I create a user -- configure them. They work just fine with a
>>>>> password. Then add a token. Sync with FreeOTP and that all works.
>>>>> Then going back to the web UI and do Sync OTP and it simply
>>>>> refuses to accept any values. And yet the same user can login to
>>>>> the regular web UI with their password.
>>>>>
>>>>> I have tried setting the user to both Password and OTP for auth
>>>>> methods. And also just OTP and nothing works.
>>>>
>>>> Please look in the logs to see what is going on.
>>>> You would need to look at the KDC, http and DS logs on the server
>>>> to sort out what is going on.
>>>>
>>>> Do you change the password for the user first after creating him?
>>>>
>>>> Can you reproduce the problem with demo instance?
>>>> http://www.freeipa.org/page/Demo
>>>> If you can then we can take a look at the logs right away.
>>>>
>>>>> Hints? Am I missing a step?
>>>>>
>>>>> ~J
>>>
>>> It appears to be the UI. If I go through the steps and let it
>>> "fail", I can still login using OTP to servers. I made the
>>> assumption that the error itself was not an error.. :-)
>>>
>>> ~J
>>
>> I am not sure I get what you are saying. Do you still see the problem
>> or you misinterpreted the UI and now the problem is gone? If you did
>> is there any recommendation how to improve the UI not to confuse people?
>
> The problem exists -- this is what it shows:
> HOWEVER, it is still WORKING. Meaning, even if you get this error, if
> you attempt to login with your FreeOTP token, it WORKS.
>
> ~J

Does it give you this error when you use password or password and token?
Can you please describe the flow of steps in more details?
I start browser, go here, click here, enter this, etc.

Are you using SSSD to login to servers? Is SSSD configured with IPA
provider or you configured it for LDAP manually. There is a difference
between LDAP and Kerberos authentication.

Maybe the following article will help you to understand the expectations:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp

I suspect it is some combination of flags and protocols that is confusing.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] 4.1.4 and OTP

2015-04-17 Thread Janelle

On 4/17/15 1:19 PM, Dmitri Pal wrote:
> On 04/17/2015 01:20 PM, Janelle wrote:
>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>> Hi,
>>>>
>>>> Is anyone else having issues with OTP since upgrading? For the life
>>>> of me I can't get it to accept "Sync" for the tokens. No matter
>>>> what is put in, it just keeps saying the username, password or
>>>> tokens entered are incorrect.
>>>>
>>>> To make it simple - I am trying this on a brand new CentOS 7.1
>>>> system with a clean/fresh install of FreeIPA 4.1.4 and yet it just
>>>> refuses to work.
>>>>
>>>> I create a user -- configure them. They work just fine with a
>>>> password. Then add a token. Sync with FreeOTP and that all works.
>>>> Then going back to the web UI and do Sync OTP and it simply refuses
>>>> to accept any values. And yet the same user can login to the
>>>> regular web UI with their password.
>>>>
>>>> I have tried setting the user to both Password and OTP for auth
>>>> methods. And also just OTP and nothing works.
>>>
>>> Please look in the logs to see what is going on.
>>> You would need to look at the KDC, http and DS logs on the server to
>>> sort out what is going on.
>>>
>>> Do you change the password for the user first after creating him?
>>>
>>> Can you reproduce the problem with demo instance?
>>> http://www.freeipa.org/page/Demo
>>> If you can then we can take a look at the logs right away.
>>>
>>>> Hints? Am I missing a step?
>>>>
>>>> ~J
>>
>> It appears to be the UI. If I go through the steps and let it "fail",
>> I can still login using OTP to servers. I made the assumption that
>> the error itself was not an error.. :-)
>>
>> ~J
>
> I am not sure I get what you are saying. Do you still see the problem
> or you misinterpreted the UI and now the problem is gone? If you did
> is there any recommendation how to improve the UI not to confuse people?

The problem exists -- this is what it shows:
HOWEVER, it is still WORKING. Meaning, even if you get this error, if
you attempt to login with your FreeOTP token, it WORKS.

~J



Re: [Freeipa-users] 4.1.4 and OTP

2015-04-17 Thread Dmitri Pal

On 04/17/2015 01:20 PM, Janelle wrote:
> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>> On 04/17/2015 11:16 AM, Janelle wrote:
>>> Hi,
>>>
>>> Is anyone else having issues with OTP since upgrading? For the life
>>> of me I can't get it to accept "Sync" for the tokens. No matter what
>>> is put in, it just keeps saying the username, password or tokens
>>> entered are incorrect.
>>>
>>> To make it simple - I am trying this on a brand new CentOS 7.1
>>> system with a clean/fresh install of FreeIPA 4.1.4 and yet it just
>>> refuses to work.
>>>
>>> I create a user -- configure them. They work just fine with a
>>> password. Then add a token. Sync with FreeOTP and that all works.
>>> Then going back to the web UI and do Sync OTP and it simply refuses
>>> to accept any values. And yet the same user can login to the regular
>>> web UI with their password.
>>>
>>> I have tried setting the user to both Password and OTP for auth
>>> methods. And also just OTP and nothing works.
>>
>> Please look in the logs to see what is going on.
>> You would need to look at the KDC, http and DS logs on the server to
>> sort out what is going on.
>>
>> Do you change the password for the user first after creating him?
>>
>> Can you reproduce the problem with demo instance?
>> http://www.freeipa.org/page/Demo
>> If you can then we can take a look at the logs right away.
>>
>>> Hints? Am I missing a step?
>>>
>>> ~J
>
> It appears to be the UI. If I go through the steps and let it "fail",
> I can still login using OTP to servers. I made the assumption that the
> error itself was not an error.. :-)
>
> ~J

I am not sure I get what you are saying. Do you still see the problem or
you misinterpreted the UI and now the problem is gone? If you did is
there any recommendation how to improve the UI not to confuse people?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] 4.1.4 and OTP

2015-04-17 Thread Janelle

On 4/17/15 9:53 AM, Dmitri Pal wrote:
> On 04/17/2015 11:16 AM, Janelle wrote:
>> Hi,
>>
>> Is anyone else having issues with OTP since upgrading? For the life
>> of me I can't get it to accept "Sync" for the tokens. No matter what
>> is put in, it just keeps saying the username, password or tokens
>> entered are incorrect.
>>
>> To make it simple - I am trying this on a brand new CentOS 7.1 system
>> with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses
>> to work.
>>
>> I create a user -- configure them. They work just fine with a
>> password. Then add a token. Sync with FreeOTP and that all works.
>> Then going back to the web UI and do Sync OTP and it simply refuses
>> to accept any values. And yet the same user can login to the regular
>> web UI with their password.
>>
>> I have tried setting the user to both Password and OTP for auth
>> methods. And also just OTP and nothing works.
>
> Please look in the logs to see what is going on.
> You would need to look at the KDC, http and DS logs on the server to
> sort out what is going on.
>
> Do you change the password for the user first after creating him?
>
> Can you reproduce the problem with demo instance?
> http://www.freeipa.org/page/Demo
> If you can then we can take a look at the logs right away.
>
>> Hints? Am I missing a step?
>>
>> ~J

It appears to be the UI. If I go through the steps and let it "fail", I
can still login using OTP to servers. I made the assumption that the
error itself was not an error.. :-)

~J



Re: [Freeipa-users] 4.1.4 and OTP

2015-04-17 Thread Dmitri Pal

On 04/17/2015 11:16 AM, Janelle wrote:
> Hi,
>
> Is anyone else having issues with OTP since upgrading? For the life of
> me I can't get it to accept "Sync" for the tokens. No matter what is
> put in, it just keeps saying the username, password or tokens entered
> are incorrect.
>
> To make it simple - I am trying this on a brand new CentOS 7.1 system
> with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses to
> work.
>
> I create a user -- configure them. They work just fine with a
> password. Then add a token. Sync with FreeOTP and that all works. Then
> going back to the web UI and do Sync OTP and it simply refuses to
> accept any values. And yet the same user can login to the regular web
> UI with their password.
>
> I have tried setting the user to both Password and OTP for auth
> methods. And also just OTP and nothing works.

Please look in the logs to see what is going on.
You would need to look at the KDC, http and DS logs on the server to
sort out what is going on.

Do you change the password for the user first after creating him?

Can you reproduce the problem with demo instance?
http://www.freeipa.org/page/Demo
If you can then we can take a look at the logs right away.

> Hints? Am I missing a step?
>
> ~J




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



[Freeipa-users] 4.1.4 and OTP

2015-04-17 Thread Janelle

Hi,

Is anyone else having issues with OTP since upgrading? For the life of 
me I can't get it to accept "Sync" for the tokens. No matter what is put 
in, it just keeps saying the username, password or tokens entered are 
incorrect.


To make it simple - I am trying this on a brand new CentOS 7.1 system 
with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses to 
work.


I create a user -- configure them. They work just fine with a password. 
Then add a token. Sync with FreeOTP and that all works. Then going back 
to the web UI and do Sync OTP and it simply refuses to accept any 
values. And yet the same user can login to the regular web UI with their 
password.


I have tried setting the user to both Password and OTP for auth methods. 
And also just OTP and nothing works.


Hints? Am I missing a step?

~J
