Re: [Freeipa-devel] [PATCH 0062] Use delete/add for OTP counter/watermark updates
On Thu, 2014-09-18 at 14:20 -0400, Simo Sorce wrote:
> On Thu, 18 Sep 2014 13:59:34 -0400
> Nathaniel McCallum wrote:
>
> > On Thu, 2014-09-18 at 14:00 +0200, Petr Vobornik wrote:
> > > On 15.9.2014 21:08, Nathaniel McCallum wrote:
> > > > On Thu, 2014-08-28 at 22:54 -0400, Nathaniel McCallum wrote:
> > > >> This prevents any local attempt at rapid token code replay. If
> > > >> two token codes hit the system at roughly the same moment, only
> > > >> the first write will succeed. All subsequent authentications
> > > >> will fail.
> > > >>
> > > >> This obviates the need for an OTP authentication lock.
> > > >>
> > > >> https://fedorahosted.org/freeipa/ticket/4493
> > > >
> > > > I still need a review of this. This is targeted for 4.1.
> > > >
> > > > Nathaniel
> > >
> > > Works fine with HOTP but fails for new TOTP tokens.
> > >
> > > A new TOTP token doesn't have a watermark attribute set, so there is
> > > nothing to delete and therefore the standard login procedure fails on
> > > the writeattr call (libotp.c:223).
> >
> > I have fixed this by making ipatokenTOTPwatermark a required attribute
> > (MAY -> MUST). I did this in a separate patch (0066) because I thought
> > it was cleaner.
>
> This can easily break stuff, and is not allowed, sorry; you need to find
> a way that will not cause objects, even temporarily, to be incomplete.
>
> (Think of a replica getting the new schema while an older one pushes
> the object via replication.)

I rescind this patch. It is no longer necessary.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0062] Use delete/add for OTP counter/watermark updates
On Thu, 18 Sep 2014 13:59:34 -0400
Nathaniel McCallum wrote:

> On Thu, 2014-09-18 at 14:00 +0200, Petr Vobornik wrote:
> > On 15.9.2014 21:08, Nathaniel McCallum wrote:
> > > On Thu, 2014-08-28 at 22:54 -0400, Nathaniel McCallum wrote:
> > >> This prevents any local attempt at rapid token code replay. If
> > >> two token codes hit the system at roughly the same moment, only
> > >> the first write will succeed. All subsequent authentications
> > >> will fail.
> > >>
> > >> This obviates the need for an OTP authentication lock.
> > >>
> > >> https://fedorahosted.org/freeipa/ticket/4493
> > >
> > > I still need a review of this. This is targeted for 4.1.
> > >
> > > Nathaniel
> >
> > Works fine with HOTP but fails for new TOTP tokens.
> >
> > A new TOTP token doesn't have a watermark attribute set, so there is
> > nothing to delete and therefore the standard login procedure fails on
> > the writeattr call (libotp.c:223).
>
> I have fixed this by making ipatokenTOTPwatermark a required attribute
> (MAY -> MUST). I did this in a separate patch (0066) because I thought
> it was cleaner.

This can easily break stuff, and is not allowed, sorry; you need to find
a way that will not cause objects, even temporarily, to be incomplete.

(Think of a replica getting the new schema while an older one pushes
the object via replication.)

Simo.

> https://www.redhat.com/archives/freeipa-devel/2014-September/msg00386.html
>
> There is no change to this patch, but it now depends on my patch 0066
> (linked above).
>
> Nathaniel

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 0062] Use delete/add for OTP counter/watermark updates
On Thu, 2014-09-18 at 14:00 +0200, Petr Vobornik wrote:
> On 15.9.2014 21:08, Nathaniel McCallum wrote:
> > On Thu, 2014-08-28 at 22:54 -0400, Nathaniel McCallum wrote:
> >> This prevents any local attempt at rapid token code replay. If two
> >> token codes hit the system at roughly the same moment, only the
> >> first write will succeed. All subsequent authentications will fail.
> >>
> >> This obviates the need for an OTP authentication lock.
> >>
> >> https://fedorahosted.org/freeipa/ticket/4493
> >
> > I still need a review of this. This is targeted for 4.1.
> >
> > Nathaniel
>
> Works fine with HOTP but fails for new TOTP tokens.
>
> A new TOTP token doesn't have a watermark attribute set, so there is
> nothing to delete and therefore the standard login procedure fails on
> the writeattr call (libotp.c:223).

I have fixed this by making ipatokenTOTPwatermark a required attribute
(MAY -> MUST). I did this in a separate patch (0066) because I thought
it was cleaner.

https://www.redhat.com/archives/freeipa-devel/2014-September/msg00386.html

There is no change to this patch, but it now depends on my patch 0066
(linked above).

Nathaniel
Re: [Freeipa-devel] [PATCH 0062] Use delete/add for OTP counter/watermark updates
On 15.9.2014 21:08, Nathaniel McCallum wrote:
> On Thu, 2014-08-28 at 22:54 -0400, Nathaniel McCallum wrote:
> > This prevents any local attempt at rapid token code replay. If two
> > token codes hit the system at roughly the same moment, only the
> > first write will succeed. All subsequent authentications will fail.
> >
> > This obviates the need for an OTP authentication lock.
> >
> > https://fedorahosted.org/freeipa/ticket/4493
>
> I still need a review of this. This is targeted for 4.1.
>
> Nathaniel

Works fine with HOTP but fails for new TOTP tokens.

A new TOTP token doesn't have a watermark attribute set, so there is
nothing to delete and therefore the standard login procedure fails on
the writeattr call (libotp.c:223).

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0062] Use delete/add for OTP counter/watermark updates
On Thu, 2014-08-28 at 22:54 -0400, Nathaniel McCallum wrote:
> This prevents any local attempt at rapid token code replay. If two
> token codes hit the system at roughly the same moment, only the
> first write will succeed. All subsequent authentications will fail.
>
> This obviates the need for an OTP authentication lock.
>
> https://fedorahosted.org/freeipa/ticket/4493

I still need a review of this. This is targeted for 4.1.

Nathaniel
Re: [Freeipa-devel] [PATCH 0062] Use delete/add for OTP counter/watermark updates
On Thu, 2014-08-28 at 22:54 -0400, Nathaniel McCallum wrote:
> This prevents any local attempt at rapid token code replay. If two
> token codes hit the system at roughly the same moment, only the
> first write will succeed. All subsequent authentications will fail.
>
> This obviates the need for an OTP authentication lock.
>
> https://fedorahosted.org/freeipa/ticket/4493

LGTM.

Simo.
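The following is an added illustration, not FreeIPA code, of why a delete/add LDAP modify acts as a compare-and-swap on the watermark (the replay case in the patch description) and why it fails on a freshly enrolled TOTP token with no watermark (Petr's report). The in-memory Entry class, the NoSuchAttribute stand-in and the watermark values are constructed for the example.

```python
import threading


class NoSuchAttribute(Exception):
    """Stand-in for the LDAP noSuchAttribute result (constructed)."""


class Entry:
    """Minimal in-memory stand-in for a directory entry (constructed).

    LDAP applies all changes of one modify request atomically: if any
    change fails, none of them is applied. That is the property the
    delete/add trick depends on.
    """

    def __init__(self, attrs):
        self.attrs = {k: set(v) for k, v in attrs.items()}
        self._lock = threading.Lock()

    def modify(self, changes):
        """Apply (op, attr, values) changes all-or-nothing."""
        with self._lock:
            new = {k: set(v) for k, v in self.attrs.items()}
            for op, attr, values in changes:
                if op == "delete":
                    # Deleting a value that is not present fails the
                    # whole request; this is what defeats the replay.
                    if not set(values) <= new.get(attr, set()):
                        raise NoSuchAttribute(attr)
                    new[attr] -= set(values)
                    if not new[attr]:
                        del new[attr]
                elif op == "add":
                    new.setdefault(attr, set()).update(values)
            self.attrs = new


def advance_watermark(token, seen, step):
    """Move ipatokenTOTPwatermark from `seen` to `step` in one modify.

    Returns True if this caller won the write; False if the old value
    was already gone (a concurrent replay, or a token with no
    watermark at all).
    """
    try:
        token.modify([("delete", "ipatokenTOTPwatermark", [str(seen)]),
                      ("add", "ipatokenTOTPwatermark", [str(step)])])
        return True
    except NoSuchAttribute:
        return False


def replay_demo():
    """Two authentications that both read watermark 100: only one wins."""
    token = Entry({"ipatokenTOTPwatermark": ["100"]})
    first = advance_watermark(token, 100, 101)
    second = advance_watermark(token, 100, 101)
    return first, second, token.attrs["ipatokenTOTPwatermark"]


def new_token_demo():
    """Freshly enrolled TOTP token: nothing to delete, so login fails."""
    return advance_watermark(Entry({}), 0, 101)
```

The second call in replay_demo fails because the value it tries to delete no longer exists, which is the behaviour the patch relies on; new_token_demo reproduces the missing-watermark failure without any schema change.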