Re: [Freeipa-users] OTP Algorithm

2016-11-30 Thread Callum Guy 
Hi David,

I can confirm that using FreeOTP resolves the problem for me.

What a frustration, I am surprised that Google wouldn't add support beyond
SHA1 - perhaps a notice on the OTP documentation page would help others in
this situation.

Thank you so much for your assistance and links to explain the situation. I
hope to pay back the favour in due course.

Best Regards,

Callum


On Wed, Nov 30, 2016 at 1:11 PM David Kupka  wrote:

> On 30/11/16 10:13, David Kupka wrote:
> > On 29/11/16 12:57, Callum Guy wrote:
> >> Hi Alexander,
> >>
> >> I can confirm that I am using version 4.2.0.
> >>
> >> The bug link provided mentions that it caused GA to fail to scan the
> >> codes.
> >> In my situation it is FreeIPA (or related service) which appears to
> >> fail to
> >> validate codes generated, meaning that only OTP codes generated using
> >> sha1
> >> are validated and accepted.
> >>
> >> Just for clarity I can confirm that I have only tested OTP codes
> >> generated
> >> and configured via the FreeIPA web interface. I will check the command
> >> line
> >> generation and let you know if this makes a difference.
> >>
> >> Best Regards,
> >>
> >> Callum
> >
> > Hello Callum,
> > I've tried it with FreeIPA 4.3.2 (stock Fedora 24) and FreeOTP. I've
> > generated 3 OTPs (with sha256, sha384 and sha512) for tuser in the WebUI
> > and was then able to login into WebUI without problems.
> >
> >
> > $ ipa otptoken-find --owner tuser --all
> > 
> > 3 OTP tokens matched
> > 
> >   dn:
> >
> ipatokenuniqueid=3c899764-7abf-459d-bf2b-7ba4af978a8b,cn=otp,dc=dom-058-216,dc=example,dc=com
> >
> >   Unique ID: 3c899764-7abf-459d-bf2b-7ba4af978a8b
> >   Type: TOTP
> >   Owner: tuser
> >   Key: U5XDN0BYc9KbvG1iYuVPuVHB448=
> >   Algorithm: sha256
> >   Digits: 6
> >   Clock offset: 0
> >   Clock interval: 30
> >   ipatokentotpwatermark: 49349880
> >   objectclass: top, ipatokentotp, ipatoken
> >
> >   dn:
> >
> ipatokenuniqueid=40ad189b-7b7c-44b9-8450-b3eb78057ef6,cn=otp,dc=dom-058-216,dc=example,dc=com
> >
> >   Unique ID: 40ad189b-7b7c-44b9-8450-b3eb78057ef6
> >   Type: TOTP
> >   Owner: tuser
> >   Key: C79y2W+I0z429eRzsRP7qdpROaI=
> >   Algorithm: sha512
> >   Digits: 6
> >   Clock offset: 0
> >   Clock interval: 30
> >   ipatokentotpwatermark: 49349882
> >   objectclass: top, ipatokentotp, ipatoken
> >
> >   dn:
> >
> ipatokenuniqueid=baf6d329-61ad-46f1-beca-6ddb55ba9bb4,cn=otp,dc=dom-058-216,dc=example,dc=com
> >
> >   Unique ID: baf6d329-61ad-46f1-beca-6ddb55ba9bb4
> >   Type: TOTP
> >   Owner: tuser
> >   Key: 2hxrsJjQ6e+3qzVPZremtsB/NCg=
> >   Algorithm: sha384
> >   Digits: 6
> >   Clock offset: 0
> >   Clock interval: 30
> >   ipatokentotpwatermark: 49349881
> >   objectclass: top, ipatokentotp, ipatoken
>
> I've tried with Google Authenicator too and was unable to login.
>
> Alexander found issue [1] asking for SHA256 support. From comment on the
> issue it appear that SHA1 is the only supported hash.
>
> I compared codes generated by oathtool [2] and find out that Google
> Authenticator just ignores the information about used hash function and
> uses SHA1 without any error or warning.
>
> So I can only recommend switching to FreeOTP or returning to SHA-1 hash
> function.
>
> [1] https://github.com/google/google-authenticator-libpam/issues/11
> [2] http://www.nongnu.org/oath-toolkit/oathtool.1.html
>
> >
> >
> >>
> >>
> >> On Tue, Nov 29, 2016 at 11:51 AM Alexander Bokovoy  >
> >> wrote:
> >>
> >>> On ti, 29 marras 2016, Callum Guy wrote:
>  Hi Petr,
> 
>  Thanks for coming back to me on this.
> 
>  I have only tried using Google Authenticator. The generated QR code
>  successfully scans and codes are then generated on the GA device as
> >>> normal.
>  The problem is that the codes simply do not work.
> 
>  My current thinking is that the service which interprets the codes
>  server-side is not configured to use the same algorithm meaning that
>  it is
>  trying to validate sha256/sha512 (both tested and not functional for
>  me)
>  etc codes against codes perhaps generated with sha1 (the only
> algorithm
>  that appears to work).
> 
>  I apologise in advance for my naive interpretation of the situation,
>  this
>  really isn't an area where i have experience. I'd love to understand
>  whats
>  going on however I can't find what i need in the OTP documentation.
> >>> Which IPA version we are talking about? There was a case when the URI
> >>> generated by 'ipa otptoken-add' was using a wrong case in the algorithm
> >>> value and this was breaking Google Authenticator.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/5047
> >>>
> >>> This bug was fixed since 4.1.5 release.
> >>>
> 
>  Best Regards,
> 
>  Callum
> 
> 
>  On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik 
> >>> wrote:
> 
> > On

Re: [Freeipa-users] OTP Algorithm

2016-11-30 Thread David Kupka 

On 30/11/16 10:13, David Kupka wrote:

On 29/11/16 12:57, Callum Guy wrote:

Hi Alexander,

I can confirm that I am using version 4.2.0.

The bug link provided mentions that it caused GA to fail to scan the
codes.
In my situation it is FreeIPA (or related service) which appears to
fail to
validate codes generated, meaning that only OTP codes generated using
sha1
are validated and accepted.

Just for clarity I can confirm that I have only tested OTP codes
generated
and configured via the FreeIPA web interface. I will check the command
line
generation and let you know if this makes a difference.

Best Regards,

Callum


Hello Callum,
I've tried it with FreeIPA 4.3.2 (stock Fedora 24) and FreeOTP. I've
generated 3 OTPs (with sha256, sha384 and sha512) for tuser in the WebUI
and was then able to login into WebUI without problems.


$ ipa otptoken-find --owner tuser --all

3 OTP tokens matched

  dn:
ipatokenuniqueid=3c899764-7abf-459d-bf2b-7ba4af978a8b,cn=otp,dc=dom-058-216,dc=example,dc=com

  Unique ID: 3c899764-7abf-459d-bf2b-7ba4af978a8b
  Type: TOTP
  Owner: tuser
  Key: U5XDN0BYc9KbvG1iYuVPuVHB448=
  Algorithm: sha256
  Digits: 6
  Clock offset: 0
  Clock interval: 30
  ipatokentotpwatermark: 49349880
  objectclass: top, ipatokentotp, ipatoken

  dn:
ipatokenuniqueid=40ad189b-7b7c-44b9-8450-b3eb78057ef6,cn=otp,dc=dom-058-216,dc=example,dc=com

  Unique ID: 40ad189b-7b7c-44b9-8450-b3eb78057ef6
  Type: TOTP
  Owner: tuser
  Key: C79y2W+I0z429eRzsRP7qdpROaI=
  Algorithm: sha512
  Digits: 6
  Clock offset: 0
  Clock interval: 30
  ipatokentotpwatermark: 49349882
  objectclass: top, ipatokentotp, ipatoken

  dn:
ipatokenuniqueid=baf6d329-61ad-46f1-beca-6ddb55ba9bb4,cn=otp,dc=dom-058-216,dc=example,dc=com

  Unique ID: baf6d329-61ad-46f1-beca-6ddb55ba9bb4
  Type: TOTP
  Owner: tuser
  Key: 2hxrsJjQ6e+3qzVPZremtsB/NCg=
  Algorithm: sha384
  Digits: 6
  Clock offset: 0
  Clock interval: 30
  ipatokentotpwatermark: 49349881
  objectclass: top, ipatokentotp, ipatoken


I've tried with Google Authenicator too and was unable to login.

Alexander found issue [1] asking for SHA256 support. From comment on the 
issue it appear that SHA1 is the only supported hash.


I compared codes generated by oathtool [2] and find out that Google 
Authenticator just ignores the information about used hash function and 
uses SHA1 without any error or warning.


So I can only recommend switching to FreeOTP or returning to SHA-1 hash 
function.


[1] https://github.com/google/google-authenticator-libpam/issues/11
[2] http://www.nongnu.org/oath-toolkit/oathtool.1.html







On Tue, Nov 29, 2016 at 11:51 AM Alexander Bokovoy 
wrote:


On ti, 29 marras 2016, Callum Guy wrote:

Hi Petr,

Thanks for coming back to me on this.

I have only tried using Google Authenticator. The generated QR code
successfully scans and codes are then generated on the GA device as

normal.

The problem is that the codes simply do not work.

My current thinking is that the service which interprets the codes
server-side is not configured to use the same algorithm meaning that
it is
trying to validate sha256/sha512 (both tested and not functional for
me)
etc codes against codes perhaps generated with sha1 (the only algorithm
that appears to work).

I apologise in advance for my naive interpretation of the situation,
this
really isn't an area where i have experience. I'd love to understand
whats
going on however I can't find what i need in the OTP documentation.

Which IPA version we are talking about? There was a case when the URI
generated by 'ipa otptoken-add' was using a wrong case in the algorithm
value and this was breaking Google Authenticator.

https://fedorahosted.org/freeipa/ticket/5047

This bug was fixed since 4.1.5 release.



Best Regards,

Callum


On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik 

wrote:



On 11/28/2016 01:03 PM, Callum Guy wrote:

Hi All,

I wanted to ask a quick question - perhaps a more experienced user

will

be able

to help or point me to the correct documentation.

Basically we have implemented password+OTP type authentication which

works great.


When adding a OTP code using the admin login you can choose an

algorithm. For us

the generated codes only work properly if the weakest sha1 algorithm

is

chosen/

To be clear the code generation works fine but the codes are not
valid

when

logging in. Is there a related setting we must change?

Thanks,

Callum



What type of otp token do you use? Does it work with some different?
E.g. FreeOTP vs Google Authenticator ...


--
Petr Vobornik



--



*0333 332   |  www.x-on.co.uk   |   **


 *
X-on is a trading name of Storacall Technology Ltd a limited company
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel

Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Callum Guy 
Hi Alexander,

I can confirm that I am using version 4.2.0.

The bug link provided mentions that it caused GA to fail to scan the codes.
In my situation it is FreeIPA (or related service) which appears to fail to
validate codes generated, meaning that only OTP codes generated using sha1
are validated and accepted.

Just for clarity I can confirm that I have only tested OTP codes generated
and configured via the FreeIPA web interface. I will check the command line
generation and let you know if this makes a difference.

Best Regards,

Callum


On Tue, Nov 29, 2016 at 11:51 AM Alexander Bokovoy 
wrote:

> On ti, 29 marras 2016, Callum Guy wrote:
> >Hi Petr,
> >
> >Thanks for coming back to me on this.
> >
> >I have only tried using Google Authenticator. The generated QR code
> >successfully scans and codes are then generated on the GA device as
> normal.
> >The problem is that the codes simply do not work.
> >
> >My current thinking is that the service which interprets the codes
> >server-side is not configured to use the same algorithm meaning that it is
> >trying to validate sha256/sha512 (both tested and not functional for me)
> >etc codes against codes perhaps generated with sha1 (the only algorithm
> >that appears to work).
> >
> >I apologise in advance for my naive interpretation of the situation, this
> >really isn't an area where i have experience. I'd love to understand whats
> >going on however I can't find what i need in the OTP documentation.
> Which IPA version we are talking about? There was a case when the URI
> generated by 'ipa otptoken-add' was using a wrong case in the algorithm
> value and this was breaking Google Authenticator.
>
> https://fedorahosted.org/freeipa/ticket/5047
>
> This bug was fixed since 4.1.5 release.
>
> >
> >Best Regards,
> >
> >Callum
> >
> >
> >On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik 
> wrote:
> >
> >> On 11/28/2016 01:03 PM, Callum Guy wrote:
> >> > Hi All,
> >> >
> >> > I wanted to ask a quick question - perhaps a more experienced user
> will
> >> be able
> >> > to help or point me to the correct documentation.
> >> >
> >> > Basically we have implemented password+OTP type authentication which
> >> works great.
> >> >
> >> > When adding a OTP code using the admin login you can choose an
> >> algorithm. For us
> >> > the generated codes only work properly if the weakest sha1 algorithm
> is
> >> chosen/
> >> > To be clear the code generation works fine but the codes are not valid
> >> when
> >> > logging in. Is there a related setting we must change?
> >> >
> >> > Thanks,
> >> >
> >> > Callum
> >> >
> >>
> >> What type of otp token do you use? Does it work with some different?
> >> E.g. FreeOTP vs Google Authenticator ...
> >>
> >>
> >> --
> >> Petr Vobornik
> >>
> >
> >--
> >
> >
> >
> >*0333 332   |  www.x-on.co.uk   |   **
> >
> >
> > *
> >X-on is a trading name of Storacall Technology Ltd a limited company
> >registered in England and Wales.
> >Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> >Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> >The information in this e-mail is confidential and for use by the
> >addressee(s) only. If you are not the intended recipient, please notify
> >X-on immediately on +44(0)333 332  <+44%20333%20332%20> and
> delete the
> >message from your computer. If you are not a named addressee you must not
> >use, disclose, disseminate, distribute, copy, print or reply to this
> email. Views
> >or opinions expressed by an individual
> >within this email may not necessarily reflect the views of X-on or its
> >associated companies. Although X-on routinely screens for viruses,
> >addressees should scan this email and any attachments
> >for viruses. X-on makes no representation or warranty as to the absence of
> >viruses in this email or any attachments.
> >
>
> >--
> >Manage your subscription for the Freeipa-users mailing list:
> >https://www.redhat.com/mailman/listinfo/freeipa-users
> >Go to http://freeipa.org for more info on the project
>
>
> --
> / Alexander Bokovoy
>

-- 



*0333 332   |  www.x-on.co.uk   |   ** 
   
   
 * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332  and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this

Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Alexander Bokovoy 

On ti, 29 marras 2016, Callum Guy wrote:

Hi Petr,

Thanks for coming back to me on this.

I have only tried using Google Authenticator. The generated QR code
successfully scans and codes are then generated on the GA device as normal.
The problem is that the codes simply do not work.

My current thinking is that the service which interprets the codes
server-side is not configured to use the same algorithm meaning that it is
trying to validate sha256/sha512 (both tested and not functional for me)
etc codes against codes perhaps generated with sha1 (the only algorithm
that appears to work).

I apologise in advance for my naive interpretation of the situation, this
really isn't an area where i have experience. I'd love to understand whats
going on however I can't find what i need in the OTP documentation.

Which IPA version we are talking about? There was a case when the URI
generated by 'ipa otptoken-add' was using a wrong case in the algorithm
value and this was breaking Google Authenticator.

https://fedorahosted.org/freeipa/ticket/5047

This bug was fixed since 4.1.5 release.



Best Regards,

Callum


On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik  wrote:


On 11/28/2016 01:03 PM, Callum Guy wrote:
> Hi All,
>
> I wanted to ask a quick question - perhaps a more experienced user will
be able
> to help or point me to the correct documentation.
>
> Basically we have implemented password+OTP type authentication which
works great.
>
> When adding a OTP code using the admin login you can choose an
algorithm. For us
> the generated codes only work properly if the weakest sha1 algorithm is
chosen/
> To be clear the code generation works fine but the codes are not valid
when
> logging in. Is there a related setting we must change?
>
> Thanks,
>
> Callum
>

What type of otp token do you use? Does it work with some different?
E.g. FreeOTP vs Google Authenticator ...


--
Petr Vobornik



--



*0333 332   |  www.x-on.co.uk   |   **


 *
X-on is a trading name of Storacall Technology Ltd a limited company
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the
addressee(s) only. If you are not the intended recipient, please notify
X-on immediately on +44(0)333 332  and delete the
message from your computer. If you are not a named addressee you must not
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its
associated companies. Although X-on routinely screens for viruses,
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of
viruses in this email or any attachments.




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Callum Guy 
Hi Petr,

Thanks for coming back to me on this.

I have only tried using Google Authenticator. The generated QR code
successfully scans and codes are then generated on the GA device as normal.
The problem is that the codes simply do not work.

My current thinking is that the service which interprets the codes
server-side is not configured to use the same algorithm meaning that it is
trying to validate sha256/sha512 (both tested and not functional for me)
etc codes against codes perhaps generated with sha1 (the only algorithm
that appears to work).

I apologise in advance for my naive interpretation of the situation, this
really isn't an area where i have experience. I'd love to understand whats
going on however I can't find what i need in the OTP documentation.

Best Regards,

Callum


On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik  wrote:

> On 11/28/2016 01:03 PM, Callum Guy wrote:
> > Hi All,
> >
> > I wanted to ask a quick question - perhaps a more experienced user will
> be able
> > to help or point me to the correct documentation.
> >
> > Basically we have implemented password+OTP type authentication which
> works great.
> >
> > When adding a OTP code using the admin login you can choose an
> algorithm. For us
> > the generated codes only work properly if the weakest sha1 algorithm is
> chosen/
> > To be clear the code generation works fine but the codes are not valid
> when
> > logging in. Is there a related setting we must change?
> >
> > Thanks,
> >
> > Callum
> >
>
> What type of otp token do you use? Does it work with some different?
> E.g. FreeOTP vs Google Authenticator ...
>
>
> --
> Petr Vobornik
>

-- 



*0333 332   |  www.x-on.co.uk   |   ** 
   
   
 * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332  and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Petr Vobornik 
On 11/28/2016 01:03 PM, Callum Guy wrote:
> Hi All,
> 
> I wanted to ask a quick question - perhaps a more experienced user will be 
> able 
> to help or point me to the correct documentation.
> 
> Basically we have implemented password+OTP type authentication which works 
> great.
> 
> When adding a OTP code using the admin login you can choose an algorithm. For 
> us 
> the generated codes only work properly if the weakest sha1 algorithm is 
> chosen/ 
> To be clear the code generation works fine but the codes are not valid when 
> logging in. Is there a related setting we must change?
> 
> Thanks,
> 
> Callum
> 

What type of otp token do you use? Does it work with some different?
E.g. FreeOTP vs Google Authenticator ...


-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] OTP Algorithm

2016-11-28 Thread Callum Guy 
Hi All,

I wanted to ask a quick question - perhaps a more experienced user will be
able to help or point me to the correct documentation.

Basically we have implemented password+OTP type authentication which works
great.

When adding a OTP code using the admin login you can choose an algorithm.
For us the generated codes only work properly if the weakest sha1 algorithm
is chosen/ To be clear the code generation works fine but the codes are not
valid when logging in. Is there a related setting we must change?

Thanks,

Callum

-- 



*0333 332   |  www.x-on.co.uk   |   ** 
   
   
 * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332  and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project