Re: [Freeipa-users] otp question to limit brute force vector for web applications
On 05/13/2016 05:24 PM, Thomas Heil wrote:
> Hi,
>
> On 13.05.2016 16:12, Petr Spacek wrote:
>> On 13.5.2016 15:25, Thomas Heil wrote:
>>> Hi,
>>>
>>> I would like to reduce the vector of brute force attacks in my web
>>> application written in PHP. Users can log in via password and OTP, which
>>> are hosted on FreeIPA.
>>>
>>> To achieve this I would like to check the OTP first, so no password auth
>>> is done on the FreeIPA server and no user can be locked out.
>>>
>>> If the OTP is correct, the user is now allowed to log in via password+OTP.
>>>
>>> Unfortunately, there is no API method that can check only the OTP for a
>>> user with an identity.
>>>
>>> Would it be possible to expose such a new method?
>>
>> This would open a new attack vector, so it is a bad idea.
>>
>> The attacker must not be able to distinguish the case where the password OR the OTP is
>> correct/wrong. If you allow this, the attacker will be able to crack the OTP
>> first and then continue with the password, so you are making it easier.
>
> Okay, you are right with that. Sorry.
>
> My intention is to avoid being vulnerable to brute force attacks. I
> have a trust with an Active Directory and want to avoid that the user on
> the AD side is locked if the OTP is wrong.
>
> Is this possible?

Not at the moment. We have an RFE filed, but we cannot augment AD user
authentication with OTP yet:
https://fedorahosted.org/freeipa/ticket/4876

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] otp question to limit brute force vector for web applications
Hi,

On 13.05.2016 16:12, Petr Spacek wrote:
> On 13.5.2016 15:25, Thomas Heil wrote:
>> Hi,
>>
>> I would like to reduce the vector of brute force attacks in my web
>> application written in PHP. Users can log in via password and OTP, which
>> are hosted on FreeIPA.
>>
>> To achieve this I would like to check the OTP first, so no password auth
>> is done on the FreeIPA server and no user can be locked out.
>>
>> If the OTP is correct, the user is now allowed to log in via password+OTP.
>>
>> Unfortunately, there is no API method that can check only the OTP for a
>> user with an identity.
>>
>> Would it be possible to expose such a new method?
>
> This would open a new attack vector, so it is a bad idea.
>
> The attacker must not be able to distinguish the case where the password OR the OTP is
> correct/wrong. If you allow this, the attacker will be able to crack the OTP first
> and then continue with the password, so you are making it easier.

Okay, you are right with that. Sorry.

My intention is to avoid being vulnerable to brute force attacks. I
have a trust with an Active Directory and want to avoid that the user on
the AD side is locked if the OTP is wrong.

Is this possible?

>
> Do not do that :-)
>

Indeed, I will not do that.

cheers
thomas
Re: [Freeipa-users] otp question to limit brute force vector for web applications
On 13.5.2016 15:25, Thomas Heil wrote:
> Hi,
>
> I would like to reduce the vector of brute force attacks in my web
> application written in PHP. Users can log in via password and OTP, which
> are hosted on FreeIPA.
>
> To achieve this I would like to check the OTP first, so no password auth
> is done on the FreeIPA server and no user can be locked out.
>
> If the OTP is correct, the user is now allowed to log in via password+OTP.
>
> Unfortunately, there is no API method that can check only the OTP for a
> user with an identity.
>
> Would it be possible to expose such a new method?

This would open a new attack vector, so it is a bad idea.

The attacker must not be able to distinguish the case where the password OR the OTP is
correct/wrong. If you allow this, the attacker will be able to crack the OTP first
and then continue with the password, so you are making it easier.

Do not do that :-)

--
Petr^2 Spacek
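The following is an added illustration of the point Petr makes above; it is not code from this thread, from the poster's PHP application, or from FreeIPA. `Account`, `verify_combined`, `verify_otp_only` and the two `attack_*` functions are constructed for the example. The OTP is shortened to 2 digits and the password list to 10 candidates so the exhaustive searches finish instantly; what matters is the ratio between the two attack costs, not the absolute numbers. The HOTP counter stays at 0 because the account is never successfully logged into during the attack, so every guess is checked against the same code.

```python
"""Why an 'OTP-only' check endpoint weakens password+OTP login.

Added example for the discussion above, not FreeIPA code. All names are
constructed. OTP shortened to 2 digits and PBKDF2 rounds lowered so the
brute-force simulations run in well under a second.
"""
import hashlib
import hmac
import itertools
import struct

OTP_DIGITS = 2          # real deployments use 6; shortened for the demo
PBKDF2_ROUNDS = 1000    # deliberately low; production uses far more


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Constructed account record: salted password hash plus HOTP secret."""

    def __init__(self, password: str, otp_secret: bytes, salt: bytes = b"demo-salt"):
        self.salt = salt
        self.pw_hash = pw_hash(password, salt)
        self.otp_secret = otp_secret
        self.otp_counter = 0  # advances only on a successful login


def verify_combined(acct: Account, password: str, otp: str) -> bool:
    """Safe shape: both factors evaluated, one yes/no answer, no hint about
    which factor failed. Both comparisons run unconditionally so the timing
    does not reveal the answer either."""
    ok_pw = hmac.compare_digest(pw_hash(password, acct.salt), acct.pw_hash)
    ok_otp = hmac.compare_digest(hotp(acct.otp_secret, acct.otp_counter), otp)
    return ok_pw and ok_otp


def verify_otp_only(acct: Account, otp: str) -> bool:
    """The endpoint the original post asked for. It is the oracle that lets
    an attacker split the search; it exists here only to be attacked."""
    return hmac.compare_digest(hotp(acct.otp_secret, acct.otp_counter), otp)


def otp_space(digits: int = OTP_DIGITS):
    return (str(i).zfill(digits) for i in range(10 ** digits))


def attack_with_otp_oracle(acct: Account, pw_candidates):
    """Crack the OTP alone, then the password using the known-good OTP.
    Cost is additive: at most |OTP space| + |password list| attempts."""
    attempts = 0
    for otp in otp_space():
        attempts += 1
        if verify_otp_only(acct, otp):
            break
    else:
        return None, attempts
    for pw in pw_candidates:
        attempts += 1
        if verify_combined(acct, pw, otp):
            return (pw, otp), attempts
    return None, attempts


def attack_combined_only(acct: Account, pw_candidates):
    """Only the combined check exists, so every guess must pair a password
    with an OTP. Cost is multiplicative: up to |OTP space| x |password list|."""
    attempts = 0
    for pw, otp in itertools.product(pw_candidates, otp_space()):
        attempts += 1
        if verify_combined(acct, pw, otp):
            return (pw, otp), attempts
    return None, attempts


# Constructed sample data. Secret is the RFC 4226 test vector secret; the
# true password is last in the list so both attacks hit their worst case.
PW_CANDIDATES = ["123456", "password", "qwerty", "letmein", "admin",
                 "welcome", "monkey", "dragon", "football", "Tr0ub4dor&3"]
DEMO_ACCOUNT = Account("Tr0ub4dor&3", b"12345678901234567890")


if __name__ == "__main__":
    found, n_split = attack_with_otp_oracle(DEMO_ACCOUNT, PW_CANDIDATES)
    print(f"with OTP-only endpoint : {found} after {n_split} attempts")
    found, n_comb = attack_combined_only(DEMO_ACCOUNT, PW_CANDIDATES)
    print(f"combined check only    : {found} after {n_comb} attempts")
```

With 100 possible codes and 10 candidate passwords the OTP-only oracle lets the attacker finish in 35 guesses, while the combined check forces 925. With a real 6-digit code and a 10,000-word list the same arithmetic gives roughly 10^6 + 10^4 versus 10^10 guesses, which is the "making it easier" Petr refers to. The example does not model TOTP time windows or account lockout; a lockout policy applied to the combined check is what actually bounds the multiplicative search in practice.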
[Freeipa-users] otp question to limit brute force vector for web applications
Hi,

I would like to reduce the vector of brute force attacks in my web
application written in PHP. Users can log in via password and OTP, which
are hosted on FreeIPA.

To achieve this I would like to check the OTP first, so no password auth
is done on the FreeIPA server and no user can be locked out.

If the OTP is correct, the user is now allowed to log in via password+OTP.

Unfortunately, there is no API method that can check only the OTP for a
user with an identity.

Would it be possible to expose such a new method?

kind regards
--
Thomas