#4456 Regular users should not be able to add OTP tokens with custom name
Opened 6 years ago by mkosek. Modified 4 years ago

As reported in Luc's blog, users are able to add custom names to their tokens.

This is questionable given that tokens are in one tree and different users could easily add different tokens with the same name. This creates clashes and confusing error messages.

I think that for user tokens, ipauniqueid should be always generated by IPA and users should rather use just description to add friendly name.


There is no easy or straightforward fix available, given that the ID needs to be unique for all users. A couple of ideas were discussed at the last devel meeting:

  • Do not allow users specify the ID in Web UI, only allow to admins (fixes the problem, though not so convenient for users)
  • Force uid prefix to the ID, like "mkosek-main-token", "mkosek-yubi", ...

We should discuss the options in 4.1 time frame before jumping to implementation.

We can use the post read control to get back the uuid and let ipa autogenerate it.
This way access control is simply a matter of allowing users to only use the special "autogenerate" value.

I just tested this command with freeipa 4.0.3 and 389-ds 1.3.3:

ldapadd -Y GSSAPI -e postread=ipauniqueid -f t.ldif

where t.ldif is:

dn: ipaUniqueID=autogenerate,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=lan
objectClass: top
objectClass: ipaobject
ipaUniqueID: autogenerate

And 389-ds happily generated it and returned the new DN and ipaUniqueID in the reply control:

$ ldapadd -Y GSSAPI -e postread=ipauniqueid -f t.ldif
SASL/GSSAPI authentication started
SASL username: admin@IPA.DEV.LAN
SASL SSF: 56
SASL data security layer installed.
adding new entry "ipaUniqueID=autogenerate,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=lan"
control: 1.3.6.1.1.13.2 false MIGWBFtpcGFVbmlxdWVJRD1lYjhiZjRlOC00NzJkLTExZTQt
 YTg3OS01MjU0MDBjZDc2NDUsY249Z3JvdXBzLGNuPWFjY291bnRzLGRjPWlwYSxkYz1kZXYsZGM9b
 GFuMDcwNQQLaXBhdW5pcXVlaWQxJgQkZWI4YmY0ZTgtNDcyZC0xMWU0LWE4NzktNTI1NDAwY2Q3Nj
 Q1
# ==> postread
dn: ipaUniqueID=eb8bf4e8-472d-11e4-a879-525400cd7645,cn=groups,cn=accounts,dc=
 ipa,dc=dev,dc=lan
ipauniqueid: eb8bf4e8-472d-11e4-a879-525400cd7645
# <== postread
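To show what the reply control above actually carries, here is an added example (not code from this ticket or from FreeIPA) that decodes the base64 value of the 1.3.6.1.1.13.2 control printed by ldapadd. The post-read response value (RFC 4527) is a BER-encoded SearchResultEntry: the new DN followed by the attributes requested with -e postread=..., so the client gets the server-assigned ipaUniqueID back in-band without a second search. The base64 below is copied from the output above with the LDIF continuation lines joined; the function names are this example's own. It also performs the check a client of the "autogenerate" scheme should make: that the ipaUniqueID returned in the control matches the RDN of the new DN and is no longer the placeholder value.

```python
import base64

# Value of the post-read response control (OID 1.3.6.1.1.13.2) as printed by
# ldapadd in the comment above, with the LDIF continuation lines joined.
POSTREAD_CONTROL_B64 = (
    "MIGWBFtpcGFVbmlxdWVJRD1lYjhiZjRlOC00NzJkLTExZTQt"
    "YTg3OS01MjU0MDBjZDc2NDUsY249Z3JvdXBzLGNuPWFjY291bnRzLGRjPWlwYSxkYz1kZXYsZGM9b"
    "GFuMDcwNQQLaXBhdW5pcXVlaWQxJgQkZWI4YmY0ZTgtNDcyZC0xMWU0LWE4NzktNTI1NDAwY2Q3Nj"
    "Q1"
)

# Placeholder value the client sends so that the server assigns the real ID.
AUTOGENERATE = "autogenerate"


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Only definite-length encodings are handled, which is all LDAP uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def decode_postread(control_b64):
    """Decode a post-read control value into (dn, {attribute: [values]}).

    Structure (RFC 4527 / RFC 4511 SearchResultEntry):
      SEQUENCE { objectName OCTET STRING,
                 attributes SEQUENCE OF SEQUENCE { type OCTET STRING,
                                                   vals SET OF OCTET STRING } }
    """
    raw = base64.b64decode(control_b64)
    tag, entry, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("control value is not a single SEQUENCE")
    tag, dn_bytes, pos = _read_tlv(entry, 0)
    if tag != 0x04:
        raise ValueError("objectName is not an OCTET STRING")
    dn = dn_bytes.decode("utf-8")
    tag, attr_list, _ = _read_tlv(entry, pos)
    if tag != 0x30:
        raise ValueError("attributes is not a SEQUENCE")
    attrs = {}
    pos = 0
    while pos < len(attr_list):
        tag, attr, pos = _read_tlv(attr_list, pos)
        if tag != 0x30:
            raise ValueError("PartialAttribute is not a SEQUENCE")
        tag, atype, vpos = _read_tlv(attr, 0)
        if tag != 0x04:
            raise ValueError("attribute type is not an OCTET STRING")
        tag, vals, _ = _read_tlv(attr, vpos)
        if tag != 0x31:
            raise ValueError("attribute values are not a SET")
        values = []
        vpos = 0
        while vpos < len(vals):
            tag, val, vpos = _read_tlv(vals, vpos)
            values.append(val.decode("utf-8"))
        # Attribute types are case-insensitive in LDAP; normalise for lookup.
        attrs[atype.decode("utf-8").lower()] = values
    return dn, attrs


def generated_unique_id(control_b64):
    """Return the server-assigned ipaUniqueID from the post-read control,
    after checking it is consistent with the new DN and is not the placeholder."""
    dn, attrs = decode_postread(control_b64)
    rdn_type, rdn_value = dn.split(",", 1)[0].split("=", 1)
    if rdn_type.lower() != "ipauniqueid":
        raise ValueError("new entry is not named by ipaUniqueID: %s" % dn)
    values = attrs.get("ipauniqueid", [])
    if values != [rdn_value]:
        raise ValueError("ipaUniqueID %r does not match RDN %r" % (values, rdn_value))
    if rdn_value.lower() == AUTOGENERATE:
        raise ValueError("server kept the placeholder instead of generating an ID")
    return rdn_value


if __name__ == "__main__":
    dn, attrs = decode_postread(POSTREAD_CONTROL_B64)
    print("dn:", dn)
    print("attrs:", attrs)
    print("generated ipaUniqueID:", generated_unique_id(POSTREAD_CONTROL_B64))
```

The decoder stops at what this control needs (definite lengths, no multi-byte tags), which is enough for any post-read value 389-ds returns; the RDN-versus-attribute check is what turns the control from "some entry was added" into "the entry was added under the ID the server chose", which is the property the access-control scheme in the comment above relies on.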

There are now patches posted which solve the majority of this issue:
https://www.redhat.com/archives/freeipa-devel/2014-October/msg00235.html

If these patches are merged, all that remains is:

These were too big changes for 4.1, see the [HELP] Regular users should not be able to add OTP tokens with custom name thread.

So in 4.1, the token name was just hidden from Web UI to make adding it more difficult:

master: c5f7ca5
ipa-4-1: 0f69e75

In next release, this should be fixed properly.

Processing leftovers from the 4.2 backlog - this ticket was found suitable for consideration in the next big feature release, 4.4.

Metadata Update from @mkosek:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.5 backlog

4 years ago
