#4472 User should not be able to login with password after OTP has been created
Closed: Invalid None Opened 10 years ago by tscherf.

If an OTP token has been created by a user, the user is still able to login using a password. This should be either

  • disabled
  • made a self-service config option for the user if both login types (password and otp) should be possible

What is the value of the user auth config in your setup?

After talking with the user on IRC, this is a configuration error.

Nathaniel, could you please elaborate a little bit? I did not see the IRC discussion and would like to know what went wrong.

The problem was that user-auth-type was set to "password,otp" after a user had been created. I used this setting because I thought it was necessary to allow a password-based login to initially create a token, and to let freeipa change this setting automatically to otp only after a token has been created by a user. But apparently an initial password-based login is also possible when user-auth-type is set to otp only.

This should be highlighted in the (upcoming) documentation.
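As an added illustration (not part of the ticket or of FreeIPA's own code), a small helper that reads the labels printed by `ipa user-show --all` and `ipa config-show`, resolves the effective user auth types (per-user setting over the global default) and reports whether a password-only login is still accepted, including the otp-only-but-no-token-yet case described in the comment above. The sample output is constructed and the field labels are assumed.

```python
import re
from typing import Optional, Set

# Constructed sample output, modelled on `ipa config-show` and `ipa user-show --all`
# (field labels assumed; not captured from the reporter's setup).
CONFIG_SHOW = """\
  Maximum username length: 32
  Default user authentication types: password, otp
"""
USER_SHOW_PASSWORD_OTP = """\
  User login: alice
  User authentication types: password, otp
"""
USER_SHOW_OTP_ONLY = """\
  User login: bob
  User authentication types: otp
"""
USER_SHOW_NO_OVERRIDE = """\
  User login: carol
"""


def auth_types(show_output: str, label: str) -> Optional[Set[str]]:
    """Return the comma-separated values after `label:`, or None if the label is absent."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.+)$", show_output, re.MULTILINE)
    if not m:
        return None
    return {t.strip() for t in m.group(1).split(",") if t.strip()}


def effective_auth_types(user_show: str, config_show: str) -> Set[str]:
    """Per-user setting wins; otherwise the global default; otherwise plain password."""
    per_user = auth_types(user_show, "User authentication types")
    if per_user:
        return per_user
    default = auth_types(config_show, "Default user authentication types")
    return default if default else {"password"}


def password_only_login_allowed(user_show: str, config_show: str, token_count: int) -> bool:
    """A password alone is accepted when 'password' is among the effective types, or,
    as the ticket notes, when the type is otp-only but the user has not created a token yet."""
    types = effective_auth_types(user_show, config_show)
    if "password" in types:
        return True
    return "otp" in types and token_count == 0
```

The "password,otp" setting from the ticket therefore keeps password-only login open even after a token exists, whereas "otp" closes it as soon as the user has enrolled a token.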

Metadata Update from @tscherf:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.0.2

7 years ago

