#6247 ipa otptoken-add --type=hotp --key creates wrong OTP
Closed: Fixed None Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1368981

Description of problem:

The option --key of ipa otptoken-add is documented to accept the key encoded in
Base32. In RHEL 7.2, this input value ended up Base32-encoded in the secret
parameter of the displayed otpauth://hotp/ URL and Base64-encoded in the Key
output of the ipa otptoken-add --type=hotp --key command and in the
ipatokenOTPkey.

In RHEL 7.3 nightly, the secret parameter of the otpauth: URL is different and
the Key and ipatokenOTPkey show exactly this Base32-encoded string.

The result is wrong codes generated by FreeOTP and failing authentication when
correct codes are used.

Version-Release number of selected component (if applicable):

ipa-server-4.4.0-8.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. ipa otptoken-add --type=hotp --key and enter (paste)
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ twice
2. ipa otptoken-find --raw --all

Actual results:

Key:
Enter Key again to verify:
------------------
Added OTP token ""
------------------
  Unique ID: 6f780b6a-9771-40bf-afa8-42060ceb7a03
  Type: HOTP
  Owner: admin
  Manager: admin
  Key: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
  Algorithm: sha1
  Digits: 6
  Counter: 0
  URI: otpauth://hotp/admin@EXAMPLE.TEST:6f780b6a-9771-40bf-afa8-42060ceb7a03?d
igits=6&secret=DBDEGGGQKUMY3U2A4JIBQRSDDDIFKGMN2NAOEUA%3D&counter=0&algorithm=S
HA1&issuer=admin%40EXAMPLE.TEST

[ QR code ]

-------------------
1 OTP token matched
-------------------
  dn:
ipatokenuniqueid=6f780b6a-9771-40bf-afa8-42060ceb7a03,cn=otp,dc=example,dc=test
  ipatokenuniqueid: 6f780b6a-9771-40bf-afa8-42060ceb7a03
  type: HOTP
  ipatokenowner: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  managedby: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  ipatokenHOTPcounter: 0
  ipatokenOTPalgorithm: sha1
  ipatokenOTPdigits: 6
  ipatokenOTPkey: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
  objectclass: ipatokenhotp
  objectclass: ipatoken
  objectclass: top
----------------------------
Number of entries returned 1
----------------------------

Expected results:

This output comes from RHEL 7.2:

[root@cloud-qe-4 ~]# ipa otptoken-add --type=hotp --key
Key:
Enter Key again to verify:
------------------
Added OTP token ""
------------------
  Unique ID: 7c00bb55-a14b-451b-9f6d-db6885c760e4
  Type: HOTP
  Owner: admin
  Manager: admin
  Key: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
  Algorithm: sha1
  Digits: 6
  Counter: 0
  URI: otpauth://hotp/admin@EXAMPLE.TEST:7c00bb55-a14b-451b-9f6d-db6885c760e4?d
igits=6&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0&algorithm=SHA1&issuer
=admin%40EXAMPLE.TEST

[ QR code ]

-------------------
1 OTP token matched
-------------------
  dn:
ipatokenuniqueid=7c00bb55-a14b-451b-9f6d-db6885c760e4,cn=otp,dc=example,dc=test
  ipatokenuniqueid: 7c00bb55-a14b-451b-9f6d-db6885c760e4
  type: HOTP
  ipatokenowner: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  ipatokenHOTPcounter: 0
  ipatokenOTPalgorithm: sha1
  ipatokenOTPdigits: 6
  ipatokenOTPkey: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
  managedby: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  objectclass: ipatokenhotp
  objectclass: ipatoken
  objectclass: top
----------------------------
Number of entries returned 1
----------------------------

Additional info:

master:

  • 386fdc1 otptoken, permission: Convert custom type parameters on server

Metadata Update from @pvoborni:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.4.1

6 years ago
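
A check of the two outputs above, as an added example (not FreeIPA code and not part of the original ticket): it Base32-decodes each URI's secret= value the way an authenticator app would and compares the resulting HOTP codes. The Base64 misreading in misread_as_base64 is an assumption about the cause that the ticket does not state; the script only confirms that it reproduces the 7.3 secret.

```python
# Added example: the three constants are copied from the ticket's command output.
import base64
import hashlib
import hmac
import struct

ENTERED_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"    # pasted at the Key: prompt
URI_SECRET_72 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # secret= in the RHEL 7.2 URI
URI_SECRET_73 = "DBDEGGGQKUMY3U2A4JIBQRSDDDIFKGMN2NAOEUA="  # 7.3 URI, %3D unescaped


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 (the ticket shows Algorithm: sha1, Digits: 6)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def key_from_uri_secret(secret: str) -> bytes:
    """Key bytes an authenticator derives from the URI: Base32-decode secret=."""
    return base64.b32decode(secret)


def describe(secret: str) -> dict:
    """Summarise the key behind a URI secret and its first three HOTP codes."""
    key = key_from_uri_secret(secret)
    return {
        "key_len": len(key),
        "key_b64": base64.b64encode(key).decode(),  # form shown in Key: output
        "codes": [hotp(key, counter) for counter in range(3)],
    }


def misread_as_base64(entered: str) -> str:
    """Assumed failure mode: decode the Base32 text as Base64, re-encode as Base32."""
    return base64.b32encode(base64.b64decode(entered)).decode()


if __name__ == "__main__":
    print("7.2:", describe(URI_SECRET_72))
    print("7.3:", describe(URI_SECRET_73))
    print("7.3 secret reproduced by Base64 misreading:",
          misread_as_base64(ENTERED_KEY) == URI_SECRET_73)
```

The 7.2 secret decodes to a 20-byte key and the 7.3 secret to a 24-byte key, so a token enrolled from the 7.3 URI produces a different code sequence from the one the entered key should give.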
