Regular users are forbidden from choosing the security options for their OTP token in the Web UI, which is hard-coded to the SHA1 hash algorithm and a 6-digit password.
The solutions proposed in #6430 are still insufficient when it comes to strict security policies (SHA512/8 digits).
We need a global setting from which admins can choose the default hash/digits combinations for user-created OTPs.
$ rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.8.0-13.module+el8.1.0+4923+c6efe041.x86_64
ipa-client-4.8.0-13.module+el8.1.0+4923+c6efe041.x86_64
389-ds-base-1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f.x86_64
pki-ca-10.7.3-1.module+el8.1.0+3964+500fc130.noarch
krb5-server-1.17-9.el8.x86_64
Regular users have permission to select other hash algorithms and OTP length. The Web UI just doesn't show the selectors for hashing algorithm and digits. The command line interface allows users to select SHA512 / 8. I assume that the options were not exposed so users don't get confused.
Possible fixes:
- expose the hash algo and digit options for self-service (easy fix)
- allow admin to globally set default otp hash algo and digits
- allow admin to define a global policy of allowed hash algo / digits combinations. otptoken-add would then block new tokens that are not allowed by the policy.
By the way I see that you have RHEL8 packages listed. Could you please open a customer case and request the feature through the support system?
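The comment above notes that the CLI already accepts SHA512 and 8 digits, and proposes a global policy of allowed algorithm/digit combinations that otptoken-add would enforce. The following is an added illustration, not FreeIPA code: an RFC 6238 TOTP generator parametrised by hash algorithm and digit count (the same knobs otptoken-add exposes as --algo and --digits), checked against the RFC's published test vectors, plus a hypothetical policy check of the kind the third proposed fix describes. The allowed-combination set is an assumption chosen for the example. It also shows why a token provisioned with one algorithm/digits pair produces a different code when verified with another, which is the "wrong tokens" risk raised in the thread.

```python
import hmac
import hashlib
import struct
import time

# Hash algorithms accepted by ipa otptoken-add --algo
ALGOS = {
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def hotp(key: bytes, counter: int, algo: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGOS[algo]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, algo: str = "sha1", digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(key, int(unix_time) // period, algo, digits)


def totp_now(key: bytes, algo: str = "sha1", digits: int = 6) -> str:
    """Convenience wrapper for interactive use (not asserted on in the test)."""
    return totp(key, int(time.time()), algo, digits)


# Hypothetical global policy (assumption for this example): only strong combinations are allowed.
ALLOWED_COMBINATIONS = {("sha256", 8), ("sha384", 8), ("sha512", 8)}


def token_allowed_by_policy(algo: str, digits: int, allowed=ALLOWED_COMBINATIONS) -> bool:
    """What an otptoken-add pre-check might decide under such a policy."""
    return (algo, digits) in allowed


def codes_differ_across_settings(key: bytes, unix_time: int) -> bool:
    """Same secret and time, different provisioning parameters -> different codes.

    This is the mismatch a user would hit if the authenticator app and the
    server-side token disagree on algorithm or digits."""
    weak = totp(key, unix_time, "sha1", 6)
    strong = totp(key, unix_time, "sha512", 8)
    return weak != strong


if __name__ == "__main__":
    # RFC 6238 Appendix B seeds (ASCII "1234567890" repeated to the HMAC block size)
    seed_sha1 = b"12345678901234567890"
    seed_sha512 = b"1234567890123456789012345678901234567890123456789012345678901234"
    print("sha1/8   @ t=59:", totp(seed_sha1, 59, "sha1", 8))      # RFC vector: 94287082
    print("sha512/8 @ t=59:", totp(seed_sha512, 59, "sha512", 8))  # RFC vector: 90693936
    print("sha1/6 allowed by policy?", token_allowed_by_policy("sha1", 6))
    print("sha512/8 allowed by policy?", token_allowed_by_policy("sha512", 8))
```

The policy check is deliberately a pure function of (algo, digits) so it could sit in front of token creation without touching the token itself; the TOTP routine is only there to make concrete what those two parameters change.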
I totally agree with not allowing users to choose the algorithm and digits; this could end up with users generating wrong tokens. Moreover, most of them are not used to a CLI and only interact with IdM through the self-service portal.
Customer has already opened a case, pointing to this issue.
Thank you.
Metadata Update from @cheimes:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1833269
Issue linked to Bugzilla: Bug 1833269