#8557 Unable to login to Web UI or ssh with HOTP
Closed: fixed 3 years ago by softstraus. Opened 3 years ago by softstraus.

Issue

A user cannot log in to the Web UI, or via ssh, with an HOTP token. With TOTP it works just fine.

Steps to Reproduce

  1. Import OTP data using ipa-otptoken-import <PSKC file> <output file> (as admin)
  2. As admin, create a new user, e.g. otpuser
  3. Change the token's owner from admin to otpuser
  4. Enable two-factor authentication (password + OTP) via the Web UI

Actual behavior

Web UI
The password you entered is incorrect.
SSH
Permission denied, please try again.

Expected behavior

Login to the Web UI and to a host via ssh

Version/Release/Distribution

package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.6-11.el7.centos.x86_64
ipa-client-4.6.6-11.el7.centos.x86_64
389-ds-base-1.3.10.1-14.el7_8.x86_64
pki-ca-10.5.17-6.el7.noarch
krb5-server-1.15.1-46.el7.x86_64

Additional info:

Checked that the OTP data is correct with ipa otptoken-show --all

Login works if 2FA is disabled.
Login works if 2FA is enabled and a TOTP token (Google Authenticator) is added.

krb5kdc.log:
preauth (otp) verify failure: Generic preauthentication failure
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 22.22.22.22: PREAUTH_FAILED: otpuser@MYIPA.EXAMPLE.COM for krbtgt/MYIPA.EXAMPLE.COM@MYIPA.EXAMPLE.COM, Preauthentication failed


Oh, I use a FeiTian c100 token.

Fixed.
The default 'Count' value in the PSKC (RFC 6030) file is 0.
So login works with tokens that have not shown an OTP code yet, but if the token was already in use you need to find the click count value and change it in the XML.
I found the number of clicks in LinOTP.
FreeIPA token resync does not work without the correct count value.

Metadata Update from @softstraus:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @softstraus:
- Issue status updated to: Open (was: Closed)

3 years ago

LinOTP can resync a token with an incorrect count.
Is it possible to add the same functionality to FreeIPA?

Hi @softstraus,
did you have a look at the command ipa otptoken-sync?

# ipa otptoken-sync --help
Usage: ipa [global-options] otptoken-sync [TOKEN] [options]

Synchronize an OTP token.
Options:
  -h, --help     show this help message and exit
  --user=STR     User ID
  --password     Password
  --first-code   First Code
  --second-code  Second Code

It is also possible using the Web UI. Both methods are described in appendix B.4.3, "OTP Token Out of Sync", of the "Linux Domain Identity, Authentication and Policy Guide".

Let me know if it solves your issue.
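
The following is an added example, not FreeIPA's or LinOTP's code, that models the two points made in this thread: a PSKC import that records Count=0 for a hardware token whose physical counter has already advanced, and a two-consecutive-code resync of the kind ipa otptoken-sync --first-code/--second-code performs. It implements HOTP per RFC 4226 (HMAC-SHA1, dynamic truncation, 6 digits). The secret is the RFC 4226 test vector key, not a real token seed, and the look-ahead and resync window sizes are assumptions for illustration, not FreeIPA's actual values.

```python
"""HOTP counter drift after a PSKC import with Count=0, and two-code resync.

Added example (not FreeIPA code). Window sizes are assumptions."""
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 test vector key, not a real seed.
SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpServerState:
    """Server-side view of one token: the seed plus the next counter it expects."""

    def __init__(self, secret: bytes, counter: int = 0,
                 window: int = 10, resync_window: int = 1000):
        self.secret = secret
        self.counter = counter              # what the PSKC <Count> element populates
        self.window = window                # assumed look-ahead window for normal auth
        self.resync_window = resync_window  # assumed wider window used only for resync

    def verify(self, code: str) -> bool:
        """Accept if code matches any counter in [counter, counter+window); advance past it."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

    def resync(self, first: str, second: str) -> bool:
        """Search a wide window for two consecutive codes; on success move counter past them."""
        for c in range(self.counter, self.counter + self.resync_window):
            if (hmac.compare_digest(hotp(self.secret, c), first)
                    and hmac.compare_digest(hotp(self.secret, c + 1), second)):
                self.counter = c + 2
                return True
        return False


class HardwareToken:
    """Models a button token (FeiTian-style): each press yields the next HOTP value."""

    def __init__(self, secret: bytes, presses_so_far: int = 0):
        self.secret = secret
        self.counter = presses_so_far  # physical counter, unknown to the importer

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


def demo(presses_before_import: int = 50):
    """Return (login ok before sync, resync ok, login ok after sync, server counter)."""
    token = HardwareToken(SECRET, presses_before_import)
    server = HotpServerState(SECRET, counter=0)   # PSKC default Count=0
    first_attempt = server.verify(token.press())  # fails once drift exceeds the window
    synced = server.resync(token.press(), token.press())
    after_sync = server.verify(token.press())
    return first_attempt, synced, after_sync, server.counter


if __name__ == "__main__":
    print("fresh token:", demo(0))      # works even with Count=0
    print("used token:", demo(50))      # fails until resynced
    print("far drift:", demo(2000))     # beyond the assumed resync window
```

With a fresh token (no presses) the Count=0 default is correct and login succeeds; with a token that has been pressed 50 times the first login fails, the two-code resync recovers the counter, and the next login succeeds. A token drifted beyond the resync window cannot be recovered this way, which is when the count has to be corrected in the PSKC XML before import, as the reporter did.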

Thanks for your reply.
Yes, I know about the CLI and Web UI resync feature.
I found my mistake in understanding how OTPs work.

Metadata Update from @softstraus:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
