Debug OATH token verification

Hello,

I have been trying to get OATH tokens working - both HOTP and TOTP.
Neither of them is properly validated, even without a set PIN.

Is there a way to debug the validation of these types of tokens?
The version I am using is 2.4 (installed via pip). The app used to generate
tokens is FreeOTP.

Kind regards,
Robin

Hello Robin,

You can set the loglevel to debug.
In the pi.cfg file you can set

PI_LOGLEVEL = 10

See
http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html
for more details.

You can also take a look at the event validate/check in the audit log
(tab “audit” in the webui). Some additional information is there, too.

So you installed via pip.
How are you running privacyIDEA? Are you running via WSGI in Apache2?

Kind regards
Cornelius

Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hello,

I found out that actually HOTP works well with FreeOTP after some initial
attempts have failed.
FreeOTP should also be capable of using different hashing algorithms, as it
displays some other algorithms besides SHA1 in the manual config dialogue.
Naturally, for that to work, the algorithm has to be included in the
otpauth:// URI. [1]

[1] Key Uri Format · google/google-authenticator Wiki · GitHub

Kind regards,
Robin

Hi Robin,

by the way: FreeOTP only works with TOTP.

In case of TOTP you need to check that

  • the clocks are in sync
  • SHA1 is used!
  • the timestep is set to 30 secs.

Kind regards
Cornelius

…indeed FreeOTP works with HOTP.
Was not aware of this :-)

Oh, this is new to me, that FreeOTP supports HOTP.
What version on which device are you running?

Everything is working now, thank you :-)

I think there might be an issue with the first counter when enrolling an
HOTP token, resulting in the first OTP value generated by, e.g., Google
Authenticator not working, but the second one does.

Kind regards
Cornelius

Sadly, at the time these errors occurred, I did not have an appropriate log
level configured, hence I have no idea what might have caused it.
After some further attempts it suddenly worked.

I will post my findings, though, in case this behavior reoccurs.

Kind regards,
Robin

Great,
do you know what the problem was?
Maybe we should improve the docs.

Kind regards
Cornelius