[Maybe A bug] Multiple token "AES + TOTP + HOTP"

Hello,

I have been testing and messing around with PrivacyIDEA for a few hours now
and it looks great!

I am using the latest stable version on top of Debian Jessie. I have a very
simple WebUI policy that authenticates against PrivacyIDEA itself and using
an LDAP resolver. I enrolled the following tokens, all assigned to a single
user:

  • 1 x HOTP Yubikey
  • 1 x OTP "AES" Yubikey
  • 1 x HOTP Google Authenticator
  • 1 x TOTP Google Authenticator

All works perfectly, but once I assigned the AES one, only the AES one can
actually log in and the rest get the error below in the logs:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 96, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/auth.py", line 234, in get_auth_token
    superuser_realms)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 477, in login_mode
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/auth.py", line 130, in check_webui_user
    check, details = check_user_pass(user_obj, password, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 274, in auth_user_timelimit
    res, reply_dict = wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 360, in auth_lastauth
    res, reply_dict = wrapped_function(user_or_serial, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 251, in auth_user_passthru
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 175, in auth_user_has_no_token
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 81, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 210, in auth_user_does_not_exist
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1803, in check_user_pass
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1861, in check_token_list
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 45, in token_locked_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokenclass.py", line 388, in authenticate
    otp_counter = self.check_otp(otpval, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 45, in token_locked_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/yubikeytoken.py", line 191, in check_otp
    otp_bin = modhex_decode(yubi_otp)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/utils.py", line 104, in modhex_decode
    [mod2HexDict[c] for c in m]
KeyError: u'8'

Unassign the AES token, and everything works perfectly again.

Kind regards,
Sherif

Hi,

The problem with the AES Yubikey is that it behaves rather differently,
since it comes with the userid in front of it.

Nevertheless: Thanks for the heads up. I will have to look into it…

Are you using OTP PIN from privacyIDEA or otppin=userstore?
If you are using OTP PIN, do the tokens have the same or different PINs?

I think I already have an idea:
Did you try to authenticate with another OTP token (not AES), when you
get this error?

Kind regards
Cornelius

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/8628704a-4821-4e8b-9de9-cc00264c3f85%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Hi Cornelius,

Thank you for the commit, will try that commit tomorrow and see how it will
go.

So far I have no Auth policy, so the OTP is the only password used. "No
PIN or UserStore password"

I don’t use a PIN with any of the OTP / HOTP / AES

Once I have the AES token assigned and I try to auth with any OTP “other
than the AES” I get the error I posted; when I try the AES, it does work
and I can log in. It seems that the AES takes a higher priority in the
token list, but it does not loop after the AES.

Regards,
Sherif

On Tuesday, December 1, 2015 at 8:22:25 PM UTC, Cornelius Kölbel wrote:

Hi Sherif,

I fixed the problem with this commit:

Fix problem with yubikey token type and 2nd token · privacyidea/privacyidea@81b42d6 · GitHub

I think I will cherry pick it with another fix in a version 2.8.1.

Kind regards
Cornelius


Hi Sherif,

I fixed the problem with this commit:

Fix problem with yubikey token type and 2nd token · privacyidea/privacyidea@81b42d6 · GitHub

I think I will cherry pick it with another fix in a version 2.8.1.

Kind regards
Cornelius

Hi Cornelius,

I just tested the last commit and it works like a charm :) Thank you!

Regards,
Sherif
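
The failure in the traceback and the "does not loop after the AES" observation, as an added example (not privacyIDEA code and not the content of commit 81b42d6): a decimal HOTP value is not valid modhex, so a plain dict lookup raises KeyError, and the token loop has to count that as "no match" for the Yubikey token and move on to the next one. The class names, serials, the public ID and the `verify_block` hook are hypothetical; the AES decryption of the Yubikey block is outside the example.

```python
import hashlib
import hmac
import logging
import struct

log = logging.getLogger("otp-demo")

MODHEX = "cbdefghijklnrtuv"                       # Yubikey modhex alphabet
MOD2HEX = dict(zip(MODHEX, "0123456789abcdef"))


def modhex_decode_naive(m):
    # Same kind of lookup as in the traceback: a digit like "8" is not a key.
    return "".join([MOD2HEX[c] for c in m])


def modhex_decode_strict(m):
    """Return the hex string, or None when m is not pure modhex."""
    if not m or any(c not in MOD2HEX for c in m):
        return None
    return "".join(MOD2HEX[c] for c in m)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP value as a zero-padded decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpToken:
    def __init__(self, serial, secret, counter=0, window=10):
        self.serial, self.secret = serial, secret
        self.counter, self.window = counter, window

    def check_otp(self, otp):
        """Return the matching counter, or -1 when nothing in the window fits."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c).encode(), otp.encode()):
                self.counter = c + 1           # a used counter is never accepted again
                return c
        return -1


class YubikeyAesToken:
    OTP_LEN = 44    # 12 modhex chars of public ID + 32 chars of AES block

    def __init__(self, serial, public_id, verify_block, decode=modhex_decode_strict):
        self.serial, self.public_id = serial, public_id
        self.verify_block = verify_block       # hypothetical hook: AES decrypt + checks
        self.decode = decode

    def check_otp(self, otp):
        hexval = self.decode(otp)              # the naive decoder raises KeyError here
        if hexval is None or len(otp) != self.OTP_LEN:
            return -1                          # not a Yubikey OTP: an ordinary "no match"
        if not hmac.compare_digest(otp[:12].encode(), self.public_id.encode()):
            return -1                          # OTP carries another key's public ID
        return self.verify_block(bytes.fromhex(hexval[12:]))   # 16-byte AES block


def check_token_list(tokens, otp, isolate=True):
    """Return the serial of the first token that accepts otp, else None."""
    for token in tokens:
        try:
            if token.check_otp(otp) >= 0:
                return token.serial
        except Exception:
            if not isolate:
                raise                          # one token's error fails the whole login
            # Log the token, never the OTP value itself.
            log.exception("token %s could not process the input, skipping", token.serial)
    return None


SECRET = b"12345678901234567890"               # RFC 4226 test secret
PUBLIC_ID = "cccccccccccb"                     # constructed modhex public ID


def build_tokens(decode):
    """Constructed token list for one user: the Yubikey AES token comes first."""
    def reject(block):                         # stand-in verifier: no AES key in this demo
        return -1
    return [YubikeyAesToken("UBAM0001", PUBLIC_ID, reject, decode),
            HotpToken("OATH0001", SECRET)]


if __name__ == "__main__":
    otp = hotp(SECRET, 1)
    try:
        check_token_list(build_tokens(modhex_decode_naive), otp, isolate=False)
    except KeyError as exc:
        print("naive decoder, no isolation: KeyError", exc)
    print("strict decoder:", check_token_list(build_tokens(modhex_decode_strict), otp))
    print("naive decoder, isolated loop:", check_token_list(build_tokens(modhex_decode_naive), otp))
```

Either layer alone lets the HOTP token be reached; the strict decoder is the cleaner one because the isolated loop also hides genuine programming errors behind a log line.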