Using the same TOTP several times in a time window

Hi! I've noticed that in privacyIDEA, using TOTP tokens, I can use one OTP
several times if I'm in the same time window.

So, is there a solution to fix this?

Best regards,

CK

Hi,

So here is my config:

I have a Prosody server (XMPP) and an XMPP client (Pidgin), and what I'm
doing is that I want to authenticate users registered in an LDAP to the
Prosody server.
So, in PI, I have one LDAP resolver which works well. Then, I assigned a
TOTP token to a user of this LDAP.
I also have installed Cyrus SASL, which is linked to the Prosody server and
configured it to use the PAM mechanism, so when I try to authenticate with my
XMPP client, it will wait for an OTP (because it uses the pam_python script
of PI to authenticate).
Prosody is configured to use SASL authentication.

Token parameters: TOTP SHA-256, timeStep: 30 seconds, timeWindow: 180,
OTP length: 6

Kind regards,

Karim

On Thursday, 20 August 2015 09:55:36 UTC+2, Cornelinux K wrote:

Hi CK,

I cannot reproduce this.

As a matter of fact there are also several tests to check this:

https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py#L510

https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L102

https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L141

https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L165
Anyway - I am happy to add some more…

Can you please tell, what exactly you are doing?

  • Which token did you enroll, with which parameters?
  • How did you authenticate?
  • Where did you authenticate (directly to the API or to any
    application?)

Please give as much information as possible.

Kind regards
Cornelius

On Thursday, 20.08.2015, 00:44 -0700, CK wrote:

Hi,

I updated pi to 2.5, but the bug is still there…

Kind regards,

CK

On Friday, 14 August 2015 18:48:36 UTC+2, Cornelinux K wrote:
Hi,
I assume you are using 1.5.
This was a bug then.
1.5 is deprecated.
You should use 2.5.

Kind regards
Cornelius

Cornelius Kölbel
Corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

-------- Original message --------
From: CK <testt...@gmail.com>
Date: 14.08.2015 14:57 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Using the same TOTP several times in a time window

Cyrus SASL: in /etc/default/saslauthd, initially OPTIONS=" -c -m
/var/run/saslauthd", so I removed the "-c" (option to enable credentials
caching) and then it works well now! (And I have all the auth requests in
the Audit log: first time "matching 1 token" and then "wrong otp value".)

On Thursday, 20 August 2015 14:16:22 UTC+2, Cornelinux K wrote:

…so what was it?

Kind regards
Cornelius

On Thursday, 20.08.2015, 05:02 -0700, CK wrote:

Problem solved!!

Thanks a lot for your help ;-)

Kind regards,

Karim

On Thursday, 20 August 2015 12:21:42 UTC+2, CK wrote:
Hi,
So I cannot authenticate twice with the same OTP using the test URL of
PI.
When I logged in two times in Pidgin, I saw the auth request 1 time in
the Audit log.

So I think you're right, the issue comes from Cyrus SASL. I'm trying to
find how to disable the cache of credentials to fix this.

Kind regards,

Karim
    
    
On Thursday, 20 August 2015 11:29:39 UTC+2, Cornelinux K wrote:

And you are entering the OTP into pidgin?

So the workflow is like this:

  • enter OTP into pidgin
  • pidgin transfers OTP to prosody
  • transfers OTP to cyrus sasl
  • transfers OTP to PAM
  • transfers OTP to privacyIDEA

My guess is that some component (my wild guess would be cyrus sasl)
will cache the authentication result, so that the second auth request
with the same OTP does not even reach the privacyIDEA server.

Please check:

  1. Can you authenticate with the same OTP twice to the privacyIDEA
    server using
    https://yourOTPserver/validate/check?user=…&pass=…otp…

  2. Can you see the second authentication request in the Audit log on the
    privacyIDEA server?

  3. Check the log files of prosody and pam.

Thanks a lot and kind regards
Cornelius
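Cornelius's caching hypothesis above and CK's saslauthd fix earlier in the thread (removing -c), as an added Python example that is not from the thread or from privacyIDEA's code base: a TOTP validator with this thread's parameters (HMAC-SHA256, 30 s step, 180 s window, 6 digits) that remembers the last consumed time step, placed behind a stand-in for saslauthd whose credential cache answers the second identical login without contacting the validator, so the replay never shows up in the server's audit trail. The seed, the audit strings and the cache model are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token seed comes from enrollment, never from source code.
SECRET = b"constructed-demo-seed-not-a-real-token"

# Constructed audit strings modelled on what CK reports seeing in the Audit log.
AUDIT_OK = "matching 1 token"
AUDIT_FAIL = "wrong otp value"


def totp_at(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP value for one time-step counter, using HMAC-SHA256 as in this thread."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpToken:
    """Server-side validator with the thread's parameters: timeStep 30 s, timeWindow 180 s, 6 digits."""

    def __init__(self, secret: bytes, time_step: int = 30, time_window: int = 180, digits: int = 6):
        self.secret = secret
        self.time_step = time_step
        self.digits = digits
        self.window_steps = time_window // time_step   # 180 / 30 = 6 steps on either side of "now"
        self.last_counter = -1                          # highest counter already used for a login
        self.audit = []                                 # one entry per request that reaches the server

    def check(self, otp: str, now: float) -> bool:
        """Accept otp only if it matches a step inside the window that is newer than the last success."""
        centre = int(now // self.time_step)
        for counter in range(centre - self.window_steps, centre + self.window_steps + 1):
            if counter <= self.last_counter:
                continue   # replay protection: this step (or an older one) has already been consumed
            if hmac.compare_digest(totp_at(self.secret, counter, self.digits), otp):
                self.last_counter = counter
                self.audit.append(AUDIT_OK)
                return True
        self.audit.append(AUDIT_FAIL)
        return False


class Saslauthd:
    """Stand-in for saslauthd in front of PAM/privacyIDEA. With credential caching (the -c option)
    a repeated user/password pair is answered from the cache and never reaches the validator.
    Assumption of this model: only successful results are cached."""

    def __init__(self, backend: TotpToken, cache_credentials: bool):
        self.backend = backend
        self.cache_credentials = cache_credentials
        self._cache = {}

    def authenticate(self, user: str, password: str, now: float) -> bool:
        key = (user, password)
        if self.cache_credentials and key in self._cache:
            return self._cache[key]            # cache hit: no request to the server, no audit entry
        ok = self.backend.check(password, now)
        if self.cache_credentials and ok:
            self._cache[key] = ok
        return ok


def replay_demo(cache_credentials: bool, now: float = 1_440_070_000.0):
    """Log in twice with the same OTP inside one 30 s step; return (first_ok, second_ok, audit)."""
    token = TotpToken(SECRET)
    front = Saslauthd(token, cache_credentials)
    otp = totp_at(SECRET, int(now // token.time_step))
    first = front.authenticate("karim", otp, now)
    second = front.authenticate("karim", otp, now + 5)
    return first, second, list(token.audit)


def drift_demo(steps_behind: int, now: float = 1_440_070_000.0) -> bool:
    """Is an OTP generated steps_behind time steps ago still accepted by a fresh token?"""
    token = TotpToken(SECRET)
    return token.check(totp_at(SECRET, int(now // token.time_step) - steps_behind), now)


if __name__ == "__main__":
    for cached in (True, False):
        print("saslauthd with -c:" if cached else "saslauthd without -c:", replay_demo(cached))
    print("180 s old OTP accepted:", drift_demo(6), "| 210 s old OTP accepted:", drift_demo(7))
```

With caching on, the second login "succeeds" and the audit list has a single entry, which is exactly the symptom CK saw in Pidgin; with caching off, the second request reaches the validator and is logged as a wrong OTP.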


The certificate of the privacyIDEA server must be issued by a trusted
root authority.

Kind regards
Cornelius

On Thursday, 20.08.2015, 05:50 -0700, CK wrote:

And just one question quickly: until now I have worked with the
"nosslverify" option in the PAM configuration, but now I disabled it, and
so I have this in auth.log:

saslauthd: Traceback (most recent call last):
  File "/lib/x86_64-linux-gnu/security/privacyidea_pam.py", line 100, in pam_sm_authenticate
    verify=sslverify)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post
    return request('post', url, data=data, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The certificate to use is the one of the privacyIDEA server, right?

Karim

On Thursday, 20 August 2015 14:29:13 UTC+2, CK wrote:
    Thanks for your help ! :) (PrivacyIdea is a really nice
    authentication server solution !)

    Kind regards,

    Karim
    



Hi,

I updated pi to 2.5, but the bug is still there…

Kind regards,

CK

On Friday, 14 August 2015 18:48:36 UTC+2, Cornelinux K wrote:
    Hi,
    I assume you are using 1.5.
    This was a bug then.
    1.5 is deprecated.
    you should use 2.5.

    Kind regards
    Cornelius


    -------- Original message --------
    From: CK <testt...@gmail.com>
    Date: 14.08.2015 14:57 (GMT+01:00)
    To: privacyidea <priva...@googlegroups.com>
    Subject: Using the same TOTP several times in a time window

    Hi ! I’ve noticed that in privacyIDEA, using TOTP tokens, I can use one
    OTP several times if I’m in the same time window.

    So, is there a solution to fix this ?

    Best regards,

    CK,


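What the thread ends up confirming is the property a TOTP verifier must provide on top of RFC 6238: once an OTP has authenticated, the same OTP is refused for the rest of its time window, which is exactly the pattern CK later saw in the privacyIDEA audit log ("matching 1 token" on the first attempt, "wrong otp value" on the second). The Python below is an added example, not privacyIDEA's code. It implements RFC 6238 with the token parameters from this thread (SHA-256, 30 s step, 180 s window, 6 digits) and adds the last-used-counter bookkeeping that turns a time window into one-time use. The secret, the timestamp, the audit strings and the reading of the 180 s window as three steps either side of the current one are constructed assumptions.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha256):
    """HOTP (RFC 4226) for one counter value; TOTP is HOTP over the time-step counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side TOTP check: accept a code from any step inside the window,
    but never a step that has already been used, nor any earlier step."""

    def __init__(self, secret, time_step=30, time_window=180, digits=6, algo=hashlib.sha256):
        self.secret = secret
        self.time_step = time_step
        # Assumption: a 180 s window around a 30 s step is read as +/-3 steps.
        self.steps = time_window // time_step
        self.digits = digits
        self.algo = algo
        self.last_counter = -1      # highest step counter that has already authenticated

    def check(self, otp, now=None):
        """Return (accepted, audit_text); on success the matched step is burned."""
        now = time.time() if now is None else now
        current = int(now // self.time_step)
        for counter in range(max(0, current - self.steps), current + self.steps + 1):
            if counter <= self.last_counter:
                continue            # this step, or a later one, was already consumed: replay
            expected = hotp(self.secret, counter, self.digits, self.algo)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                self.last_counter = counter
                return True, "matching 1 token"      # constructed to mirror the audit log text
        return False, "wrong otp value"


def demo(now=1440064800.0):
    """Constructed scenario from the thread: one OTP presented twice inside one window."""
    secret = b"constructed-demo-secret-not-a-real-seed"
    verifier = TotpVerifier(secret)                      # SHA-256, 30 s, 180 s, 6 digits
    otp = hotp(secret, int(now // 30))                   # what the user's app shows now
    first = verifier.check(otp, now)                     # (True, "matching 1 token")
    second = verifier.check(otp, now + 5)                # (False, "wrong otp value")
    return first, second


if __name__ == "__main__":
    print(demo())
```

Two details matter for the thread. `last_counter` burns every earlier step as well, so a code from a slower clock cannot be used after a newer one has been accepted. And none of this helps if a cache in front of the verifier answers the second login itself, which is what saslauthd's `-c` did here: the second request never reached `check`, and the audit log correspondingly showed only one request for two logins.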

Cool. Thanks!
Cornelius

On Thursday, 20.08.2015, 05:23 -0700, CK wrote:

Cyrus sasl, in the /etc/default/saslauthd, initially, OPTIONS=" -c
-m /var/run/saslauthd" so I removed the "-c" (option to enable
credentials caching) and then it works well now ! (And I’ve all the
auth requests in the Audit log (first time : matching 1 token and then
wrong otp value))

On Thursday, 20 August 2015 14:16:22 UTC+2, Cornelinux K wrote:
    …so what was it?

    Kind regards
    Cornelius

    On Thursday, 20.08.2015, 05:02 -0700, CK wrote:
    > Problem solved !!
    >
    > Thanks a lot for your help ;-)
    >
    > Kind regards,
    >
    > Karim
    >
    > On Thursday, 20 August 2015 12:21:42 UTC+2, CK wrote:
    >         Hi,
    >         So I can not authenticate twice with the same OTP using the
    >         test url of PI.
    >         When I logged two times in Pidgin, I saw the auth request 1
    >         time in the Audit log.
    >
    >         So I think you're right, the issue comes from Cyrus sasl. I'm
    >         trying to find how to disable cache of credentials to fix
    >         this.
    >
    >         Kind regards,
    >
    >         Karim
    >
    >         On Thursday, 20 August 2015 11:29:39 UTC+2, Cornelinux K wrote:
    >                 And you are entering the OTP into pidgin?
    >
    >                 So the workflow is like this:
    >
    >                 * enter OTP into pidgin
    >                 * pidgin transfers OTP to prosody
    >                 * transfers OTP to cyrus sasl
    >                 * transfers OTP to PAM
    >                 * transfers OTP to privacyIDEA
    >
    >                 My guess is, that some component (my wild guess would
    >                 be cyrus sasl) will cache the authentication result, so
    >                 that the second auth request with the same OTP does not
    >                 even reach the privacyIDEA server.
    >
    >                 Please check:
    >
    >                 1. Can you authenticate with the same OTP twice to the
    >                 privacyIDEA server using
    >                 https://yourOTPserver/validate/check?user=....&pass=...otp...
    >
    >                 2. Can you see the second authentication request in
    >                 the Audit log on the privacyIDEA server?
    >
    >                 3. check the log files of prosody and pam.
    >
    >                 Thanks a lot and kind regards
    >                 Cornelius
    >
    >                 Am Donnerstag, den 20.08.2015, 01:30 -0700 schrieb 
    >                 CK: 
    >                 > Hi, 
    >                 > 
    >                 > 
    >                 > So here is my config : 
    >                 > 
    >                 > 
    >                 > I have a Prosody server (XMPP) and an XMPP
    client 
    >                 (Pidgin), and what 
    >                 > I'm doing is that I want to authenticate
    users 
    >                 registered in a LDAP to 
    >                 > the Prosody server. 
    >                 > So, in PI, I have one LDAP resolver which
    works 
    >                 well. Then, I assigned 
    >                 > a TOTP token to a user of this LDAP. 
    >                 > I also have installed Cyrus SASL, which is
    linked to 
    >                 Prosody server 
    >                 > and configured it to use PAM mechanism, so
    when I 
    >                 try to authenticate 
    >                 > with my XMPP client, it will wait for an
    OTP 
    >                 (because it uses the 
    >                 > pam_python script of PI to authenticate). 
    >                 > Prosody is configured to use SASL
    authentication. 
    >                 > 
    >                 > 
    >                 > 
    >                 > 
    >                 > Token parameters : TOTP SHA-256,
    timeStep : 
    >                 30seconds, timeWindow : 
    >                 > 180, OTP Length : 6 
    >                 > 
    >                 > 
    >                 > Kind regards, 
    >                 > 
    >                 > 
    >                 > Karim 
    >                 > 
    >                 > 
    >                 > Le jeudi 20 août 2015 09:55:36 UTC+2,
    Cornelinux K a 
    >                 écrit : 
    >                 >         Hi CK, 
    >                 >         
    >                 >         I can not reproduce this. 
    >                 >         
    >                 >         As a matter of fact there are also
    several 
    > > tests to check this:
    > >
    > > https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py#L510
    > > https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L102
    > > https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L141
    > > https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L165
    > >
    > > Anyway - I am happy to add some more...
    > >
    > > Can you please tell, what exactly you are doing?
    > >
    > > * Which Token did you enroll with which parameters
    > > * how did you authenticate
    > > * where did you authenticate (directly to the API or to any Application?)
    > >
    > > Please give as much information as possible.
    > >
    > > Kind regards
    > > Cornelius
    > >
    > > On Thursday, 20.08.2015, 00:44 -0700, CK wrote:
    > > > Hi,
    > > >
    > > > I updated pi to 2.5, but the bug is still there..
    > > >
    > > > Kind regards,
    > > >
    > > > CK
    > > >
    > > > On Friday 14 August 2015 18:48:36 UTC+2, Cornelinux K wrote:
    > > > > Hi,
    > > > > I assume you are using 1.5.
    > > > > This was a bug then.
    > > > > 1.5 is deprecated.
    > > > > you should use 2.5.
    > > > >
    > > > > Kind regards
    > > > > Cornelius
    > > > > -------- Original message --------
    > > > > From: CK <testt...@gmail.com>
    > > > > Date: 14.08.2015 14:57 (GMT +01:00)
    > > > > To: privacyidea <priva...@googlegroups.com>
    > > > > Subject: Using the same TOTP several times in a time window
    > > > >
    > > > > Hi ! I've noticed that in privacyIDEA, using TOTP tokens, I can use one OTP several times if I'm in the same time window.
    > > > >
    > > > > So, is there a solution to fix this ?
    > > > >
    > > > > Best regards,
    > > > >
    > > > > CK,


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/6e478aa6-65dc-4735-914a-b786f525d96a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel


Okay thanks a lot.

Kind regards,

Karim

On Thursday 20 August 2015 15:02:47 UTC+2, Cornelinux K wrote:

The certificate of the privacyIDEA server must be issued by a trusted
root authority.

Kind regards
Cornelius

On Thursday, 20.08.2015, 05:50 -0700, CK wrote:
</gr_replreplace>
<gr_replace lines="2059" cat="reformat" orig="post#012">
post#012 return request('post', url, data=data, **kwargs)#012 File

And just one question quickly, until now, I’ve worked with the
"nosslverify" option in PAM configuration, but now I disabled it, and
so I have this in auth.log :

saslauthd: Traceback (most recent call last):#012 File
"/lib/x86_64-linux-gnu/security/privacyidea_pam.py", line 100, in
pam_sm_authenticate#012 verify=sslverify)#012 File
"/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in
post#012 return request(‘post’, url, data=data, **kwargs)#012 File
"/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in
request#012 return session.request(method=method, url=url,
**kwargs)#012 File
"/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in
request#012 resp = self.send(prep, **send_kwargs)#012 File
"/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in
send#012 r = adapter.send(request, **kwargs)#012 File
"/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in
send#012 raise SSLError(e)#012SSLError: [Errno 1] _ssl.c:510:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed

The certificate to use is the one of the privacyidea server right ?

Karim

On Thursday 20 August 2015 14:29:13 UTC+2, CK wrote:
Thanks for your help ! :-) (PrivacyIdea is a really nice authentication
server solution !)

    Kind regards,

    Karim

    On Thursday 20 August 2015 14:27:32 UTC+2, Cornelinux K wrote:
            Cool. Thanks!
            Cornelius

            On Thursday, 20.08.2015, 05:23 -0700, CK wrote:
            > Cyrus sasl, in the /etc/default/saslauthd, initially, OPTIONS=" -c -m /var/run/saslauthd", so I removed the "-c" (option to enable credentials caching) and then it works well now! (And I have all the auth requests in the Audit log: first time, matching 1 token, and then wrong otp value.)
            >
            > On Thursday 20 August 2015 14:16:22 UTC+2, Cornelinux K wrote:
            > > ...so what was it?
            > >
            > > Kind regards
            > > Cornelius
            > >
            > > On Thursday, 20.08.2015, 05:02 -0700, CK wrote:
            > > > Problem solved !!
            > > >
            > > > Thanks a lot for your help ;-)
            > > >
            > > > Kind regards,
            > > >
            > > > Karim
            > > >
            > > > On Thursday 20 August 2015 12:21:42 UTC+2, CK wrote:
            > > > > Hi,
            > > > > So I can not authenticate twice with the same OTP using the test url of PI.
            > > > > When I logged two times in Pidgin, I saw the auth request 1 time in the Audit log.
            > > > >
            > > > > So I think you're right, the issue comes from Cyrus sasl. I'm trying to find how to disable cache of credentials to fix this.
            > > > >
            > > > > Kind regards,
            > > > >
            > > > > Karim
            > > > >
            > > > > On Thursday 20 August 2015 11:29:39 UTC+2, Cornelinux K wrote:
            > > > > > And you are entering the OTP into pidgin?
            > > > > >
            > > > > > So the workflow is like this:
            > > > > >
            > > > > > * enter OTP into pidgin
            > > > > > * pidgin transfers OTP to prosody
            > > > > > * transfers OTP to cyrus sasl
            > > > > > * transfers OTP to PAM
            > > > > > * transfers OTP to privacyIDEA
            > > > > >
            > > > > > My guess is, that some component (my wild guess would be cyrus sasl) will cache the authentication result, so that the second auth request with the same OTP does not even reach the privacyIDEA server.
            > > > > >
            > > > > > Please check:
            > > > > >
            > > > > > 1. Can you authenticate with the same OTP twice to the privacyIDEA server using
            > > > > >    https://yourOTPserver/validate/check?user=...&pass=...otp...
            > > > > >
            > > > > > 2. Can you see the second authentication request in the Audit log on the privacyIDEA server?
            > > > > >
            > > > > > 3. check the log files of prosody and pam.
            > > > > >
            > > > > > Thanks a lot and kind regards
            > > > > > Cornelius
            > > > > >
            > > > > > On Thursday, 20.08.2015, 01:30 -0700, CK wrote:
            > > > > > > Hi,
            > > > > > >
            > > > > > > So here is my config :
            > > > > > >
            > > > > > > I have a Prosody server (XMPP) and an XMPP client (Pidgin), and what I'm doing is that I want to authenticate users registered in a LDAP to the Prosody server.
            > > > > > > So, in PI, I have one LDAP resolver which works well. Then, I assigned a TOTP token to a user of this LDAP.
            > > > > > > I also have installed Cyrus SASL, which is linked to Prosody server and configured it to use PAM mechanism, so when I try to authenticate with my XMPP client, it will wait for an OTP (because it uses the pam_python script of PI to authenticate).
            > > > > > > Prosody is configured to use SASL authentication.
            > > > > > >
            > > > > > > Token parameters : TOTP SHA-256, timeStep : 30 seconds, timeWindow : 180, OTP Length : 6
            > > > > > >
            > > > > > > Kind regards,
            > > > > > >
            > > > > > > Karim
            > > > > > >
            > > > > > > On Thursday 20 August 2015 09:55:36 UTC+2, Cornelinux K wrote:
            > > > > > > > Hi CK,
            > > > > > > >
            > > > > > > > I can not reproduce this.
            > > > > > > >
            > > > > > > > As a matter of fact there are also several tests to check this:
            > > > > > > >
            > > > > > > > https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py#L510
            > > > > > > > https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L102
            > > > > > > > https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L141
            > > > > > > > https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L165
            > > > > > > >
            > > > > > > > Anyway - I am happy to add some more...
            > > > > > > >
            > > > > > > > Can you please tell, what exactly you are doing?
            > > > > > > >
            > > > > > > > * Which Token did you enroll with which parameters
            > > > > > > > * how did you authenticate
            > > > > > > > * where did you authenticate (directly to the API or to any Application?)
            > > > > > > >
            > > > > > > > Please give as much information as possible.
            > > > > > > >
            > > > > > > > Kind regards
            > > > > > > > Cornelius
            > > > > > > >
            > > > > > > > On Thursday, 20.08.2015, 00:44 -0700, CK wrote:
            > > > > > > > > Hi,
            > > > > > > > >
            > > > > > > > > I updated pi to 2.5, but the bug is still there..
            > > > > > > > >
            > > > > > > > > Kind regards,
            > > > > > > > >
            > > > > > > > > CK
            > > > > > > > >
            > > > > > > > > On Friday 14 August 2015 18:48:36 UTC+2, Cornelinux K wrote:
            > > > > > > > > > Hi,
            > > > > > > > > > I assume you are using 1.5.
            > > > > > > > > > This was a bug then.
            > > > > > > > > > 1.5 is deprecated.
            > > > > > > > > > you should use 2.5.
            > > > > > > > > >
            > > > > > > > > > Kind regards
            > > > > > > > > > Cornelius
            > > > > > > > > > -------- Original message --------
            > > > > > > > > > From: CK <testt...@gmail.com>
            > > > > > > > > > Date: 14.08.2015 14:57 (GMT +01:00)
            > > > > > > > > > To: privacyidea <priva...@googlegroups.com>
            > > > > > > > > > Subject: Using the same TOTP several times in a time window
            > > > > > > > > >
            > > > > > > > > > Hi ! I've noticed that in privacyIDEA, using TOTP tokens, I can use one OTP several times if I'm in the same time window.
            > > > > > > > > >
            > > > > > > > > > So, is there a solution to fix this ?
            > > > > > > > > >
            > > > > > > > > > Best regards,
            > > > > > > > > >
            > > > > > > > > > CK,





And just one question quickly: until now, I've worked with the
"nosslverify" option in the PAM configuration, but now I disabled it, and so I
have this in auth.log:

    saslauthd: Traceback (most recent call last):
      File "/lib/x86_64-linux-gnu/security/privacyidea_pam.py", line 100, in pam_sm_authenticate
        verify=sslverify)
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post
        return request('post', url, data=data, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
        return session.request(method=method, url=url, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
        r = adapter.send(request, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
        raise SSLError(e)
    SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The certificate to use is the one of the privacyidea server, right?

Karim

On Thursday, 20 August 2015 14:29:13 UTC+2, CK wrote:

Thanks for your help! :) (PrivacyIdea is a really nice one
authentication server solution!)

Kind regards,

Karim

On Thursday, 20 August 2015 14:27:32 UTC+2, Cornelinux K wrote:

Cool. Thanks!
Cornelius

On Thursday, 20.08.2015, 05:23 -0700, CK wrote:

Cyrus sasl, in the /etc/default/saslauthd, initially, OPTIONS=" -c
-m /var/run/saslauthd", so I removed the "-c" (option to enable
credentials caching) and then it works well now! (And I've all the
auth requests in the Audit log: first time "matching 1 token" and then
"wrong otp value".)


…so what was it?

Kind regards
Cornelius

On Thursday, 20.08.2015, 05:02 -0700, CK wrote:

Problem solved!!

Thanks a lot for your help ;-)

Kind regards,

Karim

On Thursday, 20 August 2015 12:21:42 UTC+2, CK wrote:

    Hi,
    So I cannot authenticate twice with the same OTP using the test URL of PI.
    When I logged in two times in Pidgin, I saw the auth request 1 time in the
    Audit log.

    So I think you're right, the issue comes from Cyrus sasl. I'm
    trying to find how to disable the cache of credentials to fix
    this.

    Kind regards,

    Karim
    
    
    On Thursday, 20 August 2015 11:29:39 UTC+2, Cornelinux K wrote:
            And you are entering the OTP into pidgin?

            So the workflow is like this:

            * enter OTP into pidgin
            * pidgin transfers OTP to prosody
            * transfers OTP to cyrus sasl
            * transfers OTP to PAM
            * transfers OTP to privacyIDEA

            My guess is, that some component (my wild guess would be cyrus sasl)
            will cache the authentication result, so that the second auth request
            with the same OTP does not even reach the privacyIDEA server.

            Please check:

            1. Can you authenticate with the same OTP twice to the privacyIDEA
            server using
            https://yourOTPserver/validate/check?user=....&pass=...otp...

            2. Can you see the second authentication request in the Audit log on
            the privacyIDEA server?

            3. check the log files of prosody and pam.

            Thanks a lot and kind regards
            Cornelius
            

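The two mechanisms this thread ends up separating, the verifier's own replay check (Karim sees "matching 1 token" and then "wrong otp value" in the Audit log) and a credential cache sitting in front of it (saslauthd's -c), as an added example in Python. This is my code, not privacyIDEA's, Cyrus SASL's or the PAM module's: `TotpToken` and `CachingFrontend` are hypothetical names, the secret and the timestamp are constructed, and treating the 180 s window as a symmetric search around the current 30 s step is an assumption of the example, not privacyIDEA's documented semantics.

```python
import hashlib
import hmac
import struct


class TotpToken:
    """TOTP verifier (RFC 6238) that never accepts the same time step twice.

    Parameters mirror the token in the thread (SHA-256, 30 s step, 6 digits,
    180 s window). Searching window_seconds on both sides of the current
    step is an assumption of this example.
    """

    def __init__(self, secret, step=30, digits=6, window_seconds=180,
                 digest=hashlib.sha256):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window_steps = window_seconds // step
        self.digest = digest
        # Highest time-step counter already consumed. Anything at or below it
        # is refused, so a code replayed inside the window is "wrong otp value".
        self.last_counter = -1

    def otp_for_counter(self, counter):
        """HOTP value for one counter (RFC 4226 dynamic truncation)."""
        mac = hmac.new(self.secret, struct.pack(">Q", counter), self.digest).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % 10 ** self.digits).zfill(self.digits)

    def otp_at(self, now):
        """The code a client would display at Unix time `now`."""
        return self.otp_for_counter(int(now) // self.step)

    def verify(self, otp, now):
        """True once per counter; a replay or an older code returns False."""
        current = int(now) // self.step
        # Try the exact step first, then widen outwards to tolerate clock drift.
        for delta in sorted(range(-self.window_steps, self.window_steps + 1), key=abs):
            counter = current + delta
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(self.otp_for_counter(counter), otp):
                self.last_counter = counter
                return True
        return False


class CachingFrontend:
    """Models an auth daemon that caches accepted credentials, as saslauthd
    does with -c. A second login with the same OTP is answered from the
    cache and never reaches the verifier, so it never appears in its audit log."""

    def __init__(self, token):
        self.token = token
        self.cache = set()

    def login(self, user, otp, now):
        """Return (accepted, reached_backend)."""
        if (user, otp) in self.cache:
            return True, False
        accepted = self.token.verify(otp, now)
        if accepted:
            self.cache.add((user, otp))
        return accepted, True


# Constructed demo values: not a real secret, not a timestamp taken from the thread.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
DEMO_NOW = 1_440_072_000.0


def demo(secret=DEMO_SECRET, now=DEMO_NOW):
    """Replay one OTP 5 s later, once against the verifier and once through a cache."""
    direct = TotpToken(secret)
    otp = direct.otp_at(now)
    direct_results = (direct.verify(otp, now), direct.verify(otp, now + 5))

    cached = CachingFrontend(TotpToken(secret))
    cached_results = (cached.login("user", otp, now), cached.login("user", otp, now + 5))
    return {"direct": direct_results, "cached": cached_results}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints `{'direct': (True, False), 'cached': ((True, True), (True, False))}`: the verifier accepts the code once and rejects the replay because it remembers the consumed counter, while the caching front end answers the replay itself and the second request never reaches the backend, which is exactly why Karim saw only one request in the Audit log until he dropped -c. Remembering the last accepted counter, rather than the last accepted code, is what also makes the verifier refuse codes from steps older than one it has already consumed.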
Thanks for your help! :) (PrivacyIdea is a really nice one authentication
server solution!)

Kind regards,

Karim

On Thursday, 20 August 2015 14:27:32 UTC+2, Cornelinux K wrote:

Cool. Thanks!
Cornelius

    >                 >         >         
    >                 >         >         Kind regards 
    >                 >         >         Cornelius 
    >                 >         >         
    >                 >         >         
    >                 >         >         
    >                 >         >         
    >                 >         >         
    >                 >         >         
    >                 >         >         Cornelius Kölbel 
    >                 >         > 
    Corneliu...@netknights.it 
    >                 >         >         +49 151 2960 1417 
    >                 >         >         
    >                 >         >         
    >                 >         >         NetKnights GmbH 
    >                 >         >         http://netknights.it 
    >                 >         >         Landgraf-Karl-Str. 19, 
    34131 
    >                 Kassel, Germany 
    >                 >         >         Tel: +49 561 3166797, 
    Fax: +49 561 
    >                 3166798 
    >                 >         >         
    >                 >         >         
    >                 >         >         Amtsgericht Kassel, HRB 
    16405 
    >                 >         >         Geschäftsführer: 
    Cornelius Kölbel 
    >                 >         >         
    >                 >         >         
    >                 >         >         -------- Ursprüngliche 
    Nachricht 
    >                 -------- 
    >                 >         >         Von: CK 
    <testt...@gmail.com> 
    >                 >         >         Datum: 14.08.2015 14:57 
    (GMT 
    >                 +01:00) 
    >                 >         >         An: privacyidea 
    >                 <priva...@googlegroups.com> 
    >                 >         >         Betreff: Using the same 
    TOTP 
    >                 several times in a time 
    >                 >         window 
    >                 >         >         
    >                 >         >         Hi ! I've noticed that 
    in 
    >                 privacyIDEA, using TOTP 
    >                 >         tokens, I 
    >                 >         >         can use one OTP several 
    times if 
    >                 I'm in the same 
    >                 >         time window. 
    >                 >         >         
    >                 >         >         
    >                 >         >         So, is there a solution 
    to fix 
    >                 this ? 
    >                 >         >         
    >                 >         >         
    >                 >         >         
    >                 >         >         
    >                 >         >         Best regards, 
    >                 >         >         
    >                 >         >         
    >                 >         >         CK, 
    >                 >         >         
    >                 >         > 
    >                 >         > 
    >                 >         -- 
    >                 >         Cornelius Kölbel 
    >                 >         corneliu...@netknights.it 
    >                 >         +49 151 2960 1417 
    >                 >         
    >                 >         NetKnights GmbH 
    >                 >         http://www.netknights.it 
    >                 >         Landgraf-Karl-Str. 19, 34131 
    Kassel, 
    >                 Germany 
    >                 >         Tel: +49 561 3166797, Fax: +49 561 
    3166798 
    >                 >         
    >                 >         Amtsgericht Kassel, HRB 16405 
    >                 >         Geschäftsführer: Cornelius Kölbel 
    >                 >         
    >                 >         
    >                 > -- 
    >                 > You received this message because you are 
    subscribed 
    >                 to the Google 
    >                 > Groups "privacyidea" group. 
    >                 > To unsubscribe from this group and stop 
    receiving 
    >                 emails from it, send 
    >                 > an email to 
    privacyidea...@googlegroups.com. 
    >                 > To post to this group, send email to 
    >                 priva...@googlegroups.com. 
    >                 > To view this discussion on the web visit 
    >                 > 
    > 

https://groups.google.com/d/msgid/privacyidea/aa428ada-7f54-414d-9747-db6d82ecdbfc%40googlegroups.com.

    >                 > For more options, visit 
    >                 https://groups.google.com/d/optout. 
    >                 
    >                 -- 
    >                 Cornelius Kölbel 
    >                 corneliu...@netknights.it 
    >                 +49 151 2960 1417 
    >                 
    >                 NetKnights GmbH 
    >                 http://www.netknights.it 
    >                 Landgraf-Karl-Str. 19, 34131 Kassel, 
    Germany 
    >                 Tel: +49 561 3166797, Fax: +49 561 3166798 
    >                 
    >                 Amtsgericht Kassel, HRB 16405 
    >                 Geschäftsführer: Cornelius Kölbel 
    >                 
    >                 
    > -- 
    > You received this message because you are subscribed to the 
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails 
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to 
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    > 

https://groups.google.com/d/msgid/privacyidea/2e0fa40a-be7d-4c3e-991c-4b2a8f7cccee%40googlegroups.com.

    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


You received this message because you are subscribed to the Google
Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/6e478aa6-65dc-4735-914a-b786f525d96a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

Hi CK,

I can not reproduce this.

As a matter of fact there are also several tests to check this:

https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py#L510

https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L102

https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L141

https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L165

Anyway - I am happy to add some more…

Can you please tell, what exactly you are doing?

  • Which Token did you enroll with which parameters
  • how did you authenticate
  • where did you authenticate (directly to the API or to any
    Application?)

Please give as much information as possible.

Kind regards
Cornelius

On Thursday, 20.08.2015, 00:44 -0700, CK wrote:

Hi,

I updated pi to 2.5, but the bug is still there…

Kind regards,

CK

On Friday 14 August 2015 18:48:36 UTC+2, Cornelinux K wrote:
Hi,
I assume you are using 1.5.
This was a bug then.
1.5 is deprecated.
you should use 2.5.

    Kind regards
    Cornelius

    -------- Original message --------
    From: CK <testt...@gmail.com>
    Date: 14.08.2015 14:57 (GMT+01:00)
    To: privacyidea <priva...@googlegroups.com>
    Subject: Using the same TOTP several times in a time window
    
    Hi! I've noticed that in privacyIDEA, using TOTP tokens, I
    can use one OTP several times if I'm in the same time window.

    So, is there a solution to fix this?

    Best regards,

    CK,


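As an added illustration of the replay check that the tests Cornelius links are meant to cover (example code written here, not privacyIDEA's own implementation), this is a minimal RFC 6238 verifier using the token parameters from the thread (SHA-256, 30 s step, 180 s window, 6 digits) that remembers the last accepted time-step counter, so a code accepted once is refused for the rest of its window. The monotonic-counter rule and the demo secret are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Token parameters as stated in the thread.
STEP = 30        # seconds per time step
WINDOW = 180     # seconds of clock drift tolerated on either side
DIGITS = 6

# Constructed demo secret; a real token secret comes from enrollment.
DEMO_SECRET = b"constructed-demo-secret-0123"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation, here over HMAC-SHA256 (RFC 6238 permits it)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """Code for the time step containing the epoch second `now`."""
    return hotp(secret, now // STEP)


class TotpVerifier:
    """Accepts a code anywhere in the window, but never the same counter twice.

    Assumption of this example: the verifier keeps the highest counter it has
    accepted and rejects any match at that counter or below, so a code that
    was accepted once cannot be replayed later in the same window.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest counter already consumed

    def verify(self, otp: str, now: int) -> bool:
        base = now // STEP
        steps = WINDOW // STEP
        for counter in range(base - steps, base + steps + 1):
            if hmac.compare_digest(hotp(self.secret, counter), otp):
                if counter <= self.last_counter:
                    return False  # replay: this counter was already used
                self.last_counter = counter
                return True
        return False


def demo(now: int = 1_440_000_000) -> tuple:
    """First use accepted, replay in the same window refused, next step accepted."""
    v = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, now)
    first = v.verify(code, now)
    replay = v.verify(code, now + 10)          # same code, still the same window
    later = v.verify(totp(DEMO_SECRET, now + STEP), now + STEP)
    return first, replay, later  # -> (True, False, True)
```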