Hi! I've noticed that in privacyIDEA, using TOTP tokens, I can use one OTP
several times if I'm in the same time window.
So, is there a solution to fix this?
Best regards,
CK
Hi,
So here is my config:
I have a Prosody server (XMPP) and an XMPP client (Pidgin), and what I'm
doing is that I want to authenticate users registered in an LDAP to the
Prosody server.
So, in PI, I have one LDAP resolver which works well. Then, I assigned a
TOTP token to a user of this LDAP.
I also have installed Cyrus SASL, which is linked to the Prosody server and
configured it to use the PAM mechanism, so when I try to authenticate with my
XMPP client, it will wait for an OTP (because it uses the pam_python script
of PI to authenticate).
Prosody is configured to use SASL authentication.
Token parameters: TOTP SHA-256, timeStep: 30 seconds, timeWindow: 180,
OTP length: 6
Kind regards,
Karim
On Thursday, 20 August 2015 09:55:36 UTC+2, Cornelinux K wrote:
Hi CK,
I cannot reproduce this.
As a matter of fact there are also several tests to check this:
https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py#L510
https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L102
https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L141
https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L165
Anyway - I am happy to add some more…
Can you please tell what exactly you are doing?
- Which token did you enroll with which parameters
- how did you authenticate
- where did you authenticate (directly to the API or to any application?)
Please give as much information as possible.
Kind regards
Cornelius
Cyrus SASL, in /etc/default/saslauthd, initially had OPTIONS=" -c -m
/var/run/saslauthd", so I removed the "-c" (option to enable credentials
caching) and then it works well now! (And I've all the auth requests in
the Audit log (first time: matching 1 token and then wrong otp value).)
On Thursday, 20 August 2015 14:16:22 UTC+2, Cornelinux K wrote:
…so what was it?
Kind regards
Cornelius
On Thursday, 20.08.2015, 05:02 -0700, CK wrote:
Problem solved!!
Thanks a lot for your help
Kind regards,
Karim
And you are entering the OTP into pidgin?
So the workflow is like this:
- enter OTP into pidgin
- pidgin transfers OTP to prosody
- transfers OTP to cyrus sasl
- transfers OTP to PAM
- transfers OTP to privacyIDEA
My guess is that some component (my wild guess would be cyrus sasl)
will cache the authentication result, so that the second auth request
with the same OTP does not even reach the privacyIDEA server.
Please check:
1. Can you authenticate with the same OTP twice to the privacyIDEA
server using
https://yourOTPserver/validate/check?user=....&pass=...otp…
2. Can you see the second authentication request in the Audit log on the
privacyIDEA server?
3. Check the log files of prosody and pam.
Thanks a lot and kind regards
Cornelius
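The chain Cornelius sketches (pidgin, prosody, cyrus sasl, PAM, privacyIDEA) and the root cause Karim found (the saslauthd "-c" credential cache) can be shown end to end in a few lines. The following is an added example, not code from privacyIDEA, saslauthd or anyone in this thread: a minimal RFC 6238 TOTP verifier (SHA-256, 6 digits, as in the token parameters above) that remembers the last consumed time step so one OTP value is accepted only once, and a simulated relay in front of it that caches the result for a (user, password) pair for a TTL, the way saslauthd does with "-c". The secret, the user name, the fixed timestamp and the TTL are constructed values, and reading the 180-second timeWindow as plus or minus 180 seconds around "now" is an assumption made here.

```python
# Added example: a TOTP verifier with replay protection plus a simulated
# caching relay. Not code from privacyIDEA, saslauthd or anyone in this thread.
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha256) -> str:
    """RFC 4226 HOTP with a selectable HMAC hash (the thread's token is SHA-256, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """RFC 6238 TOTP check that remembers the highest time step already
    consumed, so one OTP value is accepted at most once even though the
    accept window spans several steps."""

    def __init__(self, secret: bytes, time_step: int = 30, window_seconds: int = 180, digits: int = 6):
        self.secret = secret
        self.time_step = time_step
        # Assumption: the thread's timeWindow of 180 is read as +/-180 s around "now".
        self.steps = window_seconds // time_step
        self.digits = digits
        self.last_counter = -1  # highest step that has produced a successful login

    def check(self, otp: str, now: float) -> bool:
        current = int(now // self.time_step)
        for counter in range(current - self.steps, current + self.steps + 1):
            if counter <= self.last_counter:
                continue  # replay protection: this step (or an earlier one) is spent
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), otp):
                self.last_counter = counter
                return True
        return False


class CachingRelay:
    """Stands in for the saslauthd hop. With cache_ttl set it remembers the
    result for a (user, password) pair, like saslauthd's "-c" option; a
    repeated OTP is then answered from the cache and never reaches the
    verifier, so the replay check above cannot fire. cache_ttl=None models
    the thread's fix of removing "-c"."""

    def __init__(self, verifier: TotpVerifier, cache_ttl: Optional[float]):
        self.verifier = verifier
        self.cache_ttl = cache_ttl
        self._cache: Dict[Tuple[str, str], Tuple[bool, float]] = {}
        self.backend_audit: List[Tuple[str, bool]] = []  # what the verifier actually saw

    def authenticate(self, user: str, otp: str, now: float) -> bool:
        key = (user, otp)
        if self.cache_ttl is not None and key in self._cache:
            result, stored_at = self._cache[key]
            if now - stored_at < self.cache_ttl:
                return result  # served from cache: no audit entry on the backend
        result = self.verifier.check(otp, now)
        self.backend_audit.append((user, result))
        if self.cache_ttl is not None:
            self._cache[key] = (result, now)
        return result


def replay_same_otp(cache_ttl: Optional[float]) -> Tuple[bool, bool, int]:
    """Log in twice with the same OTP inside one 30 s step and report
    (first result, second result, number of requests the verifier saw)."""
    secret = b"constructed demo secret, not a real token seed"  # constructed value
    relay = CachingRelay(TotpVerifier(secret), cache_ttl)
    now = 1_440_072_000.0  # constructed fixed instant so the run is reproducible
    otp = hotp(secret, int(now // 30))
    first = relay.authenticate("karim", otp, now)
    second = relay.authenticate("karim", otp, now + 5.0)  # same OTP, same time step
    return first, second, len(relay.backend_audit)


if __name__ == "__main__":
    # Cache disabled ("-c" removed): the reuse is rejected and both attempts are audited.
    print("no cache:   ", replay_same_otp(None))   # (True, False, 2)
    # Cache enabled: the replay is accepted from the cache and the backend sees only one request.
    print("cached 600s:", replay_same_otp(600.0))  # (True, True, 1)
```

The two runs reproduce the two observations in the thread: against the verifier alone the second use is refused and both attempts show up in its audit (one match, one wrong OTP), while with a caching hop in front the second attempt is answered from the cache and the backend records only one request. That is why Cornelius's first check, sending the same OTP twice straight to /validate/check, separates the layers: it talks to the verifier without any cache in between.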
Hi,
So I cannot authenticate twice with the same OTP using the test URL of PI.
When I logged in two times in Pidgin, I saw the auth request 1 time in the
Audit log.
So I think you're right, the issue comes from Cyrus SASL. I'm trying to
find how to disable the cache of credentials to fix this.
Kind regards,
Karim
Problem solved!!
Thanks a lot for your help
Kind regards,
Karim
The certificate of the privacyIDEA server must be issued by a trusted
root authority.
Kind regards
Cornelius
On Thursday, 20.08.2015, 05:50 -0700, CK wrote:
And just one question quickly: until now, I've worked with the
"nosslverify" option in the PAM configuration, but now I disabled it, and
so I have this in auth.log:

saslauthd: Traceback (most recent call last):#012 File
"/lib/x86_64-linux-gnu/security/privacyidea_pam.py", line 100, in
pam_sm_authenticate#012 verify=sslverify)#012 File
"/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in
post#012 return request('post', url, data=data, **kwargs)#012 File
"/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in
request#012 return session.request(method=method, url=url,
**kwargs)#012 File
"/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in
request#012 resp = self.send(prep, **send_kwargs)#012 File
"/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in
send#012 r = adapter.send(request, **kwargs)#012 File
"/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in
send#012 raise SSLError(e)#012SSLError: [Errno 1] _ssl.c:510:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed

The certificate to use is the one of the privacyIDEA server, right?
Karim
On Thursday, 20 August 2015 14:29:13 UTC+2, CK wrote:
Thanks for your help! (privacyIDEA is a really nice authentication server solution!)
Kind regards,
Karim
On Thursday, 20 August 2015 14:27:32 UTC+2, Cornelinux K wrote:
Cool. Thanks!
Cornelius
–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/5c81775c-aace-47b3-8e3e-6a0cf3aee08b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Hi,
I updated pi to 2.5, but the bug is still there…
Kind regards,
CK
On Friday 14 August 2015 18:48:36 UTC+2, Cornelinux K wrote:
Hi,
I assume you are using 1.5.
This was a bug then.
1.5 is deprecated.
You should use 2.5.
Kind regards
Cornelius
-------- Original Message --------
From: CK <testt…@gmail.com>
Date: 14.08.2015 14:57 (GMT+01:00)
To: privacyidea <priva…@googlegroups.com>
Subject: Using the same TOTP several times in a time window
Hi! I’ve noticed that in privacyIDEA, using TOTP tokens, I can use one OTP several times if I’m in the same time window.
So, is there a solution to fix this?
Best regards,
CK,
Cool. Thanks!
Cornelius
On Thursday, 20.08.2015, 05:23 -0700, CK wrote:
Cyrus SASL: in /etc/default/saslauthd, initially OPTIONS=" -c -m /var/run/saslauthd", so I removed the "-c" (the option that enables credential caching) and now it works well! (And I have all the auth requests in the Audit log: first time "matching 1 token" and then "wrong otp value".)
Okay thanks a lot.
Kind regards,
Karim
On Thursday 20 August 2015 15:02:47 UTC+2, Cornelinux K wrote:
The certificate of the privacyIDEA server must be issued by a trusted root authority.
Kind regards
Cornelius
On Thursday, 20.08.2015, 05:50 -0700, CK wrote:
And just one question quickly: until now I’ve worked with the "nosslverify" option in the PAM configuration, but now I disabled it, and so I have this in auth.log:
saslauthd: Traceback (most recent call last):#012 File "/lib/x86_64-linux-gnu/security/privacyidea_pam.py", line 100, in pam_sm_authenticate#012 verify=sslverify)#012 File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post#012 return request('post', url, data=data, **kwargs)#012 File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request#012 return session.request(method=method, url=url, **kwargs)#012 File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request#012 resp = self.send(prep, **send_kwargs)#012 File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send#012 r = adapter.send(request, **kwargs)#012 File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send#012 raise SSLError(e)#012SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The certificate to use is the one of the privacyidea server, right?
Karim
…so what was it?
Kind regards
CorneliusAm Donnerstag, den 20.08.2015, 05:02 -0700 schrieb CK:
Problem solved !!
Thanks a lot for your help
Kind regards,
Karim
Le jeudi 20 août 2015 12:21:42 UTC+2, CK a écrit :
Hi,
So I can not authenticate twice with the same OTP using the
test url of PI.
When I logged two times in Pidgin, I saw the auth request 1
time in the Audit log.
So I think you're right, the issue comes from Cyrus sasl. I'm trying to find how to disable cache of credentials to fix this.
Kind regards,
Karim

On Thursday, 20 August 2015 11:29:39 UTC+2, Cornelinux K wrote:
And you are entering the OTP into pidgin?
So the workflow is like this:
* enter OTP into pidgin
* pidgin transfers OTP to prosody
* transfers OTP to cyrus sasl
* transfers OTP to PAM
* transfers OTP to privacyIDEA
My guess is, that some component (my wild guess would be cyrus sasl) will cache the authentication result, so that the second auth request with the same OTP does not even reach the privacyIDEA server.
Please check:
1. Can you authenticate with the same OTP twice to the privacyIDEA server using https://yourOTPserver/validate/check?user=....&pass=...otp...
2. Can you see the second authentication request in the Audit log on the privacyIDEA server?
3. check the log files of prosody and pam.
Thanks a lot and kind regards
Cornelius

On Thursday, 20.08.2015, 01:30 -0700, CK wrote:
–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/2e0fa40a-be7d-4c3e-991c-4b2a8f7cccee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Thanks for your help ! (PrivacyIdea is a really nice one authentication server solution !)
Kind regards,
Karim

On Thursday, 20 August 2015 14:27:32 UTC+2, Cornelinux K wrote:
Cool. Thanks!
Cornelius

On Thursday, 20.08.2015, 05:23 -0700, CK wrote:
Cyrus sasl, in the /etc/default/saslauthd, initially, OPTIONS=" -c -m /var/run/saslauthd" so I removed the "-c" (option to enable credentials caching) and then it works well now ! (And I've all the auth requests in the Audit log (first time : matching 1 token and then wrong otp value)

On Thursday, 20 August 2015 14:16:22 UTC+2, Cornelinux K wrote:
…so what was it?
Kind regards
Cornelius

On Thursday, 20.08.2015, 05:02 -0700, CK wrote:
> Problem solved !!
> Thanks a lot for your help ;-)
> Kind regards,
> Karim
>
> On Thursday, 20 August 2015 12:21:42 UTC+2, CK wrote:
Hi CK,
I can not reproduce this.
As a matter of fact there are also several tests to check this:
https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py#L510
https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L102
https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L141
https://github.com/privacyidea/privacyidea/blob/master/tests/test_api_validate.py#L165
Anyway - I am happy to add some more…
Can you please tell, what exactly you are doing?
* Which Token did you enroll with which parameters
* how did you authenticate
* where did you authenticate (directly to the API or to any Application?)
Please give as much information as possible.
Kind regards
Cornelius

On Thursday, 20.08.2015, 00:44 -0700, CK wrote:
Hi,
I updated pi to 2.5, but the bug is still there…
Kind regards,
CK

On Friday, 14 August 2015 18:48:36 UTC+2, Cornelinux K wrote:
Hi,
I assume you are using 1.5.
This was a bug then.
1.5 is deprecated.
you should use 2.5.
Kind regards
Cornelius

-------- Original message --------
From: CK <testt...@gmail.com>
Date: 14.08.2015 14:57 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Using the same TOTP several times in a time window

Hi ! I've noticed that in privacyIDEA, using TOTP tokens, I can use one OTP several times if I'm in the same time window.
So, is there a solution to fix this ?
Best regards,
CK,
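The two things the thread establishes, that privacyIDEA itself refuses a reused TOTP value and that a credential cache in front of it (saslauthd started with -c) answers the second login without ever asking the server, can be reproduced offline. The Python below is an added example, not code from the thread or from privacyIDEA: an RFC 6238 TOTP verifier that remembers the last consumed time step, sitting behind a simulated cache. The secret, user name, fixed clock and audit strings are constructed, and the cache model (a set keyed on user and password, no expiry) is an assumption standing in for saslauthd's behaviour, not its real implementation.

```python
"""Added example, not code from the thread or from privacyIDEA.

A TOTP verifier that refuses a reused OTP, and a credential cache in front
of it (standing in for `saslauthd -c`) that answers the replay itself, so
the verifier never sees the second request and its audit log shows only one.
"""
import hashlib
import hmac
import struct
import time

# Constructed demo values (assumptions, not from the thread).
DEMO_SECRET = b"constructed-demo-seed-0123456789"
DEMO_USER = "karim"
DEMO_NOW = 1_440_000_000.0     # fixed clock so results are reproducible

TIME_STEP = 30                 # seconds, as the token on the page
OTP_LENGTH = 6                 # digits, as the token on the page
WINDOW_STEPS = 3               # +/- 3 steps = 180 s, the page's timeWindow


def totp_at(secret: bytes, step: int) -> str:
    """RFC 6238 TOTP value for one time-step counter, HMAC-SHA256 like the token."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_LENGTH).zfill(OTP_LENGTH)


class TotpVerifier:
    """Accepts an OTP once: it must match a step inside the window and that
    step must be newer than the last step already consumed (replay protection)."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_used_step = -1
        self.audit = []   # (otp, result) pairs; stands in for the Audit log

    def check(self, otp: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        current = int(now // TIME_STEP)
        accepted = False
        for step in range(current - WINDOW_STEPS, current + WINDOW_STEPS + 1):
            if step <= self.last_used_step:
                continue   # this step (or an older one) was consumed: a reuse
            if hmac.compare_digest(totp_at(self.secret, step), otp):
                self.last_used_step = step
                accepted = True
                break
        self.audit.append((otp, "matching 1 tokens" if accepted else "wrong otp value"))
        return accepted


class CachingAuthFront:
    """Models a credential cache such as saslauthd's -c (assumption, not its
    real code): a user/password pair that succeeded once is answered from the
    cache, so the backend never sees the second request. Expiry is omitted."""

    def __init__(self, backend: TotpVerifier, cache_enabled: bool) -> None:
        self.backend = backend
        self.cache_enabled = cache_enabled
        self.cache = set()

    def authenticate(self, user: str, password: str, now: float = None) -> bool:
        key = (user, password)
        if self.cache_enabled and key in self.cache:
            return True                       # cache hit: backend not consulted
        ok = self.backend.check(password, now)
        if ok and self.cache_enabled:
            self.cache.add(key)
        return ok


def replay_scenario(cache_enabled: bool):
    """Log in twice with the same OTP inside one 30 s step.
    Returns (first_result, second_result, requests_seen_by_verifier)."""
    verifier = TotpVerifier(DEMO_SECRET)
    front = CachingAuthFront(verifier, cache_enabled)
    otp = totp_at(DEMO_SECRET, int(DEMO_NOW // TIME_STEP))
    first = front.authenticate(DEMO_USER, otp, DEMO_NOW)
    second = front.authenticate(DEMO_USER, otp, DEMO_NOW + 5)
    return first, second, len(verifier.audit)


def next_step_scenario():
    """After a step is consumed, its value is dead but the next step still works once."""
    verifier = TotpVerifier(DEMO_SECRET)
    step = int(DEMO_NOW // TIME_STEP)
    used = verifier.check(totp_at(DEMO_SECRET, step), DEMO_NOW)
    replay = verifier.check(totp_at(DEMO_SECRET, step), DEMO_NOW + 5)
    fresh = verifier.check(totp_at(DEMO_SECRET, step + 1), DEMO_NOW + TIME_STEP)
    return used, replay, fresh


if __name__ == "__main__":
    print("with -c style cache   :", replay_scenario(True))    # (True, True, 1)
    print("without cache         :", replay_scenario(False))   # (True, False, 2)
    print("next step after reuse :", next_step_scenario())     # (True, False, True)
```

The third value returned by replay_scenario is the same signal Cornelius asked Karim to look for: with the cache in front, the verifier's audit shows a single request and the replay is accepted by the cache; without it, the audit shows two requests, the second one "wrong otp value", exactly what Karim saw after dropping -c.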