Wrong otp pin

Hi all,

I set up privacyIDEA by installing privacyidea-venv_2.8~dev1-1_amd64.deb in
a Debian 7.9 server. Although certain python dependencies were missing, I
resolved them and got authentication to work. I was experimenting with
various LDAP configurations and Policies before settling to a setup I was
happy with and generally I had no other problems.

It seems however HOTP and TOTP tokens don’t seem to work anymore. Initially
I figured it might have been a policy causing a problem, but now I have
removed all policies and I still get a "wrong otp pin" message.

What I’ve tried which doesn’t work so far:

  • Re-syncing the token
  • Adding and testing a token without assigning it to a realm
  • Changing a token’s PIN
  • Using an LDAP password along with the generated OTP on the "test token"
    field
    (although I don’t think that works even under normal conditions)

I’m out of ideas on making OTPs work again, any clues?

Kind regards,
Aris

Hello Aris,

> Hi all,
>
> I set up privacyIDEA by installing
> privacyidea-venv_2.8~dev1-1_amd64.deb in a Debian 7.9 server. Although
> certain python dependencies were missing, I resolved them and got
> authentication to work.

The mentioned package installs everything in a python virtualenv
at /opt/privacyidea.

What was missing?

> I was experimenting with various LDAP
> configurations and Policies before settling to a setup I was happy
> with and generally I had no other problems.
>
> It seems however HOTP and TOTP tokens don’t seem to work anymore.

What do you mean with “anymore”?
Obviously you changed something.

> Initially I figured it might have been a policy
> causing a problem, but now I have removed all policies and I still get
> a “wrong otp pin” message.

Please check the prepend pin system setting.
Be sure to check the checkbox and “save” the settings.
It might be that you need to append the PIN instead of “prepending” it.

> What I’ve tried which doesn’t work so far:
>
>   • Re-syncing the token

Has nothing to do with OTP PIN.

>   • Adding and testing a token without assigning it to a realm
>   • Changing a token’s PIN

That is the right way to do!

>   • Using an LDAP password along with the generated OTP on the “test
>     token” field
>     (although I don’t think that works even under normal conditions)

This would work, if you set otppin=userstore.

> I’m out of ideas on making OTPs work again, any clues?

My guess would be the prepend thing.

Kind regards
Cornelius

On Monday, 23.11.2015, at 10:17 -0800, Aris Lambrianidis wrote:

Kind regards,
Aris

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/978ca792-9885-4a02-aec2-46717aec0f13%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
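
Added example, not part of the original thread and not privacyIDEA's own code: a minimal sketch of how a server splits the single passcode field into PIN and OTP depending on the prepend-PIN setting discussed above, and why entering them in the other order ends in "wrong otp pin". The secret is the RFC 4226 test key; the PIN 1234, the function names and the "ok" / "wrong otp value" result strings are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

OTP_LEN = 6
SECRET = b"12345678901234567890"   # RFC 4226 test key, not a real token seed
PIN = "1234"                       # constructed sample PIN


def hotp(secret: bytes, counter: int, digits: int = OTP_LEN) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_passcode(passcode: str, prepend_pin: bool, otp_len: int = OTP_LEN):
    """Split the typed passcode into (pin, otp) according to the setting."""
    if prepend_pin:                                  # PIN first, OTP last
        return passcode[:-otp_len], passcode[-otp_len:]
    return passcode[otp_len:], passcode[:otp_len]    # OTP first, PIN last


def check(passcode: str, prepend_pin: bool, counter: int = 0, window: int = 10) -> str:
    """Check the PIN first, then the OTP inside a look-ahead window."""
    got_pin, got_otp = split_passcode(passcode, prepend_pin)
    if not hmac.compare_digest(got_pin.encode(), PIN.encode()):
        return "wrong otp pin"           # message quoted in the thread
    for c in range(counter, counter + window):
        if hmac.compare_digest(got_otp.encode(), hotp(SECRET, c).encode()):
            return "ok"                  # hypothetical success string
    return "wrong otp value"             # hypothetical failure string


if __name__ == "__main__":
    otp = hotp(SECRET, 0)
    for typed in (PIN + otp, otp + PIN):
        for prepend in (True, False):
            print(f"typed={typed} prepend_pin={prepend}: {check(typed, prepend)}")
```

A correct PIN and a correct OTP typed in the order the setting does not expect are cut at the wrong position, so the PIN comparison fails before the OTP is ever evaluated.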


Cornelius Kölbel wrote:

> The mentioned package installs everything in a python virtualenv
> at /opt/privacyidea.
>
> What was missing?

Let me get something out of the way: I don’t have extensive experience with
python virtual environments. Perhaps I missed something in documentation,
although I generally RTFM. I would expect the .deb package to install
all necessary dependencies or at least complain about the lack of them.

Is the .deb package simply a “wrapper” package for the virtualenv
directory which you then have to activate per the virtualenv instructions
found on the privacyIDEA website? If so, that would be a departure from the
“plug and play” nature that I’m typically used to with Debian packages.

Disclaimers aside, when installing the package and integrating it with my
Freeradius 2.2/Apache installation, I saw errors in
/var/log/privacyidea/privacyidea.log that were resolved by installing
the appropriate modules, for instance:

[2015-11-23 17:40:27,587][15513][140002536118016][INFO][privacyidea.lib.stats:158] 'module' object has no attribute 'pyplot'

…led me to install matplotlib

I’ll have to reinstall from scratch to be able to provide logs for the rest,
as it looks like they were truncated.

> What do you mean with “anymore”? Obviously you changed something.

That might have been one of the cases. I would be more specific if I had
more data.
Is there accounting for administrative actions of any sort so there is
a trace?

Another possibility could be something modified in the environment,
or other administrators tampering with the setup.

>> Initially I figured it might have been a policy
>> causing a problem, but now I have removed all policies and I still get
>> a “wrong otp pin” message.
>
> Please check the prepend pin system setting.
> Be sure to check the checkbox and “save” the settings.
> It might be that you need to append the PIN instead of “prepending” it.

That seems to be it, indeed. If you would ask me, I’d tell you I didn’t
change that setting, not that I remember at least. The one thing
that I know I changed (and reverted back) at that page is
“Automatic resync during authentication”.

It would be of great help if the default message in the “Test Token” field
would change its text appropriately to “Enter PIN and OTP to check the
token” or “Enter OTP and PIN to check the token”, depending on that setting,
if possible…

> My guess would be the prepend thing.
>
> Kind regards
> Cornelius

Your guess was indeed correct, many thanks for the fast reply!

Kind regards,
Aris

Hello Aris,

yes. The debian package wraps everything in the python virtualenv.
This is due to the fact that all dependencies on the current debian
release are … old.

However, chances are good that privacyIDEA will be in the next debian
release.

Thanks for your request on adapting the label of the test-token-field
according to the prepend-pin-setting.
I will put an issue on github.

Kind regards
Cornelius

On Tuesday, 24.11.2015, at 01:13 +0100, Aris Lambrianidis wrote:

Kind regards,
Aris

