#4412 Unable to login to Web UI with HOTP
Closed: Fixed. Opened 9 years ago by edewata.

A user cannot login to the Web UI, or sync, with HOTP token. With TOTP it works just fine.

Steps to reproduce:
1. As admin, create a new user.
2. Enable OTP authentication for this user (disable password authentication).
3. Create an HOTP token.
4. Logout.
5. Login as the new user with password and OTP.

Actual result:
The UI will say "The password or username you entered is incorrect" with no option to reset the password. Syncing the HOTP doesn't work either.

If step #3 is replaced with TOTP it will work (i.e. it will show the reset password screen).

Expected result: Login and sync with HOTP should work.


I am able to reproduce this. It occurs any time the password is expired. I am not able to reproduce it from kinit. SSSD has a similar bug because it attempts to use the OTP twice (which is currently permitted with TOTP, but not HOTP). This seems to me to be a bug in UI code.

This is an issue in rpcserver.py login procedure.

So the problem arises here: https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/rpcserver.py#n948

kinit is called to perform the authentication. If the authentication fails, a bind is performed to determine if the password was expired.

The problem is that the same OTP is used in both steps. The kinit fails, but consumes the OTP. The bind then fails too, because the OTP was already used. Hence, the authentication appears to have failed.

This code is all pretty terrible. It would be much better to get the password expired state from the kinit operation directly. This should be possible since kinit knows about this properly in both the OTP and non-OTP cases. We can do it right now with screen scraping, but this too is fairly hacky (though probably still better than the current method).
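As an added illustration (not code from the ticket or from FreeIPA), the replay behaviour behind this bug modelled in Python with a stdlib HOTP implementation: `HotpValidator`, `TotpValidator`, `buggy_login` and `fixed_login` are constructed names, the secret is the RFC 4226 test vector, and the kinit and LDAP bind steps are simulated rather than calling Kerberos or LDAP.

```python
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret, used here as constructed demo data (not from the ticket).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpValidator:
    """Counter-based: an accepted code advances the counter, so it is never accepted twice."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str, now: float = 0) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume the code
                return True
        return False


class TotpValidator:
    """Time-based (RFC 6238): the counter is the 30 s step, so a code stays valid for the whole step."""
    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step = secret, step

    def verify(self, code: str, now: float = 0) -> bool:
        return hmac.compare_digest(hotp(self.secret, int(now // self.step)), code)


def buggy_login(validator, code: str, now: float = 0, password_expired: bool = True) -> str:
    """The two-step flow from the ticket: kinit consumes the OTP, then an LDAP bind replays it."""
    if validator.verify(code, now) and not password_expired:  # kinit attempt
        return "logged in"
    bind_ok = validator.verify(code, now)  # second use of the same OTP: fails for HOTP
    return "password expired" if bind_ok else "incorrect username or password"


def fixed_login(validator, code: str, now: float = 0, password_expired: bool = True) -> str:
    """Shape of the fix: take the expiry verdict from the single kinit attempt, no second OTP use."""
    if not validator.verify(code, now):
        return "incorrect username or password"
    return "password expired" if password_expired else "logged in"
```

With an expired password, `buggy_login` reports a bad password for HOTP but "password expired" for TOTP, which is exactly the asymmetry the reporter observed.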

After discussion with MIT, we decided the screen scraping approach is neither difficult nor too hacky. I implemented a fix and submitted it:

http://www.redhat.com/archives/freeipa-devel/2014-July/msg00228.html

master:

  • e477130 Fix login password expiration detection with OTP

ipa-4-1:

  • e477130 Fix login password expiration detection with OTP

ipa-4-0:

  • e477130 Fix login password expiration detection with OTP

Spec updated:

master:

  • 53c8efe Update freeipa-server krb5-server dependency to 1.11.5-5

ipa-4-1:

  • 53c8efe Update freeipa-server krb5-server dependency to 1.11.5-5

ipa-4-0:

  • 53c8efe Update freeipa-server krb5-server dependency to 1.11.5-5

Metadata Update from @edewata:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.0.1

7 years ago

