Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1368981
Description of problem: The option --key of ipa otptoken-add is documented to accept the key encoded in Base32. In RHEL 7.2, this input value ended up Base32-encoded in the secret parameter of the displayed otpauth://hotp/ URL and Base64-encoded in the Key output of the ipa otptoken-add --type=hotp --key command and in the ipatokenOTPkey. In RHEL 7.3 nightly, the secret parameter of the otpauth: URL is different and the Key and ipatokenOTPkey show exactly this Base32-encoded string. The result is wrong codes generated by FreeOTP and failing authentication when correct codes are used. Version-Release number of selected component (if applicable): ipa-server-4.4.0-8.el7.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. ipa otptoken-add --type=hotp --key and enter (paste) GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ twice 2. ipa otptoken-find --raw --all Actual results: Key: Enter Key again to verify: ------------------ Added OTP token "" ------------------ Unique ID: 6f780b6a-9771-40bf-afa8-42060ceb7a03 Type: HOTP Owner: admin Manager: admin Key: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ Algorithm: sha1 Digits: 6 Counter: 0 URI: otpauth://hotp/admin@EXAMPLE.TEST:6f780b6a-9771-40bf-afa8-42060ceb7a03?d igits=6&secret=DBDEGGGQKUMY3U2A4JIBQRSDDDIFKGMN2NAOEUA%3D&counter=0&algorithm=S HA1&issuer=admin%40EXAMPLE.TEST [ QR code ] ------------------- 1 OTP token matched ------------------- dn: ipatokenuniqueid=6f780b6a-9771-40bf-afa8-42060ceb7a03,cn=otp,dc=example,dc=test ipatokenuniqueid: 6f780b6a-9771-40bf-afa8-42060ceb7a03 type: HOTP ipatokenowner: uid=admin,cn=users,cn=accounts,dc=example,dc=test managedby: uid=admin,cn=users,cn=accounts,dc=example,dc=test ipatokenHOTPcounter: 0 ipatokenOTPalgorithm: sha1 ipatokenOTPdigits: 6 ipatokenOTPkey: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ objectclass: ipatokenhotp objectclass: ipatoken objectclass: top ---------------------------- Number of entries returned 1 ---------------------------- Expected results: This output comes from RHEL 7.2: [root@cloud-qe-4 ~]# ipa otptoken-add --type=hotp --keyKey: Enter Key again to verify: ------------------ Added OTP token "" ------------------ Unique ID: 7c00bb55-a14b-451b-9f6d-db6885c760e4 Type: HOTP Owner: admin Manager: admin Key: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= Algorithm: sha1 Digits: 6 Counter: 0 URI: otpauth://hotp/admin@EXAMPLE.TEST:7c00bb55-a14b-451b-9f6d-db6885c760e4?d igits=6&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0&algorithm=SHA1&issuer =admin%40EXAMPLE.TEST [ QR code ] ------------------- 1 OTP token matched ------------------- dn: ipatokenuniqueid=7c00bb55-a14b-451b-9f6d-db6885c760e4,cn=otp,dc=example,dc=test ipatokenuniqueid: 7c00bb55-a14b-451b-9f6d-db6885c760e4 type: HOTP ipatokenowner: uid=admin,cn=users,cn=accounts,dc=example,dc=test ipatokenHOTPcounter: 0 ipatokenOTPalgorithm: sha1 ipatokenOTPdigits: 6 ipatokenOTPkey: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= managedby: uid=admin,cn=users,cn=accounts,dc=example,dc=test objectclass: ipatokenhotp objectclass: ipatoken objectclass: top ---------------------------- Number of entries returned 1 ---------------------------- Additional info:
master:
Metadata Update from @pvoborni: - Issue assigned to dkupka - Issue set to the milestone: FreeIPA 4.4.1
Login to comment on this ticket.