
Re: OTP broken?



On Sat, 7 Nov 2015 13:29:25 +0100
Dieter Klünter <dieter@dkluenter.de> wrote:

> On Sat, 7 Nov 2015 01:04:57 +0000
> Howard Chu <hyc@symas.com> wrote:
> 
> > Dieter Klünter wrote:
> > > On Fri, 6 Nov 2015 08:55:34 +0000
> > > Emmanuel Dreyfus <manu@netbsd.org> wrote:
> > >
> > >> Hello
> > >>
> > >> It seems OTP was broken at some time, I wonder if it is just me
> > >> (and why), or if it is more general. I have a user with:
> > >> cmusaslsecretOTP: sha1    0499    se2124  xxxxxxxxxxxxxxxx
> > >> 00000000
> > >>
> > >> slapd.conf contains:
> > >> access to dn.regex="^uid=.+,dc=example,dc=net$"
> > >> attrs=cmusaslsecretOTP by anonymous auth stop
> > >>      by self write stop
> > >>      by * none stop
> > >>
> > >> I try:
> > >> $ ldapwhoami -Y OTP -X dn:${user_dn}
> > >> SASL/OTP authentication started
> > >> (delay)
> > >> ldap_sasl_interactive_bind_s: Server is unavailable (52)
> > >>          additional info: SASL(-8): transient failure (e.g., weak
> > >> key): simultaneous OTP authentications not permitted
> > >>
> > >> This is:
> > >> OpenLDAP 2.4.42
> > >> Cyrus SASL 2.1.26
> > >
> > > If you are referring to sasl-OTP, which requires opiekey, this is
> > > still working,
> > >
> > > https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
> > >
> > > On the other hand, there is a time-based OTP module in
> > > contrib/slapd-modules/passwd/totp which is broken, although I use
> > > Google Authenticator and alternatively Sophos Authenticator.
> > 
> > The passwd/totp module is a slapd password-hash mechanism and has
> > nothing to do with SASL. It also works perfectly with Google
> > Authenticator, what makes you say it's broken?
> > 
> 
> I am not claiming the totp module to be a SASL Mechanism.
> 
> 1. compiled pw-totp
> 2. installed pw-totp.la and pw-totp.so.0.0.0
> 3. included pw-totp.la in slapd.conf
> 4. added password-hash {TOTP1}

4.1 forgot to mention that I have added an overlay declaration
    overlay totp
    which happens to be the first overlay, followed by memberOf

> 5. created a user
> 
> dn: cn=test1 example,o=Test
> sn: example
> objectClass: inetOrgPerson
> cn: test1 example
> givenName: test1
> 
> 6. added credentials by ldappasswd
>    userPassword:: e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
> 8. added credentials to Google Authenticator and Sophos Authenticator
> 9. run ./ldapwhoami -D "cn=test1 example,o=Test" -W -H
>     ldap://localhost:9007 
> 10. entered the number string from an authenticator
> 11. result: ldap_bind: Invalid credentials (49)


> 
> You may test yourself, based on my credentials.




-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
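As an added example (not code from this thread and not OpenLDAP's pw-totp module itself), the Python below decodes a `userPassword::` LDIF value of the `{TOTP1}` form used in step 6, derives the RFC 6238 code an authenticator would show for the stored key, and checks a submitted code against a clock-skew window, which is the kind of check that narrows a step 11 "Invalid credentials" down to the stored key, the time step or clock drift. It assumes `{TOTP1}` means HMAC-SHA1 over a base32 key with a 30-second step and 6 digits; the sample key is the RFC 6238 test key, constructed here rather than taken from the thread, and the skew window is a defender's check, not a description of the module's own behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample (RFC 6238 test key), stored the way the thread shows it:
# LDIF "userPassword::" = base64 of "{TOTP1}" + base32(key).  Assumed format.
SAMPLE_KEY = b"12345678901234567890"
SAMPLE_USERPASSWORD_B64 = base64.b64encode(
    b"{TOTP1}" + base64.b32encode(SAMPLE_KEY)).decode()


def parse_totp1(userpassword_b64: str) -> bytes:
    """Decode an LDIF 'userPassword::' value and return the raw {TOTP1} key."""
    stored = base64.b64decode(userpassword_b64)
    scheme, _, key_b32 = stored.partition(b"}")
    if scheme != b"{TOTP1":
        raise ValueError("not a {TOTP1} value: %r" % stored[:12])
    key_b32 += b"=" * (-len(key_b32) % 8)   # re-pad if stored unpadded
    return base64.b32decode(key_b32)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code an authenticator shows at unix_time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(key: bytes, submitted: str, unix_time: int,
           step: int = 30, skew_steps: int = 1) -> bool:
    """Server-side check: accept the code for the current step or any of the
    +/- skew_steps neighbouring steps, comparing in constant time."""
    return any(
        hmac.compare_digest(totp(key, unix_time + d * step, step), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    key = parse_totp1(SAMPLE_USERPASSWORD_B64)
    print("stored key matches sample:", key == SAMPLE_KEY)
    print("RFC 6238 vector at T=1111111109:", totp(key, 1111111109))  # 081804
    print("code an authenticator would show now:", totp(key, int(time.time())))
```

If the code printed for "now" differs from what Google Authenticator or Sophos Authenticator shows for the same imported key, the key bytes or the clock on one side differ, which is a cheaper thing to rule out than the module's bind path.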