Discussion:
OTP broken?
Emmanuel Dreyfus
2015-11-06 08:55:34 UTC
Permalink
Content preview: Hello It seems OTP was broken at some time, I wonder if it
is just me (and why), or if it is more genral. I have a user with: cmusaslsecretOTP:
sha1 0499 se2124 xxxxxxxxxxxxxxxx 00000000 slapd.conf contains: access to
dn.regex="^uid=.+,dc=example,dc=net$" attrs=cmusaslsecretOTP by anonymous
auth stop by self write stop by * none stop [...]

Content analysis details: (-4.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[149.20.53.66 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: netbsd.org]
0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Hello

It seems OTP was broken at some time, I wonder if it is just me (and why),
or if it is more genral. I have a user with:
cmusaslsecretOTP: sha1 0499 se2124 xxxxxxxxxxxxxxxx 00000000

slapd.conf contains:
access to dn.regex="^uid=.+,dc=example,dc=net$" attrs=cmusaslsecretOTP
by anonymous auth stop
by self write stop
by * none stop

I try:
$ ldapwhomai -Y OTP -X dn:${user_dn}
SASL/OTP authentication started
(delay)
ldap_sasl_interactive_bind_s: Server is unavailable (52)
additional info: SASL(-8): transient failure (e.g., weak key): simultaneous OTP authentications not permitted

This is:
OpenLDAP 2.4.42
Cyrusl SASL 2.1.26

While there, this uses sha1. Is there some new specs about doing
it with sha256? Patching cyrus-sasl to add a new hashing algorithme
is just a one liner.
--
Emmanuel Dreyfus
***@netbsd.org
Quanah Gibson-Mount
2015-11-06 16:27:02 UTC
Permalink
Content preview: --On Friday, November 06, 2015 8:55 AM +0000 Emmanuel Dreyfus
<***@netbsd.org> wrote: > While there, this uses sha1. Is there some new
specs about doing > it with sha256? Patching cyrus-sasl to add a new hashing
algorithme > is just a one liner. [...]

Content analysis details: (-4.3 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[162.209.122.174 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: netbsd.org]
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

--On Friday, November 06, 2015 8:55 AM +0000 Emmanuel Dreyfus
Post by Emmanuel Dreyfus
While there, this uses sha1. Is there some new specs about doing
it with sha256? Patching cyrus-sasl to add a new hashing algorithme
is just a one liner.
This bit at least, would be a question to ask the cyrus-sasl folks. ;) Who
have promised the project isn't dead.

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Emmanuel Dreyfus
2015-11-06 20:26:59 UTC
Permalink
Content preview: Quanah Gibson-Mount <***@zimbra.com> wrote: > > While there,
this uses sha1. Is there some new specs about doing > > it with sha256? Patching
cyrus-sasl to add a new hashing algorithme > > is just a one liner. > > This
bit at least, would be a question to ask the cyrus-sasl folks. ;) Who > have
promised the project isn't dead. [...]

Content analysis details: (-2.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[193.54.82.9 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: netbsd.org]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Post by Quanah Gibson-Mount
Post by Emmanuel Dreyfus
While there, this uses sha1. Is there some new specs about doing
it with sha256? Patching cyrus-sasl to add a new hashing algorithme
is just a one liner.
This bit at least, would be a question to ask the cyrus-sasl folks. ;) Who
have promised the project isn't dead.
I will submit my patch once I will have OTP working again with OpenLDAP:
I cannot test anything right now.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
***@netbsd.org
Dieter Klünter
2015-11-06 21:53:10 UTC
Permalink
Content preview: Am Fri, 6 Nov 2015 08:55:34 +0000 schrieb Emmanuel Dreyfus
cmusaslsecretOTP: sha1 0499 se2124 xxxxxxxxxxxxxxxx > 00000000 > > slapd.conf
contains: > access to dn.regex="^uid=.+,dc=example,dc=net$" attrs=cmusaslsecretOTP
$ ldapwhomai -Y OTP -X dn:${user_dn} > SASL/OTP authentication started
(delay) > ldap_sasl_interactive_bind_s: Server is unavailable (52) > additional
info: SASL(-8): transient failure (e.g., weak > key): simultaneous OTP authentications
not permitted > > This is: > OpenLDAP 2.4.42 > Cyrusl SASL 2.1.26 [...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: sys4.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Am Fri, 6 Nov 2015 08:55:34 +0000
Hello
It seems OTP was broken at some time, I wonder if it is just me (and
cmusaslsecretOTP: sha1 0499 se2124 xxxxxxxxxxxxxxxx
00000000
access to dn.regex="^uid=.+,dc=example,dc=net$" attrs=cmusaslsecretOTP
by anonymous auth stop
by self write stop
by * none stop
$ ldapwhomai -Y OTP -X dn:${user_dn}
SASL/OTP authentication started
(delay)
ldap_sasl_interactive_bind_s: Server is unavailable (52)
additional info: SASL(-8): transient failure (e.g., weak
key): simultaneous OTP authentications not permitted
OpenLDAP 2.4.42
Cyrusl SASL 2.1.26
If you are referring to sasl-OTP, which requires opiekey, this is still
working,

https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/

On the other hand, there is a Time based OTP module in
contrib/slapd-modules/passwd/otpt which is broken, although i use
google authenticator and alternatively sophos authenticator.

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Howard Chu
2015-11-07 01:04:57 UTC
Permalink
Content preview: Dieter Klünter wrote: > Am Fri, 6 Nov 2015 08:55:34 +0000
was broken at some time, I wonder if it is just me (and >> why), or if it
is more genral. I have a user with: >> cmusaslsecretOTP: sha1 0499 se2124
xxxxxxxxxxxxxxxx >> 00000000 >> >> slapd.conf contains: >> access to dn.regex="^uid=.+,dc=example,dc=net$"
attrs=cmusaslsecretOTP >> by anonymous auth stop >> by self write stop >>
by * none stop >> >> I try: >> $ ldapwhomai -Y OTP -X dn:${user_dn} >> SASL/OTP
authentication started >> (delay) >> ldap_sasl_interactive_bind_s: Server
is unavailable (52) >> additional info: SASL(-8): transient failure (e.g.,
Post by Dieter Klünter
OpenLDAP 2.4.42 >> Cyrusl SASL 2.1.26 > > If you are referring to sasl-OTP,
which requires opiekey, this is still > working, > > https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
Post by Dieter Klünter
On the other hand, there is a Time based OTP module in > contrib/slapd-modules/passwd/otpt
which is broken, although i use > google authenticator and alternatively
sophos authenticator. [...]

Content analysis details: (-4.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: openldap.org]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[69.43.206.106 listed in list.dnswl.org]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -4.2 (----)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Dieter Klünter wrote: > Am Fri, 6 Nov 2015 08:55:34 +0000
was broken at some time, I wonder if it is just me (and >> why), or if it
is more genral. I have a user with: >> cmusaslsecretOTP: sha1 0499 se2124
xxxxxxxxxxxxxxxx >> 00000000 >> >> slapd.conf contains: >> access to dn.regex="^uid=.+,dc=example,dc=net$"
attrs=cmusaslsecretOTP >> by anonymous auth stop >> by self write stop >>
by * none stop >> >> I try: >> $ ldapwhomai -Y OTP -X dn:${user_dn} >> SASL/OTP
authentication started >> (delay) >> ldap_sasl_interactive_bind_s: Server
is unavailable (52) >> additional info: SASL(-8): transient failure (e.g.,
Post by Dieter Klünter
OpenLDAP 2.4.42 >> Cyrusl SASL 2.1.26 > > If you are referring to sasl-OTP,
which requires opiekey, this is still > working, > > https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
Post by Dieter Klünter
On the other hand, there is a Time based OTP module in > contrib/slapd-modules/passwd/otpt
which is broken, although i use > google authenticator and alternatively
sophos authenticator. [...]

Content analysis details: (-4.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[69.43.206.106 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: netbsd.org]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Post by Dieter Klünter
Am Fri, 6 Nov 2015 08:55:34 +0000
Hello
It seems OTP was broken at some time, I wonder if it is just me (and
cmusaslsecretOTP: sha1 0499 se2124 xxxxxxxxxxxxxxxx
00000000
access to dn.regex="^uid=.+,dc=example,dc=net$" attrs=cmusaslsecretOTP
by anonymous auth stop
by self write stop
by * none stop
$ ldapwhomai -Y OTP -X dn:${user_dn}
SASL/OTP authentication started
(delay)
ldap_sasl_interactive_bind_s: Server is unavailable (52)
additional info: SASL(-8): transient failure (e.g., weak
key): simultaneous OTP authentications not permitted
OpenLDAP 2.4.42
Cyrusl SASL 2.1.26
If you are referring to sasl-OTP, which requires opiekey, this is still
working,
https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
On the other hand, there is a Time based OTP module in
contrib/slapd-modules/passwd/otpt which is broken, although i use
google authenticator and alternatively sophos authenticator.
The passwd/totp module is a slapd password-hash mechanism and has nothing to
do with SASL. It also works perfectly with google authenticator, what makes
you say it's broken?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Dieter Klünter
2015-11-07 12:29:25 UTC
Permalink
Dieter Klünter wrote: > > Am Fri, 6 Nov 2015 08:55:34 +0000 > > schrieb
Emmanuel Dreyfus <***@netbsd.org>: > > > >> Hello > >> > >> It seems OTP
was broken at some time, I wonder if it is just me > >> (and why), or if
it is more genral. I have a user with: > >> cmusaslsecretOTP: sha1 0499 se2124
xxxxxxxxxxxxxxxx > >> 00000000 > >> > >> slapd.conf contains: > >> access
to dn.regex="^uid=.+,dc=example,dc=net$" > >> attrs=cmusaslsecretOTP by anonymous
auth stop > >> by self write stop > >> by * none stop > >> > >> I try: >
$ ldapwhomai -Y OTP -X dn:${user_dn} > >> SASL/OTP authentication started
(delay) > >> ldap_sasl_interactive_bind_s: Server is unavailable (52)
simultaneous OTP authentications not permitted > >> > >> This is: > >> OpenLDAP
2.4.42 > >> Cyrusl SASL 2.1.26 > > > > If you are referring to sasl-OTP,
which requires opiekey, this is > > still working, > > > > https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
On the other hand, there is a Time based OTP module in > > contrib/slapd-modules/passwd/otpt
which is broken, although i use > > google authenticator and alternatively
sophos authenticator. > > The passwd/totp module is a slapd password-hash
mechanism and has > nothing to do with SASL. It also works perfectly with
google > authenticator, what makes you say it's broken? > [...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: netbsd.org]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Dieter Klünter wrote: > > Am Fri, 6 Nov 2015 08:55:34 +0000 > > schrieb
Emmanuel Dreyfus <***@netbsd.org>: > > > >> Hello > >> > >> It seems OTP
was broken at some time, I wonder if it is just me > >> (and why), or if
it is more genral. I have a user with: > >> cmusaslsecretOTP: sha1 0499 se2124
xxxxxxxxxxxxxxxx > >> 00000000 > >> > >> slapd.conf contains: > >> access
to dn.regex="^uid=.+,dc=example,dc=net$" > >> attrs=cmusaslsecretOTP by anonymous
auth stop > >> by self write stop > >> by * none stop > >> > >> I try: >
$ ldapwhomai -Y OTP -X dn:${user_dn} > >> SASL/OTP authentication started
(delay) > >> ldap_sasl_interactive_bind_s: Server is unavailable (52)
simultaneous OTP authentications not permitted > >> > >> This is: > >> OpenLDAP
2.4.42 > >> Cyrusl SASL 2.1.26 > > > > If you are referring to sasl-OTP,
which requires opiekey, this is > > still working, > > > > https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
On the other hand, there is a Time based OTP module in > > contrib/slapd-modules/passwd/otpt
which is broken, although i use > > google authenticator and alternatively
sophos authenticator. > > The passwd/totp module is a slapd password-hash
mechanism and has > nothing to do with SASL. It also works perfectly with
google > authenticator, what makes you say it's broken? > [...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: pw-totp.la]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Am Sat, 7 Nov 2015 01:04:57 +0000
Am Fri, 6 Nov 2015 08:55:34 +0000
Hello
It seems OTP was broken at some time, I wonder if it is just me
cmusaslsecretOTP: sha1 0499 se2124 xxxxxxxxxxxxxxxx
00000000
access to dn.regex="^uid=.+,dc=example,dc=net$"
attrs=cmusaslsecretOTP by anonymous auth stop
by self write stop
by * none stop
$ ldapwhomai -Y OTP -X dn:${user_dn}
SASL/OTP authentication started
(delay)
ldap_sasl_interactive_bind_s: Server is unavailable (52)
additional info: SASL(-8): transient failure (e.g., weak
key): simultaneous OTP authentications not permitted
OpenLDAP 2.4.42
Cyrusl SASL 2.1.26
If you are referring to sasl-OTP, which requires opiekey, this is
still working,
https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
On the other hand, there is a Time based OTP module in
contrib/slapd-modules/passwd/otpt which is broken, although i use
google authenticator and alternatively sophos authenticator.
The passwd/totp module is a slapd password-hash mechanism and has
nothing to do with SASL. It also works perfectly with google
authenticator, what makes you say it's broken?
I am not claiming the totp module to be a SASL Mechanism.

1. compiled pw-totp
2. installed pw-totp.la and pw-totp.so.0.0.0
3. included pw-totp.la in slapd.conf
4. added password-hash {TOTP1}
5. created a user

dn: cn=test1 example,o=Test
sn: example
objectClass: inetOrgPerson
cn: test1 example
givenName: test1

6. added credentials by ldappasswd
userPassword:: e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
8. added credentials to google Authenticator and sophos authenticator
9. run ./ldapwhoami -D "cn=test1 example,o=Test" -W -H
ldap://localhost:9007
10. entered the numberstring from a authenticator
11. result: ldap_bind: Invalid credentials (49)

You may test yourself, based on my credentials.

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Dieter Klünter
2015-11-07 12:45:21 UTC
Permalink
Content preview: Am Sat, 7 Nov 2015 13:29:25 +0100 schrieb Dieter Klünter
Post by Dieter Klünter
Hello > > >> > > >> It seems OTP was broken at some time, I wonder if
cmusaslsecretOTP: sha1 0499 se2124 xxxxxxxxxxxxxxxx > > >> 00000000
slapd.conf contains: > > >> access to dn.regex="^uid=.+,dc=example,dc=net$"
attrs=cmusaslsecretOTP by anonymous auth stop > > >> by self write
stop > > >> by * none stop > > >> > > >> I try: > > >> $ ldapwhomai -Y OTP
-X dn:${user_dn} > > >> SASL/OTP authentication started > > >> (delay) >
Post by Dieter Klünter
ldap_sasl_interactive_bind_s: Server is unavailable (52) > > >> additional
info: SASL(-8): transient failure (e.g., weak > > >> key): simultaneous OTP
authentications not permitted > > >> > > >> This is: > > >> OpenLDAP 2.4.42
Post by Dieter Klünter
Cyrusl SASL 2.1.26 > > > > > > If you are referring to sasl-OTP, which
requires opiekey, this is > > > still working, > > > > > > https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
Post by Dieter Klünter
On the other hand, there is a Time based OTP module in > > >
contrib/slapd-modules/passwd/otpt which is broken, although i use > > > google
authenticator and alternatively sophos authenticator. > > > > The passwd/totp
module is a slapd password-hash mechanism and has > > nothing to do with
SASL. It also works perfectly with google > > authenticator, what makes you
say it's broken? > > > > I am not claiming the totp module to be a SASL Mechanism.
Post by Dieter Klünter
1. compiled pw-totp > 2. installed pw-totp.la and pw-totp.so.0.0.0 >
3. included pw-totp.la in slapd.conf > 4. added password-hash {TOTP1} [...]


Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: pw-totp.la]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Am Sat, 7 Nov 2015 13:29:25 +0100 schrieb Dieter Klünter
Post by Dieter Klünter
Hello > > >> > > >> It seems OTP was broken at some time, I wonder if
cmusaslsecretOTP: sha1 0499 se2124 xxxxxxxxxxxxxxxx > > >> 00000000
slapd.conf contains: > > >> access to dn.regex="^uid=.+,dc=example,dc=net$"
attrs=cmusaslsecretOTP by anonymous auth stop > > >> by self write
stop > > >> by * none stop > > >> > > >> I try: > > >> $ ldapwhomai -Y OTP
-X dn:${user_dn} > > >> SASL/OTP authentication started > > >> (delay) >
Post by Dieter Klünter
ldap_sasl_interactive_bind_s: Server is unavailable (52) > > >> additional
info: SASL(-8): transient failure (e.g., weak > > >> key): simultaneous OTP
authentications not permitted > > >> > > >> This is: > > >> OpenLDAP 2.4.42
Post by Dieter Klünter
Cyrusl SASL 2.1.26 > > > > > > If you are referring to sasl-OTP, which
requires opiekey, this is > > > still working, > > > > > > https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
Post by Dieter Klünter
On the other hand, there is a Time based OTP module in > > >
contrib/slapd-modules/passwd/otpt which is broken, although i use > > > google
authenticator and alternatively sophos authenticator. > > > > The passwd/totp
module is a slapd password-hash mechanism and has > > nothing to do with
SASL. It also works perfectly with google > > authenticator, what makes you
say it's broken? > > > > I am not claiming the totp module to be a SASL Mechanism.
Post by Dieter Klünter
1. compiled pw-totp > 2. installed pw-totp.la and pw-totp.so.0.0.0 >
3. included pw-totp.la in slapd.conf > 4. added password-hash {TOTP1} [...]


Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: pw-totp.la]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Am Sat, 7 Nov 2015 13:29:25 +0100
Post by Dieter Klünter
Am Sat, 7 Nov 2015 01:04:57 +0000
Am Fri, 6 Nov 2015 08:55:34 +0000
Hello
It seems OTP was broken at some time, I wonder if it is just me
cmusaslsecretOTP: sha1 0499 se2124 xxxxxxxxxxxxxxxx
00000000
access to dn.regex="^uid=.+,dc=example,dc=net$"
attrs=cmusaslsecretOTP by anonymous auth stop
by self write stop
by * none stop
$ ldapwhomai -Y OTP -X dn:${user_dn}
SASL/OTP authentication started
(delay)
ldap_sasl_interactive_bind_s: Server is unavailable (52)
additional info: SASL(-8): transient failure (e.g., weak
key): simultaneous OTP authentications not permitted
OpenLDAP 2.4.42
Cyrusl SASL 2.1.26
If you are referring to sasl-OTP, which requires opiekey, this is
still working,
https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
On the other hand, there is a Time based OTP module in
contrib/slapd-modules/passwd/otpt which is broken, although i use
google authenticator and alternatively sophos authenticator.
The passwd/totp module is a slapd password-hash mechanism and has
nothing to do with SASL. It also works perfectly with google
authenticator, what makes you say it's broken?
I am not claiming the totp module to be a SASL Mechanism.
1. compiled pw-totp
2. installed pw-totp.la and pw-totp.so.0.0.0
3. included pw-totp.la in slapd.conf
4. added password-hash {TOTP1}
4.1 forgot to mention that i have added a overlay declaration
overlay totp
which happens to be the first overlay, followed by memberOf
Post by Dieter Klünter
5. created a user
dn: cn=test1 example,o=Test
sn: example
objectClass: inetOrgPerson
cn: test1 example
givenName: test1
6. added credentials by ldappasswd
userPassword:: e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
8. added credentials to google Authenticator and sophos authenticator
9. run ./ldapwhoami -D "cn=test1 example,o=Test" -W -H
ldap://localhost:9007
10. entered the numberstring from a authenticator
11. result: ldap_bind: Invalid credentials (49)
You may test yourself, based on my credentials.
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Peter Marschall
2015-11-07 13:09:08 UTC
Permalink
Content preview: Hi, On Saturday, 7. November 2015 13:45:21 Dieter Klünter
wrote: > > schrieb Howard Chu <***@symas.com>: > > > The passwd/totp module
is a slapd password-hash mechanism and has > > > nothing to do with SASL.
It also works perfectly with google > > > authenticator, what makes you say
it's broken? [...]

Content analysis details: (-2.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[89.107.184.29 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: adpm.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -2.6 (--)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Hi, On Saturday, 7. November 2015 13:45:21 Dieter Klünter
wrote: > > schrieb Howard Chu <***@symas.com>: > > > The passwd/totp module
is a slapd password-hash mechanism and has > > > nothing to do with SASL.
It also works perfectly with google > > > authenticator, what makes you say
it's broken? [...]

Content analysis details: (-2.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[89.107.184.29 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: adpm.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Hi,
Post by Howard Chu
The passwd/totp module is a slapd password-hash mechanism and has
nothing to do with SASL. It also works perfectly with google
authenticator, what makes you say it's broken?
I concur with Harald.
the pw-totp module in HEAD works.

There have been issues in the initial commit, which have been fixed since then.

Best
Peter
--
Peter Marschall
***@adpm.de
Michael Ströder
2015-11-07 13:33:22 UTC
Permalink
Post by Dieter Klünter
6. added credentials by ldappasswd
userPassword:: e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
I have not really tried the module myself yet but I note that the key is
actually 21 bytes long (see below). Shouldn't that be 20 bytes?

Ciao, Michael.

Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
Post by Dieter Klünter
'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA===='
Post by Dieter Klünter
s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
len(s)
21
Howard Chu
2015-11-07 17:46:04 UTC
Permalink
Content preview: Michael Ströder wrote: > Dieter Klünter wrote: >> 6. added
credentials by ldappasswd >> userPassword:: e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
Post by Michael Ströder
Post by Michael Ströder
I have not really tried the module myself yet but I note that the key
is > actually 21 bytes long (see below). Shouldn't that be 20 bytes? [...]


Content analysis details: (-4.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[69.43.206.106 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: symas.com]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -4.2 (----)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Michael Ströder wrote: > Dieter Klünter wrote: >> 6. added
credentials by ldappasswd >> userPassword:: e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
Post by Michael Ströder
Post by Michael Ströder
I have not really tried the module myself yet but I note that the key
is > actually 21 bytes long (see below). Shouldn't that be 20 bytes? [...]


Content analysis details: (-4.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[69.43.206.106 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: highlandsun.com]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Post by Michael Ströder
Post by Michael Ströder
6. added credentials by ldappasswd
userPassword:: e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
I have not really tried the module myself yet but I note that the key is
actually 21 bytes long (see below). Shouldn't that be 20 bytes?
Looks like you're right. Perhaps we should re-enable the key length checks in
the module (which are currently disabled with #if 0 ).
Post by Michael Ströder
Ciao, Michael.
Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
Post by Michael Ströder
'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA===='
Post by Michael Ströder
s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
len(s)
21
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Dieter Klünter
2015-11-07 19:53:38 UTC
Permalink
Content preview: Am Sat, 7 Nov 2015 14:33:22 +0100 schrieb Michael Ströder
<***@stroeder.com>: > Dieter Klünter wrote: > > 6. added credentials
by ldappasswd > > userPassword:: > > e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
Post by Michael Ströder
I have not really tried the module myself yet but I note that the key
is actually 21 bytes long (see below). Shouldn't that be 20 bytes? > >
Ciao, Michael. > > Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on
linux2 > >>> 'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA====' > >>> s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
Post by Michael Ströder
len(s) > 21 [...]
Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: sys4.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Am Sat, 7 Nov 2015 14:33:22 +0100 schrieb Michael Ströder
<***@stroeder.com>: > Dieter Klünter wrote: > > 6. added credentials
by ldappasswd > > userPassword:: > > e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
Post by Michael Ströder
I have not really tried the module myself yet but I note that the key
is actually 21 bytes long (see below). Shouldn't that be 20 bytes? > >
Ciao, Michael. > > Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on
linux2 > >>> 'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA====' > >>> s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
Post by Michael Ströder
len(s) > 21 [...]
Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: sys4.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Am Sat, 7 Nov 2015 14:33:22 +0100
Post by Michael Ströder
6. added credentials by ldappasswd
e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
I have not really tried the module myself yet but I note that the key
is actually 21 bytes long (see below). Shouldn't that be 20 bytes?
Ciao, Michael.
Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
Post by Michael Ströder
'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA===='
Post by Michael Ströder
s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
len(s)
21
The TOTP1 string is base32 encoded, not base64.
With regard to length, this might be a bug in google Authenticator, as
it would not accept a credential string shorter than mine.

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Michael Ströder
2015-11-07 21:03:04 UTC
Permalink
Post by Dieter Klünter
Am Sat, 7 Nov 2015 14:33:22 +0100
Post by Michael Ströder
Post by Dieter Klünter
6. added credentials by ldappasswd
e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
I have not really tried the module myself yet but I note that the key
is actually 21 bytes long (see below). Shouldn't that be 20 bytes?
Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
Post by Dieter Klünter
'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA===='
Post by Dieter Klünter
s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
len(s)
21
The TOTP1 string is base32 encoded, not base64.
If it's sent to the Google Authenticator the base32-encoded form is appended
to the totp:// URL. And looking at slapd-totp.c it seems you're also right
regarding the storage format in 'userPassword':

/* Key is stored in base32 */

But still 17 bytes look strange to me:

Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
Post by Dieter Klünter
Post by Michael Ströder
Post by Dieter Klünter
import base64
base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA====')
'hhDyDK0143256ABCD'
Post by Dieter Klünter
Post by Michael Ströder
Post by Dieter Klünter
len(base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA===='))
17

What's the correct length of your shared secret?

Ciao, Michael.
Dieter Klünter
2015-11-08 09:28:09 UTC
Permalink
Content preview: Am Sat, 7 Nov 2015 22:03:04 +0100 schrieb Michael Ströder
Post by Michael Ströder
e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09 > >> > >> I have
not really tried the module myself yet but I note that the > >> key is actually
21 bytes long (see below). Shouldn't that be 20 > >> bytes? > >> > >> Python
2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2 > >>>>> 'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
Post by Michael Ströder
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA====' > >>>>> s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
len(s) > >> 21 > > > > The TOTP1 string is base32 encoded, not base64.
If it's sent to the Google Authenticator the base32-encoded form is >
appended to the totp:// URL. And looking at slapd-totp.c it seems > you're
also right regarding the storage format in 'userPassword': > > /* Key is
stored in base32 */ > > But still 17 bytes look strange to me: > > Python
2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2 > >>> import base64
Post by Michael Ströder
base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA====') > 'hhDyDK0143256ABCD'
len(base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA====')) > 17 > >
What's the correct length of your shared secret? [...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: sys4.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Am Sat, 7 Nov 2015 22:03:04 +0100 schrieb Michael Ströder
Post by Michael Ströder
e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09 > >> > >> I have
not really tried the module myself yet but I note that the > >> key is actually
21 bytes long (see below). Shouldn't that be 20 > >> bytes? > >> > >> Python
2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2 > >>>>> 'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
Post by Michael Ströder
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA====' > >>>>> s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
len(s) > >> 21 > > > > The TOTP1 string is base32 encoded, not base64.
If it's sent to the Google Authenticator the base32-encoded form is >
appended to the totp:// URL. And looking at slapd-totp.c it seems > you're
also right regarding the storage format in 'userPassword': > > /* Key is
stored in base32 */ > > But still 17 bytes look strange to me: > > Python
2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2 > >>> import base64
Post by Michael Ströder
base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA====') > 'hhDyDK0143256ABCD'
len(base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA====')) > 17 > >
What's the correct length of your shared secret? [...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: sys4.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Am Sat, 7 Nov 2015 22:03:04 +0100
Post by Michael Ströder
Am Sat, 7 Nov 2015 14:33:22 +0100
6. added credentials by ldappasswd
e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
I have not really tried the module myself yet but I note that the
key is actually 21 bytes long (see below). Shouldn't that be 20
bytes?
Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA===='
s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
len(s)
21
The TOTP1 string is base32 encoded, not base64.
If it's sent to the Google Authenticator the base32-encoded form is
appended to the totp:// URL. And looking at slapd-totp.c it seems
/* Key is stored in base32 */
Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
import base64
base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA====')
'hhDyDK0143256ABCD'
len(base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA===='))
17
What's the correct length of your shared secret?
In fact i have tested with various length. You are correct that the key
is question is of 17 bytes.

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Dieter Klünter
2015-11-09 12:37:14 UTC
Permalink
Content preview: Am Sat, 7 Nov 2015 20:53:38 +0100 schrieb Dieter Klünter
<***@dkluenter.de>: > Am Sat, 7 Nov 2015 14:33:22 +0100 > schrieb Michael
Ströder <***@stroeder.com>: > > > Dieter Klünter wrote: > > > 6. added
credentials by ldappasswd > > > userPassword:: > > > e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
Post by Dieter Klünter
Post by Dieter Klünter
Post by Michael Ströder
I have not really tried the module myself yet but I note that the
key is actually 21 bytes long (see below). Shouldn't that be 20 > > bytes?
Post by Dieter Klünter
Post by Michael Ströder
Ciao, Michael. > > > > Python 2.7.10 (default, May 24 2015, 14:46:10)
[GCC] on linux2 > > >>> 'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
Post by Dieter Klünter
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA====' > > >>> s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
Post by Dieter Klünter
Post by Michael Ströder
len(s) > > 21 > > The TOTP1 string is base32 encoded, not base64.
With regard to length, this might be a bug in google Authenticator, as
it would not accept a credential string shorter than mine. [...]
Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: sys4.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Am Sat, 7 Nov 2015 20:53:38 +0100 schrieb Dieter Klünter
<***@dkluenter.de>: > Am Sat, 7 Nov 2015 14:33:22 +0100 > schrieb Michael
Ströder <***@stroeder.com>: > > > Dieter Klünter wrote: > > > 6. added
credentials by ldappasswd > > > userPassword:: > > > e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
Post by Dieter Klünter
Post by Dieter Klünter
Post by Michael Ströder
I have not really tried the module myself yet but I note that the
key is actually 21 bytes long (see below). Shouldn't that be 20 > > bytes?
Post by Dieter Klünter
Post by Michael Ströder
Ciao, Michael. > > > > Python 2.7.10 (default, May 24 2015, 14:46:10)
[GCC] on linux2 > > >>> 'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
Post by Dieter Klünter
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA====' > > >>> s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
Post by Dieter Klünter
Post by Michael Ströder
len(s) > > 21 > > The TOTP1 string is base32 encoded, not base64.
With regard to length, this might be a bug in google Authenticator, as
it would not accept a credential string shorter than mine. [...]
Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: sys4.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Am Sat, 7 Nov 2015 20:53:38 +0100
Post by Dieter Klünter
Am Sat, 7 Nov 2015 14:33:22 +0100
Post by Dieter Klünter
6. added credentials by ldappasswd
e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
I have not really tried the module myself yet but I note that the
key is actually 21 bytes long (see below). Shouldn't that be 20
bytes?
Ciao, Michael.
Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
Post by Dieter Klünter
Post by Michael Ströder
'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
'{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA===='
Post by Dieter Klünter
Post by Michael Ströder
s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
len(s)
21
The TOTP1 string is base32 encoded, not base64.
With regard to length, this might be a bug in google Authenticator, as
it would not accept a credential string shorter than mine.
Just for the records:
the pw-totp has not a bug. The so called SMART devices are not smart
at all. I expected them to convert user password to a base32 string,
which they don't.
To produce a totp numberstring, the valid base32 string has to be
entered to the smart device application. I have successfully tested it
with google authenticator, Sophos authenticator and FreeOTP.

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Michael Ströder
2015-11-07 10:50:56 UTC
Permalink
Post by Emmanuel Dreyfus
$ ldapwhomai -Y OTP -X dn:${user_dn}
The main problem with SASL/OTP is that clients have to implement special
support for it.

There will be a talk about OATH-LDAP at LDAPcon 2015:

http://ldapcon.org/2015/?page_id=185

Similar to password/totp it also works for LDAP simple bind but with some
policy parameters enforced.

Ciao, Michael.
Emmanuel Dreyfus
2015-11-07 14:34:04 UTC
Permalink
Content preview: Emmanuel Dreyfus <***@netbsd.org> wrote: > $ ldapwhomai -Y
OTP -X dn:${user_dn} > SASL/OTP authentication started > (delay) > ldap_sasl_interactive_bind_s:
Server is unavailable (52) > additional info: SASL(-8): transient failure
(e.g., weak key): > simultaneous OTP authentications not permitted [...]

Content analysis details: (-2.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[193.54.82.9 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: netbsd.org]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Post by Emmanuel Dreyfus
$ ldapwhomai -Y OTP -X dn:${user_dn}
SASL/OTP authentication started
(delay)
ldap_sasl_interactive_bind_s: Server is unavailable (52)
simultaneous OTP authentications not permitted
I made some progress, with a fix in cyrus SASL (I also include my added
SHA2 support just in case someone has a comment on it).

This was a signedness problem in the timeout parameter: readed as signed
on a machines with 32 bits time_t, it get always in a far future.
Scanning it as unsigned fixes the problem.

--- plugins/otp.c.orig 2012-10-12 16:05:48.000000000 +0200
+++ plugins/otp.c 2015-11-07 15:19:43.000000000 +0100
@@ -92,8 +92,12 @@
static algorithm_option_t algorithm_options[] = {
{"md4", 0, "md4"},
{"md5", 0, "md5"},
{"sha1", 4, "sha1"},
+ {"sha224", 4, "sha224"},
+ {"sha256", 4, "sha256"},
+ {"sha384", 4, "sha384"},
+ {"sha512", 4, "sha512"},
{NULL, 0, NULL}
};

/* Convert the binary data into ASCII hex */
@@ -675,9 +679,9 @@
SETERROR(utils, "OTP secret too short");
return SASL_FAIL;
}

- sscanf(secret, "%s\t%04d\t%s\t%s\t%020ld",
+ sscanf(secret, "%s\t%04d\t%s\t%s\t%020lu",
alg, seq, seed, buf, timeout);

hex2bin(buf, otp, OTP_HASH_SIZE);
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
***@netbsd.org
Loading...