[Freeipa-devel] [PATCH 0017] Add OTP support to ipalib CLI

Petr Vobornik pvoborni at redhat.com
Thu Sep 12 11:28:38 UTC 2013


I've started the work on OTP UI and found a few issues in this patch:

1. api.txt is not regenerated. Run ./makeapi. Same issue is in patch #15 
and #16.

2. python-qrcode is missing in BuildRequires

3. minor: would be nice if attribute names in `takes_params` and 
`default_attributes` would have same casing.

4. 'OTP token' prefix in each param label seems redundant to me. We 
don't use it in other commands and it makes labels unnecessarily long.

5. Tried to run:
$  ipa otp-add fbarkey4 --owner fbar --type=totp --raw --all
while kinit-ed as user fbar and got:
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the 
entry 
'ipatokenuniqueid=fbarkey4,cn=otp,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.

running it as admin works.

Qs:

a. Do we have some use cases for adding internal OTP? I wonder which 
otp-add options are essential (ipatokenvendor, ipatokenmodel, 
ipatokenserial, ipatokenotpkey, ipatokenotpalgorithm, ipatokenotpdigits, 
ipatokentotpclockoffset, ipatokentotptimestep?) and which are less 
important (ipatokennotbefore, ipatokennotafter ?).

From a user perspective it seems that the best thing is to enter the 
token id and then run with defaults.


On 09/05/2013 06:25 AM, Nathaniel McCallum wrote:
> This patch has a few problems that I'd like some help with. There are a
> few notes here as well.
>
> 1. The handling of the 'key' option is insecure. It should probably be
> treated like a password (hidden from logs, etc). However, in this case,
> it is binary, so I'm not quite sure how to do that. Passing it as a
> command line option may be nice for scripting, but is potentially a
> security problem if it ends up in bash.history. It would also be nice if
> the encoding were base32 instead of base64, since nearly all the OTP
> tools use this encoding.
>
> 2. The 'key' option also appears in otp-find. I'd like to suppress this.
> How?
>
> 3. I had to make the 'id' option optional to make the uuid
> autogeneration work in otp-add. However, this has the side-effect that
> 'id' is now optional in all the other commands. This is particularly bad
> in the case of otp-del, where calling this command with no ID
> transparently removes all tokens. How can I make this optional for
> otp-add but required for all other commands?
>
> 4. otp-import is not implemented. I spent a few hours looking and I
> didn't find any otp tool that actually uses this xml format for
> exporting. Should we implement this now or wait until someone can
> actually export data to us?
>
> 5. otp-del happily deletes the last token for a user. How can I find out
> the dn of the user executing the command? Also, what is the right
> exception to throw in pre_callback()?
>
> 6. user-show does not list the associated tokens for this user. Do we
> care? It is a single search: otp-find --owner npmccallum.
>
> 7. otp-add only prints the qr code if the --qrcode option is specified.
> This is for two reasons. First, and most importantly, the qr code
> doesn't fit on a standard 24x80 terminal. I wanted to avoid dumping
> garbage on people's screens by default. Second, you may not always want
> the qr code output (like for a hard token or manual code entry).
>
> Nathaniel
>
-- 
Petr Vobornik
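The thread above touches on two concrete points that are easy to get wrong: the token key encoding (base32 is what OTP apps expect, base64 is what the patch used) and what the token parameters named in the reply (ipatokenotpkey, ipatokenotpalgorithm, ipatokenotpdigits, ipatokentotptimestep, ipatokentotpclockoffset) actually feed into. The example below is added here as an illustration and is not code from the patch or from FreeIPA; it assumes those attributes carry the standard RFC 6238 meanings (HMAC algorithm name, digit count, step and offset in seconds), which is an assumption about the schema, not something the thread confirms. The secret is the RFC 6238 reference key so the output can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"); used only so the
# codes below match the published test vectors. Never reuse it for a real token.
RFC_KEY = b"12345678901234567890"

# Constructed token record using the attribute names from the thread. The
# semantics assigned to each value are an assumption for this example.
DEMO_TOKEN = {
    "ipatokenotpkey": RFC_KEY,          # raw key bytes
    "ipatokenotpalgorithm": "sha1",     # HMAC hash name as in hashlib
    "ipatokenotpdigits": 6,             # length of the displayed code
    "ipatokentotptimestep": 30,         # seconds per counter step
    "ipatokentotpclockoffset": 0,       # seconds added to the clock before stepping
}


def key_to_base32(key):
    """Encode a raw key the way nearly all OTP apps expect it (unpadded base32)."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


def key_to_base64(key):
    """Encode the same key as base64, the form the original patch used."""
    return base64.b64encode(key).decode("ascii")


def key_from_base32(text):
    """Decode a base32 secret, tolerating spaces, lowercase and missing padding."""
    text = text.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def redact_token(token):
    """Copy of a token record safe to log: the key is never written out."""
    return {k: ("<redacted>" if k == "ipatokenotpkey" else v) for k, v in token.items()}


def hotp(key, counter, algorithm="sha1", digits=6):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(token, now):
    """RFC 6238 TOTP using the token's step and clock offset."""
    counter = (now + token["ipatokentotpclockoffset"]) // token["ipatokentotptimestep"]
    return hotp(token["ipatokenotpkey"], counter,
                token["ipatokenotpalgorithm"], token["ipatokenotpdigits"])


def verify_totp(token, now, code, window=1):
    """Accept a code from the current step or up to `window` steps either side,
    comparing in constant time so timing does not leak how many digits matched."""
    step = token["ipatokentotptimestep"]
    return any(hmac.compare_digest(totp(token, now + i * step), code)
               for i in range(-window, window + 1))


if __name__ == "__main__":
    print("base32:", key_to_base32(RFC_KEY))
    print("base64:", key_to_base64(RFC_KEY))
    print("loggable record:", redact_token(DEMO_TOKEN))
    print("code at t=59:", totp(DEMO_TOKEN, 59))
```

The base32 form (GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ for this key) is what a user would type into an authenticator app, whereas the base64 form is not accepted by most of them. The verify function also shows why a small acceptance window plus a clock offset matters: a hardware token whose clock has drifted by one step still validates without loosening the rest of the check.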
