[Freeipa-devel] Planning FreeIPA 4.0 GA

Simo Sorce simo at redhat.com
Fri Jun 27 17:49:30 UTC 2014


On Fri, 2014-06-27 at 19:19 +0200, Petr Vobornik wrote:
> On 27.6.2014 19:00, Simo Sorce wrote:
> > On Fri, 2014-06-27 at 19:55 +0300, Alexander Bokovoy wrote:
> >> On Fri, 27 Jun 2014, Martin Kosek wrote:
> >>> Hello team,
> >>>
> >>> As we are about to very soon release FreeIPA 4.0, I triaged all the pending
> >>> tickets and divided them into the following milestones:
> >>>
> >>> 1) FreeIPA 4.0 GA - the last work that is required for the release. When this
> >>> milestone is completed, we will release. All tickets in this milestone are thus
> >>> the top priority for people working on 4.0 - this applies both to development
> >>> and to reviews.
> >> Endi found that with TOTP we don't yet enforce a requirement to prevent
> >> reuse of an OTP code multiple times within the same time step (you are able
> >> to log in with TOTP and reuse it for a password change within 30 seconds,
> >> for example). RFC3268 part 5.2 clearly says that the verifier MUST NOT
> >> allow this behavior.
> >>
> >> I'll look into this case on Monday but so far this is a release blocker.
> >
> > This is a well known limitation.
> >
> > The reason we allow for it is the performance impact on replication if we
> > enforced it: we do not have a good way to mark used values in a
> > distributed fashion.
> >
> 
> > It's for the same reason that we have not implemented HOTP yet.
> 
> Not entirely true:
> http://www.redhat.com/archives/freeipa-devel/2014-January/msg00069.html

I should probably have said we have not implemented it *for* HOTP.

That said, using HOTP is not really something I would recommend at this
point, as each authentication will cause a replication event to be fired.
That is probably ok if you have very few users/authentications, but in
large domains it would quickly become problematic.

Responding to Alexander, yes we need to document that we have this
limitation.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
