Hello, I was testing my freeRadius server and I found out that a user can authenticate with the same TOTP multiple times within the 30 seconds period. From reading the RFC 6238 I understand that this must not be possible as the One Time Password is for one time use only. Here is my code: authorize { ldap if ((ok || updated)) { if (User-Password !~ /^(.*)([0-9]{6})$/) { reject } update request { User-Password := "%{1}" TOTP-Password := "%{2}" } # gets shared secret from ldap if ( &control:totp_teste =~ /([A-Za-z0-9]+),/ ) { update control { TOTP-Secret := "%{1}" } } totp.authenticate if (!ok) { reject } update control { Auth-Type := ldap } } } authenticate { Auth-Type ldap { ldap } } Could you please provide me some guidance on what I am doing wrong here? Thanks, Miguel
On 16/11/2023 14:09, João Miguel Regateiro wrote:
I was testing my freeRadius server and I found out that a user can authenticate with the same TOTP multiple times within the 30 seconds period. From reading the RFC 6238 I understand that this must not be possible as the One Time Password is for one time use only.
The TOTP code is the same for the whole 30 (usually) second period. The RFC does say that the code should only be used once, but rlm_totp just verifies that the code is correct.
Could you please provide me some guidance on what I am doing wrong here?
Nothing. If you want to enforce the one time use only then you'll need to add some kind of caching (rlm_cache, redis, etc) to check that the same code is not used multiple times. -- Matthew
Thank you for your feedback, that was very helpful! Matthew Newton via Freeradius-Users <freeradius-users@lists.freeradius.org> escreveu no dia quinta, 16/11/2023 à(s) 14:19:
On 16/11/2023 14:09, João Miguel Regateiro wrote:
I was testing my freeRadius server and I found out that a user can authenticate with the same TOTP multiple times within the 30 seconds period. From reading the RFC 6238 I understand that this must not be possible as the One Time Password is for one time use only.
The TOTP code is the same for the whole 30 (usually) second period.
The RFC does say that the code should only be used once, but rlm_totp just verifies that the code is correct.
Could you please provide me some guidance on what I am doing wrong here?
Nothing. If you want to enforce the one time use only then you'll need to add some kind of caching (rlm_cache, redis, etc) to check that the same code is not used multiple times.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 16, 2023, at 9:18 AM, Matthew Newton via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Nothing. If you want to enforce the one time use only then you'll need to add some kind of caching (rlm_cache, redis, etc) to check that the same code is not used multiple times.
We're also happy to accept patches :) Alan DeKok.
participants (3)
-
Alan DeKok -
João Miguel Regateiro -
Matthew Newton