x-itec / mod-authn-otp

Automatically exported from code.google.com/p/mod-authn-otp
Apache License 2.0

possibly incorrect use of OTPAuthMaxOffset #12

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. normal initialisation of a user
2. set own value for OTPAuthMaxOffset that is larger than 4
3. "desynchronise" the token by more than 4 and try to log on

What is the expected output? What do you see instead?
authentication fails

What version of the product are you using? On what operating system?
Debian, latest version downloaded on 14th Apr 2011

Please provide any additional information below.

I'm not perfectly sure it is the case but I had to hack source code and change 
the default value from 4 to a higher value to logon. I didn't have much time to 
analyse the module's code in more detail.

Original issue reported on code.google.com by dancvr...@gmail.com on 14 Apr 2011 at 7:54

GoogleCodeExporter commented 9 years ago
I was not able to reproduce this. I have a server configured with 
OTPAuthMaxOffset 10 and was able to login with an offset of either -10 or 10.

Did you fully restart Apache after your configuration change?

Are you seeing "user ... provided the wrong OTP" in Apache's error log, or some 
other error?

Original comment by archie.c...@gmail.com on 14 Apr 2011 at 8:13

GoogleCodeExporter commented 9 years ago

Original comment by archie.c...@gmail.com on 14 Apr 2011 at 8:14

GoogleCodeExporter commented 9 years ago
Hi

This is the message I'm getting:
[Thu Apr 14 20:13:33 2011] [notice] [client 213.192.60.45] user "dan"
provided the wrong OTP
[Thu Apr 14 20:13:33 2011] [error] [client 213.192.60.45] user dan:
authentication failure for "/ours": Password Mismatch

In that case, I just incorrectly defined the property for the Apache server.
However, the file is updated correctly after successful authentications.

This is what I do.
The main config file:
# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

authn_otp.load
LoadModule authn_otp_module /usr/lib/apache2/modules/mod_authn_otp.so

authn_otp.conf...
<IfModule authn_otp_module.c>
        OTPAuthUsersFile "/etc/otp/otp-users.txt"
        OTPAuthMaxOffset 100
        OTPAuthMaxLinger 600
        OTPAuthLogoutOnIPChange 1
        OTPAuthPINAuthProvider
</IfModule>

Original comment by dancvr...@gmail.com on 14 Apr 2011 at 8:31

GoogleCodeExporter commented 9 years ago
Can you confirm that the one-time password you are providing is actually valid 
(i.e., within the window of 100 sequence numbers)?

For example, for a time-based token with 60 second interval, you'd do this:
{{{
$ otptool -w 100 0123456789abcdef 555555
one-time password "555555" was not found within the counter range 0 ... 100
}}}
See the otptool(1) man page for details.

Original comment by archie.c...@gmail.com on 14 Apr 2011 at 8:39

GoogleCodeExporter commented 9 years ago
One more short note. The problem was for a new user, i.e. someone who has never 
logged on yet.

Original comment by dancvr...@gmail.com on 14 Apr 2011 at 8:40

GoogleCodeExporter commented 9 years ago
Re: comment 4.

Yes, I recompiled the module with the default value increased to 50. I could 
log on and the counter value in the users file was updated to 26.

Original comment by dancvr...@gmail.com on 14 Apr 2011 at 8:42
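As an added illustration, not code from mod-authn-otp or otptool, the following models the look-ahead window that the otptool example and the OTPAuthMaxOffset setting are about: an RFC 4226 HOTP generator plus a counter search over last_counter .. last_counter + max_offset (the exact range the module searches is an assumption here). It uses the key from the otptool example and the counter value 26 from the comment above, both as constructed sample data, to show why a token sitting at counter 26 is not found with the default window of 4 but is found with 50 or 100.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def find_counter(secret: bytes, otp: str, last_counter: int, max_offset: int):
    """Look-ahead search for an event-based token (simplified model of the
    otptool -w / OTPAuthMaxOffset window; an assumption, not the module's code):
    try every counter from last_counter up to last_counter + max_offset
    inclusive and return the first counter whose HOTP matches, else None.
    A user who has never logged in starts with last_counter = 0."""
    for counter in range(last_counter, last_counter + max_offset + 1):
        # constant-time comparison so timing does not leak how close a guess was
        if hmac.compare_digest(hotp(secret, counter), otp):
            return counter
    return None


# Constructed scenario: the key from the otptool example in this thread and
# the counter the users file showed after the successful login.
SECRET = bytes.fromhex("0123456789abcdef")
TOKEN_COUNTER = 26


def window_results():
    """Check the same OTP against the default window (4) and the widened ones."""
    otp = hotp(SECRET, TOKEN_COUNTER)
    return {w: find_counter(SECRET, otp, 0, w) for w in (4, 50, 100)}


if __name__ == "__main__":
    for window, hit in window_results().items():
        status = f"found at counter {hit}" if hit is not None else "not found"
        print(f"max_offset={window:3d}: {status}")
```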

GoogleCodeExporter commented 9 years ago
I don't see anything obviously wrong in the code (of course that doesn't mean 
there's not a bug).

If you have some time to play with it, add some ap_log_rerror() statements 
everywhere you see a function handling the "max_offset" field and see if you 
can trace what's going wrong.

Thanks.

Original comment by archie.c...@gmail.com on 14 Apr 2011 at 9:18