Bug 7000 - The ThinLinc Client is not compatible with standard-compliant TOTP implementations
Status: CLOSED DUPLICATE of bug 5614
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.9.0
Assignee: Peter Åstrand
 
Reported: 2017-06-28 13:39 CEST by Karl Mikaelsson
Modified: 2017-08-14 13:37 CEST

Description Karl Mikaelsson cendio 2017-06-28 13:39:15 CEST
The ThinLinc Client requires a TOTP code to be usable twice - once for logging in to the ThinLinc Master and once for logging in to the ThinLinc Agent.

RFC 6238, which describes TOTP: Time-Based One-Time Password Algorithm, explicitly forbids this.

https://tools.ietf.org/html/rfc6238
>  Note that a prover may send the same OTP inside a given time-step
>  window multiple times to a verifier.  The verifier MUST NOT accept
>  the second attempt of the OTP after the successful validation has
>  been issued for the first OTP, which ensures one-time only use of an
>  OTP.


This is not a problem for Web Access, as it does not perform multiple authentications when logging in a user.
Comment 1 Peter Åstrand cendio 2017-08-14 10:59:42 CEST
Duplicate of bug 2545?
Comment 2 Pierre Ossman cendio 2017-08-14 13:37:37 CEST

*** This bug has been marked as a duplicate of bug 5614 ***
