Upgraded to 5.8.1 and authentication now fails for all users?

Upgraded to 5.8.1 on the VM version by copying the new files over the original and its stopped working... All users are failing authentication. If I test locally from the GUI I get 'failed (99 ERROR: Authentication failed (and other possible unknown errors)). Not sure how to debug it?

Comments

  • Rolled it back to 5.6.1.5 and it works locally (i.e. check user now works from the GUI), however RADIUS clients are failing.. Spun up another VM with the 5.4.0.7 .ova file, updated it to 5.6.1.5 by copying the files (Raspberry Pi files) and restored the various files and its back working again. Took a snapshot of the VM then upgraded it to 5.8.1 by copying the files and its dead again... Restored the snapshot and back working.
  • Hello, The issue has been fixed already, and the new 5.8.1.1 has fixed that. Regards,
  • edited March 16
    We have clearly identified a bug in the version 5.8.1.0 of multiOTP, which was related to the current time and the multibyte handling of the length of characters.
    A new 5.8.1.1 version has been immediately published the 2021-03-14 before noon on GitHub.

    The bug detail is hereunder :

    The OTP tokens are calculated based on:
    - a secret key per token
    - an incremental counter

    For HOTP tokens, the counter is simply incrementing each time we ask for a new code to display.

    For TOTP tokens (like the tokens used in almost all case now), the counter value is the Unix Epoch (number of elapsed seconds since 01.01.1970) divided by a time windows (most of the time 30 or 60). This will generate a new code every 30 or 60 seconds.

    Based on the secret key and the incremental counter, an OTP is calculated, based on an hash-based message authentication code (generally HMAC-SHA1). The data is obtained by transforming the counter into a suite of unsigned chars.

    After running a lot of unit tests on the non-patched (5.8.1.0) version on our side, we found that the problem occurs from 2021-03-13 14:20:00 - 2021-03-18 03:08:00 (for the 30 seconds tokens).
    The multibyte version of the native string length function was faulty in some cases, and we have replaced it by the non-multibyte version of the native string length function.
This discussion has been closed.