KeyIdentity LinOTP 2.9.1 released

On February 15th we released LinOTP 2.9.1 to the repositories.

LinOTP 2.9.1

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.9.1 introduces many improvements, small features, cleanups and bug fixes. The highlights are the implementation of the KeyIdentity Push Token, a new caching functionality to significantly speed up performance for UserIdResolvers and the switch to StartTLS by default to improve the connection security to LDAP UserIdResolvers.

The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights

  • New Feature: KeyIdentity Push Token

LinOTP 2.9.1 is the first release to include support for the KeyIdentity Push Token to secure logins and transactions while providing a high level of usability on Android and iOS.
Based on the established cryptographic principles of the QRToken, we improved the workflows of the authentication process while preserving a high level of security. It uses the native push mechanisms of Android and iOS for the highest level of compatibility, based on the KeyIdentity Authenticator.

Please contact us for more information and about details on how to integrate the KeyIdentity Push Token in your setup.

  • New Feature: Caching for LDAP UserIdResolvers

The new caching feature is designed to improve the performance of LinOTP significantly in environments with a large number of users, complex realm setups and slow UserIdResolvers. Details about the configuration can be found at Caching-Feature.

  • New Feature: StartTLS by default

LinOTP 2.9.1 switches to StartTLS by default in order to secure the communication with LDAP UserIdResolvers in environments without an LDAPS infrastructure. Please have a look at StartTLS for details.
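The security-relevant part of that default, as an added example that is not LinOTP's resolver code: StartTLS is an LDAP extended operation (RFC 4511) sent on the plaintext port, and a client that does not insist on a success result simply keeps talking in cleartext. The stdlib-only Python below encodes the request, decodes the server's ExtendedResponse, and upgrades the socket with certificate and hostname verification only on success. The function and constant names (build_starttls_request, negotiate_starttls, STARTTLS_OID) and the sample replies are this example's own; the OID and tag values are those of the LDAP specification.

```python
"""Added example (not LinOTP resolver code): the StartTLS step of an LDAP
client at the wire level, using only the standard library.  StartTLS is an
ExtendedRequest with OID 1.3.6.1.4.1.1466.20037 (RFC 4511, section 4.14) sent
on the plaintext port; only a success result lets the client wrap the same
socket in TLS, any other outcome must fail closed."""
import socket
import ssl
from typing import Optional

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value, short-form length only (every message here is < 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("this example encodes short-form BER lengths only")
    return bytes([tag, len(body)]) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the short-form BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled by this example")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos + 2:end], end


def build_starttls_request(message_id: int = 1) -> bytes:
    """Client side: LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    if not 0 < message_id < 128:
        raise ValueError("this example encodes single-byte message ids only")
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # 0x60|23; requestName is context tag [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def build_starttls_response(result_code: int, diagnostic: bytes = b"", message_id: int = 1) -> bytes:
    """Server side (used here to construct sample replies): [APPLICATION 24] ExtendedResponse."""
    ldap_result = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic)
    ext_resp = _tlv(0x78, ldap_result + _tlv(0x8A, STARTTLS_OID))  # 0x60|24; responseName is [10]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_resp)


def parse_extended_response(msg: bytes) -> dict:
    """Decode messageID, resultCode, diagnosticMessage and responseName of an ExtendedResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, msgid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, pos = _read_tlv(op, pos)
    name = None
    if pos < len(op):
        tag, val, pos = _read_tlv(op, pos)
        if tag == 0x8A:
            name = val.decode()
    return {"message_id": int.from_bytes(msgid, "big"), "result_code": code[0],
            "diagnostic": diag.decode(errors="replace"), "response_name": name}


def starttls_accepted(raw_response: bytes) -> bool:
    """True only for resultCode success (0); anything else leaves the channel in plaintext."""
    return parse_extended_response(raw_response)["result_code"] == 0


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed during StartTLS")
        data += chunk
    return data


def negotiate_starttls(sock: socket.socket, server_hostname: str,
                       cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Send StartTLS on a connected plaintext socket and return it TLS-wrapped, or fail closed."""
    sock.sendall(build_starttls_request(1))
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        raise ValueError("long-form BER length not handled by this example")
    if not starttls_accepted(head + _recv_exact(sock, head[1])):
        sock.close()
        raise ConnectionError("server refused StartTLS; not continuing over plaintext")
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and hostname check by default
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```

negotiate_starttls takes an already connected socket to the plaintext LDAP port and the CA file the resolver trusts; the property worth checking for any resolver configuration is that a connection either ends up TLS-wrapped or fails, never a third state in which the bind credentials travel unprotected.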

Download

LinOTP 2.9.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.9.1 via the integrated auto-update mechanism after February 20th 2017.

Note

With LinOTP 2.9.1, large parts of the LDAP UserIdResolver code were rewritten and the default for StartTLS has changed. Although LinOTP 2.9.1 has been tested thoroughly by KeyIdentity, we recommend setting up LinOTP 2.9.1 in a staging environment before putting it into production.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at keyidentity@keyidentity.com.

The KeyIdentity LinOTP team


Changelog LinOTP 2.9.1

Enhancements
  • Server: New token type: KeyIdentity PushToken
  • Server: Add optional caching of resolver lookups
  • Server: Show welcome and update screens
  • WebUI: Add dialog for duplicating resolvers
  • WebUI: Better password handling in resolver dialogs
  • Reporting: Add paging and CSV output for reporting/show
  • API: Use semicolon as CSV column separator by default
  • UserIdResolver: Add StartTLS support
Bug Fixes
  • Server: Fix remote token
  • Server: Fix evaluating policies for non-existent realms
  • API: Don't localize monitoring json output
  • SMPPSMSProvider: Fix encoding issues for non-ascii characters
  • WebUI: Alert in realm dialog if no resolvers are selected

Hackathon 2FA

Science and practice agree: passwords are no good! On the contrary, they are one of the main causes of the successful compromise of user accounts or entire systems. Users often choose weak passwords, crackers harvest complete user databases that may contain passwords stored unencrypted or poorly encrypted, and malware that captures even the best password is becoming ever more sophisticated. Phishing, above all targeted "spear phishing", is also a major problem in practice.

Our answer at KeyIdentity GmbH is LinOTP. LinOTP (https://linotp.org) is a powerful and flexible open-source solution for two-factor authentication with which traditional passwords can be replaced or supplemented by further mechanisms. These include, for example, hardware tokens or authentication solutions based on mobile apps. LinOTP offers a convenient API for integration into existing applications.

We know: authentication has to become more secure. That is why we are holding a hackathon at which you can use LinOTP to increase the security of your applications. Network with others, and let us together make our applications more secure and break the paradigm of "pick a password as complex as possible that you cannot remember, and don't write it down anywhere".

On 3.12.2016 we invite you to the premises of KeyIdentity GmbH in Weiterstadt; we will provide pizza and drinks and help you integrate LinOTP into your software via the API.

Learn how easy it is to secure your applications, get free help, network with each other and simply have a great day! To help us plan, please register by e-mail at: hackathon@keyidentity.com


LSE LinOTP 2.9 released

On August 15th we released LinOTP 2.9 to the repositories.

LinOTP 2.9

LSE Leading Security Experts GmbH is pleased to announce the availability of LinOTP 2.9.

LinOTP 2.9 is one of our biggest releases, with over 500 commits. It introduces many improvements, small features, cleanups and bug fixes. The highlights are the preparation for offline authentication, utilizing our new QRToken, the new Reporting API and the extended SMS and e-mail provider configuration.

Highlights

  • New Feature: Offline Authentication

LinOTP 2.9 introduces the next generation of our QR-code based soft token. It will be complemented in the next weeks by the releases of our LinOTP Authentication Providers for Microsoft Windows and the LinOTP mobile apps, allowing for integrated and secure offline authentication with high usability in addition to the traditional secure, transaction-based authentication.

  • New Feature: Reporting API

To allow for integration into reporting environments and to simplify accounting in multi-tenant environments, LinOTP provides a new, powerful reporting API to collect information such as the number of currently active tokens and the highest number of tokens over time for certain realms.

  • New Feature: Realm specific SMS Providers

LinOTP 2.9 supports the management of multiple SMS and e-mail providers. These providers allow SMS or e-mail settings to be specified for different customers, realms or users in a diverse LinOTP environment.

Download

LinOTP 2.9 is available as Debian and RPM packages from linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.9 via the integrated auto-update mechanism after August 16th 2016.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.3 and assist upgrading your environment to the latest release at support@lsexperts.de

The LSE LinOTP team


Changelog LinOTP 2.9

Enhancements
  • Server: Add support for offline authentication
  • Server: Add QRToken
  • Server: Add forwarding token
  • Server: Add reporting controller
  • Server: Add support for multiple SMS/e-mail providers
  • Server: Add support for long config values
  • Server: Add issuer label to OATH tokens
  • Server: Allow one-time simplepass tokens
  • Server: Allow multiple users with same username in one realm
  • Server: Support migration of resolvers for assigned tokens
  • Server: Add authorization policies for monitoring controller
  • Server: Allow named otppin policies ('token_pin', 'password' and 'only_otp')
  • Server: Add SSL/TLS abilities to SMTPSMSProvider
  • UserIDResolver: Add class registry and class aliases
  • WebUI: Slightly polished look and feel
Bug Fixes
  • WebUI: Hide 'Get OTP' button if getotp is deactivated in config
  • WebUI: Several bug fixes in different dialogs and elements
  • Server: Fix generating transactionids which failed in rare circumstances
  • Server: Handle timestamp rounding instead of truncating in MySQL 5.6
  • Server: Do not copy old PIN on lost simplepass token
  • Packaging: Remove debconf entry 'linotp/generate_enckey'
  • WebUI: Validate resolver configuration on resolver definition
  • WebUI: Alert in realm dialog if no resolvers are selected

LSE LinOTP 2.8.1.3 released

On July 30th we released LinOTP 2.8.1.3 to the repositories.

LinOTP 2.8.1.3

LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1.3, the latest patch release of its vendor independent solution for adaptive multi-factor and 2-factor authentication.

Download

LinOTP 2.8.1.3 is available as Debian and RPM (Red Hat/CentOS) packages from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1.3 via the integrated update mechanism.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.3 and assist upgrading your environment to the latest release at support@lsexperts.de

The LSE LinOTP team

--
LSE Leading Security Experts GmbH
Robert-Koch-Straße 9, 64331 Weiterstadt, DE
Sales Hotline: +49 6151 86086-277, Fax: -299
Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Board of Directors: Nils Manegold, Oliver Michel, Arved Graf von Stackelberg, Sven Walther

Changelog:

LinOTP:

  • Server: Fix pin handling in email token

    LSE LinOTP 2.8.1.2 released

    On July 21st we released LinOTP 2.8.1.2 to the repositories.

    LinOTP 2.8.1.2

    LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1.2, the latest patch release of its vendor independent solution for adaptive multi-factor and 2-factor authentication.

    Download

    LinOTP 2.8.1.2 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1.2 via the integrated update mechanism.

    The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.2 and assist upgrading your environment to the latest release at support@lsexperts.de

    The LSE LinOTP team


    Changelog:

    LinOTP:

    Enhancements:

    • Server: Add support for demo licenses

    Bug Fixes:

    • Selfservice: Fix setting tokenlabels
    • Server: Set the first created realm as default realm
    • Server: Fix admin/show using a serial number and an active admin policy containing a wildcard
    • Server: Fix import of policies missing scope or action
    • Server: Fix license import using IE
    • Server: Fix license decline under certain conditions (available since 2.8.1.1)

    LSE LinOTP 2.8.1 released

    On Apr 5th we released LinOTP 2.8.1 to the repositories.

    LinOTP 2.8.1

    LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1, the latest version of its vendor independent solution for adaptive multi-factor and 2-factor authentication and OTP processes (OTP: one time passwords). LSE is now offering its latest LinOTP version in Spanish, French, Italian, and simplified Chinese in addition to the previously available English and German. In addition to the expanded available languages, LinOTP 2.8.1 has new features for monitoring and improved capabilities for server migration and complex setups. The improved user filters and support for HSM (hardware security module) migrations are also new. With the additional languages, LSE has consistently continued to internationalise the LinOTP product line. The larger selection of available languages applies to both the self-service user portal as well as the management interfaces.

    Highlights:

    • New Feature: Additional Languages

    LSE has consistently continued to internationalise the LinOTP product line. The larger selection of available languages applies to both the self-service user portal as well as the management interfaces.

    • New Feature: Monitoring

    LSE is introducing a new API for monitoring internal LinOTP processes with LinOTP 2.8.1. This provides, for example, information on the statistics and the status of the tokens, the status of the HSM (hardware security module) encoding, and the status of the UserIDResolver with configurable permissions.

    • New Feature: Improved User Filters

    Today's enterprise environments require a differentiated approach to user policy management. LinOTP 2.8.1 adds options for managing the configurations and policies based on user groups, user attributes, and regular expressions. This considerably simplifies detailed and complex permission scenarios in the setup.

    • New Feature: SMPPSMSProvider

    LinOTP now supports the SMPP protocol for submitting text messages to Short Message Service centers (SMSC).

    • New Feature: Improved Features for Server Migration and Complex Setups

    Previous features for routing registration data to other authentication servers have been improved with options for generic routing. This means migration scenarios and complex setups with multiple LinOTP instances are easier to model and administer.

    In addition to these features, LinOTP 2.8.1 includes many further improvements and bug fixes in order to improve the user experience.

    Download

    LinOTP 2.8.1 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1 via the integrated update mechanism.

    The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1 and assist upgrading your environment to the latest release at support@lsexperts.de

    The LSE LinOTP team

    --
    LSE Leading Security Experts GmbH
    P.O. Box 100121, 64201 Darmstadt
    Sales Hotline: +49 6151 86086-277, Fax: -299
    Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
    Board of Directors: Nils Manegold, Oliver Michel, Arved Graf von Stackelberg, Sven Walther

    Changelog:

    LinOTP:

    Enhancements:

    • Server: Add monitoring controller
    • Server: Add support for encryption migration (HSM)
    • Server: Add 'forward to server' policy
    • Server: Extended user filter in policies
    • Server: Reduce number of userid authentication calls
    • Server: Enable less services in default configuration
    • WebUI: Update jQuery, jQuery UI and jed

    Bug fixes:

    • Selfservice: Fix access to userservice with UTF-8 characters
    • WebUI: IE11: Deliver requested language
    • WebUI: Support for IE11 logout and cookie deletion

    UserIdResolver:

    • SQL: Add support for ASP.NET hashes

    SMSProvider:

    • Add support for SMPP SMS Provider

    libpam-linotp:

    Enhancements:

    • Major code rewrite
    • Add support for custom CA certificates
    • Improve compatibility with multiple Linux distributions, freeBSD and OS X

    LSE LinOTP 2.8 released

    On Nov 27th we released LinOTP 2.8 to the repositories.

    LinOTP 2.8

    LSE Leading Security Experts GmbH is pleased to announce the availability of the following product release:

    LinOTP 2.8 contains full support for the FIDO U2F standard, along with additional new features, usability improvements and bug fixes.

    The list below provides details of the most important changes. The complete changelog is provided at the end of this article.

    Highlights:

    • New feature: FIDO U2F support
    LinOTP 2.8 now fully supports the FIDO Alliance U2F protocol. It is now possible to use user-friendly U2F tokens provided by various manufacturers in order to implement the second authentication factor. By using public key techniques, it is now possible to use just one token to access multiple authentication systems. In addition, it is possible to implement Bring Your Own Token (BYOT) scenarios.
    • New feature: User enrollment of FIDO U2F, email and SMS tokens via the self service portal
    In order to simplify the rollout process, it is now possible to allow users to use the self service portal to enroll new token types (FIDO U2F, email and SMS) in addition to those previously available. As with other token types, access to these new types is under the control of the LinOTP administrator via the policy system.
    • New feature: Temporary email and SMS token
    If a token is lost or stolen, it is now possible to define a temporary email or SMS token instead of a temporary password.
    • New feature: More than one challenge response token per user with identical token PIN
    The API in LinOTP 2.8 supports generation of more than one challenge for various tokens and token types. This now makes it possible to use different challenge response tokens with the same token PIN. It is also possible to use different challenge response token types with identical token PINs.
    • Improvements and bug fixes

    In addition to these features, LinOTP 2.8 includes many further improvements and bug fixes in order to improve the user experience.
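What a relying party such as LinOTP has to do with the two U2F messages, as an added example written for this page rather than code from the project: split the registration and authentication responses defined in the FIDO U2F raw message format, reconstruct the exact bytes the token signed, and enforce the signature counter, which is the mechanism U2F provides for noticing a cloned key. ECDSA over P-256 is not in the Python standard library, so signature verification is passed in as a callback (verify_sig, assumed to return True or False); every function and class name here (parse_registration_response, CounterStore, verify_authentication) and all sample messages are constructed for the example.

```python
"""Added example, not LinOTP's U2F implementation: relying-party handling of
FIDO U2F raw messages with the standard library only.

Registration response: 0x05 || userPublicKey (65) || keyHandleLength (1) ||
keyHandle || attestation certificate (DER) || signature (DER).
Authentication response: userPresence (1) || counter (4, big-endian) ||
signature (DER).  The token signs
  SHA-256(appId) || userPresence || counter || SHA-256(clientData)
and the RP must reject any counter that is not strictly above the last one
it stored for that key handle."""
import hashlib
import struct
from typing import Callable, Dict, Tuple


class U2FError(Exception):
    pass


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _der_tlv_length(buf: bytes, pos: int) -> int:
    """Total byte length of the DER element at pos (short- and long-form lengths)."""
    first = buf[pos + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def parse_registration_response(raw: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    """Return (public_key, key_handle, attestation_cert, signature) from a registration response."""
    if len(raw) < 67 or raw[0] != 0x05:
        raise U2FError("bad reserved byte or truncated registration response")
    public_key = raw[1:66]
    if public_key[0] != 0x04:
        raise U2FError("public key is not an uncompressed P-256 point")
    kh_len = raw[66]
    key_handle = raw[67:67 + kh_len]
    pos = 67 + kh_len
    if len(key_handle) != kh_len or pos >= len(raw) or raw[pos] != 0x30:
        raise U2FError("attestation certificate missing")
    cert_len = _der_tlv_length(raw, pos)
    cert = raw[pos:pos + cert_len]
    signature = raw[pos + cert_len:]
    if not signature:
        raise U2FError("registration signature missing")
    return public_key, key_handle, cert, signature


def registration_signed_data(app_id: bytes, client_data: bytes, key_handle: bytes, public_key: bytes) -> bytes:
    """Bytes covered by the attestation signature: 0x00 || appParam || challengeParam || keyHandle || pubKey."""
    return b"\x00" + _sha256(app_id) + _sha256(client_data) + key_handle + public_key


def parse_authentication_response(raw: bytes) -> Tuple[int, int, bytes]:
    """Return (user_presence, counter, signature) from an authentication response."""
    if len(raw) < 6:
        raise U2FError("authentication response too short")
    user_presence = raw[0]
    (counter,) = struct.unpack(">I", raw[1:5])
    signature = raw[5:]
    if signature[0] != 0x30:
        raise U2FError("signature is not a DER SEQUENCE")
    return user_presence, counter, signature


def authentication_signed_data(app_id: bytes, user_presence: int, counter: int, client_data: bytes) -> bytes:
    """Bytes the token signed for an authentication: appParam || userPresence || counter || challengeParam."""
    return _sha256(app_id) + bytes([user_presence]) + struct.pack(">I", counter) + _sha256(client_data)


class CounterStore:
    """Highest signature counter seen per key handle (in production this lives with the token record)."""

    def __init__(self) -> None:
        self._last: Dict[bytes, int] = {}

    def check_and_update(self, key_handle: bytes, counter: int) -> None:
        last = self._last.get(key_handle, -1)
        if counter <= last:
            raise U2FError(f"counter {counter} not above stored {last}: replay or cloned token")
        self._last[key_handle] = counter


def verify_authentication(raw: bytes, app_id: bytes, client_data: bytes, key_handle: bytes,
                          store: CounterStore, verify_sig: Callable[[bytes, bytes], bool],
                          require_presence: bool = True) -> int:
    """Full check of one authentication response; returns the accepted counter value."""
    user_presence, counter, signature = parse_authentication_response(raw)
    if require_presence and not user_presence & 0x01:
        raise U2FError("user presence not asserted")
    # Verify the signature before touching the counter, so that an
    # unauthenticated message can never advance or poison the stored value.
    if not verify_sig(authentication_signed_data(app_id, user_presence, counter, client_data), signature):
        raise U2FError("signature verification failed")
    store.check_and_update(key_handle, counter)
    return counter
```

The order inside verify_authentication matters: presence flag, then signature, then counter. A counter that goes backwards after a valid signature is the one signal the RP gets that the private key exists in more than one device, so that failure is worth logging as a security event rather than as a login error.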

    Download

    LinOTP 2.8 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8 via the integrated update mechanism.

    The LSE team would be pleased to answer any questions you may have about LinOTP 2.8 and assist upgrading your environment to the latest release at support@lsexperts.de

    The LSE LinOTP team

    --
    LSE Leading Security Experts GmbH
    P.O. Box 100121, 64201 Darmstadt
    Sales Hotline: +49 6151 86086-277, Fax: -299
    Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
    Board of Directors: Nils Manegold, Oliver Michel, Sven Walther

    Changelog:

    LinOTP:

    Enhancements:

    • Server: Add FIDO U2F support
    • Selfservice: Enroll FIDO U2F, e-mail and SMS tokens
    • Server: Losttoken: Support enrollment of e-mail and SMS tokens
    • Server: Trigger challenges for multiple challenge-response tokens with one request
    • Server: Support autoassignment policy without action value

    Bug fixes:

    • Selfservice: Fix getSerialByOtp functionality for yubikey tokens
    • Server: Fix importing yubikey tokens without prefix
    • Server: Fix autoassignment with remote token pointing at yubikey token
    • Server: Fix autoassignment using tokens with different OTP lengths
    • Server: Prevent counter increments of inactive tokens
    • Server: Don't return counter parameter on TOTP enrollment
    • Selfservice: Fix occasional login problems using non-ASCII characters
    • Server: Fix occasional problems sorting userlist with unicode characters
    • Server: Fix usage of otppin policy for remotetoken with local pincheck
    • Server: Don't return error messages on unconfigured autoenrollment
    • Server: Always set OTP length in remote token enrollment
    • Server: Don't return error messages for policy otppin=1 and unassigned tokens
    • Server: Reply to OCRA2 challenge providing only transactionid and OTP
    • WebUI: Don't show dialog asking for realm creation if no useridresolver is configured
    • WebUI: Fix WebUI for recent Internet Explorer versions
    • WebUI: Clear key and PIN input fields after token enrollment
    • Tools: linotp-create-pwidresolver-user: Fix duplicate and ignored command-line arguments
    • Tools: Correctly package linotp-enroll-smstoken tool
    • Tools: Use Digest instead of Basic Authentication in linotp-enroll-smstoken
    • Tools: Display an error message in linotp-enroll-smstoken when dependencies are missing
    • Tools: Fix linotp-sql-janitor crash when executed without --export option
    • Server: Fix for wildcard search with available unassigned tokens
    • Server: Fix LinOTP on pylons 0.9.7
    • Packaging: Remove nose dependency from linotp install process

    UserIdResolver:

    • Add support for Unicode passwords in PasswdIdResolver
    • Add LDAP proxy support
    • Support for LDAP cursoring during fetch of userlist
    • Add support for odbc_connect in SQLIdResolver

    SMSProvider:

    • Encode spaces in request params as '%20', not as '+'
    • Fix GET requests using the requests library
    • Add ability to convert the phone number to MSISDN format

    LSE LinOTP Hotfix / Security Advisory

    LSE Leading Security Experts GmbH recommends applying the hotfix described below in order to ensure secure operation of LinOTP. These steps are only necessary on installations that do not use automatic update mechanisms (see below under "LSE LinOTP Smart Virtual Appliance"). Users of automatic update mechanisms are not affected, as LinOTP will already have been updated.

    The hotfix closes a critical issue and prevents potential misuse.

    This issue can potentially allow an unauthorised user to submit input containing unwanted characters that is written to LinOTP's logs and database. At a later date, under certain conditions, it is possible that this content could be executed in an admin context, so that malicious code could be executed as a result. This is due to unescaped output being passed to a widget used by LinOTP.

    A security advisory has been released for our product LinOTP containing further details. We would especially like to thank Tomas Rzepka for his valued input and assistance.

    As far as we are aware, there have not been any cases of this issue being exploited.

    We have provided the hotfix to our customers in various formats and versions. The fixed packages do not contain any changes apart from the hotfix itself. We recommend applying this update as soon as possible.

    Please use the instructions provided below to install the hotfix.

    In future versions of LinOTP (2.8 and above), we will make changes to reduce the potential risk of similar issues through use of the API.
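The two layers the advisory points at, validated input at the API and escaped output at the widget, as an added example that is neither the hotfix itself nor LinOTP code: the identifier pattern, the record layout and the function names (validate_identifier, sanitize_for_log, render_row, widget_data) are assumptions of this example, and render_row_unsafe is kept only to show the concatenation pattern that output escaping replaces.

```python
"""Added example (not the LinOTP hotfix): stored values that originate from
API input and are later shown in a management UI, handled at both boundaries.

Layer 1, API input: identifiers such as token serials or realm names are
checked against an allowlist, so characters with markup meaning never reach
the database, and log fields are neutralised so one request cannot forge
extra log lines.
Layer 2, output: whatever is rendered into HTML is escaped for the context it
is inserted into, regardless of where the value came from."""
import html
import json
import re

IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # allowlist assumed for this example


def validate_identifier(value: str, field: str) -> str:
    """API-boundary check for serials, realm and resolver names."""
    if not IDENTIFIER_RE.match(value):
        raise ValueError(f"{field}: only A-Z, a-z, 0-9, '_', '.', '-' (1-64 characters) are allowed")
    return value


def sanitize_for_log(value: str) -> str:
    """Escape line breaks and control characters before a value goes into a log line."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif code < 0x20 or code == 0x7F:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def render_row_unsafe(record: dict) -> str:
    """The pattern the advisory describes: stored values concatenated straight into widget markup."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (record["serial"], record["description"])


def render_row(record: dict) -> str:
    """Hardened form: escape for the HTML text context at the point of output."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(record["serial"], quote=True),
        html.escape(record["description"], quote=True),
    )


def widget_data(record: dict) -> str:
    """Values handed to a widget through an inline <script> block: JSON with '<'
    escaped, so a stored '</script>' cannot terminate the script element early."""
    return json.dumps(record).replace("<", "\\u003c")
```

Both layers are needed: the allowlist stops markup from being persisted in the first place, and the output escaping covers every value that was stored before the check existed or that legitimately contains such characters (a free-text token description, for instance).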

    Hotfix installation

    The following updated LinOTP versions are available:

    • 2.6.1.1 --> 2.6.1.2
    • 2.7.0.2 --> 2.7.0.3
    • 2.7.1.2 --> 2.7.1.3
    • 2.7.2.1 --> 2.7.2.2

    The installation instructions contain download links.

    Systems prior to LinOTP 2.6 or which do not use packages should refer to the installation instructions. In this case the fix should be applied by manually copying a fixed version of the file in question.

    LSE LinOTP Smart Virtual Appliance

    Customers who use the LinOTP SVA with automatic updates enabled will automatically obtain the new package when updates are applied according to their system configuration.

    It is possible to start the update process from the command line by executing the command "appliance-update.sh".

    Please note: appliance-update.sh will download and apply all pending operating system updates. If your system has not been updated for some time, this may result in a lengthy download and installation process.


    LSE LinOTP 2.7.2 released

    On May 11th we released LinOTP 2.7.2 to the repositories.

    LSE LinOTP 2.7.2

    LSE Leading Security Experts GmbH is announcing the availability of the new release of LSE LinOTP (2.7.2).

    You will find the complete changelogs and the most important changes in LinOTP 2.7.1 at the end of this newsletter. Here we want to mention some highlights of 2.7.2.

    LinOTP 2.7.2

    LinOTP 2.7.2 includes some interesting new features as well as improvements in usability and bug fixes. This is only a selection, please refer to the full Changelog below.

    • New feature: Autoenrollment

      Users without a token assigned can trigger the creation and assignment of a new SMS or e-mail token by providing correct credentials (username and password) during login. This feature can be configured in a new policy (e.g. for certain users only) and relieves the administrator from enrolling and assigning these tokens manually.

      For more information please refer to the Autoenrollment Howto

    • New feature: New Self Service API

      The new Userservice API allows for the implementation of independently hosted self service portals and easier integration of self service tasks in existing customer portals.

    • New feature: mass enrollment of SMS token from the CLI
    • New packages: Ubuntu 14.04 "Trusty Tahr".
    • Improved input validation for SQL and LDAP resolver, and E-mail and SMS provider definitions.

    Download

    LinOTP 2.7.2 is available in our repositories on linotp.org and for customers running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated upgrade mechanisms.

    We are happy to answer your questions about this release: sales@lsexperts.de.

    Changelogs:

    LinOTP 2.7.2
    Enhancements:
    • Server: Autoenrollment - enroll an email or SMS token if user has no token and authentication with password was correct.
    • Server: Support 'now()' in LDAP search expressions
    • Selfservice: Split Selfservice into userservice controller and selfservice renderer to support remote selfservice interface
    • WebUI: SQL and LDAP resolver mapping validation (needs to be valid JSON)
    • WebUI: email and SMS provider definition validation (needs to be valid JSON)
    • Packaging: Support for Ubuntu 14.04 (with Apache 2.4)
    • Packaging/Server: Support for Pylons 1.0.1
    • Packaging: Internal package refactorization to unify structure and version number handling
    • Packaging: Apache linotp2 VirtualHost will no longer be overwritten during Debian package upgrade. VirtualHost example files are copied to the same location where the LinOTP package is installed and only afterwards it is moved to /etc/apache2 (if it does not exist already)
    • Packaging: Cleaned up and hardened Apache linotp2 VirtualHost files
    • Tools: Improved linotp-create-pwidresolver-user and linotp-create-sqliddresolver-user to generate more secure passwords
    • Tools: Added tool to mass enroll SMS token
    Bug fixes:
    • Server: Fixed support of old licenses, where the expiry is in the date entry
    • Server: Fixed error during token unassign (because of setPin call)
    • Server: Fixed searching for a user in multiple realms
    • Server: Fixed exact search for user in tokenlist
    • Server: Fixed sorting of userlist with unicode
    • Selfservice: Fixed selfservice history browsing

    LSE Smart Virtual Appliance 1.2 and LinOTP 2.7.1 released

    On January 15th we released LinOTP 2.7.1 to the repositories.

    LSE Smart Virtual Appliance 1.2 and LinOTP 2.7.1

    LSE Leading Security Experts GmbH is proud to announce the general availability (GA) of the following new product releases:
    (1) LSE LinOTP Smart Virtual Appliance 1.2
    (2) LSE LinOTP 2.7.1.

    We are happy to provide LinOTP 2.7 from now also to our customers running LSE LinOTP Smart Virtual Appliances.

    You will find the entire changelogs below. Here we want to mention some highlights:

    LinOTP 2.7.1

    LinOTP received many improvements in usability and the work flow. This is only a selection of improvements, please also refer to the full Changelog below.

    • LinOTP 2.7.1 now fully supports the handling of LSE LinOTP support and subscription licenses.
    • The PIN dialog was integrated with the enrollment dialog and is conditional according to your policies (e.g. random pin).
    • Saving the Token Config is now also possible with only one part changed.
    • The mechanisms to translate LinOTP were improved and extended, especially in the LinOTP Selfservice.
    • The information boxes now stack to prevent an important message from being overwritten.
    • These messages can be acknowledged together.
    • The overall design was improved and made more consistent.
    • New and improved soft tokens like FreeOTP are better integrated, and the WebUI and LinOTP Selfservice were improved to better support the features offered by OATH soft tokens beyond the Google Authenticator.
    • The native handling of Yubikeys was improved by supporting resync and uppercase OTPs.
    • The Active Directory UserIDResolver was improved to use objectGUID as the default UIDType.
    • Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate) to improve security or management in complex HA setups.
    • The audit data can now be written to a log file before it is rotated.

    Highlights for customers upgrading from LinOTP EE 2.6.1.1:

    • Improved Oracle database support,
    • memory usage optimization,
    • improved database handling for the audit log,
    • extended CLI toolset.

    Preview

    We are already working on the next releases and want to give a small peek at what is coming.

    • Remote Self Service
    • SMS/E-Mail Token Auto-Enrollment

    LSE LinOTP Smart Virtual Appliance 1.2

    The LSE Smart Virtual Appliance (SVA) received big improvements in the installation process, usability and the backend.

    The Configuration Management was improved to make changes more visible and improve the usability. There is now a clear indication of changes needed to be saved and activated. An info bar appears and the 'Configuration Management' Tab is highlighted until the changes are saved and activated.

    The WebUI of the LSE LinOTP SVA is now fully translatable and available in German. The language will be chosen based on your browser's language.

    The installation wizard saw substantial improvements. More settings are preset from the installed system and more of the input is checked for errors. The activation step of the wizard was completely rewritten and is now faster and more robust.

    There are many improvements in the WebUI which stem from customer input to improve the workflow of administration and management of the SVA.

    LinOTP 2.7.1 is available in our repositories on linotp.org and for customers running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated upgrade mechanisms. If you have any questions regarding the new releases, we are happy to answer and support your inquiries.

    Changelogs:

    LinOTP 2.7.1
    Enhancements:
    • Server: Added check for optional support and subscription license
    • WebUI: Show warnings when the support and subscription has expired or number of supported tokens has been exceeded
    • WebUI: Editing the token config in the WebUI will only save what has been edited
    • WebUI: PIN setting is now part of the 'enroll' dialog instead of being in a separate dialog
    • WebUI: Don't allow setting the token PIN in the token enrollment dialog when the 'random_pin' policy is set
    • WebUI/Server: Added translation of selfservice and policy messages
    • WebUI: Enabled JavaScript localization (jed based) for 'manage' and 'selfservice' UI
    • Server: Added Yubikey token support for uppercase OTP values
    • Server: Added support for Yubikey token resync
    • WebUI: Info and error boxes in the 'manage' UI now stack instead of overlaying (hiding the older ones). When displaying more than one box a 'Close all' link is shown
    • WebUI: Improve CSS styling for info and error boxes in 'manage' UI
    • WebUI: Adapted the 'selfservice' and 'auth' interfaces to the 'manage' UI style
    • WebUI: Improved display of currently selected user and token
    • WebUI: Restricted the selection to a single user
    • Server: Added system/getPolicy support for 'user' as filter criteria
    • Server: Added system/getPolicy support for 'action' as filter criteria
    • WebUI: Preset LDAPUserIdResolver AD with objectGUID instead of DN
    • WebUI: Reworked the selfservice Google web provisioning to refer to FreeOTP and other soft tokens as well
    • Server: Include OTP length and hash algorithm used in the 'otpauth' URL generated when enrolling HOTP or TOTP tokens
    • WebUI: Display the generated seed in the enrollment tabs in a copyable form
    • WebUI: Extended the eToken DAT import to display start date support with hh:mm:ss
    • Server: Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate)
    • WebUI: Added 'clear' button to policy form
    • WebUI: Made policies 'active' by default
    • Server: Initialize repoze.who with a random secret during server start up or restart (old 'selfservice' sessions become invalidated)
    • Server/Tools: Added the ability to dump the audit data before deletion
    • Packaging: Removed obsolete SQLAlchemy <0.8.0b2 restriction
    • Server: Random generation: switched to more secure randrange and choice methods
    • WebUI: Updated jQuery to v1.11.1 and all plugins and JS libraries (Superfish, jQuery Cookie, jQuery Validation, ...) to their latest version
    • WebUI: Simplified selfservice tokenlist handling
    • WebUI: Added warning to auth forms when Javascript is disabled in the browser
    • WebUI: Improved auth form handling of JS errors
    • Server: Removed deprecated /auth/requestsms form because SMS can be requested using the regular /auth/index form (by doing challenge-response)
    Bug Fixes:
    • Packaging: Fixed ask_createdb debconf question that kept being asked on upgrade of the Debian packages
    • WebUI: Cleaned up selfservice mOTP Token enrollment
    • WebUI: Some fixes for localization and wrong validation of seed input field
    • Server: Fixed the search for ee-resolver tokens and user
    • Server: Raise exception for empty 'user' in 'system' or 'admin' policy
    • Server: Load the HSM before the LinOTP config, so that the config can hold decrypted values
    • Server: Fixed help_url to always use linotp.org site with version
    • Server: Added support for migrating old linotpee resolver entries
    • Server: Fixed reinitialization of Yubikey token
    • Server: Yubikey checkOtp should not raise exception if the OTP is too short
    • Server: Fixed bug in Yubikey CSV import
    • Server: Fixed padding and unpadding code for PKCS11 module
    • Server: Fixed padding and unpadding code for YubiHSM module
    • Server: Added LinOTP config options 'pkcs11.accept_invalid_padding' and 'yubihsm.accept_invalid_padding'
    • Server: Fixed token import to support ocra2 token
    • WebUI: Fixed small display error when deleting or modifying multiple tokens in the 'manage' UI
    • WebUI: Fixed selfservice enroll of mOTP token
    • Server: Fixed token serial not appearing in the audit log in some cases
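
    The 'otpauth' URL item above is the one change in this list that is worth seeing end to end, because an authenticator that does not receive the algorithm and OTP length falls back to the Key URI defaults (SHA1, 6 digits, 30 s) and silently produces codes the server will reject. The following is an added example and not LinOTP's own code: it draws a token seed from the OS CSPRNG (the 'more secure random generation' item in the same list), builds an otpauth URL that carries algorithm and digits explicitly, parses such a URL back the way an authenticator would, and computes HOTP (RFC 4226) and TOTP (RFC 6238) with the parsed parameters. The function names and the 'LinOTP'/'alice' issuer and account labels are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Hash algorithms permitted in an otpauth URL (Key URI format). SHA1 is what an
# authenticator assumes when the 'algorithm' parameter is missing.
_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def generate_seed(nbytes=20):
    """Token secret from the OS CSPRNG; never derive it from random.random()."""
    return secrets.token_bytes(nbytes)


def build_otpauth_url(token_type, issuer, account, seed,
                      algorithm="SHA1", digits=6, period=30, counter=0):
    """Build otpauth://{hotp,totp}/... carrying algorithm and digits explicitly."""
    algorithm = algorithm.upper()
    if algorithm not in _DIGESTS:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    if token_type not in ("hotp", "totp"):
        raise ValueError("token_type must be 'hotp' or 'totp'")
    params = {
        "secret": base64.b32encode(seed).decode("ascii").rstrip("="),
        "issuer": issuer,
        "algorithm": algorithm,
        "digits": digits,
    }
    if token_type == "hotp":
        params["counter"] = counter   # HOTP: the moving factor is a counter
    else:
        params["period"] = period     # TOTP: the moving factor is time // period
    label = quote("%s:%s" % (issuer, account))
    return "otpauth://%s/%s?%s" % (token_type, label, urlencode(params))


def parse_otpauth_url(url):
    """Parse an otpauth URL, applying the Key URI defaults for absent parameters."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("hotp", "totp"):
        raise ValueError("not an otpauth HOTP/TOTP URL")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = query["secret"].upper().rstrip("=")
    secret += "=" * (-len(secret) % 8)   # restore base32 padding before decoding
    return {
        "type": parsed.netloc,
        "seed": base64.b32decode(secret),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "counter": int(query.get("counter", 0)),
    }


def hotp(seed, counter, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP (HMAC + dynamic truncation), with the RFC 6238 hash choices."""
    mac = hmac.new(seed, struct.pack(">Q", counter), _DIGESTS[algorithm.upper()]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, timestamp, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(seed, int(timestamp) // period, algorithm, digits)


def otp_from_url(url, timestamp=None):
    """Compute the OTP an authenticator would display after scanning `url`."""
    p = parse_otpauth_url(url)
    if p["type"] == "hotp":
        return hotp(p["seed"], p["counter"], p["algorithm"], p["digits"])
    return totp(p["seed"], timestamp, p["algorithm"], p["digits"], p["period"])


if __name__ == "__main__":
    # Constructed enrollment of a SHA256 / 8-digit TOTP token for the assumed user 'alice'.
    seed = generate_seed(32)
    url = build_otpauth_url("totp", "LinOTP", "alice", seed, algorithm="SHA256", digits=8)
    print(url)
    now = time.time()
    # Server and authenticator agree only because the URL carries algorithm and
    # digits; a client falling back to SHA1/6 would show a different code.
    assert totp(seed, now, "SHA256", 8) == otp_from_url(url, now)
```

The seed is shown base32-encoded without padding, which is the form authenticator apps expect; the parser re-pads before decoding. Stripping the 'algorithm' and 'digits' parameters from a URL built for a SHA256/8-digit token reproduces the pre-2.7.1 failure mode: the parsed defaults are SHA1 and 6 digits, and the derived OTP no longer matches the server's.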

    LSE Smart Virtual Appliance 1.2

    • Added German translation of the WebUI. The language is chosen based on your browser's settings.
    • Improved 'Config changed' notification when the administrator makes changes in the WebUI
      • An info bar appears once at the top of the site
      • The 'Configuration Management' Tab is highlighted in orange until the changes are saved
    • LinOTP support and subscription licenses can be added and updated in the Appliance WebUI. When installing via the Wizard you are required to upload a license file.
    • The signature of the LinOTP license file is verified
    • When running the wizard the network settings are preset with the 'current settings' (e.g. as set by DHCP)
    • Added title bar to WebUI, containing links for 'About', 'Help' and 'Logout'
    • Browser session cookies become invalid when Apache2 is restarted (i.e. you have to log in again)
    • If the Appliance is unconfigured redirect directly to the Wizard
    • Removed the direct link to the Wizard from the dashboard; it can still be called explicitly by going to /wizard
    • Better arrangement of the Tabs in the WebUI
    • Version information is displayed in the login screen
    • More information such as version of lseappliance and linotp packages as well as serial number and number of licensed tokens is displayed in the dashboard
    • Compatibility improvements for current Versions of Chrome (Chromium), Firefox and IE10+
    • In the Wizard you can skip the RADIUS client configuration if you plan to use only the WebAPI
    • Upgraded jQuery to version 1.11.1, jQuery UI to version 1.11.0 and other jQuery Plugins to their newest version
    • Made HTML forms more fault tolerant (e.g. DNS server list verifies correct separators, netmask is verified, whitespace is stripped, verify RADIUS secret with second field ...)
    • Fixed setup_appliance.py so it generates functional initial settings
    • Fixed the Wizard finalization by better synchronizing the steps. This tries to prevent the Appliance being left in a semi-configured state
    • Fixed dhclient still running even after setting static IP settings
    • Fixed security-critical information being written to log files
    • Use POST requests throughout the application so that sensitive parameters are not logged by Apache as part of the request line (query strings of GET requests end up in the access log)
    • Fixed log file ownership/permissions
    • Changes in other settings no longer re-generate the freeradius settings
    • Force the unconfigured Appliance to always generate a new MySQL password to prevent a semi-configured state.
    • Added dependency for freeradius-ldap
    • Updated the dependency on LinOTP to >= 2.7.1, since older versions don't implement the new licensing mechanism
    • Make sure the squeeze-lts repository is included in sources.list; add it if it is missing
    • In Wizard: Allow moving between already filled out tabs, even if last tab fails to validate
    • Fixed restoration of saved Appliance configurations
    • Increased cookie timeout


    LinOTP by LSE is now available with all features as Open Source

    Press Release

    Benowa, Queensland, Australia/ Weiterstadt, Germany 2014-05-21

    LSE LinOTP - a vendor-independent product for two-factor authentication and one-time password methods (OTP) - will be made available by LSE, Leading Security Experts GmbH, as an open source solution with all current features included.

    At the annual AusCERT Information Security Conference in Australia, and in conjunction with a Red Hat tutorial about the internal deployment of LSE LinOTP Enterprise Edition, LSE Leading Security Experts GmbH (LSE) [http://www.lsexperts.de], a member of the MAX21 Group (MAX21 Management- und Beteiligungen AG) [MA1, http://www.max21.de], will announce the expansion of its open source strategy.

    The currently-separate community edition [http://www.linotp.org] and commercially-marketed enterprise edition [http://www.lsexperts.de] will be merged. LSE will provide LinOTP free of charge as an open source software solution licensed under the AGPLv3 and GPLv2. The complete feature set will be available for download when LinOTP 2.7 is released in the second half of May 2014.

    Quoting Sven Walther, CEO and CTO of LSE Leading Security Experts GmbH, "With this step we open the source of a professionally-maintained and scalable product for enterprise-grade sign-in security. Through such licensing and marketing, we expect LinOTP to advance the distribution to the most frequently installed sign-in security solution for two-factor authentication and OTP methods worldwide. We see a global demand for LinOTP. The solution is highly flexible and scalable. LinOTP appeals to a wide range of users and is suited for nearly every enterprise - be it TAN generation for online banking, high-availability deployment in enterprise environments with many dependent users, or secure one-time password sign-in at smaller companies, to name just a few popular use cases."

    LSE Leading Security Experts GmbH will complement the LinOTP software solution with matching LinOTP support and subscription services as well as professional service offerings. These will include extended levels of quality assurance for updates and patches, the availability of LSE LinOTP Smart Virtual Appliance as a fully-integrated turn-key solution, prioritized hotfixes by our development team, and advisory services on top of the usual standard support and consulting services.

    With this recent open source offering, customers now have the option to pick the solution that best suits their usage scenario. This encompasses both deployments that are fully-featured yet completely free-of-charge, as well as business-critical deployments with all their requirements on support and quality-assurance processes, including a firm commitment by LSE to the continuous development of its solution. To enable this, LSE will further expand its technical and human resources in this area.

    About LSE Leading Security Experts GmbH

    LSE Leading Security Experts GmbH is the leading vendor of secure connection technologies centered around vendor-independent logon security and identity management, and specialises in information and IT security for companies. Besides the development of security products, LSE's core competences include consulting services on logon security, vulnerability analysis and penetration testing, encryption technology, storage and virtualization security, and IT risk management.

    LSE belongs to the MAX21 Group.

    For further information please refer to: http://www.lsexperts.de

    Press Contact:

    LSE Leading Security Experts GmbH
    Sven Walther
    Postfach 10 01 21
    64201 Darmstadt
    Germany
    Phone: +49 6151 86086-0
    Fax: +49 6151 86086-299
    E-Mail: presse@lsexperts.de
    Web: http://www.lsexperts.de

    Red Hat is the trademark of Red Hat, Inc., registered in the U.S. and other countries.
