Changelogs LinOTP

Warning:

Before updating, please ensure that you have a backup of your encryption key and of your database. Having a backup of your linotp.ini file is also recommended.

LinOTP 2.9.1.4

Bug Fixes

  • Vasco: Fix token import from file
  • Vasco: Fix authentication
  • Web UI: Fix error if token configuration dialog is cancelled
  • Manage: Remove broken wildcard search using '.' in UserIdResolver searches
  • Migration: Fix migration handling routine
  • Authentication: Fix behaviour of check_status with empty pass and otppin=2

LinOTP 2.9.1.3

Bug Fixes

  • Server: Fix realm configuration reset when renaming resolvers

LinOTP 2.9.1.2

Bug Fixes

  • Server: Fix saving issues with long configuration values

LinOTP 2.9.1.1

Bug Fixes

  • Server: Fix LDAP configuration issue with long certificates
  • Server: Fix empty user list returned by LDAP backend
  • Server: Allow unicode characters in provider configuration
  • Packaging: Fix openssl installation issue caused by Pre-Depends relationship

LinOTP 2.9.1

Enhancements

  • Server: New token type: KeyIdentity PushToken
  • Server: Add optional caching of resolver lookups
  • WebUI: Show welcome and update screens
  • WebUI: Add dialog for duplicating resolvers
  • WebUI: Better password handling in resolver dialogs
  • Reporting: Add paging and CSV output for reporting/show
  • API: Use semicolon as CSV column separator by default
  • UserIdResolver: Add StartTLS support

Bug Fixes

  • Server: Fix remote token
  • Server: Fix evaluating policies for non-existent realms
  • API: Don't localize monitoring json output
  • SMPPSMSProvider: Fix encoding issues for non-ascii characters

LinOTP 2.9.0.5

Bug Fixes

  • Server: Prefer specific policies over wildcard policies
  • Server: Fix QRToken's CT_AUTH case
  • Server: Fix combination of policies 'passthru' and 'passOnNoToken'
  • WebUI: Reject inequal PINs in set PIN dialogs in addition to the visual
  • WebUI: Display certificate in QRToken configuration

LinOTP 2.9.0.4

Bug Fixes

  • Server: In case of a matching PIN and wrong OTP, increment fail counters of PIN-matching tokens only
  • Server: Fix maxtoken policy
  • Server: Fix import of vasco tokens using transport encoding
  • WebUI: Remove policy search bar

LinOTP 2.9.0.3

Bug Fixes

  • WebUI: Fix realm creation and editing for IE
  • Server: Various small QRToken changes
  • Server: Fix tokencount handling during assignment

LinOTP 2.9.0.2

Bug Fixes

  • Server: Fix token enrollment using the API directly after a server restart

LinOTP 2.9.0.1

Bug Fixes

  • Server: Make constant time comparison compatible with python<=2.7.6

LinOTP 2.9

Enhancements

  • Server: Add support for offline authentication
  • Server: Add QRToken
  • Server: Add forwarding token
  • Server: Add reporting controller
  • Server: Add support for multiple SMS/e-mail providers
  • Server: Add support for long config values
  • Server: Add issuer label to OATH tokens
  • Server: Allow one-time simplepass tokens
  • Server: Allow multiple users with same username in one realm
  • Server: Support migration of resolvers for assigned tokens
  • Server: Add authorization policies for monitoring controller
  • Server: Allow named otppin policies ('token_pin', 'password' and 'only_otp')
  • Server: Add SSL/TLS abilities to SMTPSMSProvider
  • UserIDResolver: Add class registry and class aliases
  • WebUI: Slightly polished look and feel

Bug Fixes

  • WebUI: Hide 'Get OTP' button if getotp is deactivated in config
  • WebUI: Several bug fixes in different dialogs and elements
  • Server: Fix generating transactionids which failed in rare circumstances
  • Server: Handle timestamp rounding instead of truncating in MySQL 5.6
  • Server: Do not copy old PIN on lost simplepass token
  • Packaging: Remove debconf entry 'linotp/generate_enckey'
  • WebUI: Validate resolver configuration on resolver definition
  • WebUI: Alert in realm dialog if no resolvers are selected

LinOTP 2.8.1.7

Changelog

Bug Fixes

  • Server: Prefer specific policies over wildcard policies
  • Server: Fix combination of policies 'passthru' and 'passOnNoToken'

LinOTP 2.8.1.6

Changelog

Bug Fixes

  • Server: In case of a matching PIN and wrong OTP, increment fail counters of PIN-matching tokens only.

LinOTP 2.8.1.5

Changelog

Bug Fixes

  • WebUI: Fix setting token realm

LinOTP 2.8.1.4

Changelog

Bug Fixes

  • WebUI: Fix setting token realm

LinOTP 2.8.1.3

Changelog

Bug Fixes

  • Server: Fix PIN handling in email token

LinOTP 2.8.1.2

Changelog

Enhancements

  • Server: Add support for demo licenses

Bug Fixes

  • Selfservice: Fix setting tokenlabels
  • Server: Set the first created realm as default realm
  • Server: Fix admin/show using a serial number and an active admin policy containing a wildcard
  • Server: Fix import of policies missing scope or action
  • Server: Fix license import using IE

LinOTP 2.8.1.1

Changelog

Bug fixes

  • Server: Fix license decline under certain conditions

LinOTP 2.8.1

Changelog

Enhancements

  • Server: Add monitoring controller
  • Server: Add support for encryption migration (HSM)
  • Server: Add 'forward to server' policy
  • Server: Extended user filter in policies
  • Server: Reduce number of userid authentication calls
  • Server: Enable fewer services in default configuration
  • Server: Add French, Italian, Spanish and Chinese translations
  • WebUI: Various cosmetic fixes
  • WebUI: Update jQuery, jQuery UI and jed

Bug fixes

  • Server: Fix forwarding policy when parameter list is empty
  • Selfservice: Fix access to userservice with UTF-8 characters
  • Selfservice: Fix resolver user wildcard support in extended policy user def
  • WebUI: IE11: Deliver requested language
  • WebUI: Support for IE11 logout and cookie deletion

LinOTP 2.8.0.3

Changelog

Bug fixes

  • Server: Increment 'failCount' even if maxFailCount is reached
  • Server: Fix TOTP tokens with empty timeshift values
  • Server: Fix export of empty token list
  • Server: Fix policy view showing only realm specific policies
  • Server: Fix token settings saving for TOTP and OCRA2 tokens

LinOTP 2.8.0.2

Changelog

Bug fixes

  • Server: Fix for double escaping when using info_box
  • Server: Fix for information disclosure with audit search
  • Server: Prevent enumeration/information leakage in validate/check
  • Server: Remove session id from URL
  • WebUI: Clear PIN input fields on closing the 'Set PIN' dialog
  • Selfservice: Enforce session and cookie check in all userservice actions
  • Selfservice: Add missing session invalidation on selfservice logout
  • Config examples: Set security relevant headers in example apache config files
  • Config examples: Set X-Permitted-Cross-Domain-Policies header in example Apache config files

LinOTP 2.8.0.1

Changelog

Enhancements

  • Server: Add support for '*' wildcard in policy client definition
  • Server: Add support to set random pin on token import

LinOTP 2.8

Changelog

Enhancements

  • Server: Add FIDO U2F support
  • Selfservice: Enroll FIDO U2F, e-mail and SMS tokens
  • Server: Losttoken: Support enrollment of e-mail and SMS tokens
  • Server: Trigger challenges for multiple challenge-response tokens with one request
  • Server: Support deleting multiple policies with one request
  • Server: Rework and improve token counter logic
  • Server: Add policy actions 'emailtext' and 'emailsubject' in scope 'authentication' to define body and subject of e-mails sent by e-mail tokens
  • Server: Add parameter to define SMS messages sent by SMS tokens
  • Server: Add support for defining multiple OCRA2 callback URLs
  • Server: Add optional ability to save last_accessed timestamps for tokens
  • Server: Add crypto migration controller to change in-use cryptographic techniques, switch to HSMs or replace in-use HSMs
  • Server: Add support for using UserPrincipalName as username
  • Server: Support wildcard '*' for serial number filter in admin/show
  • Tools: linotp-auth-radius: Support for unicode radius requests
  • Selfservice: Support yubikey tokens with public_uid
  • Server: Add target realm input for token imports
  • Server: Prevent accidental admin lock-out using read-only admin policies
  • Server: Support autoassignment policy without action value

Bug fixes

  • Selfservice: Fix getSerialByOtp functionality for yubikey tokens
  • Server: Fix importing yubikey tokens without prefix
  • Server: Fix autoassignment with remote token pointing at yubikey token
  • Server: Fix autoassignment using tokens with different OTP lengths
  • Server: Prevent counter increments of inactive tokens
  • Server: Don't return counter parameter on TOTP enrollment
  • Selfservice: Fix occasional login problems using non-ASCII characters
  • Server: Fix occasional problems sorting userlist with unicode characters
  • Server: Fix usage of otppin policy for remotetoken with local pincheck
  • Server: Don't return error messages on unconfigured autoenrollment
  • Server: Always set OTP length in remote token enrollment
  • Server: Don't return error messages for policy otppin=1 and unassigned tokens
  • Server: Reply to OCRA2 challenge providing only transactionid and OTP
  • WebUI: Don't show dialog asking for realm creation if no useridresolver is configured
  • WebUI: Fix WebUI for recent Internet Explorer versions
  • WebUI: Clear key and PIN input fields after token enrollment
  • Tools: linotp-create-pwidresolver-user: Fix duplicate and ignored command-line arguments
  • Tools: Correctly package linotp-enroll-smstoken tool
  • Tools: Use Digest instead of Basic Authentication in linotp-enroll-smstoken
  • Tools: Display an error message in linotp-enroll-smstoken when dependencies are missing
  • Tools: Fix linotp-sql-janitor crash when executed without --export option
  • Server: Fix for wildcard search with available unassigned tokens
  • Server: Fix LinOTP on pylons 0.9.7
  • Packaging: Remove nose dependency from linotp install process

LinOTP 2.7.2.2

Changelog

  • Fix XSS vulnerabilities in manage WebUI

LinOTP 2.7.2.1

Changelog

Bug fixes

  • Server: Tokens in autoassignment were assigned randomly instead of the one that actually matched the OTP value
  • Server: When using check_s the realm context was not correctly set. If the token is in a realm, that realm should be used, not the default realm
  • Server: Uninitialized variables in remotetoken in case of connection error
  • Server: Always set random PIN during token enroll/assign if the corresponding random PIN policy is set
  • Packaging: If a2dissite linotp2 is unsuccessful during package removal the uninstallation broke off. Now errors with 'a2dissite' are printed to stderr during installation/removal but don't break the scripts
  • Packaging: Add SQLAlchemy<=0.9.99 dependency due to 'SQLAlchemy Migrate'
  • Packaging: Fix for LinOTP installation in a LSE Smart Virtual Appliance on Debian Jessie. Since MySQL lacks a systemd service file use polling to check when MySQL is brought up
  • Server: Fix erroneous reply message about 'unconfigured autoenrollment'
  • Server: Fix for enrolling tokens via the selfservice webprovision with random pin policy set
  • Packaging: Allow WebOb version 1.4 in debian 8 (jessie)
  • Server: Fix for handling users with @ in name (principal name) in selfservice access
  • WebUI: Fix for selfservice (Internet Explorer caches GET requests)
  • Server: Fix extended search in Audit Trail
  • Fix XSS vulnerabilities in manage WebUI

LinOTP 2.7.2

Changelog

Enhancements

  • Server: Auto enrollment - enroll an email or sms token if user has no token and authentication with password was correct
  • Server: Support 'now()' in LDAP search expressions
  • Selfservice: Split Selfservice into userservice controller and selfservice renderer to support remote selfservice interface
  • WebUI: SQL and LDAP resolver mapping validation (needs to be valid JSON)
  • WebUI: E-mail and SMS provider definition validation (needs to be valid JSON)
  • Packaging: Support for Ubuntu 14.04 (with Apache 2.4)
  • Packaging/Server: Support for Pylons 1.0.1
  • Packaging: Internal package refactorization to unify structure and version number handling
  • Packaging: Apache linotp2 VirtualHost will no longer be overwritten during Debian package upgrade. VirtualHost example files are copied to the same location where the LinOTP package is installed and only afterwards it is moved to /etc/apache2 (if it does not exist already)
  • Packaging: Cleaned up and hardened Apache linotp2 VirtualHost files
  • Tools: Improved linotp-create-pwidresolver-user and linotp-create-sqliddresolver-user to generate more secure passwords
  • Tools: Added tool to mass-enroll SMS tokens

Bug fixes

  • Server: Fixed support of old licenses, where the expiry is in the date entry
  • Server: Fixed error during token unassign (because of setPin call)
  • Server: Fixed searching for a user in multiple realms
  • Server: Fixed exact search for user in tokenlist
  • Server: Fixed sorting of userlist with unicode
  • Selfservice: Fixed selfservice history browsing

LinOTP 2.7.1.2

Changelog

Server

  • adjust the copyright date from 2014 to 2015

Audit

  • audit query with empty arguments fixed
  • made selfservice history browsing working again

Tools and Resolver

  • enhanced password generating tool to generate more secure password entries for usage via passwd and sql resolvers

Web UI

  • added ui hints for the sms and email token config
  • use radius token config defaults for radius token enrollment
  • use remote token config defaults for remote token enrollment
  • searching for unknown users in tokenview showed all tokens that had no user assigned

LinOTP 2.7.1.1

Changelog

  • Bug Fix: Don't ignore whitespace in license file when calculating signature

LinOTP 2.7.1

Changelog

Enhancements

  • Server: Added check for optional support and subscription license
  • WebUI: Show warnings when the support and subscription has expired or number of supported tokens has been exceeded
  • WebUI: Editing the token config in the WebUI will only save what has been edited
  • WebUI: PIN setting is now part of the 'enroll' dialog instead of being in a separate dialog
  • WebUI: Don't allow setting the token PIN in the token enrollment dialog when the 'random_pin' policy is set
  • WebUI/Server: Added translation of selfservice and policy messages
  • WebUI: Enabled JavaScript localisation (jed based) for 'manage' and 'selfservice' UI
  • Server: Added Yubikey token support for uppercase OTP values
  • Server: Added support for Yubikey token resync
  • WebUI: Info and error boxes in the 'manage' UI now stack instead of overlaying (hiding the older ones). When displaying more than one box a 'Close all' link is shown
  • WebUI: Improve CSS styling for info and error boxes in 'manage' UI
  • WebUI: Adapted the 'selfservice' and 'auth' interfaces to the 'manage' UI style
  • WebUI: Improved display of currently selected user and token
  • WebUI: Restricted the selection to a single user
  • Server: Added system/getPolicy support for 'user' as filter criteria
  • Server: Added system/getPolicy support for 'action' as filter criteria
  • WebUI: Preset LDAPUserIdResolver AD with objectGUID instead of DN
  • WebUI: Rework the selfservice Google web provisioning to refer to FreeOTP and other softokens as well
  • Server: Include OTP length and hash algorithm used in the 'otpauth' URL generated when enrolling HOTP or TOTP tokens
  • WebUI: Display the generated seed in the enrollment tabs in a copyable form
  • WebUI: Extended the eToken dat import to display start date support with hh:mm:ss
  • Server: Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate)
  • WebUI: Added 'clear' button to policy form
  • WebUI: Made policies 'active' by default
  • Server: Initialize repoze.who with a random secret during server startup or restart (old 'selfservice' sessions become invalidated)
  • Server/Tools: Added the ability to dump the audit data before deletion
  • Packaging: Removed obsolete SQLAlchemy <0.8.0b2 restriction
  • Server: Random generation: switched to more secure randrange and choice methods
  • WebUI: Updated jQuery to v1.11.1 and all plugins and JS libraries (Superfish, jQuery Cookie, jQuery Validation, ...) to their latest version
  • WebUI: Simplified selfservice tokenlist handling
  • WebUI: Added warning to auth forms when Javascript is disabled in the browser
  • WebUI: Improved auth form handling of JS errors
  • Server: Removed deprecated /auth/requestsms form because SMS can be requested using the regular /auth/index form (by doing challenge-response)

Bug Fixes

  • Packaging: Fixed ask_createdb debconf question that kept being asked on upgrade of the Debian packages
  • WebUI: Cleaned up selfservice mOTP Token enrollment
  • WebUI: Some fixes for localisation and wrong validation of seed input field
  • Server: Fixed the search for ee-resolver tokens and user
  • Server: Raise exception for empty 'user' in 'system' or 'admin' policy
  • Server: Load the HSM before the LinOTP config, so that the config can hold decrypted values
  • Server: Fixed help_url to always use linotp.org site with version
  • Server: Added support for migrating old linotpee resolvers entries
  • Server: Fixed reinitialisation of Yubikey token
  • Server: Yubikey checkOtp should not raise exception if the OTP is too short
  • Server: Fixed bug in Yubikey CSV import
  • Server: Fixed padding and unpadding code for PKCS11 module
  • Server: Fixed padding and unpadding code for YubiHSM module
  • Server: Added LinOTP config options 'pkcs11.accept_invalid_padding' and 'yubihsm.accept_invalid_padding'
  • Server: Fixed token import to support ocra2 token
  • WebUI: Fixed small display error when deleting or modifying multiple tokens in the 'manage' UI
  • WebUI: Fixed selfservice enroll of mOTP token
  • Server: Fixed token serial not appearing in the audit log in some cases

LinOTP 2.7.0.2

Changelog

  • Fixed PSKC import with plain input
  • Fixed SecretObj cleanup in some corner-cases
  • Cleaned up default parameters in functions to prevent memory leaks
  • Added late binding to ORM mapping
  • Fixed several issues with Oracle databases such as: reserved words in columns, None/empty values not being mapped correctly to Python objects, Unicode handling
  • Made significant modifications to SQLAudit to fix a memory leak
  • Fixed checkPolicyPost() in admin/init without serial (#12603)
  • Added /:no realm:/ search option for token list
  • Removed empty token config tabs in the WebUI (#12634)
  • Added linotpAudit.error_on_truncation config option to control DB behaviour when writing large values to the DB

LinOTP 2.7.0.1

Changelog

  • Integrated linotp-ee package into this package, adding:
    • Support for SQL Audit
    • Tools such as: linotp-decrypt-otpkey, linotp-tokens-used, linotp-backup, linotp-restore, etc.
    • Support for HSM
    • eTokenDat, PSKC, DPWplain and vasco token import
  • Fixed broken custom-template handling (#12555)
  • Fixed some corner cases of JSON and CSV audit output (#12550, #12556)
  • Fixed erroneous QR-Code generation
  • Pinned WebOb version to < 1.4 due to incompatibility with Pylons (#12586)
  • WebUI: Moved 'License' menu entry to 'Help/Support'
  • WebUI: Added 'Help/About' dialog
  • WebUI: Cleaned up a little and exchanged the LinOTP logos

Updating from LinOTP 2.6.1.1 to LinOTP 2.7

LinOTP 2.7 is a major release that contains some big package structure changes.

In our effort to be completely open source we have removed our EE (Enterprise Edition) packages and merged them into the old CE (Community Edition) packages leaving you with packages that contain all the features. The CE/EE terminology is obsolete.

If you had previously edited your linotp.ini to activate the audit trail please update the file and replace:

linotpAudit.type = linotp.lib.Audit.SQLAudit

with:

linotpAudit.type = linotp.lib.audit.SQLAudit
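
The replacement described above can be scripted so that it keeps a backup and leaves commented-out lines alone. This is an added example, not part of the LinOTP packages; the function name migrate_audit_type and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the LinOTP project). The function name and the
# sample linotp.ini content below are constructed for illustration.

# migrate_audit_type FILE
#   Rewrites an active "linotpAudit.type = linotp.lib.Audit.SQLAudit" line to
#   the 2.7 module path. Returns 0 if the file was changed, 1 if there was
#   nothing to change, 2 on error. The original is kept as FILE.bak.
migrate_audit_type() {
    ini=$1
    # Active (uncommented) setting that still carries the pre-2.7 path.
    pat='^([[:space:]]*linotpAudit\.type[[:space:]]*=[[:space:]]*)linotp\.lib\.Audit\.SQLAudit([[:space:]]*)$'

    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 2; }

    # Already migrated, or audit trail never enabled: leave the file untouched.
    grep -Eq "$pat" "$ini" || return 1

    # Keep a backup, then write back into the existing file so that its
    # owner and mode stay as they were.
    cp -p "$ini" "$ini.bak" || return 2
    sed -E "s/$pat/\\1linotp.lib.audit.SQLAudit\\2/" "$ini.bak" > "$ini" || return 2
    return 0
}

# Demonstration on a constructed file in a temporary directory.
demo=$(mktemp -d)
printf '%s\n' \
    '[app:main]' \
    '# linotpAudit.type = linotp.lib.Audit.SQLAudit' \
    'linotpAudit.type = linotp.lib.Audit.SQLAudit' > "$demo/linotp.ini"
migrate_audit_type "$demo/linotp.ini" && grep -n 'linotpAudit.type' "$demo/linotp.ini"
rm -rf "$demo"
```

Running it a second time on the same file returns 1 and does not overwrite the backup.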

Updating a deb install

If you are updating from one of our repositories simply:

apt-get update && apt-get upgrade

If you previously had a LinOTP Community Edition you may want to additionally install the linotp-smsprovider package:

apt-get install linotp-smsprovider

If you are installing via dpkg you have to remove the obsolete packages first:

apt-get remove linotp-ee linotp-useridresolver-ee
dpkg -i linotp linotp-useridresolver linotp-smsprovider

The LinOTP Admin clients have been renamed:

  • linotp-adminclient-ce is now called linotp-adminclient-cli
  • linotp-adminclient-ee is now called linotp-adminclient-gui

Install them like this:

sudo apt-get install linotp-adminclient-gui linotp-adminclient-cli

Updating a pip install

Before upgrading to LinOTP 2.7 you need to remove the obsolete EE packages:

pip uninstall LinOTP-EE LinOtpUserIdResolverEE

Issue the following command to update your pip installation:

pip install --upgrade LinOTP LinOtpUserIdResolver SMSProvider

After this you need to restart your LinOTP webserver.

To upgrade the LinOTP Admin clients you have to remove the obsolete packages first:

pip uninstall LinOTPAdminClientCE LinOTPAdminClientEE
pip install LinOTPAdminClientCLI LinOTPAdminClientGUI

Changelog

LinOTP core

  • Integrated linotp-ee package into this package, adding:
    • Support for SQL Audit
    • Tools such as: linotp-decrypt-otpkey, linotp-tokens-used, linotp-backup, linotp-restore, etc.
    • Support for HSM
    • eTokenDat, PSKC, DPWplain and vasco token import
  • Fixed broken custom-template handling (#12555)
  • Fixed some corner cases of JSON and CSV audit output (#12550, #12556)
  • Fixed erroneous QR-Code generation
  • Pinned WebOb version to < 1.4 due to incompatibility with Pylons (#12586)
  • WebUI: Moved 'License' menu entry to 'Help/Support'
  • WebUI: Added 'Help/About' dialog
  • WebUI: Cleaned up a little and exchanged the LinOTP logos

Documentation

  • Adapted to new package structure (linotp and linotp-ee as well as linotp-useridresolver and linotp-useridresolver-ee have been integrated into a single package)
  • Fixed warnings and made general corrections
  • Exchanged LinOTP logo

LinOTP admin client

  • Renamed package from linotp-adminclient-ce to linotp-adminclient-cli
  • Renamed package from linotp-adminclient-ee to linotp-adminclient-gui
  • Exchanged LinOTP logo
  • Removed M2Crypto dependency, since license verification is done on the server

UserIdResolver

  • Integrated linotp-useridresolver-ee package into this package, adding support for:
    • LDAP and AD UserIdResolvers
    • SQL UserIdResolvers

Updating from LinOTP 2.6.1 to LinOTP 2.6.1.1

LinOTP 2.6.1.1 is a patch release for LinOTP 2.6.1

SMSProvider 2.6.1.1 has one new dependency:

  • socksipy, either contained in httplib2 >= 0.7 or from its own package.

Updating a deb install

Install the necessary dependencies:

apt-get install python-socksipy

Unfortunately on Debian and Ubuntu you are forced to install the python-socksipy package because Debian Squeeze does not support python-httplib2 >= 0.7 and therefore requires python-socksipy.

If you have downloaded all packages you need to issue the following command:

dpkg -i linotp_2.6.1.1-1_all.deb \
        linotp-smsprovider_2.6.1.1-1_all.deb \
        libpam-linotp_2.6.1.1-1_all.deb

Updating a pip install

Issue the following command to update your pip installation:

pip install --upgrade linotp pam_py_linotp

An SMSProvider pip installation needs the following additional Python package:

  • httplib2 >= 0.7 or socksipy.

To upgrade the enterprise edition components you need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/SMSProvider-2.6.1.1.tar.gz

After this you need to restart your LinOTP webserver.

Changelog

LinOTP core

  • Fixed Yubikey token so it supports LinOTP/RADIUS challenge-response
  • Removed 'const' JS variable that broke IE9
  • Added Yubikey public ID to token description when importing CSV file (#12417)
  • Fixed erroneous active-token-count in WebUI (#12523)

SMS Provider

  • Fixed HTTPSMSProvider on Debian Squeeze with httplib2 0.6 (#12510)

PAM LinOTP

  • Fix build of binary package on Launchpad

PAM Python LinOTP

  • Fixed package build

Updating from LinOTP 2.6.0.3 to LinOTP 2.6.1

LinOTP 2.6.1 has two new dependencies:

  • python-migrate for additional client information in the Audit trail and
  • python-httplib2.

Updating a deb install

Install the necessary dependencies:

apt-get install python-migrate python-httplib2

Download all necessary LinOTP packages and issue the following command:

dpkg -i linotp_2.6.1-1_all.deb \
        linotp-ee_2.6.1-1_all.deb \
        linotp-useridresolver_2.6.1-1_all.deb \
        linotp-useridresolver-ee_2.6.1-1_all.deb \
        linotp-smsprovider_2.6.1-1_all.deb

Updating a pip install

A pip installation needs the following additional Python packages:

  • httplib2,
  • sqlalchemy-migrate.

These should be installed automatically when issuing the commands:

pip install --upgrade linotp
pip install /path/to/LinOtpUserIdResolverEE-2.6.1.tar.gz
pip install /path/to/LinOtpUserIdResolver-2.6.1.tar.gz
pip install /path/to/SMSProvider-2.6.1.tar.gz

Check with:

pip freeze

Changelog

LinOTP core

  • Added support for BasicAuthentication to HttpSMSProvider
  • Prevent resolver creation with same name (and different case)
  • Improved /auth/index forms and deprecated /auth/requestsms
  • Improve entropy by using /dev/urandom (#12243)
  • Added streaming output to audit/search JSON and CSV (#12392)
  • Made wildcard search in SQL Resolver more precise (#12135)
  • Small graphical WebUI fixes (#12229)
  • Added possibility to change the phone number of SMS token (#2953)
  • Require * for wildcard token search (#2838)
  • Removed PIL as a hard dependency (you may use pillow-pil) (#12409)
  • Only enable apache site on first installation (not upgrade) (#12246, #12457)
  • Suppress error during installation if no 'lse_release' exists (#12237)
  • Shorten UserIdResolver display string in UserView (#2678)
  • Added python-httplib2 dependency
  • Added challenge-response and http-POST to remote token (#12433, #12451)
  • Added challenge-response to RADIUS token (#12432)
  • Added client information to audit log (#12417)
  • Enable 'Enter' key in auth/index forms (#12103, #12446)
  • Allow SmtpSMSProvider to raise exceptions (#12419)
  • Several challenge-response error handling fixes (#12416, #12420, #12427)
  • Several OpenID fixes (#12415, #12428, #12265, #12190, #12264)
  • Fix hostname/port FQDN splitting (#12410)
  • Added man page for linotp-auth-radius
  • Removed obsolete log warnings and errors (#12396, #12443)
  • Prevent challenges from being sent when multiple tokens match (#12413)
  • Fixed check_yubikey so that it supports two slots (#12477)
  • Enabled realm assignment during Yubikey enrollment
  • Added autoassignment for Yubikeys
  • Added new policy 'ignore_autoassignment_pin'
  • Removed newlines in token CSV export (#12465)

LinOTP EE

  • Solved some SQLAlchemy unicode warnings
  • Added streaming output to audit/search JSON and CSV (#12392)
  • Removed deprecated FileAudit (use SQLAudit instead) (#12434)
  • Added client information to audit log (#12417)
  • Improved help message of linotp-sql-janitor tool

UserIdResolver

  • Made wildcard search in SQL Resolver more precise (#12135)
  • Fix LDAP Resolver error that occurs during checkstatus (#12442)

LinOTP admin client

  • Added dependency for python-usb
  • Enabled realm assignment during Yubikey enrollment
  • Added client information to audit log (#12417)

Documentation

  • Removed FileAudit documentation since FileAudit is deprecated (#12434)
  • Documented additional PasswdResolver fields (e-mail, telephone) (#12418)
  • Added Howtos from website to documentation (#12430)
  • Documented new OpenID storage database options (#12415)
  • Updated package dependencies (#12395, #12452, #12409)
  • Documented new policy 'ignore_autoassignment_pin'

libpam LinOTP

  • Remove user check in libpam-linotp since the existence of the user is not a prerequisite (VPN, automount) (#12429)

SMSProvider

  • Allow SmtpSMSProvider to raise exceptions (#12419)

Updating from LinOTP 2.6 to LinOTP 2.6.0.3

LinOTP 2.6.0.3 is a patch release for LinOTP 2.6 and 2.6.0.x.

Updating a deb install

If you have downloaded all packages you need to issue the following command:

dpkg -i linotp_2.6.0.3-1_all.deb \
        linotp-useridresolver-ee_2.6.0.3-1_all.deb

Updating a pip install

Issue the following command to update your pip installation:

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.0.3.tar.gz

After this you need to restart your LinOTP webserver.

Changelog

LinOTP core

  • Fix problem with LDAPS connection (#12431)
  • Catch token exceptions to prevent errors when processing several tokens (#12416)

UserIdResolver

  • Fix error that prevented LDAP Resolver from unbinding (#12423)

Updating from LinOTP 2.6 to LinOTP 2.6.0.1

LinOTP 2.6.0.1 is a patch release for LinOTP 2.6.

Updating a deb install

If you have downloaded all packages you need to issue the following command:

dpkg -i linotp_2.6.0.1-1_all.deb \
        linotp-useridresolver_2.6.0.1-1_all.deb \
        linotp-useridresolver-ee_2.6.0.1-1_all.deb

Updating a pip install

Issue the following command to update your pip installation:

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.0.1.tar.gz

After this you need to restart your LinOTP webserver.

Changelog

LinOTP core

  • Added RADIUS client testing tool "linotp-auth-radius", which supports challenge response
  • Fix the otppin=2 (no pin) problems with E-mail and TOTP Token (#12399 #12398)
  • Fix for E-mail Token to support otppin=2 (closes #12398)
  • Fix 'Logout' button (closes #12371)

UserIdResolver

  • Bind the resolvers object to the request for performance. closes #12372
  • Improved sqlresolver checkpass to also support {sha} and {ssha} passwords.

Command line client

  • Added automation, send token list via email or upload to windows share (#12390)

Updating from LinOTP 2.5.2 to LinOTP 2.6

LinOTP 2.6 introduces a common challenge response mechanism. For this a new table "challenges" was added to the database model.

Updating a deb install

If you have downloaded all packages, you need to issue the following command:

dpkg -i linotp_2.6-1_all.deb \
        linotp-ee_2.6-1_all.deb \
        linotp-useridresolver_2.6-1_all.deb \
        linotp-useridresolver-ee_2.6-1_all.deb \
        linotp-doc_2.6-1_all.deb \
        linotp-smsprovider_2.6-1_all.deb

Note

If you want to use the new challenge response mechanism with your RADIUS clients, you also need to update the FreeRADIUS packages.

Updating a pip install

Issue the following command to update your pip installation:

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOTP-EE-2.6.tar.gz
pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.tar.gz
pip install --upgrade /path/to/LinOtpDoc-2.6.tar.gz
pip install --upgrade /path/to/Smsprovider-2.6.tar.gz

To create the new table "challenges" run:

paster setup-app <your-path-to>/etc/linotp2/linotp.ini

After this you need to restart your LinOTP webserver.

Changelog

  • Added Challenge Response functionality for all tokens.
  • Added Challenge Response Policy (#12234)
  • Searching for tokens in the WebUI now uses wildcards. To find "benjamin" you will have to search for "ben*". "ben" will return nothing.
  • Added UserPassOnNoToken Policy (#12145)
  • Export token list to csv (#2963)
  • Add additional user attributes in the token list api (#12187)
  • Export audit list to csv (#2963)
  • Added /auth/index3 with 3 lines (#12138)
  • Use YubiKey with prefix like the serial number (#12039)
  • Enroll YubiKey with Challenge Response and YubiKey NEO (#12186)
  • SMS-Token: The mobile number can now be used in the mailto field (#12151)
  • Add non-blocking behaviour when sending SMS OTP (#2986)
  • The token description can be set in the WebUI (#12163)
  • The Resolver dialog now starts the realm dialog if no realm is defined (#12160)
  • The YubiKey in Yubico mode (with 44 characters output) is supported (#2989)
  • Import Yubico CSV in Yubico mode for YubiKeys that were generated with the Yubico personalization tool (#12326)
  • The token type list is sorted when enrolling in the management WebUI (#12231)
  • The authorize policies can contain regular expressions for the token serial number (#12197)
  • Added script 'linotp-token-usage' for token statistics (#12299)
  • Added several scripts for simpler installation and maintenance: linotp-create-certificate, linotp-create-enckey, linotp-create-auditkeys, linotp-fix-access-rights (#2883)
  • /validate/check can return additional token details of the authenticated token. Configured by the policy 'detail_on_success' (#2661)
  • Support for eToken dat file import (#12124)
  • Policies can now be deactivated and activated (#2903)
  • Added new token type E-mail token, that sends OTP via smtp (#2704, #12332)
  • Improve pam_linotp for build process and challenge response support (#12176)
  • Using POST instead of GET requests in selfservice UI (#12161)
  • Improved the HTML online help, to be available online from linotp.org or installed on the server
  • Removed several misleading error messages during installation
  • Improved several error messages
  • rlm_linotp now also builds on Ubuntu 12.04 (#12154)
  • Improved the certificate handling for the LDAP resolver (#12089)
  • Improved the performance when loading many users in the WebUI (#12076)
  • Fixed a padding problem in the OCRA token (#12202)
  • Fixed the logout link in the management Web UI (#12022)
  • Fixed SMS token without serial number (#12322)
  • Fixed the signature checking in the SQL audit module (#12267, #2700)
  • Fixed apache config to use secure cookies (#12148)

Updating from LinOTP 2.5.1 to LinOTP 2.5.2

Updating a deb install

With version 2.5.2 the naming of some packages changed:

old name in version 2.5.1    new name in version 2.5.2
linotpuseridresolver         linotp-useridresolver
linotpuseridresolveree       linotp-useridresolver-ee
linotpdoc                    linotp-doc
smsprovider                  linotp-smsprovider

Transition packages with the old names are used to perform the update.

You need to issue the following command:

dpkg -i linotpuseridresolver_2.5.2-1_all.deb \
        linotpuseridresolveree_2.5.2-1_all.deb \
        linotpdoc_2.5.2-1_all.deb \
        smsprovider_2.5.2-1_all.deb \
        linotp_2.5.2-1_all.deb \
        linotp-ee_2.5.2-1_all.deb \
        linotp-useridresolver_2.5.2-1_all.deb \
        linotp-useridresolver-ee_2.5.2-1_all.deb \
        linotp-doc_2.5.2-1_all.deb \
        linotp-smsprovider_2.5.2-1_all.deb

Afterwards you can remove the old packages:

dpkg -r linotpdoc linotpuseridresolver linotpuseridresolveree smsprovider

Updating a pip install

Issue the following command to update your pip installation:

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOTP-EE-2.5.2.tar.gz
pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.5.2.tar.gz
pip install --upgrade /path/to/LinOtpDoc-2.5.2.tar.gz
pip install --upgrade /path/to/Smsprovider-2.5.2.tar.gz

Changelog

Documentation

  • Added documentation for MS SQL server support.
  • Added how-to for forwarding RADIUS requests depending on LDAP group membership.
  • Added YubiKey documentation for YubiKey NANO.

LinOTP Server

  • Added dynamic token modules. All tokens can now be loaded dynamically.
  • Added policy import and export.
  • Added possibility to display action history in selfservice.
  • Added new Token: YubiKey in original YubiKey mode (44 characters) to authenticate with the yubico online cloud service.
  • Added a script (linotp-pip-update) to update a pip installation.
  • Added authentication to ocra controller.
  • Added the possibility to give the CA certificate with the LDAP Resolver when using LDAPS.
  • Added univention UCS / LinOTP documentation.
  • Added users and resolvers to policies in selfservice, authentication, enrollment and authorization.
  • Added a policy checker to the WebUI.
  • Assign Token by OTP value in selfservice.
  • Implemented additional API to do a get_serial_by_otp in selfservice.
  • Improved policies: exclude clients.
  • Improved PSKC import to import OCRA suite.
  • Increase font size (style italic) to make it easier to assign a token to a user.
  • Limit size of realm and resolver dialogs. If hundred resolvers or realms are defined, the dialog is too big.
  • Make the cookie a secure cookie, meaning it must be transferred via SSL.
  • Performance fix - reduce user ID lookup.
  • Add possibility to set maximum auth count and validity period.
  • The mobile number (instead of phone) will now be used in selfservice for SMS token.
  • closed: More detailed information when the SMS is sent via /validate/check or /validate/smspin.
  • closed: The preset of the mobile number for an SMS token is now contained in the token.mako file.
  • closed: The user was not able to authenticate to selfservice.
  • closed: Deprecation Information about searching tokens.
  • closed: Use SecureFormatter in linotp.ini.
  • closed: The sms text from the policy is used to send the SMS.
  • closed: We require python 2.6.
  • closed: Make sure that genkey is in defined range.
  • Renamed the webprovissionOCRA to activateQR.
  • Reverted to the timeStepping=30 for the setup.
  • fixed: Correct audit entry, when the userpassword (otppin=1) is wrong.
  • fixed: Added a search button to flexigrid.
  • fixed: Added SecureFormatter to be able to remove non-printable characters from the log args.
  • fixed: The audit trail does not show entries with SQLAlchemy 0.8.0
  • fixed: The setting of the OCRA PIN does not work in the WebUI.
  • fixed: Return space instead of empty string in case of MS SQL server
  • fixed: Problems with redundant MS SQL server.
  • fixed: Problem, that an admin was not able to view the users in the realm he has rights to.
  • fixed: The broken FileAudit module.
  • fixed: The possibility to do cross site scripting in the doc controller. (serve documentation statically)
  • fixed: Problems in token search.
  • fixed: User enumeration with validate/smspin.
  • fixed: Token iterator exact user match.
  • fixed: Permissions for SSL privkey and who.ini.
  • fixed: The system settings (WebUI) are not stored, if data on another tab is missing.
  • fixed: OCRA bug for missing leading zeros - truncation to last digit.

GTK Client

  • The YubiKey can now be enrolled with GTK client based on python 2.7.
  • Modified the GTK client so that the realm filter is always available.
  • Added the possibility to give the CA certificate with the LDAP Resolver.
  • Added import of policies to GTK client.
  • Added the possibility to export the policies to a file.
  • Audit log now shows the last entry first.
  • Added eToken enrollment command line tools.
  • Fixed missing dependency for configobj.
  • Fixed the jumping of the filter cursor.
  • Fixed display of policy in GTK client.

Updating from LinOTP 2.5.0 to LinOTP 2.5.1

Updating a deb install

Issue the command:

dpkg -i linotp_2.5.1_all.deb linotp-ee_2.5.1_all.deb linotpuseridresolveree_2.5.1_all.deb \
    linotpdoc_2.5.1_all.deb python-qrcode_2.4.2_all.deb

Updating a pip install

Warning

Before updating a pip installation you must back up your files in /etc/linotp2! The pip installation logic is not very sophisticated and might overwrite existing config files. So please back up at least: /etc/linotp2/linotp.ini and /etc/linotp2/encKey!

First, upgrade the main server components via the internet to the latest version:

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the newer version from the customer portal:

pip install qrcode
pip install --upgrade /path/to/packages/LinOTP-EE-2.5.1.tar.gz
pip install --upgrade /path/to/packages/LinOtpUserIdResolverEE-2.5.1.tar.gz
pip install --upgrade /path/to/packages/LinOtpDoc-2.5.1.tar.gz

Changelog

LinOTP Server

  • added QR-Code enrollment in management web UI and selfservice portal
  • added QR-Code image to reply
  • added HTML documentation for LinOTP Web UI
  • added import OCRA seeds via CSV
  • added possibility to send an HTTP 500 error instead of status:false
  • added alert-box (pop under)
  • added support for AD uidType DN, objectGUID and sAMAccountName
  • added man pages for command line tools
  • improved python PIP installation
  • improved performance with dynamic token classes
  • define the contents of the lost password token (#806)
  • only active tokens are counted for the licensing (#810)
  • using SQLAlchemy for where clauses in SQLResolver
  • fixed translation
  • fixed broken totp resync
  • fixed empty password are neglected ldap_simple bind
  • fixed connection close() in checkMapping()

Updating from LinOTP 2.4.4 to LinOTP 2.5.0

Updating a deb install

Before updating, please ensure that you have a backup of your encryption key and also of your token database.

Issue the command:

dpkg -i linotp_2.5.0-8_all.deb linotp-ee_2.5.0_all.deb linotpuseridresolveree_2.5.0-2_all.deb

If you want to use OCRA functionality you also need to update your database. You can do this by issuing the command:

paster setup-app /etc/linotp2/linotp.ini

After this please check the access rights of your logfiles in /var/log/linotp/.

Updating a pip install

Warning

Before updating a pip installation you must back up your files in /etc/linotp2! The pip installation logic is not very sophisticated and might overwrite existing config files. So please back up at least: /etc/linotp2/linotp.ini and /etc/linotp2/encKey!

First, upgrade the main server components via the internet to the latest version:

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the newer version from the customer portal:

pip install --upgrade /path/to/packages/LinOTP-EE-2.5.0.tar.gz
pip install --upgrade /path/to/packages/LinOtpUserIdResolverEE-2.5.0-2.tar.gz

Changelog

LinOTP Server

  • Added OCRA token and QR-TAN functionality.
  • Make TOTP token honor DefaultOTPLength configuration.
  • Fixed bug, where a previous OTP value could be used again.
  • Added support for DB2 Token database.
  • Added framework of security modules to support HSMs to store the encryption keys.
  • Added TOTP Google authenticator to self service.
  • Improved SQLuserIdResolver (Performance).
  • Improved LDAPResolver (entryUUID or ObjectGUID).
  • Added passthru policy to authenticate users without token.
  • Added client IPs to policies.
  • Selfservice: added reset of failcounter.