On January 15th we released LinOTP 2.7.1 to the repositories.

LSE Smart Virtual Appliance 1.2 and LinOTP 2.7.1

LSE Leading Security Experts GmbH is proud to announce the general availability (GA) of the following new product releases:
(1) LSE LinOTP Smart Virtual Appliance 1.2
(2) LSE LinOTP 2.7.1.

We are happy to provide LinOTP 2.7 from now also to our customers running LSE LinOTP Smart Virtual Appliances.

You will find the entire changelogs below. Here we want to mention some highlights:

LinOTP 2.7.1

LinOTP received many improvements in usability and the work flow. This is only a selection of improvements, please also refer to the full Changelog below.

  • LinOTP 2.7.1 now fully supports the handling of LSE LinOTP support and subscription licenses.
  • The PIN dialog was integrated with the enrollment dialog and is conditional according to your policies (e.g. random pin).
  • Saving the Token Config is now also possible with only one part changed.
  • The mechanisms to translate LinOTP were improved and extended, especially in the LinOTP Selfservice.
  • The information boxes now stack to prevent an important message from being overwritten.
  • These messages can be acknowledged together.
  • The overall design was improved and made more consistent.
  • New and improved softtoken like FreeOTP are better integrated and the WebUI and LinOTP Selfservice were improved to better support the features offered by OATH soft tokens beyond the Google Authenticator.
  • The native handling of Yubikeys was improved by supporting resync and uppercase OTPs.
  • The Active Directory UserIDResolver was improved to use objectGUID as the default UIDType.
  • Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate) to improve security or management in complex HA setups.
  • The audit data can now be written to a log file before it is rotated.

Highlights for customers upgrading from LinOTP EE

  • Improved Oracle database support,
  • memory usage optimization,
  • improved database handling for the audit log,
  • extended CLI toolset.


We are already working on the next releases and want to give a small peak on what is coming.

  • Remote Self Service
  • SMS/E-Mail Token Auto-Enrollment

LSE LinOTP Smart Virtual Appliance 1.2

The LSE Smart Virtual Appliance (SVA) received big improvements in the installation process, usability and the backend.

The Configuration Management was improved to make changes more visible and improve the usability. There is now a clear indication of changes needed to be saved and activated. An info bar appears and the 'Configuration Management' Tab is highlighted until the changes are saved and activated.

The WebUI of the LSE LinOTP SVA is now fully translatable and available in German. The language will be chosen based on you browsers language.

The installation wizard saw substantial improvements. More settings are preset from the installed system and more of the input is checked for errors. The activation step of the wizard was completely rewritten and is now faster and more robust.

There are many improvements in the WebUI which stem from customer input to improve the workflow of administration and management of the SVA.

LinOTP 2.7.1 is available in our repositories on and for customers running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated upgrade mechanisms.
If you have any question regarding the new releases, we are happy to answer and support your inquiries.


LinOTP 2.7.1
  • Server: Added check for optional support and subscription license
  • WebUI: Show warnings when the support and subscription has expired or number of supported tokens has been exceeded
  • WebUI: Editing the token config in the WebUI will only save what has been edited
  • WebUI: PIN setting is now part of the 'enroll' dialog instead of being in a separate dialog
  • WebUI: Don't allow setting the token PIN in the token enrollment dialog when the 'random_pin' policy is set
  • WebUI/Server: Added translation of selfservice and policy messages
  • WebUI: Enabled JavaScript localization (jed based) for 'manage' and 'selfservice' UI
  • Server: Added Yubikey token support for uppercase OTP values
  • Server: Added support for Yubikey token resync
  • WebUI: Info and error boxes in the 'manage' UI now stack instead of overlaying (hiding the older ones). When displaying more than one box a 'Close all' link is shown
  • WebUI: Improve CSS styling for info and error boxes in 'manage' UI
  • WebUI: Adapted the 'selfservice' and 'auth' interfaces to the 'manage' UI style
  • WebUI: Improved display of currently selected user and token
  • WebUI: Restricted the selection to a single user
  • Server: Added system/getPolicy support for 'user' as filter criteria
  • Server: Added system/getPolicy support for 'action' as filter criteria
  • WebUI: Preset LDAPUserIdResolver AD with objectGUID instead of DN
  • WebUI: Rework the selfservice Google web provisioning to refer to FreeOTP and other softokens as well
  • Server: Include OTP length and hash algorithm used in the 'otpauth' URL generated when enrolling HOTP or TOTP tokens
  • WebUI: Display the generated seed in the enrollment tabs in a copyable form
  • WebUI: Extended the eToken DAT import to display start date support with hh:mm:ss
  • Server: Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate)
  • WebUI: Added 'clear' button to policy form
  • WebUI: Made policies 'active' by default
  • Server: Initialize repoze.who with a random secret during server start up or restart (old 'selfservice' sessions become invalidated)
  • Server/Tools: Added the ability to dump the audit data before deletion
  • Packaging: Removed obsolete SQLAlchemy <0.8.0b2 restriction
  • Server: Random generation: switched to more secure randrange and choice methods
  • WebUI: Updated jQuery to v1.11.1 and all plugins and JS libraries (Superfish, jQuery Cookie, jQuery Validation, ...) to their latest version
  • WebUI: Simplified selfservice tokenlist handling
  • WebUI: Added warning to auth forms when Javascript is disabled in the browser
  • WebUI: Improved auth form handling of JS errors
  • Server: Removed deprecated /auth/requestsms form because SMS can be requested using the regular /auth/index form (by doing challenge-response)
Bug Fixes:
  • Packaging: Fixed ask_createdb debconf question that kept being asked on upgrade of the Debian packages
  • WebUI: Cleaned up selfservice mOTP Token enrollment
  • WebUI: Some fixes for localization and wrong validation of seed input field
  • Server: Fixed the search for ee-resolver tokens and user
  • Server: Raise exception for empty 'user' in 'system' or 'admin' policy
  • Server: Load the HSM before the LinOTP config, so that the config can hold decrypted values
  • Server: Fixed help_url to always use site with version
  • Server: Added support for migrating old linotpee resolvers entries
  • Server: Fixed reinitialization of Yubikey token
  • Server: Yubikey checkOtp should not raise exception if the OTP is too short
  • Server: Fixed bug in Yubikey CSV import
  • Server: Fixed padding and unpadding code for PKCS11 module
  • Server: Fixed padding and unpadding code for YubiHSM module
  • Server: Added LinOTP config options 'pkcs11.accept_invalid_padding' and 'yubihsm.accept_invalid_padding'
  • Server: Fixed token import to support ocra2 token
  • WebUI: Fixed small display error when deleting or modifying multiple tokens in the 'manage' UI
  • WebUI: Fixed selfservice enroll of mOTP token
  • Server: Fixed token serial not appearing in the audit log in some cases

LSE Smart Virtual Appliance 1.2

  • Added German translation of the WebUI. The language will be chosen based on you browser settings.
  • Improved 'Config changed' notification when the administrator makes changes in the WebUI
    • An info bar appears once at the top of the site
    • The 'Configuration Management' Tab is highlighted in orange until the changes are saved
  • LinOTP support and subscription licenses can be added and updated in the Appliance WebUI. When installing via the Wizard you are required to upload a license file.
  • The signature of the LinOTP license file is verified
  • When running the wizard the network settings are preset with the 'current settings' (e.g. as set by DHCP)
  • Added title bar to WebUI, containing links for 'About', 'Help' and 'Logout'
  • Browser session cookies become invalid when Apache2 is restarted (i.e. you have to login again)
  • If the Appliance is unconfigured redirect directly to the Wizard
  • Removed direct link to the Wizard in the dashboard, can explicitly be called by going to /wizard
  • better arrangement of the Tabs in the WebUI
  • version infromation is displayed in the login screen
  • More information such as version of lseappliance and linotp packages as well as serial number and number of licensed tokens is displayed in the dashboard
  • Compatibility improvements for current Versions of Chrome (Chromium), Firefox and IE10+
  • In the Wizard you can skip the RADIUS client configuration if you do plan to only use the WebAPI
  • Upgraded jQuery to version 1.11.1, jQuery UI to version 1.11.0 and other jQuery Plugins to their newest version
  • Made HTML forms more fault tolerant (e.g. DNS server list verifies correct separators, netmask is verified, whitespace is stripped, verify RADIUS secret with second field ...)
  • Fixed so it generates functional initial settings
  • Fixed the Wizard finalization by better synchronizing the steps. This tries to prevent the Appliance being left in a semi-configured state
  • Fixed dhclient still running even after setting static IP settings
  • Fixed security critical information written to log files
  • Use POST requests throughout the application to prevent Apache logging critical information
  • Fixed log file ownership/permissions
  • Changes in other settings no longer re-generate the freeradius settings
  • Force the unconfigured Appliance to always generate a new MySQL password to prevent a semi-configured state.
  • Added dependency for freeradius-ldap
  • Updated dependency for LinOTP to >= 2.7.1 since older version don't implement the new licensing mechanism
  • Make sure the squeeze-lts repository is included in sources.list, otherwise include it
  • In Wizard: Allow moving between already filled out tabs, even if last tab fails to validate
  • Fixed restoration of saved Appliance configurations
  • Increased cookie timeout