LinOTP 3.4.1

netgo software GmbH is pleased to announce the availability of the following product release:

On December 3rd we released LinOTP 3.4.1 to the Debian repositories.

LinOTP 3.4.1

LinOTP 3.4 brings dependency updates and fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end.

Fixes:

The token pin was not saved in SelfService during enrollment for HOTP, TOTP, and password tokens. This results in new tokens having an empty pin instead of the expected pin.

Download

LinOTP 3.4.1 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive the release via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Sachsendamm 63-64, 10829 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Constantin Wehmschulte
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 3.4.1

Fixes:

actually set Token PIN in `userservice/enroll`

LinOTP 3.4 and SelfService 1.3.1

netgo software GmbH is pleased to announce the availability of the following product release:

On November 14th we released LinOTP 3.4 and SelfService 1.3.1 to the Debian repositories.

LinOTP 3.4

LinOTP 3.4 brings breaking changes, features and fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

improved `linotp backup create` CLI
improved audit log entries
reporting api change: If the `realms` parameter is omitted, the realm `/:no realm:/` is now also evaluated

LinOTP SelfService 1.3.1

SelfService 1.3.1 brings bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Fixes:

verify warning is removed when a token is enrolled with successful verification
users can login with, test and verify forwarding tokens targeting any common token

Download

LinOTP 3.4 and SelfService 1.3.1 are available as Debian packages from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive the release via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

Changelog LinOTP 3.4

Breaking Changes:

For the container, the `client=` HTTP POST parameter is deprecated and disabled by default. It will be removed in an upcoming version of LinOTP. It can be re-enabled if the `GET_CLIENT_ADDRESS_FROM_POST_DATA` config is set to a true value (the default is "false", for security reasons). Only if re-enabled, the "Authorization:" config on the "System config" dialog in the web-based management UI is available again and `client=` parameters are looked at.

default of `BACKUP_DIR` is now /var/backups/linotp for the Debian package

the CLI `linotp backup create` uses `BACKUP_DIR` to save backups instead of the current working directory

breaking changes to the `linotp audit cleanup` CLI:

option `--no-export` is removed

option `--export` is added to trigger the export

export is disabled by default. Use `linotp audit cleanup --export` to trigger it. This restores LinOTP 2.x behavior

options `--min` and `--max` are removed. They are replaced by `--max-entries-to-keep` and `--cleanup-threshold`:

`--max-entries-to-keep` (default: 5000) specifies the number of entries to be retained in the audit database.

`--cleanup-threshold`: (optional) cleanup is only initiated if the number of entries exceeds this threshold. Must be greater than --max-entries-to-keep. No threshold is active by default, i.e. technically speaking, this parameter is equal to `--max-entries-to-keep` by default.

Features:

TRUSTED_PROXIES config variable is added to configure LinOTPs proxy trust. This config will override (i.e. disable) the trusted forwarding proxy configuration in the manage ui -> system configuration.

add option `--delete-after-days` to `linotp audit cleanup`: Delete entries older than the given number of days (starting from the beginning of the day). Can't be used alongside `--max-entries-to-keep` or `--cleanup-threshold`!

improved debug log output for TOTP resync routine

improved (mostly by reducing) debug log output during server start and request context.

reporting api change: If the `realms` parameter is omitted, the realm `/:no realm:/` is now also evaluated.

Fixes:

when rolling out a forwarding token via /manage, the serial of the target token is included in the description

faulty JWTs don't cause a `500 Internal Server Error` anymore and the error gets logged properly

login and logout endpoint for admin authentication was mixed into all /api/v2 controllers which made it possible to use e.g. /api/v2/realms/login. Please use only /admin/{login/logout}

faulty policies (e.g. `totp_hashlib=sha256`) now return and log a meaningful error message

audit log entries for `/admin/login` and `admin/logout` now state `success`, `user`, `realm` and `administrator` correctly

audit log entries for userservice API requests state the correct `success` value

the last provider (of any kind) can now be deleted

non-default providers can be now be deleted as expected if and only if they are not part of an authentication policy

audit log entries for `/userservice/logout` now state `user` and `realm` correctly

Restored the `period` return attribute in the /reporting/period API endpoint to resolve missing data issue.

Changelog LinOTP SelfService 1.3.1

Breaking Changes:

verify warning is removed when a token is enrolled with successful verification

users can login with, test and verify forwarding tokens targeting any common token

LinOTP 3.3.3 and SelfService 1.3

netgo software GmbH is pleased to announce the availability of the following product release:

On September 16th we released LinOTP 3.3.3 and SelfService 1.3 to the Debian repositories.

LinOTP 3.3.3

LinOTP 3.3.3 brings one fix. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

SMTP now sends e-mails with a "Date:" header to accommodate picky SMTP servers on the receiving side.

LinOTP SelfService 1.3

SelfService 1.3 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Added support for custom content placement in specific app sections.
Added support to add a custom page.
Show an error message when the permissions can not be loaded.

Download

LinOTP 3.3.3 and SelfService 1.3 are available as Debian packages from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive the release via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

Changelog LinOTP 3.3.3

Fix:

SMTP now sends e-mails with a "Date:" header to accommodate picky SMTP servers on the receiving side

Changelog LinOTP SelfService 1.3

Features:

Added support for custom content placement in specific app sections.

Added support to add a custom page.

Fix:

Show an error message when the permissions can not be loaded.

Security Update Smart Virtual Appliance / SVA 3.1.1

netgo software GmbH announces the availability of the following security update for the SVA 3:

On July 15th we released update 3.1.1 of the LinOTP Smart Virtual Appliance (SVA) for our customers with an active support and subscription license to mitigate the BlastRADIUS vulnerability.

What is the BlastRADIUS vulnerability?

BlastRADIUS describes a MITM attack that allows to exploit the radius protocol itself. Please read article 2024.07.09 BlastRADIUS Vulnerability at https://www.freeradius.org/security/ for further details regarding the history and criticality of the issue or the practicability of a successful exploit.

Is your LinOTP setup vulnerable to BlastRADIUS?

If your using LinOTP with FreeRADIUS, e.g. on a LinOTP Smart Virtual Appliance, you will be running a vulnerable FreeRADIUS version.

How to mitigate the BlastRADIUS vulnerability?

There is a configuration patch that can be applied to your FreeRADIUS site config. Please refer to the official tutorial in article 2024.07.09 BlastRADIUS Vulnerability - section "If You Cannot Update" on how to apply this patch yourself if you are not running SVA 3.

The update 3.1.1 of LinOTP Smart Virtual Appliance applies this patch, please ensure the update to this version. Please contact the support team for assistance of the regular update or a download link to the latest ISO installer.

For the upcoming container-based architecture, we have already updated FreeRadius to 3.2.5 and provide a new container in our registry. Please contact us at support@linotp.de if you would like to be informed as soon as the new container-based LinOTP Virtual Appliance is available or to get an early-adopter demo version now.

Download

lseappliance 3.3.1 is available as a Debian package from our customer repository.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

LinOTP 3.3 and SelfService 1.2

netgo software GmbH is pleased to announce the availability of the following product release:

On July 15th we released LinOTP 3.3 (including patch release 3.3.2) and SelfService 1.2 to the Debian repositories.

LinOTP 3.3 (patch 3.3.2)

LinOTP 3.3 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Improved logging configuration
New API endpoints with a more modern interface in preparation for the Manage UI Overhaul
Improved authentication API for the SAML and OpenIDConnect LinOTP IdP
Policies are now validated when saved in Manage-UI
Tokens can be imported in disabled state
LinOTP 3.3 is the first fully supported Container-based release for our customers.

LinOTP SelfService 1.2

SelfService 1.2 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Warning of potential lockout if user has no active token but MFA login is active
Display and of token limits set by policies
Token dialogs show the token info as references now
If usage time stamps are enabled in LinOTP, we warn users to not leave the selfservice without a verified token
Improved enrollment workflows for HOTP, TOTP and password tokens
SelfService is no-longer embedding CDN-hosted fonts.

Download

LinOTP 3.3.2 and SelfService 1.2 are available as Debian packages from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive the release via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

Changelog LinOTP 3.3.2

Fix:

migration to 3.0.0 no longer fails (due to missing arg)

Changelog LinOTP 3.3.1

Fix:

fix unbound variable in containers `entrypoint.sh`

Changelog LinOTP 3.3

Breaking Changes:

Renamed the following config variables and some changed their defaults:

`LOGGING_FILE_LEVEL` -> `LOG_FILE_LEVEL`

default: `WARNING` -> `DEBUG`

`LOGGING_CONSOLE_LEVEL` -> `LOG_CONSOLE_LEVEL`

default: `WARNING` -> `DEBUG`

`LOGGING_SQLALCHEMY_LEVEL` -> `LOG_LEVEL_DB_CLIENT`

`LOGGING` -> `LOG_CONFIG`

default of `LOGGING_LEVEL` changed from `INFO` to `WARNING`
when migrating from LinOTP 2.x, the audit log is no longer truncated to circumvent issues with privileges in different database handlers. Old audit log entries that are not truncated now, are reported to have a failing signature check because the method has changed with LinOTP version 3.0.

Deprecations:

In the future, config variable `LOGGING_LEVEL` will be replaced by `LOG_LEVEL`. `LOG_LEVEL` can and should be used from now on. `LOG_LEVEL` defaults to `WARNING`.

Features:

new API endpoints to retrieve tokens:

/api/v2/tokens

accepts query parameters `userId` and `resolverName` to filter tokens by

accepts query parameter `searchTerm` to filter all other columns

/api/v2/tokens/<serial>

new API endpoint to retrieve realms:

/api/v2/realms

new API endpoint to retrieve users of a realm:

/api/v2/realms/<realm_name>/users

accepts any field of a user as query parameter to filter by

accepts query parameter `searchTerm` to filter users where one field matches the given value

new API endpoint to retrieve resolvers:

/api/v2/resolvers

new API endpoint to retrieve users of a resolver:

/api/v2/resolvers/<resolver_name>/users

accepts any field of a user as query parameter to filter by

accepts query parameter `searchTerm` to filter users where one field matches the given value

sortable by fields

/api/v2/resolvers/<resolver_name>/users/<user_id>

shows the single user info

new API endpoint to retrieve AuditLog:

/api/v2/auditlog

accepts most fields of an AuditEntry as query parameter to filter by

new API endpoint to retrieve all currently reported token statuses:

/system/getReportedStatuses

accepts query parameter `realms` to filter by realms. Use `realms=*` to get all realms including `/:no realm:/`.

new API endpoint to retrieve context information for manage ui (similar to /userservice/context)

/manage/context

the new API endpoints all return dates in ISO 8601-compliant format

limit info-box height in manage-ui. Notifications are scrollable, if combined size exceeds newly limited height.

Server-side invalidation of admin sessions on logout to prevent re-using a JWT after a user dropped its session

tokens can be imported as disabled tokens

when triggering a challenge, the token description is returned to help identify the token

password token now supports the 'onetime' parameter as the former SPASS token type did

added validation for policy actions. The validation is based on the policy definitions and saving a policy with an invalid action is rejected

policies detail_on_success and detail_on_fail apply to all /validate endpoints

/validate endpoints return user information (e.g. given name, phone) when detail_on_success is set

/userservice/context now returns whether usage timestamp logging is enabled in LinOTP

improved audit log messages for /admin/ API

support for MySQL databases that are run with lower_case_table_names=1 (default on Windows)

Fixes:

Removed: LinOTP no longer supports truncated transaction ids or checking partial transaction id matches

Upon user logout, admin sessions weren't properly invalidated, allowing to re-use JWTs of logged-out users

when using pagination, /admin/userlist would not return the last user of the page, if the list of users for that page is greater or equal to the value of `rp` (default: 16)

forward token with an empty pin now supports forwarding to push tokens (was broken since 3.2.4)

filtering for active/inactive token works correctly

legacy selfservice qr and push token enrollment breaks with strings in otppin policy

legacy selfservice customisation not working in login screen

drop ability to define autoassignment policy with values, it is now only acting as a boolean policy

an admin could use `reporting/delete_before` for realms they did not have access to

AdminController and UserserviceController did trigger reporting on unauthorized requests

AdminController was not triggering reporting for the correct realms in some circumstances

UserserviceController was not triggering reporting for the correct realms in some circumstances

requests to userservice API are logging the username in the audit-log instead of the User-Object

replace deprecated `DATA_DIR` with `CACHE_DIR`. Mako template cache now uses `CACHE_DIR`.

trim excessive error logging when accessing `/static` files without a valid session

Changelog LinOTP SelfService 1.2

Features:

Users get warned and have to confirm their action, if that action would prevent them from logging into Selfservice.

Display number of enrolled tokens.

Display the number of remaining tokens that the user is still allowed to enroll.

Users are prevented from enrolling a token, if the token limit has been reached. They're informed instead.

Harmonize form behaviour. E.g. all forms can now be submitted by pressing the `enter` key.

Error messages and notifications have different styles

Dockerfile has been improved in outlook of LinOTPs containerization

Display info about selected token in action dialogs

Show links and recommend the usage of LinOTP Authenticator app for OATH Tokens

Improved enrollment for HOTP and TOTP tokens

Removed non-public dependencies. LinOTP Selfservice can now be build by everyone.

Dynamically change the theme based on the device's color scheme, without requiring a browser refresh.

Display warnings about not verified tokens

Improved enrollment for password tokens

Fix:

Show correct error messages after session timeout

LinOTP 3.2.6 released

On November 24th we released LinOTP 3.2.6 to the repositories.

LinOTP 3.2.6

netgo software GmbH announces a critical vulnerability in LinOTPs Self Service API. This patch is necessary for all versions newer than LinOTP 3.0. A dedicated announcement was published to provide additional details for this vulnerability.

LinOTP 3.2.6 brings one fix. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Show serial and token type in audit log in case of an error; e.g. if a token exceeded its failcounter

Download

LinOTP 3.2.6 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.6 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Constantin Wehmschulte
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 3.2.6

Fix:

Show serial and token type in audit log in case of an error; e.g. if a token exceeded its failcounter

Selfservice 1.1.1 released

On January 18th we released Selfservice 1.1.1 to the repositories.

Selfservice 1.1.1

Selfservice 1.1.1 brings one fix.

Highlights:

Language picker displays selected language correctly.

Download

Selfservice 1.1.1 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive Selfservice 1.1.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

Changelog Selfservice 1.1.1

Features:

Fix:

Language picker displays selected language correctly

Selfservice 1.1 released

On January 11th we released Selfservice 1.1 to the repositories.

Selfservice 1.1

Selfservice 1.1 brings new features, improvements and fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Dark-Mode based on browser/user preference.
Deep-linking to token enrollment.

Download

Selfservice 1.1 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive Selfservice 1.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

Changelog Selfservice 1.1

Features:

Dark-Mode based on browser/user preference.

Deep-linking to token enrollment: `/tokens/enroll/:tokentype` opens the selfservice and directly shows the enrollment dialog for the given tokentype.

Refined interfaces.

Fix:

Deep-linking to enrollment page for unauthenticated user after login

Logged in users are redirected from login page to token list

Apache config workaround for customization no longer needed with lseappliance 3.0.2.

Testing a token via the tokens actions menu opens test dialog correctly.

Dependencies:

Update to Angular 15

Update to Node 14.21.1

Security Update LinOTP 3 Self Service / Security Advisory

What You Need to Know

Short Description

An issue with the LinOTP 3 Self Service login's request context safety mechanism can cause a user's session data to be mistakenly replaced with that of another user who is logged in at the same time. This error could potentially reveal personal information (like username, email, and phone number) and allow one user to access and operate with the permissions of another within the LinOTP 3 Self Service.

Affected Products

LinOTP 3 with all versions from LinOTP 3.0 up to LinOTP 3.2.4
LinOTP Virtual Appliance with LinOTP 3.0 and above (Installations based on SVA 3.0 and higher need to update to LinOTP 3.2.5 and newer)

Unaffected Products

LinOTP 2 up to and including the current 2.12.6 is not affected.
LinOTP ADFS Plugin is not affected
LinOTP LAP is not affected
LinOTP SAML IdP, LinOTP RADIUS Authentication Module, LinOTP LDAP Authentication Module are not affected.
LinOTP Virtual Appliance itself is not affected.

Criticality

We are currently calculating with a CVSS 3.1 score of 7.5 (high)

(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C/CR:M/IR:M/AR:M).

CVE-2023-49706 was published for this vulnerability.

Date of Publication

2023-12-19

Disclaimer:
LinOTP core authentication checks are not directly affected. The validation of logins using the LinOTP core API, including all LinOTP Authentication Modules are not directly affected. This includes all protocols (SAML, RADIUS, LDAP, ), and authentication frontends (i.e. LinOTP Authentication Provider, ADFS) which are not directly affected by this advisory.

Description

Due to an error in the multi-threading safety mechanism in the LinOTP 3 Self Service login, the session check data of a user can be overwritten with the session data of another, concurrent user. This leads to possible information disclosure (username, e-mail, phone number) and allows to act as and with the permissions of the attacked user in the LinOTP 3 Self Service.

This vulnerability could enable unauthorized access without the need for valid credentials. In specific situations, it might be possible to target an individual user. However, any unauthorized access attempts by a malicious entity would only be possible if another user is actively engaged in the self-service portal at the same time. It is important to note that previously expired sessions cannot be exploited in this context.

We currently have no evidence indicating that the identified vulnerability has been exploited.

A customer initially reported a display bug with the Self Service. After further investigations, the LinOTP team was able to identify a related vulnerability and assess its severity. We developed a fix while analyzing the behavior which is provided with this update. Other parts of LinOTP beyond the Self Service were analyzed. No additional occurrence of this implementation pattern was found. The administrative login implemented with LinOTP 3 is not affected.

The provided update to LinOTP 3.2.5 completely fixes this vulnerability. All customers running LinOTP 3 up to version 3.2.4 are strongly advised to install the newest version LinOTP 3.2.5 as soon as possible.

We are providing LinOTP 3.2.5 as a regular update for LinOTP SVA and as native packages for LinOTP 3.2.4 and older (Debian). Please refer to the installation instructions for the correct steps in your environment: Installation Instructions

Customers can contact support@linotp.de if you have any questions about the update. We are happy to assist directly and execute the update together with you, tailored to your environment.

Preventive actions

A complete fix of the vulnerability needs the installation of the provided update. If you can not install the update in a fitting time frame we provide some preventive actions.

Deactivating all active policies in the scope „selfservice“ will remove all permissions for all users. This will prevent a possible misuse until the update can be installed. Please note, regular users will also not be able to configure their tokens, until the policies are reactivated.

Deactivating the „userservice“ backend and the Self Service completely is advised if you cannot update for some time. Please contact support@linotp.de, we are happy to assist in deactivating the backend in the LinOTP configuration.

Important Measures

LinOTP 3 Self Service checks the user and the client IP of the session. A common scenario for LinOTP 3 Self Service is running a proxy or load balancer between the client and the LinOTP backend. Oversight to configure the forwarding of the client IP to LinOTP in this scenario, increases the possibility of the race condition in this advisory to occur, since the clients IP is not contributing to distinguish the session. Please refer to 1.12.4. System Config — LinOTP 3.2 documentation for details. This is independent of the current update.

We understand that this process may be inconvenient, and our technical support team is here to assist our customers.

LinOTP 3.2.5 released

On November 24th we released LinOTP 3.2.5 to the repositories.

LinOTP 3.2.5

LinOTP 3.2.5 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Ensure that userservice login results in exactly one session cookie per response.
Avoid a race condition in userservice request method setup which could lead to a user being erroneously authenticated as a different user.

Download

LinOTP 3.2.5 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.5 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

Changelog LinOTP 3.2.5

Features:

Use entirely random values for userservice session cookies.

Fix:

Ensure that userservice login results in exactly one session cookie per response.

Avoid a race condition in userservice request method setup which could lead to a user being erroneously authenticated as a different user.

Packaging:

Debian postinst now correctly restarts the LinOTP service again to ensure running the latest version without the need for manual intervention.

LinOTP 3.2.4 released

On November 15th we released LinOTP 3.2.4 to the repositories.

LinOTP 3.2.4

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2.4 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Forward tokens no longer count into the license limit
Forward tokens support forwarding to push and qr tokens

Download

LinOTP 3.2.4 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.4 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Clemens Schmidt, Constantin Wehmschulte
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 3.2.4

Features:

when using the forward token and a challenge is triggered, the response detail contains information about the target token

forward tokens do not count for license

the forward token now supports the offline capability of the qr token

Fix:

forward token supports forwarding to a qr and push token

LinOTP 3.2.3 released

On Februaury 16th we released LinOTP 3.2.3 to the repositories.

LinOTP 3.2.3

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2.3 brings fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Ensure all types of token will be migrated
Fixes customisation of /manage and /selfservice-legacy

Download

LinOTP 3.2.3 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.3 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Clemens Schmidt, Constantin Wehmschulte
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 3.2.3

Fix:

ensure all types of token will be migrated

ensure that dbconfig-common triggers the linotp database migration

Customisation of /manage and /selfservice-legacy was broken due to url path changes with LinOTP 3

LinOTP 3.2.2 released

On December 21 we released LinOTP 3.2.2 to the repositories.

LinOTP 3.2.2

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2.2 brings fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Migrate encypted data 'password' with legacy proprietary padding (LinOTP 2.9)
Fix migration of yubico token to LinOTP 3.2

Download

LinOTP 3.2.2 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.2 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Clemens Schmidt, Constantin Wehmschulte
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 3.2.2

Fix:

Challenge database is reset once to ensure that Backups pre LinOTP 3 correctly restore existing challenge-response tokens.

Migrate encypted data 'password' with legacy proprietary padding (LinOTP 2.9)

Fix migration of yubico token to LinOTP 3.2

LinOTP 3.2.1 released

On July 15th we released LinOTP 3.2.1 to the repositories.

LinOTP 3.2.1

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2.1 brings fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Fix audit key verification errors
Fix migration of QR-tokens from SVA-2.12.5 to SVA-3.0
Ensure that inactive policies are not evaluated

Download

LinOTP 3.2.1 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Clemens Schmidt, Constantin Wehmschulte
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 3.2.1

Fix:

Audit key verification errors solved by using newer version of pycryptodomex.

Remove weak file permissions in config dir.

Solved migration of QR-tokens which broke backup-restore from SVA-2.12.5 to SVA-3.0

Database re-encoding during database migration now also migrates managed users that were previously not correctly migrated.

Debian postinst trying to add admin users via htdigest. This is no longer supported and therefore removed. Use the linotp CLI manually instead.

Ensure that inactive policies are not evaluated. Previously, inactive policies were being evaluated in certain situations, leading to wrongly attributed permissions to logged-in administrators.

LinOTP 3 released

On July 15th we released LinOTP 3.2, the first stable release of LinOTP 3.

LinOTP 3.2

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2 brings many improvements, new features and bugfixes. The following list contains the most important changes to LinOTP 2.

See the full changelog of LinOTP 3.0, LinOTP 3.1, and LinOTP 3.2 for more details and the full list of changes and deprecations.
See the migration guide in the LinOTP documentation for more details for your upcoming install of LinOTP 3.

Highlights:

Python 3 & Flask: LinOTP 3 is based on Python 3 and the main framework was ported from Pylons to Flask to future proof the foundation.
New Selfservice: LinOTP 3 ships with a completely new Token Selfservice user interface.
Administrative Login: LinOTP 3 ships with a brand new JWT based admin authentication for the Management UI and the administrative APIs.

New Selfservice

It completely overhauls the workflow for users to self-manage their own authentication tokens. The new selfservice is installed as a dependency of the LinOTP package.
The new selfservice integrates itself into the apache configuration on installation and is the default selfservice of your LinOTP server.
The SelfService design from LinOTP 2 is deprecated but still available under it’s own path /selfservice-legacy. You can change the apache configuration to change the default.
Footer texts and links to your privacy and imprint informations can be configured by LinOTP policies. The logo image can be changed and the CSS rules can be customized.
The new Selfservice supports the workflow of users testing their tokens after enrollment. This verifies the correct functionality of the token and eases future debugging login problems.

Administrative Login

LinOTP 3 ships with a brand new JWT based admin authentication for the Management UI and the administrative APIs.
It is no longer necessary to configure apache to protect admin access
LinOTP 3 no longer uses digest authentication.
LinOTP Administrators are now configured in LinOTP itself. Administrators can be configured using the `linotp` CLI command for bootstraping or automation or graphically using the known UserIDResolvers and Realms.
The internal administration allows an improved handling of admin policies and permissions based on groups and resolvers

Configuration Files

To facilitate the migration to flask and to improve the handling of configuration files in modern environments, LinOTP 3 no longer supports the linotp.ini configuration file format. Instead, a new linotp.cfg file format is in place. See the migration guide for detailed information about the configuration changes.

General Improvements

Managed resolvers (Internally stored users) that are managed via "Import users" in the Manage-UI now work with replicated databases, high-availability setups and if restored from database backups.
A new 'linotp' CLI replaces different scripts and tools. This improves the integration and feature set of all CLI scenarios. It also provides new features to administrate different parts of LinOTP. See 'linotp --help' for information about the different sub-command groups.
The audit trail can now be used with an sqlite database. Note that sqlite still has concurency limitations and we advise you to use a database server for production environments.
'Cross site scripting request forgery (CSRF)' is no longer handled via the session request parameter. The session parameter that was used before should be omitted. API endpoints that are modifying data are restricted to accept only 'POST' requests and must use the new header. See the Migration guide for further details.
All providers allow configuring a TIMEOUT parameter.
SMS blocking time is now configurable in the SMS token configuration dialog. The blocking time (in seconds) is the period that needs to pass before another challenge can be triggered by the same user.
Improved handling of timestamps in logs and reports. The audit trail is now storing ISO 8601 formatted timestamps in UTC timezone instead of server local time.
LinOTP 3 now fully relies on the system trusted certificates for TLS security like it is used with LDAP resolvers.
Improved handling of encrypted LDAP resolver connections.
Specific policies override wildcard policies. This ensures that actions can be restricted for a subset of users.
Improved token monitoring and more precise token counting
Improved audit log entries
Improved integration of supported databases
LinOTP 3 supports reencoding of LinOTP 2 databases from ISO 8859-1 (Latin1) to UTF-8 via the LinOTP CLI. Latin1 used to be the default for Python 2 against mysql but is no longer valid for Python 3. The 'linotp.log' will instruct users on how to use the migration command if necessary. The LinOTP Smart Virtual Appliance (SVA 3.0) will automatically apply the reencoding during the restore setup.

Download

LinOTP 3.2 is available as a Debian package from www.linotp.org.

Users with a support and subscription license can migrate to the new LinOTP Smart Virtual Appliance in version 3.0. An SVA installer ISO download link can be requested from the support team.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Clemens Schmidt
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

LinOTP 2.12.5 released

On March 17th we released LinOTP 2.12.5 to the repositories.

LinOTP 2.12.5

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12.5 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Dependencies: jQuery and jQuery-Migrate are updated to the latest versions

Download

LinOTP 2.12.5 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12.5 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Clemens Schmidt
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 2.12.5

Dependencies:

Server: Debian buster, update jQuery and jQuery-Migrate

LinOTP 2.12.4 released

On February 16th we released LinOTP 2.12.4 to the repositories.

LinOTP 2.12.4

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12.4 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

HOTP / TOTP token: Enrollment now properly encodes the token issuer setting in the QR code.
Forward token: Support for multiple challenges mode added.
Manage UI: System write permission now required to import users.

Download

LinOTP 2.12.4 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12.4 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Clemens Schmidt
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 2.12.4

Bug Fixes:

Include Readme.rst in packaging artifacts

Tool to import users now enforces system write permission, which is required because resolvers are created or updated

Import User dialog layout fix

Improve help text output of linotp-create-htdigest script

No longer deploy obsolete who.ini config file

Forward tokens support multiple challenges

HMAC enrollment QR-code correctly URL-encodes tokenissuer

LinOTP 2.12.3 released

On April 7th we released LinOTP 2.12.3 to the repositories.

LinOTP 2.12.3

arxes-tolina GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12.3 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Reporting API: New API to collect reports for specific time periods.

Download

LinOTP 2.12.3 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12.3 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
arxes-tolina GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Robert-Koch-Straße 9, 64331 Weiterstadt
Main office, Piesporter Straße 37, 13088 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 84278
Board of Directors: Dr. Peter Heilmann, Ralf Berndt, Sebastian Meyer
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 2.12.3

Enhancements:

Server: Add API /reporting/period to query reporting for a period in a Range between 'from' and 'to', where the 'from' date is included in the range and the 'to' date is not included. If a range defined and the 'to' date is not included. The API will search for the last repoting entry before the period if no entry for the given period is found.

LinOTP 2.12.2 released

On Febuary 15th we released LinOTP 2.12.2 to the repositories.

LinOTP 2.12.2

arxes-tolina GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12.2 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Rollout token: The rollout token can now be allowed for specific /validate requests.

Download

LinOTP 2.12.2 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12.2 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

Changelog LinOTP 2.12.2

Enhancements:

Make rollout token behavior consistent when also used for general validation.

LinOTP 2.12.1 released

On Ocober 23rd we released LinOTP 2.12.1 to the repositories.

LinOTP 2.12.1

arxes-tolina GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12.1 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Policies: Improved deterministic evaluation across all scopes.
Selfservice: MFA login fixed with LinOTP Push- and QR-Token.

Download

LinOTP 2.12.1 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

Changelog LinOTP 2.12.1

Bug Fixes:

Policies: Consistent evaluation of policies is ensured in the "enrollment" scope. Evaluation is adjusted to match all actions for a given user if some of the actions are less explicitly defined regarding user and realm fields

Selfservice: MFA login with Push Token and QR Token is correctly processed

Incorrect max token count evaluation is fixed if a different, more specific (not user:'*') policy with other actions is defined.

LinOTP 2.12 released

On July 28th we released LinOTP 2.12 to the repositories.

LinOTP 2.12

arxes-tolina GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12 brings many improvements, new features and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Token usage datescan now optionally be tracked for newly enrolled tokens if activated
Challenge validity time is now configurable in the Manage-UI

Download

LinOTP 2.12 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

Changelog LinOTP 2.12

Enhancements:

Server and UI: Add three new columns to the token table, they can be viewed under the admin/show endpoint, and in the Manage UI under TokenInfo. The system settings dialog in the Manage UI provides an option to enable and configure their visualisation

LinOtpCreationDate - contains the date of creation of the token

LinOtpLastAuthSuccess - last successful login with this token

LinOtpLastAuthMatch - last use of the token with several tokens and otppin is not PIN or the tokens have identical PIN

Server: Expired or wrong cookies in userservice requests will return a HTTP 401 (session abort) error

UI: Browser tab icons match the current LinOTP logo

UI: Browser tab titles start with the name of the web application, to make it easier to distinguish between Manage and Selfservice UI in small tabs

UI: Challenge validity time for SMS and email tokens can now be set via the Manage UI

Bug Fixes:

Server: Failed userservice 2nd factor logins increase the fail counter of the respective token

Server: Replication setups on the SVA no longer fail due to faulty userservice cookie handling

LinOTP 2.11.2 released

On May 5th we released LinOTP 2.11.2 to the repositories.

LinOTP 2.11.2

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 2.11.2 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

Email token: Challenge blocking behaviour
Apache configuration: Modular extension for a separate Selfservice config

Download

LinOTP 2.11.2 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.11.2 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

Changelog LinOTP 2.11.2

Enhancements:

Email token accept a new challenge as soon as the previous challenge is correctly answered

Update LinOTP Apache configuration to include additional configuration supplied by a related package such as the Selfservice

Bug Fixes:

Respect maxtoken policy when creating new token in selfservice frontend

In Selfservice cookie expiration date now reflects timezone

IE11 Browser rendering fixed, where content height was not respected before

LinOTP 2.11.1 released

On March 31st we released LinOTP 2.11.1 to the repositories.

LinOTP 2.11.1

netgo GmbH is pleased to announce the availability of the following product release:

LinOTP 2.11.1 brings many improvements, new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

New Feature: Support for dynamic email address for email token submission.
New Feature: Support for autoenrollment enrollment notification via e-mail templates.
New Feature: New API endpoint for helpdesk support.

LinOTP can now update e-mail addresses in the user token when they are changed in the user store. The automatic rolling out of tokens for users can now be combined with the notification of users. The sent mail can be customized with templates. Details can be followed here. The API endpoint for the helpdesk makes selected token management functions available to user support staff.

Download

LinOTP 2.11.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.11.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
arxes-tolina GmbH
https://www.linotp.de
https://www.linotp.de/produkte/multi-faktor-authentifizierung.html
Branch office Darmstadt, Robert-Koch-Straße 9, 64331 Weiterstadt
Main office, Piesporter Straße 37, 13088 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 84278
Board of Directors: Dr. Peter Heilmann, Ralf Berndt, Sebastian Meyer
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@keyidentity.com

Changelog LinOTP 2.11.1

Server changes:

Server: Support for dynamic email address for email token submission
Server: Add support for autoenrollment enrollment notification

LinOTP hotfix and advisory

LinOTP hotfix and security advisory

KeyIdentity GmbH announces a critical vulnerability in LinOTP. CVE-2019-12887 was published for this vulnerability.

KeyIdentity GmbH recommends to apply the hotfix described below for a secure operation of LinOTP if the conditions apply.

The vulnerability is relevant if you are using TOTP (time based OATH HMAC) token and enabled the auto resynchronization feature. Automatic resynchronization is inactive by default after installation.

With activated resynchronization it is possible to successfully log in using an OTP value recorded earlier.

The hotfix prevents this attack vector.

If you cannot update or patch immediately and have automatic resynchronization activated with TOTP token, you should deactivate the automatic resynchronization until you can update. We provide a configuration guide.

We explicitly thank Sébastien Foutrel for his diagnostics and valuable report for this vulnerability.

Installation

We provide packages in different formats and versions. These packages do not contain changes beyond the hotfix for this issue.

KeyIdentity provides an installation guide with download links for all available packages.

Available Packages

2.10.5.2 updated to 2.10.5.3 (Debian Jessie, Debian Stretch, RPM)

2.9.3.4 updated to 2.9.3.5 (Debian Jessie)

2.8.1.7 updated to 2.8.1.8 (Debian Jessie)

All versions of LinOTP

If you are using an older version of LinOTP (<2.8) or cannot immediately install the packages provided, we also provide a patch file with a patch guide

KeyIdentity LinOTP Smart Virtual Appliance

Customers using the LinOTP SVA will receive the update when automatic updates are activated. We recommend until your scheduled automatic update to deactivate the automatic resynchronization if enabled, used with TOTP token and you can not apply the immediate updates described above. We offer a configuration guide.

If you have questions about applying the hotfix, we are happy to assist you:

E-Mail: support@keyidentity.com

Telefon: +49 6151 86086 115

KeyIdentity LinOTP 2.10.5.1 released

On May 07th we released LinOTP 2.10.5.1 to the repositories.

LinOTP 2.10.5

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.10.5.1 brings many improvements, new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

New Feature: Prevent dirty cache when resolver is not avialable.
New Feature: Resolver and realm cache is wiped when the cache is switched off.

Both improve the resolution of user information from the LDAP resolver. The use of negative information by the failure is avoided. Details can be found here

Download

LinOTP 2.10.5.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10.5.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

The KeyIdentity LinOTP team

--
KeyIdentity GmbH
https://www.keyidentity.com
Robert-Koch-Straße 9, 64331 Weiterstadt
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@keyidentity.com
Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Board of Directors: Nils Manegold

Changelog LinOTP 2.10.5.1

Server changes:

Server: Prevent dirty cache if resolver is not avialable

Server: Resolver and realm cache is wiped when the cache is switched off

KeyIdentity LinOTP 2.10.4 released

On February 26th we released LinOTP 2.10.4 to the repositories.

LinOTP 2.10.4

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.10.4 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

New Feature: SMSProvider failover

Besides an improved handling of Provider outages LinOTP now provides a fail over configuration for SMSProvider via policies. Details can be found here

Download

LinOTP 2.10.4 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10.4 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

The KeyIdentity LinOTP team

Changelog LinOTP 2.10.4

Server changes:

Server: SMSProvider failover

KeyIdentity LinOTP 2.10.3 released

On January 25th we released LinOTP 2.10.3 to the repositories.

LinOTP 2.10.3

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.10.3 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

New Feature: Rollout Token

Protect the self service login with an initial roll out token. Details can be found here

Download

LinOTP 2.10.3 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10.3 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

The KeyIdentity LinOTP team

Changelog LinOTP 2.10.3

Server changes:

Server: Public release of rollout token

KeyIdentity LinOTP 2.10.1 released

On October 17th we released LinOTP 2.10.1 to the repositories.

LinOTP 2.10.1

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.10.1 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

New Feature: RestSMSProvider

This new SMSProvider enables LinOTP to submit SMS to any SMS Provider (e.g. CLX Communication) with a support for REST API based on a JSON payload. Details about the configuration can be found here: http://linotp.org/doc/latest/part-management/smsprovider.html#restsmsprovider http://linotp.org/doc/latest/part-management/smsprovider.html#id4

Download

LinOTP 2.10.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

The KeyIdentity LinOTP team

Changelog LinOTP 2.10.1

Server changes:

Server: LDAPUserIdResolver failover: stay with working LDAP-Servers for an incrementing time before retry connecting the first server

Server: Add charset/collate clauses to database generation commands: ensures compatibility with recent versions of MariaDB

Server: New policy 'forward_on_no_token' to support forwarding of request to remote server if user has no token

Server: Allow configuration of the challenge prompt via system/setConfig?SMS_CHALLENGE_PROMPT=MESSAGE

Server: New policy 'enforce_smstext' to ignore request param data

Server: Support to configure HTTP headers in Rest SMS Provider

API changes:

API: Show token enrollment status in userservice/usertokenlist

API: Support check_status without user parameter

Web UI changes:

Web UI: Add timezone entry to token info dialog

Web UI: Update visuals for manage token info

Selfservice changes:

Selfservice Portal: Support optional landing page for selfservice portal

Selfservice Portal: Show token description in selfservice portal

Bug Fixes:

Server: Fix LDAPUserIdResolver failover

Server: Search token list with userPrincipalName

Server: Fix RADIUS Forward Token

Server: otppin=ignore_pin now works alternatively to otppin=3

Server: LinOTP server now handles forward proxy definition correctly

Server: Fix storing of timeout tuples within the DefaultPushProvider

Server: Fix backend for setExpiration UI dialog which failed in some cases

Server: Provide error message if update of a license key was failing

Server: Set default time zone to make time based tokens work in all setups

Server: Support for SQLUserIdResolvers where the user id is defined as int. This fixes actions in the selfservice portal.

Web UI: Default for splitAtSign is now correctly displayed in the UI

KeyIdentity LinOTP 2.10 released

On January 15th we released LinOTP 2.10 to the repositories.

LinOTP 2.10

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.10 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter

Highlights

New Feature: Voice Token

LinOTP 2.10 is the first release to include support for Voice Tokens. Thus, in addition to the already known challenge response token (e.g. KeyIdentity's Push Token, SMS Token), provides another barrier-free possibility to deliver OTP to users.

Currently Twilio is supported as Voice Token Provider. The Voice Token requies a dedicated Voice Challenge Service which is made available to customers by KeyIdentity GmbH. Documentation for the Voice Token can be found here: Voice Token.

Details about the Voice Challenge Service can be obtained from support@keyidentity.com.

New Feature: Securing the Selfservice Portal with MFA

The Selfservice Portal can be additionally protected with MFA. This is particularly useful for environments where the Selfservice Portal stands exposed to the Internet. The MFA feature is configureable and allows the retention of existing workflows with addtional security.

Details can be found here: MFA Selfservice Portal .

Improvements: KeyIdentity Push Token

LinOTP 2.10 improves the functionality of KeyIdentity's Push Token. A dedicated Challenge Service is introduced. This service allows the separation of the external communication with the user's mobile and the sensitive data stored in LinOTP. The updated KeyIdentity Authenticator Apps for iOS and Android can now actively query existing challenges of the user. Thus makes transaction validation more reliable. The Challenge Service and comprehensive documentation are provided by the KeyIdentity GmbH and can be obtained from support@keyidentity.com.

Token Validity

Number of uses and the expiry date of tokens can be limited. Starting with LinOTP 2.10 these limits can be configured conveniently via WEB GUI (token management) - e.g. by the help desk personnel. This is useful, for example, to enroll temporary tokens for visitors. More information can be found here: Token Validity.

Download

LinOTP 2.10 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

The KeyIdentity LinOTP team

Changelog LinOTP 2.10

Token Changes:

Introduce new token: Voice Token

Enhance Push Token (incompatible with previous Push Token version)

Server Changes:

Adjust default transactionId length to 17

Implement explicit-deny for push token

Add token type specific enrollment limits

Support loading provider via configuartion in linotp.ini

Enable new policy engine by default

Moved tokens to new location in src tree

Support shorter lost token duration (days, hours, and minutes added)

Autoassign a token if a request arrives with only username (without password)

Document the otppin policy 3 (ignore_pin) in the policy UI

Removed IE compatibility mode from templates

Take the already stored mobile number of a token owner (available from UserIdResolver) if it exists, otherwise take the number stored in the token info

Autoassignment without password

OATH csv import with sha256 + sha512

Web UI Changes:

Add Auth Demo pages for challenge-response and push token

/auth/challenge-response

/auth/pushtoken

Add expiration dialog for tokens

Refactor dialog button icon generation

Performance improvement by removing mouseover effects on Manage-UI

Extract custom form validators into separate files

Removed IE compatibility mode from templates

Update favicon to follow company rename

Add UI in manage and Selfservice for "static password" token

Improved Selfservice login with MFA support

Bug Fixes:

Server: Fix evaluation of forward policy to match most specific user definition

Server: Fix password comparison of password token

Server: Adjust location of token makos for translation

Server: Fix typo in getUserFromRequest in case of basic auth

Server: Fix missing 'serial' for audit and policy check in selfservice.enroll

Server: Fix for loading active token modules

Server: On LDAP test connection always close dialog

Server: Fix encoding error that prevented Token View from being displayed in the web interface.

Server: Fix challenge validation to check only one request at a time. Prevent (positive) double authentication with the same transaction ID and OTP.
This used to happen when a user submitted the OTP for a transaction ID more than once within a very short timeframe

Server: Fix for missing LDAP uft-8 conversion

Server: Fix default hash algorithm. This was causing issues in the YubiKey import

Server: Fix wrong audit log entries where "failcounter exceeded" was incorrectly being replaced with "no token found"

Server: Fix QRToken to use the tan length defined at enrollment

Server: Fix password and lost token password comparison

Server: Fix to show deactivated policies in Manage UI again.

Server: Fix for better user/owner comparison

Server: Fix to show inactive policies

Server: Fix import of policies with empty realm

Server: Verify that only active policies are used

Server: Fix for policy export to export inactive too

Server: Fix for target realm handling on token import

Server: Fix select only active policies for admin policies

Server: Fix getResolverClassName

Web UI: Fix UI crash check if backend response is array in ldap testconnection

Selfservice: Fix QR token enrollment and activation

KeyIdentity LinOTP 2.9.1 released

On February 15th we released LinOTP 2.9.1 to the repositories.

LinOTP 2.9.1

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.9.1 introduces many improvements, small features, cleanups and bug fixes. The highlights are the implementation of the KeyIdentity Push Token, a new caching functionality to significantly speed up performance for UserIdResolvers and the switch to StartTLS by default to improve the connection security to LDAP UserIdResolvers.

The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter

Highlights

New Feature: KeyIdentity Push Token

LinOTP 2.9.1 is the first release to include support for the KeyIdentity Push Token to secure logins and transactions while providing a high level of usability on Android and iOS.
Based on the established cryptographic principles of the QRToken we improved the workflows of the authentication process while conserving a high level of security. It utilizes the native push mechanisms of Android and iOS for the highest level of compatibility based on the KeyIdentity Authenticator.

Please contact us for more information and about details on how to integrate the KeyIdentity Push Token in your setup.

New Feature: Caching for LDAP UserIdResolvers

The new caching feature is designed to improve the performance of LinOTP significantly in environments with a large number of users, complex realm setups and slow UserIdResolvers. Details about the configuration can be found at Caching-Feature.

New Feature: StartTLS by default

LinOTP 2.9.1 switches to StartTLS by default in order to secure the communication with LDAP UserIdResolvers in environments without a LDAPS infrastructure. Please have a look at StartTLS for details.

Download

LinOTP 2.9.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.9.1 via the integrated auto-update mechanism after February 20th 2017.

Note

With LinOTP 2.9.1 large parts of the LDAP UserIdResolver code was rewritten and the default for StartTLS have changed. Although LinOTP 2.9.1 has been tested thoroughly by KeyIdentity we recommend to setup LinOTP 2.9.1 in a staging environment before putting it into production.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at keyidentity@keyidentity.com.

The KeyIdentity LinOTP team

Changelog LinOTP 2.9.1

Enhancements

Server: New token type: KeyIdentity PushToken

Server: Add optional caching of resolver lookups

Server: Show welcome and update screens

WebUI: Add dialog for duplicating resolvers

WebUI: Better password handling in resolver dialogs

Reporting: Add paging and CSV output for reporting/show

API: Use semicolon as CSV column separator by default

UserIdResolver: Add StartTLS support

Bug Fixes

Server: Fix remote token

Server: Fix evaluating policies for non-existent realms

API: Don't localize monitoring json output

SMPPSMSProvider: Fix encoding issues for non-ascii characters

WebUI: Alert in realm dialog if no resolvers are selected

Hackathon 2FA

Wissenschaft und Praxis zeigen: Passwörter taugen nichts! Im Gegenteil, sie stellen eine der Hauptursachen für die erfolgreiche Kompromittierung von Benutzerkonten oder ganzen Systemen dar. Benutzer wählen oft schwache Passwörter, Cracker greifen komplette Benutzer-Datenbanken ab, die möglicherweise gar nicht oder ungeschickt verschlüsselte Passwörter enthalten, und Schadsoftware, die auch das beste Passwort mitschneidet, wird immer ausgefeilter. Auch Phishing, vor allem gezieltes „Spear-Phishing“, ist ein großes Problem in der Praxis.

Unsere Antwort bei der KeyIdentity GmbH ist LinOTP. LinOTP (https://linotp.org) ist eine leistungsfähige und flexible Open-Source-Lösung für Zwei-Faktor-Authentifizierung, mit der traditionelle Passwörter durch weitere Mechanismen ersetzt oder ergänzt werden können. Dazu gehören zum Beispiel Hardware-Tokens oder Authentifizierungslösungen auf der Basis von mobilen Apps. LinOTP bietet ein bequemes API zur Integration in existierende Applikationen.

Wir wissen: Authentifizierung muss sicherer werden. Aus diesem Grund veranstalten wir einen Hackathon, bei dem Ihr mit LinOTP die Sicherheit Eurer Applikationen erhöhen könnt. Vernetzt Euch mit anderen, und lasst uns gemeinsam unsere Applikationen sicherer machen und das Paradigma „Such Dir ein möglichst komplexes Passwort, das Du Dir nicht merken kannst, und schreib es nirgends auf“ brechen.

Wir laden am 3.12.2016 zu uns in die Räumlichkeiten der KeyIdentity GmbH in Weiterstadt ein, stellen Pizza und Getränke und helfen euch dabei, LinOTP über die API in Eure Software zu integrieren.

Lernt, wie einfach es ist, Eure Applikationen abzusichern, erhaltet freie Hilfe, vernetzt Euch untereinander und habt einfach einen tollen Tag! Zur besseren Planung bitten wir um eine Anmeldung via E-Mail unter: hackathon@keyidentity.com

LSE LinOTP 2.9 released

On August 15th we released LinOTP 2.9 to the repositories.

LinOTP 2.9

LSE Leading Security Experts GmbH is pleased to announce the availability of LinOTP 2.9.

LinOTP 2.9 is one of our biggest releases with over 500 commits. Introducing many improvements, small features, cleanups and fixed bugs. The highlights are the preparation for the offline authentication, utilizing our new QRToken, the new Reporting API and the extended SMS and E-Mail Provider configuration.

Highlights

New Feature: Offline Authentication

LinOTP 2.9 introduces the next generation of our QR-Code based soft token, which will be complemented by the releases of our LinOTP Authentication Providers for operating system Microsoft Windows and LinOTP mobile apps in the next weeks to allow for an integrated and secure Offline Authentication with high usability in addition to the traditional secure, transaction based authentication.

New Feature: Reporting API

To allow for integration into reporting environments and to simplify the accounting in multi-tenant environments LinOTP provides a new powerful reporting API to collect information like the number of current active tokens and the highest number of tokens over time for certain realms.

New Feature: Realm specific SMS Providers

LinOTP 2.9 supports the management of multiple SMS and e-mail providers. These providers allow to specify SMS or e-mail settings for different customers, realms or users in a diverse LinOTP environment.

Download

LinOTP 2.9 is available as Debian and RPM packages from linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.9 via the integrated auto-update mechanism after August 16th 2016.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.3 and assist upgrading your environment to the latest release at support@lsexperts.de.

The KeyIdentity LinOTP team

Changelog LinOTP 2.9

Enhancements

Server: Add support for offline authentication
Server: Add QRToken
Server: Add forwarding token
Server: Add reporting controller
Server: Add support for multiple SMS/e-mail providers
Server: Add support for long config values
Server: Add issuer label to OATH tokens
Server: Allow one-time simplepass tokens
Server: Allow multiple users with same username in one realm
Server: Support migration of resolvers for assigned tokens
Server: Add authorization policies for monitoring controller
Server: Allow named otppin policies ('token_pin', 'password' and 'only_otp')
Server: Add SSL/TLS abilities to SMTPSMSProvider
UserIDResolver: Add class registry and class aliases
WebUI: Slightly polished look and feel

Bug Fixes

WebUI: Hide 'Get OTP' button if getotp is deactivated in config
WebUI: Several bug fixes in different dialogs and elements
Server: Fix generating transactionids which failed in rare circumstances
Server: Handle timestamp rounding instead of truncating in MySQL 5.6
Server: Do not copy old PIN on lost simplepass token
Packaging: Remove debconf entry 'linotp/generate_enckey'
WebUI: Validate resolver configuration on resolver definition
WebUI: Alert in realm dialog if no resolvers are selected

LSE LinOTP 2.8.1.3 released

On July 30th we released LinOTP 2.8.1.3 to the repositories.

LinOTP 2.8.1.3

LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1.3, the latest patch release of its vendor independent solution for adaptive multi-factor and 2-factor authentication.

Download

LinOTP 2.8.1.3 is available as a Debian and RPM (Red Hat/CentOS) packages from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1.3 via the integrated update mechanism.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.3 and assist upgrading your environment to the latest release at support@lsexperts.de.

The LSE LinOTP team

--
LSE Leading Security Experts GmbH
https://www.lsexperts.de
Robert-Koch-Straße 9, 64331 Weiterstadt
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@lsexperts.de
Board of Directors: Nils Manegold, Oliver Michel, Arved Graf von Stackelberg, Sven Walther

Changelog:

LinOTP:

Server: Fix pin handling in email token

LSE LinOTP 2.8.1.2 released

On July 21th we released LinOTP 2.8.1.2 to the repositories.

LinOTP 2.8.1.2

LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1.2, the latest patch release of its vendor independent solution for adaptive multi-factor and 2-factor authentication.

Download

LinOTP 2.8.1.2 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1.2 via the integrated update mechanism.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.2 and assist upgrading your environment to the latest release at support@lsexperts.de

The LSE LinOTP team

Changelog:

LinOTP:

Enhancements:

Server: Add support for demo licenses

Bug Fixes:

Selfservice: Fix setting tokenlabels

Server: Set the first created realm as default realm

Server: Fix admin/show using a serial number and an active admin policy containing a wildcard

Server: Fix import of policies missing scope or action

Server: Fix license import using IE

Server: Fix license decline under certain conditions (available since 2.8.1.1)

LSE LinOTP 2.8.1 released

On Apr 5th we released LinOTP 2.8.1 to the repositories.

LinOTP 2.8.1

LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1, the latest version of its vendor independent solution for adaptive multi-factor and 2-factor authentication and OTP processes (OTP: one time passwords). LSE is now offering its latest LinOTP version in Spanish, French, Italian, and simplified Chinese in addition to the previously available English and German. In addition to the expanded available languages, LinOTP 2.8.1 has new features for monitoring and improved capabilities for server migration and complex setups. The improved user filters and support for HSM (hardware security module) migrations are also new. With the additional languages, LSE has consistently continued to internationalise the LinOTP product line. The larger selection of available languages applies to both the self-service user portal as well as the management interfaces.

Highlights:

New Feature: Additional Languages

LSE has consistently continued to internationalise the LinOTP product line. The larger selection of available languages applies to both the self-service user portal as well as the management interfaces.

New Feature: Monitoring

LSE is introducing a new API for monitoring internal LinOTP processes with LinOTP 2.8.1. This provides, for example, information on the statistics and the status of the tokens, the status of the HSM (hardware security module) encoding, and the status of the UserIDResolver with configurable permissions.

New Feature: Improved User Filters

Today's enterprise environments require a differentiated approach to user policy management. LinOTP 2.8.1 adds options for managing the configurations and policies based on user groups, user attributes, and regular expressions. This considerably simplifies detailed and complex permission scenarios in the setup.

New Feature: SMPPSMSProvider

LinOTP now supports SMPP protocol for submitting text messages to Short Message Service centers (SMSC).

New Feature: Improved Features for Server Migration and Complex Setups

Previous features for routing registration data to other authentication servers have been improved with options for generic routing. This means migration scenarios and complex setups with multiple LinOTP instances are easier to model and administer.

In addition to these features, LinOTP 2.8.1 includes many further improvements and bug fixes in order to improve the user experience.

Download

LinOTP 2.8.1 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1 via the integrated update mechanism.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1 and assist upgrading your environment to the latest release at support@lsexperts.de

The LSE LinOTP team

Changelog:

LinOTP:

Enhancements:

Server: Add monitoring controller

Server: Add support for encryption migration (HSM)

Server: Add 'forward to server' policy

Server: Extended user filter in policies

Server: Reduce number of userid authentication calls

Server: Enable less services in default configuration

WebUI: Update jQuery, jQuery UI and jed

Bug fixes:

Selfservice: Fix access to userservice with UTF-8 characters

WebUI: IE11: Deliver requested language

WebUI: Support for IE11 logout and cookie deletion

UserIdResolver:

SQL: Add support for ASP.NET hashes

SMSProvider:

Add support for SMPP SMS Provider

libpam-linotp:

Enhancements:

Major code rewrite

Add support for custom CA certificates

Improve compatibility with multiple Linux distributions, freeBSD and OS X

LSE LinOTP 2.8 released

On Nov 27th we released LinOTP 2.8 to the repositories.

LinOTP 2.8

LSE Leading Security Experts GmbH is pleased to announce the availability of the following product release:

LinOTP 2.8 contains full support for the FIDO U2F standard, along with additional new features, usability improvements and bug fixes.

The list below provides details of the most important changes. The complete changelog is provided at the end of this article.

Highlights:

New feature: FIDO U2F support

LinOTP 2.8 now fully supports the FIDO alliance U2F protocol. It is now possible to use user friendly U2F tokens provided by various manufacturers in order to implement the second authentication factor. By using public key techniques, It is now possible to use just one token to access multiple authentication systems. In addition, it is possible to implement Bring Your Own Token (BYOT) scenarios.

New feature: User enrollment of FIDO U2F, email and SMS tokens via the self service portal

In order to simplify the rollout process, it is now possible to allow users to use the self service portal to enroll new token types (FIDO U2F, email and SMS) in addition to those previously available. As with other token types, access to these new types is under the control of the LinOTP administrator via the policy system.

New feature: Temporary email and SMS token

If a token is lost or stolen, it is now possible to define a temporary email or SMS token instead of a temporary password.

New feature: More than one challenge response token per user with identical token PIN

The API in LinOTP 2.8 supports generation of more than one challenge for various tokens and token types. This now makes it possible to use different challenge response tokens with the same token PIN. It is also possible to use different challenge response token types with identical token PINs.

Improvements and bug fixes

In addition to these features, LinOTP 2.8 includes many further improvements and bug fixes in order to improve the user experience.

Download

LinOTP 2.8 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8 via the integrated update mechanism.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8 and assist upgrading your environment to the latest release at support@lsexperts.de

The LSE LinOTP team

Changelog:

LinOTP:

Enhancements:

Server: Add FIDO U2F support

Selfservice: Enroll FIDO U2F, e-mail and SMS tokens

Server: Losttoken: Support enrollment of e-mail and SMS tokens

Server: Trigger challenges for multiple challenge-response tokens with one request

Server: Support autoassignment policy without action value

Bug fixes:

Selfservice: Fix getSerialByOtp functionality for yubikey tokens

Server: Fix importing yubikey tokens without prefix

Server: Fix autoassignment with remote token pointing at yubikey token

Server: Fix autoassignment using tokens with different OTP lengths

Server: Prevent counter increments of inactive tokens

Server: Don't return counter parameter on TOTP enrollment

Selfservice: Fix occasional login problems using non-ASCII characters

Server: Fix occasional problems sorting userlist with unicode characters

Server: Fix usage of otppin policy for remotetoken with local pincheck

Server: Don't return error messages on unconfigured autoenrollment

Server: Always set OTP length in remote token enrollment

Server: Don't return error messages for policy otppin=1 and unassigned tokens

Server: Reply to OCRA2 challenge providing only transactionid and OTP

WebUI: Don't show dialog asking for realm creation if no useridresolver is configured

WebUI: Fix WebUI for recent Internet Explorer versions

WebUI: Clear key and PIN input fields after token enrollment

Tools: linotp-create-pwidresolver-user: Fix duplicate and ignored command-line arguments

Tools: Correctly package linotp-enroll-smstoken tool

Tools: Use Digest instead of Basic Authentication in linotp-enroll-smstoken

Tools: Display an error message in linotp-enroll-smstoken when dependencies are missing

Tools: Fix linotp-sql-janitor crash when executed without --export option

Server: Fix for wildcard search with available unassigned tokens

Server: Fix LinOTP on pylons 0.9.7

Packaging: Remove nose dependency from linotp install process

UserIdResolver:

Add support for Unicode passwords in PasswdIdResolver

Add LDAP proxy support

Support for LDAP cursoring during fetch of userlist

Add support for odbc_connect in SQLIdResolver

SMSProvider:

Encode spaces in request params as '%20', not as '+'

Fix GET requests using the requests library

Add ability to convert the phone number to MSISDN format

LSE LinOTP Hotfix / Security Advisory

LSE Leading Security Experts GmbH recommend the application of the hotfix described below in oder to ensure secure operation with LinOTP. It is only necessary to carry out these steps on those installations which do not use automatic update mechanisms (see below under "LSE LinOTP Smart Virtual Appliance"). Users of automatic update mechansims are not affected, as LinOTP will already have been updated.

The hotfix closes a critical issue and prevents potential misuse.

This issue can potentially allow an unauthorised user to submit input containing unwanted characters, that is written to LinOTP's logs and database. At a later date under certian conditions, it is possible that these could be executed under admin context. It is possible that malicious code could be exected as a result. This is due to unescaped output being passed to a widget used by LinOTP.

A security advisory has been released for our product LinOTP containing further details. We would especially like to thank Tomas Rzepka for his valued input and assistance.

As far as we are aware, there have not been any cases of this issue being exploited.

We have provided the hotfix to our customer in various formats and versions. The fixed packages do not contain any changes apart from the hotfix itself. We recommend applying this update as soon as possible.

Please use the instructions provided below to install the hotfix.

In future versions of LinOTP (2.8 and above), we will make changes to reduce the potential risk of similar issues through use of the API.

Hotfix installation

The following updated LinOTP versions are available:

2.6.1.1 --> 2.6.1.2
2.7.0.2 --> 2.7.0.3
2.7.1.2 --> 2.7.1.3
2.7.2.1 --> 2.7.2.2

Systems prior to LinOTP 2.6 or which do not use packages should refer to the installation instructions. In this case the fix should be applied by manually copying a fixed version of the file in question.

LSE LinOTP Smart Virtual Appliance

Customers who use the LinOTP SVA with automatic updates enabled will automatically obtain the new package when updates are applied according to their system configuration.

It is possible to start the update process from the command line by executing the command "appliance-update.sh".

Please note: appliance-update.sh will download and apply all pending operating system updates. If your system has not been updated for some time, this may result in a lengthy download and installation process.

LSE LinOTP 2.7.2 released

On May 11th we released LinOTP 2.7.2 to the repositories.

LSE LinOTP 2.7.2

LSE Leading Security Experts GmbH is announcing the availability of the new release of LSE LinOTP (2.7.2)

You will find the complete Changelogs and the most important changes in LinOTP 2.7.1 at the end of this newsletter. We hereby want to mention some highlights in 2.7.2.

LinOTP 2.7.2

LinOTP 2.7.2 includes some interesting new features as well as improvements in usability and bug fixes. This is only a selection, please refer to the full Changelog below.

New feature: Autoenrollment

Users without a token assigned, can trigger the creation and assignment of a new SMS or email token by providing correct credentials during login using username and password. This feature can be configured in a new policy (e.g. for certain users only) and relieves the administrator from enrolling and assigning these tokens manually.

For more information please refer to the Autoenrollment Howto
New feature: New Self Service API

The new Userservice API allows for the implementation of independently hosted self service portals and easier integration of self service tasks in existing customer portals.
New feature: mass enrollment of SMS token from the CLI
New packages: Ubuntu 14.04 "Trusty Tahr".
Improved input validation for SQL and LDAP resolver, and E-mail and SMS provider definitions.

Download

LinOTP 2.7.2 is available in our repositories on linotp.org and for customers running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated upgrade mechanisms.

We are happy to answer your questions about this release: sales@lsexperts.de.

Changelogs:

LinOTP 2.7.2

Enhancements:

Server: Autoenrollment - enroll an email or SMS token if user has no token and authentication with password was correct.
Server: Support 'now()' in LDAP search expressions
Selfservice: Split Selfservice into userservice controller and selfservice renderer to support remote selfservice interface
WebUI: SQL and LDAP resolver mapping validation (needs to be valid JSON)
WebUI: email and SMS provider definition validation (needs to be valid JSON)
Packaging: Support for Ubuntu 14.04 (with Apache 2.4)
Packaging/Server: Support for Pylons 1.0.1
Packaging: Internal package refactorization to unify structure and version number handling
Packaging: Apache linotp2 VirtualHost will no longer be overwritten during Debian package upgrade. VirtualHost example files are copied to the same location where the LinOTP package is installed and only afterwards it is moved to /etc/apache2 (if it does not exist already)
Packaging: Cleaned up and hardened Apache linotp2 VirtualHost files
Tools: Improved linotp-create-pwidresolver-user and linotp-create-sqliddresolver-user to to generates more secure passwords
Tools: Added tool to mass enroll SMS token

Bug fixes:

Server: Fixed support of old licenses, where the expiry is in the date entry
Server: Fixed error during token unassign (because of setPin call)
Server: Fixed searching for a user in multiple realms
Server: Fixed exact search for user in tokenlist
Server: Fixed sorting of userlist with unicode
Selfservice: Fixed selfservice history browsing

LSE Smart Virtual Appliance 1.2 and LinOTP 2.7.1 released

On January 15th we released LinOTP 2.7.1 to the repositories.

LSE Smart Virtual Appliance 1.2 and LinOTP 2.7.1

LSE Leading Security Experts GmbH is proud to announce the general availability (GA) of the following new product releases:
(1) LSE LinOTP Smart Virtual Appliance 1.2
(2) LSE LinOTP 2.7.1.

We are happy to provide LinOTP 2.7 from now also to our customers running LSE LinOTP Smart Virtual Appliances.

You will find the entire changelogs below. Here we want to mention some highlights:

LinOTP 2.7.1

LinOTP received many improvements in usability and the work flow. This is only a selection of improvements, please also refer to the full Changelog below.

LinOTP 2.7.1 now fully supports the handling of LSE LinOTP support and subscription licenses.
The PIN dialog was integrated with the enrollment dialog and is conditional according to your policies (e.g. random pin).
Saving the Token Config is now also possible with only one part changed.
The mechanisms to translate LinOTP were improved and extended, especially in the LinOTP Selfservice.
The information boxes now stack to prevent an important message from being overwritten.
The overall design was improved and made more consistent.
New and improved softtoken like FreeOTP are better integrated and the WebUI and LinOTP Selfservice were improved to better support the features offered by OATH soft tokens beyond the Google Authenticator.
The native handling of Yubikeys was improved by supporting resync and uppercase OTPs.
The Active Directory UserIDResolver was improved to use objectGUID as the default UIDType.
Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate) to improve security or management in complex HA setups.
The audit data can now be written to a log file before it is rotated.

Highlights for customers upgrading from LinOTP EE 2.6.1.1:

Improved Oracle database support,
memory usage optimization,
improved database handling for the audit log,
extended CLI toolset.

Preview

We are already working on the next releases and want to give a small peak on what is coming.

Remote Self Service
SMS/E-Mail Token Auto-Enrollment

LSE LinOTP Smart Virtual Appliance 1.2

The LSE Smart Virtual Appliance (SVA) received big improvements in the installation process, usability and the backend.

The Configuration Management was improved to make changes more visible and improve the usability. There is now a clear indication of changes needed to be saved and activated. An info bar appears and the 'Configuration Management' Tab is highlighted until the changes are saved and activated.

The WebUI of the LSE LinOTP SVA is now fully translatable and available in German. The language will be chosen based on you browsers language.

The installation wizard saw substantial improvements. More settings are preset from the installed system and more of the input is checked for errors. The activation step of the wizard was completely rewritten and is now faster and more robust.

There are many improvements in the WebUI which stem from customer input to improve the workflow of administration and management of the SVA.

LinOTP 2.7.1 is available in our repositories on linotp.org and for customers running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated upgrade mechanisms.
If you have any question regarding the new releases, we are happy to answer and support your inquiries.

Changelogs:

LinOTP 2.7.1

Enhancements:

Server: Added check for optional support and subscription license
WebUI: Show warnings when the support and subscription has expired or number of supported tokens has been exceeded
WebUI: Editing the token config in the WebUI will only save what has been edited
WebUI: PIN setting is now part of the 'enroll' dialog instead of being in a separate dialog
WebUI: Don't allow setting the token PIN in the token enrollment dialog when the 'random_pin' policy is set
WebUI/Server: Added translation of selfservice and policy messages
WebUI: Enabled JavaScript localization (jed based) for 'manage' and 'selfservice' UI
Server: Added Yubikey token support for uppercase OTP values
Server: Added support for Yubikey token resync
WebUI: Info and error boxes in the 'manage' UI now stack instead of overlaying (hiding the older ones). When displaying more than one box a 'Close all' link is shown
WebUI: Improve CSS styling for info and error boxes in 'manage' UI
WebUI: Adapted the 'selfservice' and 'auth' interfaces to the 'manage' UI style
WebUI: Improved display of currently selected user and token
WebUI: Restricted the selection to a single user
Server: Added system/getPolicy support for 'user' as filter criteria
Server: Added system/getPolicy support for 'action' as filter criteria
WebUI: Preset LDAPUserIdResolver AD with objectGUID instead of DN
WebUI: Rework the selfservice Google web provisioning to refer to FreeOTP and other softokens as well
Server: Include OTP length and hash algorithm used in the 'otpauth' URL generated when enrolling HOTP or TOTP tokens
WebUI: Display the generated seed in the enrollment tabs in a copyable form
WebUI: Extended the eToken DAT import to display start date support with hh:mm:ss
Server: Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate)
WebUI: Added 'clear' button to policy form
WebUI: Made policies 'active' by default
Server: Initialize repoze.who with a random secret during server start up or restart (old 'selfservice' sessions become invalidated)
Server/Tools: Added the ability to dump the audit data before deletion
Packaging: Removed obsolete SQLAlchemy <0.8.0b2 restriction
Server: Random generation: switched to more secure randrange and choice methods
WebUI: Updated jQuery to v1.11.1 and all plugins and JS libraries (Superfish, jQuery Cookie, jQuery Validation, ...) to their latest version
WebUI: Simplified selfservice tokenlist handling
WebUI: Added warning to auth forms when Javascript is disabled in the browser
WebUI: Improved auth form handling of JS errors
Server: Removed deprecated /auth/requestsms form because SMS can be requested using the regular /auth/index form (by doing challenge-response)

Bug Fixes:

Packaging: Fixed ask_createdb debconf question that kept being asked on upgrade of the Debian packages
WebUI: Cleaned up selfservice mOTP Token enrollment
WebUI: Some fixes for localization and wrong validation of seed input field
Server: Fixed the search for ee-resolver tokens and user
Server: Raise exception for empty 'user' in 'system' or 'admin' policy
Server: Load the HSM before the LinOTP config, so that the config can hold decrypted values
Server: Fixed help_url to always use linotp.org site with version
Server: Added support for migrating old linotpee resolvers entries
Server: Fixed reinitialization of Yubikey token
Server: Yubikey checkOtp should not raise exception if the OTP is too short
Server: Fixed bug in Yubikey CSV import
Server: Fixed padding and unpadding code for PKCS11 module
Server: Fixed padding and unpadding code for YubiHSM module
Server: Added LinOTP config options 'pkcs11.accept_invalid_padding' and 'yubihsm.accept_invalid_padding'
Server: Fixed token import to support ocra2 token
WebUI: Fixed small display error when deleting or modifying multiple tokens in the 'manage' UI
WebUI: Fixed selfservice enroll of mOTP token
Server: Fixed token serial not appearing in the audit log in some cases

LSE Smart Virtual Appliance 1.2

Added German translation of the WebUI. The language will be chosen based on you browser settings.
Improved 'Config changed' notification when the administrator makes changes in the WebUI
- An info bar appears once at the top of the site
- The 'Configuration Management' Tab is highlighted in orange until the changes are saved
LinOTP support and subscription licenses can be added and updated in the Appliance WebUI. When installing via the Wizard you are required to upload a license file.
The signature of the LinOTP license file is verified
When running the wizard the network settings are preset with the 'current settings' (e.g. as set by DHCP)
Added title bar to WebUI, containing links for 'About', 'Help' and 'Logout'
Browser session cookies become invalid when Apache2 is restarted (i.e. you have to login again)
If the Appliance is unconfigured redirect directly to the Wizard
Removed direct link to the Wizard in the dashboard, can explicitly be called by going to /wizard
better arrangement of the Tabs in the WebUI
version infromation is displayed in the login screen
More information such as version of lseappliance and linotp packages as well as serial number and number of licensed tokens is displayed in the dashboard
Compatibility improvements for current Versions of Chrome (Chromium), Firefox and IE10+
In the Wizard you can skip the RADIUS client configuration if you do plan to only use the WebAPI
Upgraded jQuery to version 1.11.1, jQuery UI to version 1.11.0 and other jQuery Plugins to their newest version
Made HTML forms more fault tolerant (e.g. DNS server list verifies correct separators, netmask is verified, whitespace is stripped, verify RADIUS secret with second field ...)
Fixed setup_appliance.py so it generates functional initial settings
Fixed the Wizard finalization by better synchronizing the steps. This tries to prevent the Appliance being left in a semi-configured state
Fixed dhclient still running even after setting static IP settings
Fixed security critical information written to log files
Use POST requests throughout the application to prevent Apache logging critical information
Fixed log file ownership/permissions
Changes in other settings no longer re-generate the freeradius settings
Force the unconfigured Appliance to always generate a new MySQL password to prevent a semi-configured state.
Added dependency for freeradius-ldap
Updated dependency for LinOTP to >= 2.7.1 since older version don't implement the new licensing mechanism
Make sure the squeeze-lts repository is included in sources.list, otherwise include it
In Wizard: Allow moving between already filled out tabs, even if last tab fails to validate
Fixed restoration of saved Appliance configurations
Increased cookie timeout

LinOTP 2.7.0.2 released

On August 8th we released LinOTP 2.7.0.2 to the repositories on linotp.org, launchpad and PyPI.

This is a patch release with improvments in handling Oracle databases and a memory leak in the audit exports for very large audit databases.

LinOTP by LSE is now available with all features as Open Source

Press Release

Benowa, Queensland, Australia/ Weiterstadt, Germany 2014-05-21

LSE LinOTP - a vendor-independent product for two-factor authentication and one-time password methods (OTP) - will be made available by LSE, Leading Security Experts GmbH, as an open source solution with all current features included.

At the annual AusCERT Information Security Conference in Australia, and in conjunction with a Red Hat tutorial about the internal deployment of LSE LinOTP Enterprise Edition, LSE Leading Security Experts GmbH (LSE) [http://www.lsexperts.de], a member of the MAX21 Group (MAX21 Management- und Beteiligungen AG) [MA1, http://www.max21.de], will announce the expansion of its open source strategy.

The currently-separate community edition [http://www.linotp.org] and commercially-marketed enterprise edition [http://www.lsexperts.de] will be merged. LSE will provide LinOTP free of charge as an open source software solution licensed under the AGPLv3 and GPLv2. The complete feature set will be available for download when LinOTP 2.7 is released in the second half of May 2014.

Quoting Sven Walther, CEO and CTO of LSE Leading Security Experts GmbH, "With this step we open the source of a professionally-maintained and scalable product for enterprise-grade sign-in security. Through such licensing and marketing, we expect LinOTP to advance the distribution to the most frequently installed sign-in security solution for two-factor authentication and OTP methods worldwide. We see a global demand for LinOTP. The solution is highly flexible and scalable. LinOTP appeals to a wide range of users and is suited for nearly every enterprise - be it TAN generation for online banking, high-availability deployment in enterprise environments with many dependent users, or secure one-time password sign-in at smaller companies, to name just a few popular use cases."

LSE Leading Security Experts GmbH will complement the LinOTP software solution with matching LinOTP support and subscription services as well as professional service offerings. These will include extended levels of quality assurance for updates and patches, the availability of LSE LinOTP Smart Virtual Appliance as a fully-integrated turn-key solution, prioritized hotfixes by our development team, and advisory services on top of the usual standard support and consulting services.

With this recent open source offering, customers now have the option to pick the solution that best suits their usage scenario. This encompasses both deployments that are fully-featured yet completely free-of-charge, as well as business-critical deployments with all their requirements on support and quality-assurance processes, including a firm commitment by LSE to the continuous development of its solution. To enable this, LSE will further expand its technical and human resources in this area.

About LSE Leading Security Experts GmbH

LSE Leading Security Experts GmbH is the leading vendor of secure connection technologies centered around vendor independent logon security and identity management and specialises in information and IT security for companies. To LSE’s core competences, the development of security products, count in addition to others the provision of consulting-services concerning logon security, vulnerability analysis & penetration tests, encryption technology, storage and virtualization security also IT-Risk-Management.

LSE belongs to the MAX21 Group.

For further information please refer to: http://www.lsexperts.de

Press Contact:

LSE Leading Security Experts GmbH
Sven Walther
Postfach 10 01 21
64201 Darmstadt
Germany
Telefon: +49 6151 86086-0
Fax: +49 6151 86086-299
E-Mail: presse@lsexperts.de
Web: http://www.lsexperts.de

Red Hat is the trademark of Red Hat, Inc., registered in the U.S. and other countries.