Hi,
we will deploy a new IdP update Thursday 15 January at 14:00. The changes since the previous update in November are:
- Add a new encrypted Google Authenticator twofactor method. This allows the Google Authenticator secret to be stored encrypted in the user directory. (The old "gatest" method will still work, but will be removed in the future.)
- Ensure that the userPassword attribute (which may contain the hashed password of the user) never shows up on https://innsyn.feide.no/.
- Log a _very_ truncated hash of the password, to make it easier to tell if a bunch of failed logins are an attempt at brute forcing the password or if it is a browser failure. The logged hash isn't enough to determine the password (too many passwords will share the same value), but it allows us to see if more than one password was attempted.
- Include more information about the original cause of the error in the case of authentication errors, e.g. the LDAP error we got when authenticating with the system user.
- Various small twofactor cleanups & fixes:
  - Fix translation for twofactor SMS web pages.
  - Fix autofocus on twofactor input fields.
  - Some more debug logging and statistics wrt. twofactor use.
  - Consistently redirect on the twofactor pages, to make sure the language selectors are always present.
  - Simplify code to make API calls to twofactor SMS providers.
  - Some code cleanup of the twofactor code.
Best regards,
Olav Morken
UNINETT / Feide
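A defender-side sketch of the truncated-hash idea from the announcement above, as an added example that is not Feide/UNINETT code: it derives a short token from an attempted password and then reads failed-login lines to tell "one password retried" from "several passwords tried". The keyed HMAC, the 8-bit truncation, the LOG_SECRET value and the log line format are assumptions; the announcement does not say how the IdP computes or logs its hash.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Assumption (the announcement does not say how the IdP derives its hash):
# key the hash with a per-deployment secret so the logged value cannot be
# precomputed from a password list, then keep only HASH_BITS bits so that
# many passwords share each value and a log line reveals almost nothing.
LOG_SECRET = b"constructed-per-deployment-secret"
HASH_BITS = 8  # 256 buckets; each failed-login line leaks at most 8 bits

def truncated_password_hash(password: str) -> str:
    """Return a short hex token that is equal for equal passwords, nothing more."""
    digest = hmac.new(LOG_SECRET, password.encode("utf-8"), hashlib.sha256).digest()
    value = int.from_bytes(digest, "big") >> (len(digest) * 8 - HASH_BITS)
    return f"{value:0{HASH_BITS // 4}x}"

# Constructed log format; the real IdP's line layout is not shown in the announcement.
FAIL_LINE = re.compile(r"user=(?P<user>\S+) result=FAIL pwhash=(?P<pwhash>[0-9a-f]+)")

def classify_failures(log_lines, min_failures=3):
    """Group failed logins per user and report whether the attempts carried one
    truncated hash (typical of a client retrying a stale password) or several
    (consistent with guessing). Users below min_failures are skipped."""
    hashes_by_user = defaultdict(list)
    for line in log_lines:
        m = FAIL_LINE.search(line)
        if m:
            hashes_by_user[m.group("user")].append(m.group("pwhash"))
    verdicts = {}
    for user, hashes in hashes_by_user.items():
        if len(hashes) < min_failures:
            continue
        distinct = len(set(hashes))
        verdicts[user] = "multiple-passwords-tried" if distinct > 1 else "same-password-repeated"
    return verdicts

# Constructed sample log: alice's client retries one stale password,
# bob's failures carry a different truncated hash each time.
SAMPLE_LOG = [
    "2015-01-15T14:05:01 auth user=alice result=FAIL pwhash=3c",
    "2015-01-15T14:05:02 auth user=alice result=FAIL pwhash=3c",
    "2015-01-15T14:05:03 auth user=alice result=FAIL pwhash=3c",
    "2015-01-15T14:05:04 auth user=bob result=FAIL pwhash=3c",
    "2015-01-15T14:05:05 auth user=bob result=FAIL pwhash=a1",
    "2015-01-15T14:05:06 auth user=bob result=FAIL pwhash=f7",
    "2015-01-15T14:05:07 auth user=carol result=FAIL pwhash=09",
]

if __name__ == "__main__":
    print(classify_failures(SAMPLE_LOG))
    print("token for one attempt:", truncated_password_hash("hunter2"))
```

Because two different passwords can share a token, a single distinct value never proves only one password was tried; more than one distinct value does prove more than one password was tried.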
On Thu, Jan 08, 2015 at 10:17:45 +0100, Olav Morken wrote:
Hi,
we will deploy a new IdP update Thursday 15 January at 14:00. The changes since the previous update in November are:
- Add a new encrypted Google Authenticator twofactor method. This allows the Google Authenticator secret to be stored encrypted in the user directory. (The old "gatest" method will still work, but will be removed in the future.)
- Ensure that the userPassword attribute (which may contain the hashed password of the user) never shows up on https://innsyn.feide.no/.
- Log a _very_ truncated hash of the password, to make it easier to tell if a bunch of failed logins are an attempt at brute forcing the password or if it is a browser failure. The logged hash isn't enough to determine the password (too many passwords will share the same value), but it allows us to see if more than one password was attempted.
- Include more information about the original cause of the error in the case of authentication errors, e.g. the LDAP error we got when authenticating with the system user.
- Various small twofactor cleanups & fixes:
  - Fix translation for twofactor SMS web pages.
  - Fix autofocus on twofactor input fields.
  - Some more debug logging and statistics wrt. twofactor use.
  - Consistently redirect on the twofactor pages, to make sure the language selectors are always present.
  - Simplify code to make API calls to twofactor SMS providers.
  - Some code cleanup of the twofactor code.
Hi,
this update was put into production at 14:00 today.
Best regards,
Olav Morken
UNINETT / Feide