Unable to login with userpass method and totp when SHA256 algorithm is used for totp. #17389
Comments
I can confirm that until I changed the TOTP hashing algorithm to SHA1, logins were denied with
(vault Version 1.11.3, both server and client)
I'm also running into this using the OIDC auth method.
Me too, facing the same issue. Would be good to get it fixed.
After investigating, we were only able to reproduce by allowing the TOTP passcode to expire. Is it possible that your TOTP passcode has expired in the scenarios you're testing? I would recommend using the passcode within the configured 30s to eliminate that source of error. If everything works as expected, great! If not, we may need to dig a bit deeper. You can follow the docs to If any of these steps don't work, please report back and we'll look into any potential bugs. I'm not certain why this is SHA1, but not SHA256/512, unless you're using a third-party TOTP provider. If so, maybe the configuration is incompatible with Vault as it stands. If that's the case, we can work with you to find a correct configuration and identify any potential bugs.
I was using 2 different TOTP providers: Google Authenticator and the https://authenticator.cc/ extension for the Google Chrome browser. Both were generating correct codes, but the codes were not accepted by Vault login if SHA256/512 was used. After more digging I found that Google Authenticator most probably supports SHA1 only. So it looks like it's more of a Google Authenticator issue than a Vault one. I was able to set up https://authenticator.cc/ to work with SHA256 and was able to log in to Vault. So I guess this issue is not relevant any more.
Thanks for reporting on that! Going to close this ticket. Please feel free to open a new one in case any further issues are seen.
I can confirm that the authenticator apps I was using were the problem too. I had tried Microsoft Authenticator, Authy, and Google Authenticator, all on Android. Perhaps worth noting though that I was following the tutorial here, which states Google Authenticator supports SHA256 (which does appear to be true of the iOS version the tutorial says it's using further up the page, but notably not the Android version).
Describe the bug
Unable to log in via the Vault web UI or the Vault CLI using the userpass authentication method and a TOTP which uses the SHA256 algorithm.
/v1/sys/mfa/validate endpoint returns 403 error.
To Reproduce
Steps to reproduce the behavior:
Period: 30, Key size: 20, QR size: 200, Algorithm: SHA256, Digits: 6, Skew: 0, Max validation attempts: 5
/v1/sys/mfa/validate endpoint.
Expected behavior
It should log the user in to Vault no matter which TOTP algorithm is used.
Environment:
Vault CLI Version:
Vault v1.11.4 (b47a9e72942719f217f7750df18be36ec21dfc0e), built 2022-09-23T06:01:14Z
Server Operating System/Architecture:
Debian 10
Vault server configuration file(s):
Additional context
Login does not work only when the SHA256 or SHA512 TOTP algorithms are used. If the SHA1 algorithm is used for the TOTP setup, the user is able to log in to Vault either via the web UI or the Vault CLI, no matter which version of the CLI is used.
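An added example (not code from this issue, from Vault, or from any of the authenticator apps named above) that shows why the reported symptom follows from an app that silently uses SHA1: a minimal RFC 6238 generator and verifier parameterised by algorithm, digits, period and skew, plus a parser for the otpauth:// URI that the enrolment QR carries. The seeds are the RFC 6238 Appendix B test vectors; the `Vault:alice` label and the `honour_algorithm` switch (modelling an app that ignores the `algorithm=` parameter) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}
# RFC 6238 Appendix B seeds (constructed test input, not a real Vault secret).
SEED_SHA1 = b"12345678901234567890"
SEED_SHA256 = b"12345678901234567890123456789012"

def hotp(secret: bytes, counter: int, algorithm: str = "sha1", digits: int = 6) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, algorithm: str = "sha1", digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(at) // period, algorithm, digits)

def verify(code: str, secret: bytes, at: float, algorithm: str = "sha1", digits: int = 6,
           period: int = 30, skew: int = 0) -> bool:
    """Server-side check: accept only codes for time steps within +/- skew of the current one."""
    step = int(at) // period
    return any(hmac.compare_digest(code, hotp(secret, step + d, algorithm, digits))
               for d in range(-skew, skew + 1))

def code_from_uri(uri: str, at: float, honour_algorithm: bool = True) -> str:
    """What an authenticator app computes from the otpauth:// URI in the enrolment QR.
    honour_algorithm=False models an app that ignores 'algorithm=' and always uses SHA1 (assumption)."""
    params = parse_qs(urlparse(uri).query)
    raw = params["secret"][0]
    secret = base64.b32decode(raw + "=" * (-len(raw) % 8), casefold=True)
    algorithm = params.get("algorithm", ["SHA1"])[0].lower() if honour_algorithm else "sha1"
    return totp(secret, at, algorithm, int(params.get("digits", ["6"])[0]),
                int(params.get("period", ["30"])[0]))

if __name__ == "__main__":
    # Hypothetical enrolment with the issue's settings: 20-byte key, SHA256, 6 digits, period 30, skew 0.
    uri = ("otpauth://totp/Vault:alice?secret=" + base64.b32encode(SEED_SHA1).decode().rstrip("=")
           + "&algorithm=SHA256&digits=6&period=30")
    now = time.time()
    good, bad = code_from_uri(uri, now), code_from_uri(uri, now, honour_algorithm=False)
    print("app honours SHA256:", good, "accepted:", verify(good, SEED_SHA1, now, "sha256"))
    print("app falls back to SHA1:", bad, "accepted:", verify(bad, SEED_SHA1, now, "sha256"))
```

With skew 0 a code from the previous 30s step is rejected as well, which is the passcode-expiry case the maintainer describes.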