
Unable to login with userpass method and totp when SHA256 algorithm is used for totp. #17389

Closed
KarlKatz opened this issue Oct 3, 2022 · 7 comments
Labels
auth/mfa bug Used to indicate a potential bug secret/totp

Comments

@KarlKatz

KarlKatz commented Oct 3, 2022

Describe the bug
Unable to log in via the Vault web UI or the Vault CLI using the userpass authentication method and a TOTP that uses the SHA256 algorithm. The /v1/sys/mfa/validate endpoint returns a 403 error.

To Reproduce
Steps to reproduce the behavior:

  1. Set up TOTP MFA with the following parameters: Period: 30, Key size: 20, QR size: 200, Algorithm: SHA256, Digits: 6, Skew: 0, Max validation attempts: 5
  2. Set up a TOTP enforcement where an entity is used as the target.
  3. Set up the TOTP secret for the entity.
  4. Log in with the userpass method via the web UI or the Vault CLI.
  5. You should get a 403 HTTP error from the /v1/sys/mfa/validate endpoint.

Expected behavior
It should log the user in to Vault no matter which TOTP algorithm is used.

Environment:

  • Vault Server Version:
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.11.4
Build Date              2022-09-23T06:01:14Z
Storage Type            raft
HA Enabled              true
HA Cluster              https://127.0.0.1:8201
HA Mode                 active
Active Since            2022-10-03T14:10:03.969200818Z
Raft Committed Index    35779
Raft Applied Index      35779
  • Vault CLI Version:
    Vault v1.11.4 (b47a9e72942719f217f7750df18be36ec21dfc0e), built 2022-09-23T06:01:14Z

  • Server Operating System/Architecture:
    Debian 10

  • Vault server configuration file(s):

ui = true

disable_mlock = true

storage "raft" {
  path = "/opt/vault_raft_storage/"
  node_id = "...vault-01"
}

cluster_addr = "http://127.0.0.1:8201"

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}

api_addr = "https://vault...com"

Additional context
Login does not work only when the SHA256 or SHA512 TOTP algorithms are used. If the SHA1 algorithm is used for the TOTP setup, the user is able to log in to Vault either via the web UI or the Vault CLI, no matter which version of the CLI is used.

@hsimon-hashicorp hsimon-hashicorp added secret/totp auth/mfa bug Used to indicate a potential bug labels Oct 3, 2022
@portnoy

portnoy commented Oct 4, 2022

I can confirm that until I changed the TOTP hashing algorithm to SHA1, logins were denied with

Code: 403. Errors:

* failed to satisfy enforcement admins. error: 2 errors occurred:
	* failed to validate TOTP passcode
	* login MFA validation failed for methodID: [xxx-xxx-xxx]

(Vault version 1.11.3, both server and client)

@chris-burn-phocas

I'm also running into this using the OIDC auth method.
(Vault server versions 1.11.3 and 1.12.0, client 1.12.0)

@petrasl1976

I'm facing the same issue too. Would be good to get it fixed.

@mpalmi
Contributor

mpalmi commented Oct 24, 2022

After investigating, we were only able to reproduce by allowing the TOTP passcode to expire. Is it possible that your TOTP passcode has expired in the scenarios you're testing?

I would recommend using the passcode within the configured 30s to eliminate that source of error. If everything works as expected, great! If not, we may need to dig a bit deeper.

You can follow the docs to admin-generate a TOTP passcode URL. That URL can then be used in the TOTP secrets engine guidance to get a TOTP code.

If any of these steps don't work, please report back and we'll look into any potential bugs.

I'm not certain why this is SHA1, but not SHA256/512, unless you're using a third-party TOTP provider. If so, maybe the configuration is incompatible with Vault as it stands. If that's the case, we can work with you to find a correct configuration and identify any potential bugs.

@KarlKatz
Author

I was using 2 different TOTP providers: Google Authenticator and the https://authenticator.cc/ extension for the Google Chrome browser. Both were generating correct codes, but the codes were not accepted by Vault login if SHA256/512 was used.

After more digging I found that Google Authenticator most probably supports SHA1 only. So it looks like it's more of a Google Authenticator issue than a Vault issue. I was able to set up https://authenticator.cc/ to work with SHA256 and was able to log in to Vault. So I guess this issue is not relevant any more.

@hghaf099
Contributor

Thanks for reporting on that! Going to close this ticket. Please feel free to open a new one in case any further issues are seen.

@chris-burn-phocas

I can confirm that the authenticator apps I was using were the problem too. I had tried Microsoft Authenticator, Authy, and Google Authenticator, all on Android.

Perhaps worth noting, though, that I was following the tutorial here, which states that Google Authenticator supports SHA256 (which does appear to be true of the iOS version the tutorial says it is using further up the page, but notably not the Android version).
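The root cause the thread converges on (an authenticator app that silently computes SHA1 while the server is configured for SHA256) and the expiry caveat raised in mpalmi's comment can both be reproduced offline with a plain RFC 6238 implementation. The following is an added example, not Vault's code and not from any of the commenters: it derives a code with each of the three algorithms Vault's MFA config accepts, then mirrors a server-side check with a configurable skew window. The function names (`TOTP`, `Validate`, `DecodeSecret`) are mine; the secret is the RFC 6238 test seed, base32-encoded as it would appear in an otpauth:// URL, and is a constructed value rather than a real Vault secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"hash"
	"strings"
	"time"
)

// hashFor maps a TOTP algorithm name (as spelled in the MFA config: SHA1/SHA256/SHA512)
// to its HMAC hash constructor.
func hashFor(algorithm string) (func() hash.Hash, error) {
	switch strings.ToUpper(algorithm) {
	case "SHA1":
		return sha1.New, nil
	case "SHA256":
		return sha256.New, nil
	case "SHA512":
		return sha512.New, nil
	}
	return nil, fmt.Errorf("unsupported TOTP algorithm %q", algorithm)
}

// DecodeSecret turns the base32 secret carried in an otpauth:// URL into raw key bytes.
// Padding is stripped first because apps and URLs disagree on whether "=" is present.
func DecodeSecret(secretB32 string) ([]byte, error) {
	s := strings.ToUpper(strings.TrimRight(secretB32, "="))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// TOTP computes an RFC 6238 code for key at unix time t (seconds) with the given
// hash algorithm, time step and digit count.
func TOTP(key []byte, algorithm string, t, period int64, digits int) (string, error) {
	h, err := hashFor(algorithm)
	if err != nil {
		return "", err
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t/period)) // moving factor = time-step counter
	mac := hmac.New(h, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // RFC 4226 dynamic truncation
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod), nil
}

// Validate mirrors a server-side check: the submitted code must equal the code derived
// with the *configured* algorithm for the current period or one within +/- skew periods.
// A code produced with a different hash over the same secret will (almost) never match,
// which is exactly the 403 seen in this thread when the app only does SHA1.
func Validate(key []byte, algorithm, code string, now, period int64, digits, skew int) (bool, error) {
	for i := -skew; i <= skew; i++ {
		want, err := TOTP(key, algorithm, now+int64(i)*period, period, digits)
		if err != nil {
			return false, err
		}
		if hmac.Equal([]byte(want), []byte(code)) { // constant-time comparison
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed secret: RFC 6238 seed "12345678901234567890", base32-encoded.
	key, err := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	fromApp, _ := TOTP(key, "SHA1", now, 30, 6)   // what a SHA1-only app displays
	server, _ := TOTP(key, "SHA256", now, 30, 6)  // what a SHA256-configured server expects
	ok, _ := Validate(key, "SHA256", fromApp, now, 30, 6, 0)
	fmt.Printf("app (SHA1): %s  server (SHA256): %s  accepted: %v\n", fromApp, server, ok)
}
```

Running it shows two different six-digit codes for the same secret and the same 30-second window, and `accepted: false`. To separate the algorithm problem from the expiry problem mpalmi describes, call `Validate` with the same algorithm on both sides and vary `now` and `skew`: with `skew` 0 (the value in the reported config) a code from the previous period is rejected, with `skew` 1 it is accepted.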
