LinOTP 3.2.6 released

On November 24th we released LinOTP 3.2.6 to the repositories.

LinOTP 3.2.6

netgo software GmbH announces a critical vulnerability in LinOTP's Self Service API. This patch is necessary for all versions newer than LinOTP 3.0. A dedicated announcement was published to provide additional details for this vulnerability.

LinOTP 3.2.6 brings one fix. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Show serial and token type in audit log in case of an error; e.g. if a token exceeded its failcounter

Download

LinOTP 3.2.6 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.6 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registered Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Constantin Wehmschulte
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 3.2.6


Fix:
  • Show serial and token type in audit log in case of an error; e.g. if a token exceeded its failcounter

Selfservice 1.1.1 released

On January 18th we released Selfservice 1.1.1 to the repositories.

Selfservice 1.1.1

Selfservice 1.1.1 brings one fix.

Highlights:

  • Language picker displays selected language correctly.

Download

Selfservice 1.1.1 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive Selfservice 1.1.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog Selfservice 1.1.1


Fix:
  • Language picker displays selected language correctly

Selfservice 1.1 released

On January 11th we released Selfservice 1.1 to the repositories.

Selfservice 1.1

Selfservice 1.1 brings new features, improvements and fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Dark-Mode based on browser/user preference.
  • Deep-linking to token enrollment.

Download

Selfservice 1.1 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive Selfservice 1.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog Selfservice 1.1


Features:
  • Dark-Mode based on browser/user preference.
  • Deep-linking to token enrollment: `/tokens/enroll/:tokentype` opens the selfservice and directly shows the enrollment dialog for the given tokentype.
  • Refined interfaces.

Fix:
  • Deep-linking to enrollment page for unauthenticated user after login
  • Logged in users are redirected from login page to token list
  • Apache config workaround for customization no longer needed with lseappliance 3.0.2.
  • Testing a token via the tokens actions menu opens test dialog correctly.

Dependencies:
  • Update to Angular 15
  • Update to Node 14.21.1

Security Update LinOTP 3 Self Service / Security Advisory

What You Need to Know

Short Description

An issue with the LinOTP 3 Self Service login's request context safety mechanism can cause a user's session data to be mistakenly replaced with that of another user who is logged in at the same time. This error could potentially reveal personal information (like username, email, and phone number) and allow one user to access and operate with the permissions of another within the LinOTP 3 Self Service.

Affected Products

  • LinOTP 3 with all versions from LinOTP 3.0 up to LinOTP 3.2.4
  • LinOTP Virtual Appliance with LinOTP 3.0 and above (Installations based on SVA 3.0 and higher need to update to LinOTP 3.2.5 and newer)

Unaffected Products

  • LinOTP 2 up to and including the current 2.12.6 is not affected.
  • LinOTP ADFS Plugin is not affected
  • LinOTP LAP is not affected
  • LinOTP SAML IdP, LinOTP RADIUS Authentication Module, LinOTP LDAP Authentication Module are not affected.
  • LinOTP Virtual Appliance itself is not affected.

Criticality

We currently assess this vulnerability with a CVSS 3.1 score of 7.5 (high):

(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C/CR:M/IR:M/AR:M).

CVE-2023-49706 was published for this vulnerability.

Date of Publication

2023-12-19

Disclaimer:

LinOTP core authentication checks are not directly affected. The validation of logins using the LinOTP core API, including all LinOTP Authentication Modules, is not directly affected. This includes all protocols (SAML, RADIUS, LDAP) and authentication frontends (i.e. LinOTP Authentication Provider, ADFS), which are not directly affected by this advisory.

Description

Due to an error in the multi-threading safety mechanism in the LinOTP 3 Self Service login, the session check data of a user can be overwritten with the session data of another, concurrent user. This leads to possible information disclosure (username, e-mail, phone number) and allows an attacker to act as, and with the permissions of, the attacked user in the LinOTP 3 Self Service.

This vulnerability could enable unauthorized access without the need for valid credentials. In specific situations, it might be possible to target an individual user. However, any unauthorized access attempts by a malicious entity would only be possible if another user is actively engaged in the self-service portal at the same time. It is important to note that previously expired sessions cannot be exploited in this context.
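To illustrate the bug class the advisory describes (a request-setup step that keeps per-request identity in a place shared by concurrent requests, so a second login can overwrite it before the first request's handler runs), here is an added, constructed example. It is not LinOTP's code; the class names, the two-request interleaving and the regression check are assumptions. Events force the interleaving deterministically instead of relying on winning a real race.

```python
import threading


class SharedContextLogin:
    """Vulnerable pattern (constructed illustration, not LinOTP's code).

    The request-setup step stores the authenticated identity on an object
    that all worker threads share. If another request runs its own setup
    between this request's setup and its handler, the handler acts as the
    wrong user: the session data has been replaced by a concurrent login.
    """

    def __init__(self):
        self.current_user = None

    def setup(self, user):
        self.current_user = user

    def handler(self):
        return self.current_user


class PerRequestContextLogin:
    """Fixed pattern: the identity is bound to the handling thread only."""

    def __init__(self):
        self._local = threading.local()

    def setup(self, user):
        self._local.user = user

    def handler(self):
        return getattr(self._local, "user", None)


def run_concurrent_logins(login):
    """Force the interleaving A.setup -> B.setup -> A.handler -> B.handler.

    Returns which identity each request ended up acting as. The events make
    the ordering deterministic so the result does not depend on timing.
    """
    a_set_up = threading.Event()
    b_set_up = threading.Event()
    acted_as = {}

    def request_alice():
        login.setup("alice")
        a_set_up.set()
        b_set_up.wait()            # bob's setup runs in this gap
        acted_as["alice"] = login.handler()

    def request_bob():
        a_set_up.wait()
        login.setup("bob")
        b_set_up.set()
        acted_as["bob"] = login.handler()

    threads = [threading.Thread(target=request_alice),
               threading.Thread(target=request_bob)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acted_as


def session_mixup_detected(acted_as):
    """Regression check: every request must act as the user it authenticated."""
    return any(user != seen for user, seen in acted_as.items())


if __name__ == "__main__":
    for cls in (SharedContextLogin, PerRequestContextLogin):
        result = run_concurrent_logins(cls())
        status = "MIXUP" if session_mixup_detected(result) else "ok"
        print(cls.__name__, result, status)
```

With the shared-context class, alice's request ends up acting as bob; with the per-thread context both requests keep their own identity.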

We currently have no evidence indicating that the identified vulnerability has been exploited.

A customer initially reported a display bug with the Self Service. After further investigations, the LinOTP team was able to identify a related vulnerability and assess its severity. We developed a fix while analyzing the behavior which is provided with this update. Other parts of LinOTP beyond the Self Service were analyzed. No additional occurrence of this implementation pattern was found. The administrative login implemented with LinOTP 3 is not affected.

The provided update to LinOTP 3.2.5 completely fixes this vulnerability. All customers running LinOTP 3 up to version 3.2.4 are strongly advised to install the newest version LinOTP 3.2.5 as soon as possible.

We are providing LinOTP 3.2.5 as a regular update for LinOTP SVA and as native packages for LinOTP 3.2.4 and older (Debian). Please refer to the installation instructions for the correct steps in your environment: Installation Instructions

Customers can contact support@linotp.de if they have any questions about the update. We are happy to assist directly and execute the update together with you, tailored to your environment.

Preventive actions

A complete fix of the vulnerability requires the installation of the provided update. If you cannot install the update within a suitable time frame, the following preventive actions are available.

Deactivating all active policies in the scope "selfservice" will remove all permissions for all users. This will prevent possible misuse until the update can be installed. Please note that regular users will also not be able to configure their tokens until the policies are reactivated.

Deactivating the "userservice" backend and the Self Service completely is advised if you cannot update for some time. Please contact support@linotp.de; we are happy to assist in deactivating the backend in the LinOTP configuration.

Important Measures

LinOTP 3 Self Service checks the user and the client IP of the session. A common scenario for LinOTP 3 Self Service is running a proxy or load balancer between the client and the LinOTP backend. If forwarding of the client IP to LinOTP is not configured in this scenario, the race condition described in this advisory becomes more likely to occur, since the client IP then does not contribute to distinguishing sessions. Please refer to 1.12.4. System Config — LinOTP 3.2 documentation for details. This is independent of the current update.
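The following added example (constructed for this newsletter, not LinOTP's code; the function names, the WSGI-style request dicts and the sample addresses are assumptions) shows why the proxy configuration matters: it resolves the client IP only from a trusted proxy's X-Forwarded-For header, binds a session to the (user, client IP) pair, and shows that without a trusted-proxy configuration every client resolves to the proxy's own address.

```python
from ipaddress import ip_address, ip_network


def _is_trusted(addr, trusted_nets):
    """True if addr lies inside one of the configured proxy networks."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def client_ip(environ, trusted_proxies=()):
    """Return the address to bind the session to.

    environ uses WSGI-style keys (REMOTE_ADDR, HTTP_X_FORWARDED_FOR).
    X-Forwarded-For is consulted only when the TCP peer is a configured
    proxy, and then the rightmost hop that is not one of our own proxies
    is taken, so entries prepended by an untrusted client are ignored.
    """
    remote = environ.get("REMOTE_ADDR", "")
    nets = [ip_network(n, strict=False) for n in trusted_proxies]
    if not _is_trusted(remote, nets):
        return remote
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed(hops):
        if hop and not _is_trusted(hop, nets):
            return hop
    return remote


def session_binding(user, environ, trusted_proxies=()):
    """The (user, client IP) pair a session is checked against on each request."""
    return (user, client_ip(environ, trusted_proxies))


def session_accepts(bound, user, environ, trusted_proxies=()):
    """Reject a request whose user or resolved client IP differs from the binding."""
    return bound == session_binding(user, environ, trusted_proxies)


# Constructed sample: two users behind the same load balancer at 10.0.0.5.
PROXY = "10.0.0.5"
ALICE_REQ = {"REMOTE_ADDR": PROXY, "HTTP_X_FORWARDED_FOR": "203.0.113.10"}
BOB_REQ = {"REMOTE_ADDR": PROXY, "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
# bob's client prepended a forged hop; the proxy appended the real peer address.
BOB_SPOOFED = {"REMOTE_ADDR": PROXY,
               "HTTP_X_FORWARDED_FOR": "203.0.113.10, 198.51.100.7"}


def resolved_ips(trusted_proxies):
    """Client IPs the backend would see for both users under a proxy config."""
    return (client_ip(ALICE_REQ, trusted_proxies), client_ip(BOB_REQ, trusted_proxies))


if __name__ == "__main__":
    # Proxy not trusted: both users look like 10.0.0.5, so the IP check
    # cannot tell their sessions apart.
    print("proxy not configured:", resolved_ips(()))
    print("proxy trusted:       ", resolved_ips(("10.0.0.0/8",)))
```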

We understand that this process may be inconvenient, and our technical support team is here to assist our customers.


LinOTP 3.2.5 released

On November 24th we released LinOTP 3.2.5 to the repositories.

LinOTP 3.2.5

netgo software GmbH announces a critical vulnerability in LinOTP's Self Service API. This patch is necessary for all versions newer than LinOTP 3.0. A dedicated announcement was published to provide additional details for this vulnerability.

LinOTP 3.2.5 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Ensure that userservice login results in exactly one session cookie per response.
  • Avoid a race condition in userservice request method setup which could lead to a user being erroneously authenticated as a different user.

Download

LinOTP 3.2.5 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.5 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog LinOTP 3.2.5


Features:
  • Use entirely random values for userservice session cookies.

Fix:
  • Ensure that userservice login results in exactly one session cookie per response.
  • Avoid a race condition in userservice request method setup which could lead to a user being erroneously authenticated as a different user.

Packaging:
  • Debian postinst now correctly restarts the LinOTP service again to ensure running the latest version without the need for manual intervention.

LinOTP 3.2.4 released

On November 15th we released LinOTP 3.2.4 to the repositories.

LinOTP 3.2.4

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2.4 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Forward tokens no longer count into the license limit
  • Forward tokens support forwarding to push and qr tokens

Download

LinOTP 3.2.4 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.4 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog LinOTP 3.2.4


Features:
  • when using the forward token and a challenge is triggered, the response detail contains information about the target token
  • forward tokens do not count for license
  • the forward token now supports the offline capability of the qr token

Fix:
  • forward token supports forwarding to a qr and push token

LinOTP 3.2.3 released

On February 16th we released LinOTP 3.2.3 to the repositories.

LinOTP 3.2.3

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2.3 brings fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Ensure all types of token will be migrated
  • Fixes customisation of /manage and /selfservice-legacy

Download

LinOTP 3.2.3 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.3 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog LinOTP 3.2.3


Fix:
  • ensure all types of token will be migrated
  • ensure that dbconfig-common triggers the linotp database migration
  • Customisation of /manage and /selfservice-legacy was broken due to url path changes with LinOTP 3

LinOTP 3.2.2 released

On December 21 we released LinOTP 3.2.2 to the repositories.

LinOTP 3.2.2

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2.2 brings fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Migrate encrypted data 'password' with legacy proprietary padding (LinOTP 2.9)
  • Fix migration of yubico token to LinOTP 3.2

Download

LinOTP 3.2.2 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.2 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog LinOTP 3.2.2


Fix:
  • Challenge database is reset once to ensure that Backups pre LinOTP 3 correctly restore existing challenge-response tokens.
  • Migrate encrypted data 'password' with legacy proprietary padding (LinOTP 2.9)
  • Fix migration of yubico token to LinOTP 3.2

LinOTP 3.2.1 released

On July 15th we released LinOTP 3.2.1 to the repositories.

LinOTP 3.2.1

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2.1 brings fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Fix audit key verification errors
  • Fix migration of QR-tokens from SVA-2.12.5 to SVA-3.0
  • Ensure that inactive policies are not evaluated

Download

LinOTP 3.2.1 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog LinOTP 3.2.1


Fix:
  • Audit key verification errors solved by using newer version of pycryptodomex.
  • Remove weak file permissions in config dir.
  • Solved migration of QR-tokens which broke backup-restore from SVA-2.12.5 to SVA-3.0
  • Database re-encoding during database migration now also migrates managed users that were previously not correctly migrated.
  • Debian postinst no longer tries to add admin users via htdigest. This is no longer supported and has therefore been removed. Use the linotp CLI manually instead.
  • Ensure that inactive policies are not evaluated. Previously, inactive policies were being evaluated in certain situations, leading to wrongly attributed permissions to logged-in administrators.

LinOTP 3 released

On July 15th we released LinOTP 3.2, the first stable release of LinOTP 3.

LinOTP 3.2

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2 brings many improvements, new features and bugfixes. The following list contains the most important changes to LinOTP 2.

  • See the full changelog of LinOTP 3.0, LinOTP 3.1, and LinOTP 3.2 for more details and the full list of changes and deprecations.
  • See the migration guide in the LinOTP documentation for more details for your upcoming install of LinOTP 3.

Highlights:

  • Python 3 & Flask: LinOTP 3 is based on Python 3 and the main framework was ported from Pylons to Flask to future-proof the foundation.
  • New Selfservice: LinOTP 3 ships with a completely new Token Selfservice user interface.
  • Administrative Login: LinOTP 3 ships with a brand new JWT based admin authentication for the Management UI and the administrative APIs.

New Selfservice

  • It completely overhauls the workflow for users to self-manage their own authentication tokens. The new selfservice is installed as a dependency of the LinOTP package.
  • The new selfservice integrates itself into the apache configuration on installation and is the default selfservice of your LinOTP server.
  • The SelfService design from LinOTP 2 is deprecated but still available under its own path /selfservice-legacy. You can change the apache configuration to change the default.
  • Footer texts and links to your privacy and imprint information can be configured by LinOTP policies. The logo image can be changed and the CSS rules can be customized.
  • The new Selfservice supports the workflow of users testing their tokens after enrollment. This verifies the correct functionality of the token and eases future debugging of login problems.

Administrative Login

  • LinOTP 3 ships with a brand new JWT based admin authentication for the Management UI and the administrative APIs.
  • It is no longer necessary to configure apache to protect admin access
  • LinOTP 3 no longer uses digest authentication.
  • LinOTP Administrators are now configured in LinOTP itself. Administrators can be configured using the `linotp` CLI command for bootstrapping or automation, or graphically using the known UserIDResolvers and Realms.
  • The internal administration allows an improved handling of admin policies and permissions based on groups and resolvers

Configuration Files

  • To facilitate the migration to flask and to improve the handling of configuration files in modern environments, LinOTP 3 no longer supports the linotp.ini configuration file format. Instead, a new linotp.cfg file format is in place. See the migration guide for detailed information about the configuration changes.

General Improvements

  • Managed resolvers (Internally stored users) that are managed via "Import users" in the Manage-UI now work with replicated databases, high-availability setups and if restored from database backups.
  • A new 'linotp' CLI replaces different scripts and tools. This improves the integration and feature set of all CLI scenarios. It also provides new features to administrate different parts of LinOTP. See 'linotp --help' for information about the different sub-command groups.
  • The audit trail can now be used with an sqlite database. Note that sqlite still has concurrency limitations and we advise you to use a database server for production environments.
  • Cross-site request forgery (CSRF) protection is no longer handled via the session request parameter. The session parameter that was used before should be omitted. API endpoints that modify data are restricted to accept only 'POST' requests and must use the new header. See the Migration guide for further details.
  • All providers allow configuring a TIMEOUT parameter.
  • SMS blocking time is now configurable in the SMS token configuration dialog. The blocking time (in seconds) is the period that needs to pass before another challenge can be triggered by the same user.
  • Improved handling of timestamps in logs and reports. The audit trail is now storing ISO 8601 formatted timestamps in UTC timezone instead of server local time.
  • LinOTP 3 now fully relies on the system trusted certificates for TLS security like it is used with LDAP resolvers.
  • Improved handling of encrypted LDAP resolver connections.
  • Specific policies override wildcard policies. This ensures that actions can be restricted for a subset of users.
  • Improved token monitoring and more precise token counting
  • Improved audit log entries
  • Improved integration of supported databases
  • LinOTP 3 supports reencoding of LinOTP 2 databases from ISO 8859-1 (Latin1) to UTF-8 via the LinOTP CLI. Latin1 used to be the default for Python 2 against mysql but is no longer valid for Python 3. The 'linotp.log' will instruct users on how to use the migration command if necessary. The LinOTP Smart Virtual Appliance (SVA 3.0) will automatically apply the reencoding during the restore setup.

Download

LinOTP 3.2 is available as a Debian package from www.linotp.org.

Users with a support and subscription license can migrate to the new LinOTP Smart Virtual Appliance in version 3.0. An SVA installer ISO download link can be requested from the support team.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team



LinOTP 2.12.5 released

On March 17th we released LinOTP 2.12.5 to the repositories.

LinOTP 2.12.5

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12.5 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Dependencies: jQuery and jQuery-Migrate are updated to the latest versions

Download

LinOTP 2.12.5 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12.5 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog LinOTP 2.12.5


Dependencies:
  • Server: Debian buster, update jQuery and jQuery-Migrate

LinOTP 2.12.4 released

On February 16th we released LinOTP 2.12.4 to the repositories.

LinOTP 2.12.4

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12.4 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • HOTP / TOTP token: Enrollment now properly encodes the token issuer setting in the QR code.
  • Forward token: Support for multiple challenges mode added.
  • Manage UI: System write permission now required to import users.

Download

LinOTP 2.12.4 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12.4 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog LinOTP 2.12.4


Bug Fixes:
  • Include Readme.rst in packaging artifacts
  • Tool to import users now enforces system write permission, which is required because resolvers are created or updated
  • Import User dialog layout fix
  • Improve help text output of linotp-create-htdigest script
  • No longer deploy obsolete who.ini config file
  • Forward tokens support multiple challenges
  • HMAC enrollment QR-code correctly URL-encodes tokenissuer

LinOTP 2.12.3 released

On April 7th we released LinOTP 2.12.3 to the repositories.

LinOTP 2.12.3

arxes-tolina GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12.3 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Reporting API: New API to collect reports for specific time periods.

Download

LinOTP 2.12.3 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12.3 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
arxes-tolina GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Robert-Koch-Straße 9, 64331 Weiterstadt
Main office, Piesporter Straße 37, 13088 Berlin
Registered Office: Amtsgericht Berlin-Charlottenburg, HRB 84278
Board of Directors: Dr. Peter Heilmann, Ralf Berndt, Sebastian Meyer
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 2.12.3


Enhancements:
  • Server: Add API /reporting/period to query reporting for a period in a range between 'from' and 'to', where the 'from' date is included in the range and the 'to' date is not included. If no entry for the given period is found, the API will search for the last reporting entry before the period.
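The lookup semantics of that period query, as an added example that is not LinOTP's implementation: the entry records, the field names and the function names are constructed assumptions; what it reproduces is the inclusive 'from', exclusive 'to', and the fall-back to the last entry before the period when the period itself is empty.

```python
from datetime import date

# Constructed sample reporting entries (not real LinOTP data): one row per
# day on which a report was written, with the token count recorded that day.
ENTRIES = [
    {"timestamp": date(2023, 1, 1), "realm": "corp", "count": 120},
    {"timestamp": date(2023, 1, 10), "realm": "corp", "count": 125},
    {"timestamp": date(2023, 2, 5), "realm": "corp", "count": 131},
]


def _as_date(value):
    """Accept a date or an ISO 8601 string such as '2023-01-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def report_for_period(entries, from_date, to_date):
    """Entries with from_date <= timestamp < to_date, oldest first.

    'from' is inclusive and 'to' is exclusive. If nothing was written inside
    the period, fall back to the last entry before it, so a quiet period still
    yields the most recent known state. Returns a list (possibly empty).
    """
    start, end = _as_date(from_date), _as_date(to_date)
    if end <= start:
        raise ValueError("'to' must be after 'from'")
    in_range = sorted(
        (e for e in entries if start <= e["timestamp"] < end),
        key=lambda e: e["timestamp"],
    )
    if in_range:
        return in_range
    before = [e for e in entries if e["timestamp"] < start]
    if not before:
        return []
    return [max(before, key=lambda e: e["timestamp"])]


def counts_for_period(entries, from_date, to_date):
    """Just the counts, in chronological order."""
    return [e["count"] for e in report_for_period(entries, from_date, to_date)]


if __name__ == "__main__":
    print(counts_for_period(ENTRIES, "2023-01-01", "2023-02-01"))  # two entries in range
    print(counts_for_period(ENTRIES, "2023-02-01", "2023-02-05"))  # empty period: fallback
```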

LinOTP 2.12.2 released

On February 15th we released LinOTP 2.12.2 to the repositories.

LinOTP 2.12.2

arxes-tolina GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12.2 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Rollout token: The rollout token can now be allowed for specific /validate requests.

Download

LinOTP 2.12.2 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12.2 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog LinOTP 2.12.2


Enhancements:
  • Make rollout token behavior consistent when also used for general validation.

LinOTP 2.12.1 released

On October 23rd we released LinOTP 2.12.1 to the repositories.

LinOTP 2.12.1

arxes-tolina GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12.1 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Policies: Improved deterministic evaluation across all scopes.
  • Selfservice: MFA login fixed with LinOTP Push- and QR-Token.

Download

LinOTP 2.12.1 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team


Changelog LinOTP 2.12.1


Bug Fixes:
  • Policies: Consistent evaluation of policies is ensured in the "enrollment" scope. Evaluation is adjusted to match all actions for a given user if some of the actions are less explicitly defined regarding user and realm fields
  • Selfservice: MFA login with Push Token and QR Token is correctly processed
  • Incorrect max token count evaluation is fixed if a different, more specific (not user:'*') policy with other actions is defined.

LinOTP 2.12 released

On July 28th we released LinOTP 2.12 to the repositories.

LinOTP 2.12

arxes-tolina GmbH is pleased to announce the availability of the following product release:

LinOTP 2.12 brings many improvements, new features and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Token usage dates can now optionally be tracked for newly enrolled tokens (when the option is activated)
  • Challenge validity time is now configurable in the Manage-UI

Download

LinOTP 2.12 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.12 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
arxes-tolina GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Robert-Koch-Straße 9, 64331 Weiterstadt
Main office, Piesporter Straße 37, 13088 Berlin
Registered Office: Amtsgericht Berlin-Charlottenburg, HRB 84278
Board of Directors: Dr. Peter Heilmann, Ralf Berndt, Sebastian Meyer
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 2.12


Enhancements:
  • Server and UI: Add three new columns to the token table; they can be viewed under the admin/show endpoint and in the Manage UI under TokenInfo. The system settings dialog in the Manage UI provides an option to enable and configure their visualisation
    • LinOtpCreationDate - date the token was created
    • LinOtpLastAuthSuccess - last successful login with this token
    • LinOtpLastAuthMatch - last use of the token, for the case of several tokens when otppin is not PIN or the tokens have identical PINs
  • Server: Expired or wrong cookies in userservice requests will return an HTTP 401 (session abort) error
  • UI: Browser tab icons match the current LinOTP logo
  • UI: Browser tab titles start with the name of the web application, to make it easier to distinguish between Manage and Selfservice UI in small tabs
  • UI: Challenge validity time for SMS and email tokens can now be set via the Manage UI

Bug Fixes:
  • Server: Failed userservice 2nd factor logins increase the fail counter of the respective token
  • Server: Replication setups on the SVA no longer fail due to faulty userservice cookie handling

    LinOTP 2.11.2 released

    On May 5th we released LinOTP 2.11.2 to the repositories.

    LinOTP 2.11.2

    netgo software GmbH is pleased to announce the availability of the following product release:

    LinOTP 2.11.2 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

    Highlights:

    • Email token: Challenge blocking behaviour
    • Apache configuration: Modular extension for a separate Selfservice config

    Download

    LinOTP 2.11.2 is available as a Debian package from www.linotp.org.

    Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.11.2 via the integrated auto-update mechanism.

    We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

    The LinOTP team

    --
    arxes-tolina GmbH
    https://www.linotp.de
    Strong MFA solution by netgo
    Branch office Darmstadt, Robert-Koch-Straße 9, 64331 Weiterstadt
    Main office, Piesporter Straße 37, 13088 Berlin
    Registered Office: Amtsgericht Berlin-Charlottenburg, HRB 84278
    Board of Directors: Dr. Peter Heilmann, Ralf Berndt, Sebastian Meyer
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@linotp.de

    Changelog LinOTP 2.11.2


    Enhancements:
    • Email token accept a new challenge as soon as the previous challenge is correctly answered
    • Update LinOTP Apache configuration to include additional configuration supplied by a related package such as the Selfservice

    Bug Fixes:
    • Respect maxtoken policy when creating new token in selfservice frontend
    • In Selfservice cookie expiration date now reflects timezone
    • IE11 Browser rendering fixed, where content height was not respected before

    LinOTP 2.11.1 released

    On March 31st we released LinOTP 2.11.1 to the repositories.

    LinOTP 2.11.1

    netgo GmbH is pleased to announce the availability of the following product release:

    LinOTP 2.11.1 brings many improvements, new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

    Highlights:

    • New Feature: Support for dynamic email address for email token submission.
    • New Feature: Support for autoenrollment enrollment notification via e-mail templates.
    • New Feature: New API endpoint for helpdesk support.

    LinOTP can now update e-mail addresses in the user token when they are changed in the user store. The automatic rollout of tokens for users can now be combined with notifying the users; the mail that is sent can be customized with templates. Details can be found here. The API endpoint for the helpdesk makes selected token management functions available to user support staff.

    Download

    LinOTP 2.11.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the LinOTP Smart Virtual Appliance will receive LinOTP 2.11.1 via the integrated auto-update mechanism.

    We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

    The LinOTP team

    --
    arxes-tolina GmbH
    https://www.linotp.de
    https://www.linotp.de/produkte/multi-faktor-authentifizierung.html
    Branch office Darmstadt, Robert-Koch-Straße 9, 64331 Weiterstadt
    Main office, Piesporter Straße 37, 13088 Berlin
    Registered Office: Amtsgericht Berlin-Charlottenburg, HRB 84278
    Board of Directors: Dr. Peter Heilmann, Ralf Berndt, Sebastian Meyer
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@keyidentity.com

    Changelog LinOTP 2.11.1


    Server changes:
    • Server: Support for dynamic email address for email token submission
    • Server: Add support for autoenrollment enrollment notification

    LinOTP hotfix and advisory

    LinOTP hotfix and security advisory

    KeyIdentity GmbH announces a critical vulnerability in LinOTP. CVE-2019-12887 was published for this vulnerability.

    KeyIdentity GmbH recommends to apply the hotfix described below for a secure operation of LinOTP if the conditions apply.

    The vulnerability is relevant if you are using TOTP (time based OATH HMAC) token and enabled the auto resynchronization feature. Automatic resynchronization is inactive by default after installation.

    With activated resynchronization it is possible to successfully log in using an OTP value recorded earlier.

    The hotfix prevents this attack vector.

    If you cannot update or patch immediately and have automatic resynchronization activated with TOTP tokens, you should deactivate the automatic resynchronization until you can update. We provide a configuration guide.
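The advisory above describes the failure mode in one sentence: a wide auto-resync search window will find the time step of an OTP that was already used, so the old value authenticates again. The following added example (not LinOTP code; it is an illustration written for this page) implements an RFC 6238 TOTP check with a normal window, a wide resync window, and the guard the hotfix stands for: a matching time step must be newer than the last one that authenticated. The token class, the `verify` function, the `replay_scenario` timeline and the secret (the RFC 4226 test secret) are all constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 4226 test secret; a constructed value for the example, not a real token seed.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class TotpToken:
    secret: bytes
    step: int = 30                       # TOTP time step in seconds
    window: int = 1                      # normal drift tolerance, in time steps
    resync_window: int = 50              # much wider search window used by auto-resync
    shift: int = 0                       # clock drift learned by a resync, in time steps
    last_counter: Optional[int] = None   # highest time step that already authenticated


def verify(token: TotpToken, otp: str, now: int, resync: bool = False,
           replay_guard: bool = True) -> bool:
    """Check `otp` against `token` at Unix time `now`.

    With resync=True the search uses the wide resync window and, on success,
    stores the observed drift. The replay guard is the hotfix behaviour: the
    matching time step must be newer than the last one that authenticated, so
    an OTP recorded earlier cannot be used again, however wide the window is.
    """
    base = int(now) // token.step + token.shift
    radius = token.resync_window if resync else token.window
    for delta in range(-radius, radius + 1):
        counter = base + delta
        if counter < 0:
            continue
        if not hmac.compare_digest(hotp(token.secret, counter), otp):
            continue
        if replay_guard and token.last_counter is not None and counter <= token.last_counter:
            return False   # time step already used (or older): treat as replay
        token.last_counter = counter
        if resync:
            token.shift += delta   # remember the drift so normal checks work from now on
        return True
    return False


def replay_scenario(replay_guard: bool) -> dict:
    """Constructed timeline: a legitimate login at t=59, the same OTP presented
    again 10 steps later, then a genuinely drifted device (+5 steps) resyncing."""
    token = TotpToken(SECRET)
    first_otp = hotp(SECRET, 59 // 30)          # OTP the user really used at t=59
    results = {}
    results["first_login"] = verify(token, first_otp, now=59)
    # Without auto-resync the old OTP is outside the +/-1 step window: rejected either way.
    results["replay_no_resync"] = verify(token, first_otp, now=359)
    # With auto-resync the wide window finds the old time step; only the guard stops it.
    results["replay_with_resync"] = verify(token, first_otp, now=359, resync=True,
                                           replay_guard=replay_guard)
    # A real device whose clock is 5 steps ahead must still be able to resync.
    drifted_otp = hotp(SECRET, 359 // 30 + 5)
    results["drifted_resync"] = verify(token, drifted_otp, now=359, resync=True,
                                       replay_guard=replay_guard)
    # After the resync the learned shift makes the normal window succeed.
    results["after_resync"] = verify(token, hotp(SECRET, 389 // 30 + 5), now=389)
    return results
```

Running `replay_scenario(False)` reproduces the advisory's condition (the replayed OTP is accepted once resync is on), while `replay_scenario(True)` rejects it and still lets the drifted device resync; in both cases the replay fails when resync is off, which is why the advisory limits the impact to installations with automatic resynchronization enabled.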

    We explicitly thank Sébastien Foutrel for his diagnostics and valuable report for this vulnerability.

    Installation

    We provide packages in different formats and versions. These packages do not contain changes beyond the hotfix for this issue.

    KeyIdentity provides an installation guide with download links for all available packages.

    Available Packages

    2.10.5.2 updated to 2.10.5.3 (Debian Jessie, Debian Stretch, RPM)

    2.9.3.4 updated to 2.9.3.5 (Debian Jessie)

    2.8.1.7 updated to 2.8.1.8 (Debian Jessie)

    All versions of LinOTP

    If you are using an older version of LinOTP (<2.8) or cannot immediately install the packages provided, we also provide a patch file with a patch guide.

    KeyIdentity LinOTP Smart Virtual Appliance

    Customers using the LinOTP SVA will receive the update when automatic updates are activated. Until your scheduled automatic update, we recommend deactivating the automatic resynchronization if it is enabled and used with TOTP tokens and you cannot apply the immediate updates described above. We offer a configuration guide.

    If you have questions about applying the hotfix, we are happy to assist you:

    E-Mail: support@keyidentity.com

    Telephone: +49 6151 86086 115


    KeyIdentity LinOTP 2.10.5.1 released

    On May 07th we released LinOTP 2.10.5.1 to the repositories.

    LinOTP 2.10.5

    KeyIdentity GmbH is pleased to announce the availability of the following product release:

    LinOTP 2.10.5.1 brings many improvements, new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

    Highlights:

    • New Feature: Prevent dirty cache when resolver is not available.
    • New Feature: Resolver and realm cache is wiped when the cache is switched off.

    Both improve the resolution of user information from the LDAP resolver: negative information produced by a failed lookup is no longer used. Details can be found here

    Download

    LinOTP 2.10.5.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10.5.1 via the integrated auto-update mechanism.

    We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

    The KeyIdentity LinOTP team

    --
    KeyIdentity GmbH
    https://www.keyidentity.com
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@keyidentity.com
    Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
    Board of Directors: Nils Manegold

    Changelog LinOTP 2.10.5.1


    Server changes:
    • Server: Prevent dirty cache if resolver is not available
    • Server: Resolver and realm cache is wiped when the cache is switched off

    KeyIdentity LinOTP 2.10.4 released

    On February 26th we released LinOTP 2.10.4 to the repositories.

    LinOTP 2.10.4

    KeyIdentity GmbH is pleased to announce the availability of the following product release:

    LinOTP 2.10.4 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

    Highlights:

    • New Feature: SMSProvider failover

    Besides improved handling of provider outages, LinOTP now provides a failover configuration for SMSProviders via policies. Details can be found here

    Download

    LinOTP 2.10.4 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10.4 via the integrated auto-update mechanism.

    We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

    The KeyIdentity LinOTP team

    --
    KeyIdentity GmbH
    https://www.keyidentity.com
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@keyidentity.com
    Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
    Board of Directors: Nils Manegold, Dr. Amir Alsbih

    Changelog LinOTP 2.10.4


    Server changes:
    • Server: SMSProvider failover

    KeyIdentity LinOTP 2.10.3 released

    On January 25th we released LinOTP 2.10.3 to the repositories.

    LinOTP 2.10.3

    KeyIdentity GmbH is pleased to announce the availability of the following product release:

    LinOTP 2.10.3 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

    Highlights:

    • New Feature: Rollout Token

    Protect the self service login with an initial roll out token. Details can be found here

    Download

    LinOTP 2.10.3 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10.3 via the integrated auto-update mechanism.

    We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

    The KeyIdentity LinOTP team

    --
    KeyIdentity GmbH
    https://www.keyidentity.com
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@keyidentity.com
    Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
    Board of Directors: Nils Manegold, Dr. Amir Alsbih

    Changelog LinOTP 2.10.3


    Server changes:
    • Server: Public release of rollout token

    KeyIdentity LinOTP 2.10.1 released

    On October 17th we released LinOTP 2.10.1 to the repositories.

    LinOTP 2.10.1

    KeyIdentity GmbH is pleased to announce the availability of the following product release:

    LinOTP 2.10.1 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

    Highlights:

    • New Feature: RestSMSProvider

    This new SMSProvider enables LinOTP to submit SMS to any SMS provider (e.g. CLX Communication) that offers a REST API with a JSON payload. Details about the configuration can be found here: http://linotp.org/doc/latest/part-management/smsprovider.html#restsmsprovider http://linotp.org/doc/latest/part-management/smsprovider.html#id4

    Download

    LinOTP 2.10.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10.1 via the integrated auto-update mechanism.

    We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

    The KeyIdentity LinOTP team

    --
    KeyIdentity GmbH
    https://www.keyidentity.com
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@keyidentity.com
    Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
    Board of Directors: Nils Manegold, Dr. Amir Alsbih

    Changelog LinOTP 2.10.1


    Server changes:
    • Server: LDAPUserIdResolver failover: stay with a working LDAP server for an increasing time before retrying the connection to the first server
    • Server: Add charset/collate clauses to database generation commands: ensures compatibility with recent versions of MariaDB
    • Server: New policy 'forward_on_no_token' to support forwarding of request to remote server if user has no token
    • Server: Allow configuration of the challenge prompt via system/setConfig?SMS_CHALLENGE_PROMPT=MESSAGE
    • Server: New policy 'enforce_smstext' to ignore request param data
    • Server: Support to configure HTTP headers in Rest SMS Provider
    API changes:
    • API: Show token enrollment status in userservice/usertokenlist
    • API: Support check_status without user parameter
    Web UI changes:
    • Web UI: Add timezone entry to token info dialog
    • Web UI: Update visuals for manage token info
    Selfservice changes:
    • Selfservice Portal: Support optional landing page for selfservice portal
    • Selfservice Portal: Show token description in selfservice portal
    Bug Fixes:
    • Server: Fix LDAPUserIdResolver failover
    • Server: Search token list with userPrincipalName
    • Server: Fix RADIUS Forward Token
    • Server: otppin=ignore_pin now works alternatively to otppin=3
    • Server: LinOTP server now handles forward proxy definition correctly
    • Server: Fix storing of timeout tuples within the DefaultPushProvider
    • Server: Fix backend for setExpiration UI dialog which failed in some cases
    • Server: Provide error message if update of a license key was failing
    • Server: Set default time zone to make time based tokens work in all setups
    • Server: Support for SQLUserIdResolvers where the user id is defined as int. This fixes actions in the selfservice portal.
    • Web UI: Default for splitAtSign is now correctly displayed in the UI

    KeyIdentity LinOTP 2.10 released

    On January 15th we released LinOTP 2.10 to the repositories.

    LinOTP 2.10

    KeyIdentity GmbH is pleased to announce the availability of the following product release:

    LinOTP 2.10 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.


    Highlights

    • New Feature: Voice Token

    LinOTP 2.10 is the first release to include support for Voice Tokens. In addition to the existing challenge-response tokens (e.g. KeyIdentity's Push Token and SMS Token), this provides another barrier-free way to deliver OTPs to users.

    Currently Twilio is supported as Voice Token Provider. The Voice Token requires a dedicated Voice Challenge Service which is made available to customers by KeyIdentity GmbH. Documentation for the Voice Token can be found here: Voice Token.

    Details about the Voice Challenge Service can be obtained from support@keyidentity.com.

    • New Feature: Securing the Selfservice Portal with MFA

    The Selfservice Portal can be additionally protected with MFA. This is particularly useful for environments where the Selfservice Portal is exposed to the Internet. The MFA feature is configurable and allows the retention of existing workflows with additional security.

    Details can be found here: MFA Selfservice Portal .

    • Improvements: KeyIdentity Push Token

    LinOTP 2.10 improves the functionality of KeyIdentity's Push Token. A dedicated Challenge Service is introduced. This service separates the external communication with the user's mobile device from the sensitive data stored in LinOTP. The updated KeyIdentity Authenticator Apps for iOS and Android can now actively query the user's existing challenges, which makes transaction validation more reliable. The Challenge Service and comprehensive documentation are provided by KeyIdentity GmbH and can be obtained from support@keyidentity.com.

    • Token Validity

    Number of uses and the expiry date of tokens can be limited. Starting with LinOTP 2.10 these limits can be configured conveniently via WEB GUI (token management) - e.g. by the help desk personnel. This is useful, for example, to enroll temporary tokens for visitors. More information can be found here: Token Validity.

    Download

    LinOTP 2.10 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10 via the integrated auto-update mechanism.

    We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

    The KeyIdentity LinOTP team

    --
    KeyIdentity GmbH
    https://www.keyidentity.com
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@keyidentity.com
    Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
    Board of Directors: Nils Manegold, Dr. Amir Alsbih


    Changelog LinOTP 2.10

    Token Changes:
    • Introduce new token: Voice Token
    • Enhance Push Token (incompatible with previous Push Token version)
    Server Changes:
    • Adjust default transactionId length to 17
    • Implement explicit-deny for push token
    • Add token type specific enrollment limits
    • Support loading provider via configuration in linotp.ini
    • Enable new policy engine by default
    • Moved tokens to new location in src tree
    • Support shorter lost token duration (days, hours, and minutes added)
    • Autoassign a token if a request arrives with only username (without password)
    • Document the otppin policy 3 (ignore_pin) in the policy UI
    • Removed IE compatibility mode from templates
    • Take the already stored mobile number of a token owner (available from UserIdResolver) if it exists, otherwise take the number stored in the token info
    • Autoassignment without password
    • OATH csv import with sha256 + sha512
    Web UI Changes:
    • Add Auth Demo pages for challenge-response and push token
    • /auth/challenge-response
    • /auth/pushtoken
    • Add expiration dialog for tokens
    • Refactor dialog button icon generation
    • Performance improvement by removing mouseover effects on Manage-UI
    • Extract custom form validators into separate files
    • Removed IE compatibility mode from templates
    • Update favicon to follow company rename
    • Add UI in manage and Selfservice for "static password" token
    • Improved Selfservice login with MFA support
    Bug Fixes:
    • Server: Fix evaluation of forward policy to match most specific user definition
    • Server: Fix password comparison of password token
    • Server: Adjust location of token mako templates for translation
    • Server: Fix typo in getUserFromRequest in case of basic auth
    • Server: Fix missing 'serial' for audit and policy check in selfservice.enroll
    • Server: Fix for loading active token modules
    • Server: On LDAP test connection always close dialog
    • Server: Fix encoding error that prevented Token View from being displayed in the web interface.
    • Server: Fix challenge validation to check only one request at a time. Prevent (positive) double authentication with the same transaction ID and OTP.
      This used to happen when a user submitted the OTP for a transaction ID more than once within a very short timeframe
    • Server: Fix for missing LDAP utf-8 conversion
    • Server: Fix default hash algorithm. This was causing issues in the YubiKey import
    • Server: Fix wrong audit log entries where "failcounter exceeded" was incorrectly being replaced with "no token found"
    • Server: Fix QRToken to use the tan length defined at enrollment
    • Server: Fix password and lost token password comparison
    • Server: Fix to show deactivated policies in Manage UI again.
    • Server: Fix for better user/owner comparison
    • Server: Fix to show inactive policies
    • Server: Fix import of policies with empty realm
    • Server: Verify that only active policies are used
    • Server: Fix for policy export to export inactive too
    • Server: Fix for target realm handling on token import
    • Server: Fix select only active policies for admin policies
    • Server: Fix getResolverClassName
    • Web UI: Fix UI crash when the backend response of the LDAP test connection is an array
    • Selfservice: Fix QR token enrollment and activation
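The bug fix "check only one request at a time" in the list above is a classic validate-then-consume race: two submissions of the same transaction ID and OTP arriving within a short time both pass the check before either closes the challenge. The following added example (not LinOTP code; the `ChallengeStore` class, the transaction ID and the OTP are constructed for this page) shows the racy version next to the atomic one and counts how many of eight concurrent identical submissions authenticate.

```python
import hmac
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Dict

TXN_ID = "txn-constructed-0001"   # constructed transaction id, not a real LinOTP value
OTP = "123456"                    # constructed OTP answering the open challenge


class ChallengeStore:
    """In-memory store of open challenge-response transactions (a constructed
    stand-in for a database table); each transaction may authenticate once."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._open: Dict[str, str] = {}   # transaction id -> expected OTP

    def create(self, transaction_id: str, otp: str) -> None:
        with self._lock:
            self._open[transaction_id] = otp

    def check_unsafe(self, transaction_id: str, otp: str) -> bool:
        """Validate, then close: the gap between the two steps lets a second
        request with the same transaction id and OTP validate as well."""
        expected = self._open.get(transaction_id)
        if expected is None or not hmac.compare_digest(expected, otp):
            return False
        time.sleep(0.05)   # stands in for audit logging / DB round trips between the steps
        self._open.pop(transaction_id, None)
        return True

    def check_once(self, transaction_id: str, otp: str) -> bool:
        """Validate and close under one lock, so concurrent submissions of the
        same transaction yield exactly one success."""
        with self._lock:
            expected = self._open.get(transaction_id)
            if expected is None or not hmac.compare_digest(expected, otp):
                return False
            del self._open[transaction_id]   # consumed: any further submission fails
            return True


def concurrent_successes(check_name: str, submissions: int = 8) -> int:
    """Fire `submissions` identical requests at once and count how many authenticate."""
    store = ChallengeStore()
    store.create(TXN_ID, OTP)
    check = getattr(store, check_name)
    with ThreadPoolExecutor(max_workers=submissions) as pool:
        results = list(pool.map(lambda _: check(TXN_ID, OTP), range(submissions)))
    return sum(results)


if __name__ == "__main__":
    print("validate-then-consume:", concurrent_successes("check_unsafe"))   # more than 1
    print("atomic consume:       ", concurrent_successes("check_once"))     # exactly 1
```

In a real deployment the lock is a database-level construct (a row lock or a conditional delete that returns the affected row count) rather than a process-local mutex, but the invariant is the same: the decision "this OTP answers this open transaction" and the removal of the transaction must be one indivisible step.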

    KeyIdentity LinOTP 2.9.1 released

    On February 15th we released LinOTP 2.9.1 to the repositories.

    LinOTP 2.9.1

    KeyIdentity GmbH is pleased to announce the availability of the following product release:

    LinOTP 2.9.1 introduces many improvements, small features, cleanups and bug fixes. The highlights are the implementation of the KeyIdentity Push Token, a new caching functionality to significantly speed up performance for UserIdResolvers and the switch to StartTLS by default to improve the connection security to LDAP UserIdResolvers.

    The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter

    Highlights

    • New Feature: KeyIdentity Push Token

    LinOTP 2.9.1 is the first release to include support for the KeyIdentity Push Token to secure logins and transactions while providing a high level of usability on Android and iOS.
    Based on the established cryptographic principles of the QRToken we improved the workflows of the authentication process while conserving a high level of security. It utilizes the native push mechanisms of Android and iOS for the highest level of compatibility based on the KeyIdentity Authenticator.

    Please contact us for more information and about details on how to integrate the KeyIdentity Push Token in your setup.

    • New Feature: Caching for LDAP UserIdResolvers

    The new caching feature is designed to improve the performance of LinOTP significantly in environments with a large number of users, complex realm setups and slow UserIdResolvers. Details about the configuration can be found at Caching-Feature.

    • New Feature: StartTLS by default

    LinOTP 2.9.1 switches to StartTLS by default in order to secure the communication with LDAP UserIdResolvers in environments without a LDAPS infrastructure. Please have a look at StartTLS for details.

    Download

    LinOTP 2.9.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.9.1 via the integrated auto-update mechanism after February 20th 2017.

    Note

    With LinOTP 2.9.1 large parts of the LDAP UserIdResolver code were rewritten and the default for StartTLS has changed. Although LinOTP 2.9.1 has been tested thoroughly by KeyIdentity, we recommend setting up LinOTP 2.9.1 in a staging environment before putting it into production.

    We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at keyidentity@keyidentity.com.

    The KeyIdentity LinOTP team

    --
    KeyIdentity GmbH
    https://www.keyidentity.com
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@keyidentity.com
    Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
    Board of Directors: Nils Manegold, Dr. Amir Alsbih


    Changelog LinOTP 2.9.1

    Enhancements
    • Server: New token type: KeyIdentity PushToken
    • Server: Add optional caching of resolver lookups
    • Server: Show welcome and update screens
    • WebUI: Add dialog for duplicating resolvers
    • WebUI: Better password handling in resolver dialogs
    • Reporting: Add paging and CSV output for reporting/show
    • API: Use semicolon as CSV column separator by default
    • UserIdResolver: Add StartTLS support
    Bug Fixes
    • Server: Fix remote token
    • Server: Fix evaluating policies for non-existent realms
    • API: Don't localize monitoring json output
    • SMPPSMSProvider: Fix encoding issues for non-ascii characters
    • WebUI: Alert in realm dialog if no resolvers are selected

    Hackathon 2FA

    Research and practice agree: passwords are no good! On the contrary, they are one of the main causes of successful compromises of user accounts or entire systems. Users often choose weak passwords, crackers harvest complete user databases that may contain unencrypted or poorly encrypted passwords, and malware that captures even the best password is becoming ever more sophisticated. Phishing, and especially targeted "spear phishing", is also a major problem in practice.

    Our answer at KeyIdentity GmbH is LinOTP. LinOTP (https://linotp.org) is a powerful and flexible open-source solution for two-factor authentication, with which traditional passwords can be replaced or supplemented by further mechanisms. These include, for example, hardware tokens or authentication solutions based on mobile apps. LinOTP offers a convenient API for integration into existing applications.

    We know that authentication has to become more secure. For this reason we are organizing a hackathon at which you can raise the security of your applications with LinOTP. Network with others, and let us make our applications more secure together and break the paradigm "pick the most complex password you can, which you cannot remember, and never write it down anywhere".

    On 3.12.2016 we invite you to the premises of KeyIdentity GmbH in Weiterstadt, provide pizza and drinks, and help you integrate LinOTP into your software via the API.

    Learn how easy it is to secure your applications, get free help, network with each other and simply have a great day! To help us plan, please register by e-mail at: hackathon@keyidentity.com


    LSE LinOTP 2.9 released

    On August 15th we released LinOTP 2.9 to the repositories.

    LinOTP 2.9

    LSE Leading Security Experts GmbH is pleased to announce the availability of LinOTP 2.9.

    LinOTP 2.9 is one of our biggest releases, with over 500 commits. It introduces many improvements, small features, cleanups and bug fixes. The highlights are the preparation for offline authentication using our new QRToken, the new Reporting API and the extended SMS and E-Mail Provider configuration.

    Highlights

    • New Feature: Offline Authentication

    LinOTP 2.9 introduces the next generation of our QR-code based soft token. It will be complemented in the coming weeks by the releases of our LinOTP Authentication Providers for Microsoft Windows and the LinOTP mobile apps, allowing for integrated and secure offline authentication with high usability, in addition to the traditional secure, transaction-based authentication.

    • New Feature: Reporting API

    To allow for integration into reporting environments and to simplify accounting in multi-tenant environments, LinOTP provides a new, powerful reporting API to collect information such as the number of currently active tokens and the highest number of tokens over time for certain realms.

    • New Feature: Realm specific SMS Providers

    LinOTP 2.9 supports the management of multiple SMS and e-mail providers. These providers allow specifying SMS or e-mail settings for different customers, realms or users in a diverse LinOTP environment.

    Download

    LinOTP 2.9 is available as Debian and RPM packages from linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.9 via the integrated auto-update mechanism after August 16th 2016.

    The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.3 and assist upgrading your environment to the latest release at support@lsexperts.de.

    The KeyIdentity LinOTP team

    --
    KeyIdentity GmbH
    https://www.keyidentity.com
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@keyidentity.com
    Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
    Board of Directors: Nils Manegold, Dr. Amir Alsbih


    Changelog LinOTP 2.9

    Enhancements
    • Server: Add support for offline authentication
    • Server: Add QRToken
    • Server: Add forwarding token
    • Server: Add reporting controller
    • Server: Add support for multiple SMS/e-mail providers
    • Server: Add support for long config values
    • Server: Add issuer label to OATH tokens
    • Server: Allow one-time simplepass tokens
    • Server: Allow multiple users with same username in one realm
    • Server: Support migration of resolvers for assigned tokens
    • Server: Add authorization policies for monitoring controller
    • Server: Allow named otppin policies ('token_pin', 'password' and 'only_otp')
    • Server: Add SSL/TLS abilities to SMTPSMSProvider
    • UserIDResolver: Add class registry and class aliases
    • WebUI: Slightly polished look and feel
    Bug Fixes
    • WebUI: Hide 'Get OTP' button if getotp is deactivated in config
    • WebUI: Several bug fixes in different dialogs and elements
    • Server: Fix generating transactionids which failed in rare circumstances
    • Server: Handle timestamp rounding instead of truncating in MySQL 5.6
    • Server: Do not copy old PIN on lost simplepass token
    • Packaging: Remove debconf entry 'linotp/generate_enckey'
    • WebUI: Validate resolver configuration on resolver definition
    • WebUI: Alert in realm dialog if no resolvers are selected

    LSE LinOTP 2.8.1.3 released

    On July 30th we released LinOTP 2.8.1.3 to the repositories.

    LinOTP 2.8.1.3

    LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1.3, the latest patch release of its vendor independent solution for adaptive multi-factor and 2-factor authentication.

    Download

    LinOTP 2.8.1.3 is available as Debian and RPM (Red Hat/CentOS) packages from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1.3 via the integrated update mechanism.

    The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.3 and assist upgrading your environment to the latest release at support@lsexperts.de.

    The LSE LinOTP team

    --
    LSE Leading Security Experts GmbH
    https://www.lsexperts.de
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@lsexperts.de
    Board of Directors: Nils Manegold, Oliver Michel, Arved Graf von Stackelberg, Sven Walther

    Changelog:

    LinOTP:

  • Server: Fix pin handling in email token

    LSE LinOTP 2.8.1.2 released

    On July 21st we released LinOTP 2.8.1.2 to the repositories.

    LinOTP 2.8.1.2

    LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1.2, the latest patch release of its vendor independent solution for adaptive multi-factor and 2-factor authentication.

    Download

    LinOTP 2.8.1.2 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1.2 via the integrated update mechanism.

    The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.2 and assist upgrading your environment to the latest release at support@lsexperts.de

    The LSE LinOTP team

    --
    LSE Leading Security Experts GmbH
    https://www.lsexperts.de
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@lsexperts.de
    Board of Directors: Nils Manegold, Oliver Michel, Arved Graf von Stackelberg, Sven Walther

    Changelog:

    LinOTP:

    Enhancements:

    • Server: Add support for demo licenses

    Bug Fixes:

    • Selfservice: Fix setting tokenlabels
    • Server: Set the first created realm as default realm
    • Server: Fix admin/show using a serial number and an active admin policy containing a wildcard
    • Server: Fix import of policies missing scope or action
    • Server: Fix license import using IE
    • Server: Fix license decline under certain conditions (available since 2.8.1.1)

    LSE LinOTP 2.8.1 released

    On Apr 5th we released LinOTP 2.8.1 to the repositories.

    LinOTP 2.8.1

    LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1, the latest version of its vendor independent solution for adaptive multi-factor and 2-factor authentication and OTP processes (OTP: one time passwords). LSE is now offering its latest LinOTP version in Spanish, French, Italian, and simplified Chinese in addition to the previously available English and German. In addition to the expanded available languages, LinOTP 2.8.1 has new features for monitoring and improved capabilities for server migration and complex setups. The improved user filters and support for HSM (hardware security module) migrations are also new. With the additional languages, LSE has consistently continued to internationalise the LinOTP product line. The larger selection of available languages applies to both the self-service user portal as well as the management interfaces.

    Highlights:

    • New Feature: Additional Languages

    LSE has consistently continued to internationalise the LinOTP product line. The larger selection of available languages applies to both the self-service user portal as well as the management interfaces.

    • New Feature: Monitoring

    LSE is introducing a new API for monitoring internal LinOTP processes with LinOTP 2.8.1. This provides, for example, information on the statistics and the status of the tokens, the status of the HSM (hardware security module) encoding, and the status of the UserIDResolver with configurable permissions.

    • New Feature: Improved User Filters

    Today's enterprise environments require a differentiated approach to user policy management. LinOTP 2.8.1 adds options for managing the configurations and policies based on user groups, user attributes, and regular expressions. This considerably simplifies detailed and complex permission scenarios in the setup.

    • New Feature: SMPPSMSProvider

    LinOTP now supports the SMPP protocol for submitting text messages to Short Message Service Centres (SMSC).

    • New Feature: Improved Features for Server Migration and Complex Setups

    Previous features for routing registration data to other authentication servers have been improved with options for generic routing. This means migration scenarios and complex setups with multiple LinOTP instances are easier to model and administer.

    In addition to these features, LinOTP 2.8.1 includes many further improvements and bug fixes in order to improve the user experience.

    Download

    LinOTP 2.8.1 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1 via the integrated update mechanism.

    The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1 and assist upgrading your environment to the latest release at support@lsexperts.de

    The LSE LinOTP team

    --
    LSE Leading Security Experts GmbH
    https://www.lsexperts.de
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@lsexperts.de
    Board of Directors: Nils Manegold, Oliver Michel, Arved Graf von Stackelberg, Sven Walther

    Changelog:

    LinOTP:

    Enhancements:

    • Server: Add monitoring controller
    • Server: Add support for encryption migration (HSM)
    • Server: Add 'forward to server' policy
    • Server: Extended user filter in policies
    • Server: Reduce number of userid authentication calls
    • Server: Enable less services in default configuration
    • WebUI: Update jQuery, jQuery UI and jed

    Bug fixes:

    • Selfservice: Fix access to userservice with UTF-8 characters
    • WebUI: IE11: Deliver requested language
    • WebUI: Support for IE11 logout and cookie deletion

    UserIdResolver:

    • SQL: Add support for ASP.NET hashes

    SMSProvider:

    • Add support for SMPP SMS Provider

    libpam-linotp:

    Enhancements:

    • Major code rewrite
    • Add support for custom CA certificates
    • Improve compatibility with multiple Linux distributions, freeBSD and OS X

    LSE LinOTP 2.8 released

    On Nov 27th we released LinOTP 2.8 to the repositories.

    LinOTP 2.8

    LSE Leading Security Experts GmbH is pleased to announce the availability of the following product release:

    LinOTP 2.8 contains full support for the FIDO U2F standard, along with additional new features, usability improvements and bug fixes.

    The list below provides details of the most important changes. The complete changelog is provided at the end of this article.

    Highlights:

    • New feature: FIDO U2F support
    LinOTP 2.8 now fully supports the FIDO Alliance U2F protocol. It is now possible to use user-friendly U2F tokens from various manufacturers to implement the second authentication factor. Because U2F relies on public key techniques, a single token can be used to access multiple authentication systems. In addition, it is possible to implement Bring Your Own Token (BYOT) scenarios.
    • New feature: User enrollment of FIDO U2F, email and SMS tokens via the self service portal
    In order to simplify the rollout process, it is now possible to allow users to use the self service portal to enroll new token types (FIDO U2F, email and SMS) in addition to those previously available. As with other token types, access to these new types is under the control of the LinOTP administrator via the policy system.
    • New feature: Temporary email and SMS token
    If a token is lost or stolen, it is now possible to define a temporary email or SMS token instead of a temporary password.
    • New feature: More than one challenge response token per user with identical token PIN
    The API in LinOTP 2.8 supports generation of more than one challenge for various tokens and token types. This now makes it possible to use different challenge response tokens with the same token PIN. It is also possible to use different challenge response token types with identical token PINs.
    • Improvements and bug fixes

    In addition to these features, LinOTP 2.8 includes many further improvements and bug fixes in order to improve the user experience.

    Download

    LinOTP 2.8 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8 via the integrated update mechanism.

    The LSE team would be pleased to answer any questions you may have about LinOTP 2.8 and assist upgrading your environment to the latest release at support@lsexperts.de

    The LSE LinOTP team

    --
    LSE Leading Security Experts GmbH
    https://www.lsexperts.de
    Robert-Koch-Straße 9, 64331 Weiterstadt
    Germany

    Sales Hotline: +49 6151 86086-277, Fax: -299
    Email: sales@lsexperts.de
    Board of Directors: Nils Manegold, Oliver Michel, Arved Graf von Stackelberg, Sven Walther

    Changelog:

    LinOTP:

    Enhancements:

    • Server: Add FIDO U2F support
    • Selfservice: Enroll FIDO U2F, e-mail and SMS tokens
    • Server: Losttoken: Support enrollment of e-mail and SMS tokens
    • Server: Trigger challenges for multiple challenge-response tokens with one request
    • Server: Support autoassignment policy without action value

    Bug fixes:

    • Selfservice: Fix getSerialByOtp functionality for yubikey tokens
    • Server: Fix importing yubikey tokens without prefix
    • Server: Fix autoassignment with remote token pointing at yubikey token
    • Server: Fix autoassignment using tokens with different OTP lengths
    • Server: Prevent counter increments of inactive tokens
    • Server: Don't return counter parameter on TOTP enrollment
    • Selfservice: Fix occasional login problems using non-ASCII characters
    • Server: Fix occasional problems sorting userlist with unicode characters
    • Server: Fix usage of otppin policy for remotetoken with local pincheck
    • Server: Don't return error messages on unconfigured autoenrollment
    • Server: Always set OTP length in remote token enrollment
    • Server: Don't return error messages for policy otppin=1 and unassigned tokens
    • Server: Reply to OCRA2 challenge providing only transactionid and OTP
    • WebUI: Don't show dialog asking for realm creation if no useridresolver is configured
    • WebUI: Fix WebUI for recent Internet Explorer versions
    • WebUI: Clear key and PIN input fields after token enrollment
    • Tools: linotp-create-pwidresolver-user: Fix duplicate and ignored command-line arguments
    • Tools: Correctly package linotp-enroll-smstoken tool
    • Tools: Use Digest instead of Basic Authentication in linotp-enroll-smstoken
    • Tools: Display an error message in linotp-enroll-smstoken when dependencies are missing
    • Tools: Fix linotp-sql-janitor crash when executed without --export option
    • Server: Fix for wildcard search with available unassigned tokens
    • Server: Fix LinOTP on pylons 0.9.7
    • Packaging: Remove nose dependency from linotp install process

    UserIdResolver:

    • Add support for Unicode passwords in PasswdIdResolver
    • Add LDAP proxy support
    • Support for LDAP cursoring during fetch of userlist
    • Add support for odbc_connect in SQLIdResolver

    SMSProvider:

    • Encode spaces in request params as '%20', not as '+'
    • Fix GET requests using the requests library
    • Add ability to convert the phone number to MSISDN format

    LSE LinOTP Hotfix / Security Advisory

    LSE Leading Security Experts GmbH recommends applying the hotfix described below in order to ensure secure operation of LinOTP. These steps are only necessary on installations which do not use automatic update mechanisms (see below under "LSE LinOTP Smart Virtual Appliance"). Users of automatic update mechanisms are not affected, as LinOTP will already have been updated.

    The hotfix closes a critical issue and prevents potential misuse.

    This issue can potentially allow an unauthorised user to submit input containing unwanted characters that is written to LinOTP's logs and database. At a later date, under certain conditions, this stored input could be rendered in the context of an administrator session, and malicious code could be executed as a result. The cause is unescaped output being passed to a widget used by LinOTP.

    A security advisory has been released for our product LinOTP containing further details. We would especially like to thank Tomas Rzepka for his valued input and assistance.

    As far as we are aware, there have not been any cases of this issue being exploited.

    We have provided the hotfix to our customers in various formats and versions. The fixed packages do not contain any changes apart from the hotfix itself. We recommend applying this update as soon as possible.

    Please use the instructions provided below to install the hotfix.

    In future versions of LinOTP (2.8 and above), we will make changes to reduce the potential risk of similar issues through use of the API.
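    The defect class described in this advisory, stored values later emitted unescaped into an administrator's browser, is illustrated below in an added example that is not LinOTP's own code. It models a server that reads audit rows back from its database and renders them for a WebUI widget: the vulnerable string-formatting pattern sits beside the hardened form that encodes each field for its output context, a JSON path for widgets fed from a script block, a check helper that flags output containing injected tags or handler attributes, and a log-line neutralizer for the control characters such input may carry. All function names and the sample rows are hypothetical and constructed for this example.

```python
"""Escaping stored audit values before they reach a browser-side widget.

Added example, not LinOTP's own code. It models the defect class in the
advisory above: strings an unauthenticated caller could get written to the
logs/database were later emitted into the admin WebUI without escaping.
All function names and the sample rows are hypothetical / constructed.
"""
import html
import json
import re

# Constructed sample audit rows, as a server might read them back from its
# database. Row 1 carries marker strings an output encoder must neutralize:
# a tag in a text context and a quote that would break out of an attribute.
SAMPLE_AUDIT_ROWS = [
    {"action": "validate/check", "user": "alice", "serial": "HOTP00001"},
    {"action": "validate/check",
     "user": "<script>probe()</script>",
     "serial": 'x" onmouseover="probe()'},
]

ROW_TEMPLATE = '<tr><td>{action}</td><td>{user}</td><td title="{serial}">{serial}</td></tr>'


def escape_html(value):
    """Encode a value for an HTML text node or a double-quoted attribute."""
    return html.escape(str(value), quote=True)


def render_row_unsafe(row):
    """Vulnerable pattern: raw database values formatted straight into markup."""
    return ROW_TEMPLATE.format(**row)


def render_row_safe(row):
    """Hardened form: every field is encoded for the context it lands in."""
    return ROW_TEMPLATE.format(**{k: escape_html(v) for k, v in row.items()})


def render_rows_for_js(rows):
    """Widgets fed from a JSON blob inside <script> need JSON encoding plus
    escaping of '&', '<' and '>' so '</script>' cannot end the block early."""
    blob = json.dumps(rows)
    return blob.replace("&", "\\u0026").replace("<", "\\u003c").replace(">", "\\u003e")


def decode_js_blob(blob):
    """The \\uXXXX escapes are plain JSON, so the browser sees the original values."""
    return json.loads(blob)


# Tags the template itself emits; anything else in rendered output is injected.
_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
# An event-handler attribute that survived with a real quote after '='.
_HANDLER_RE = re.compile(r"""\son[a-z]+\s*=\s*["']""")


def contains_raw_markup(fragment, allowed_tags=("tr", "td")):
    """Check helper: True if a rendered fragment contains a tag the template
    does not emit, or a live on*= handler attribute."""
    for m in _TAG_RE.finditer(fragment):
        if m.group(1).lower() not in allowed_tags:
            return True
    return bool(_HANDLER_RE.search(fragment))


def neutralize_log_value(value):
    """Make a value safe to place on one log line: CR/LF and other control
    characters are rendered visibly so a caller cannot forge extra entries."""
    out = []
    for ch in str(value):
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for row in SAMPLE_AUDIT_ROWS:
        print("unsafe:", render_row_unsafe(row))
        print("safe:  ", render_row_safe(row))
    print(render_rows_for_js(SAMPLE_AUDIT_ROWS))
```

    The check helper is the kind of assertion a template or view test can run over every rendered fragment; it does not replace encoding, it only proves that encoding happened. Escaping at output time is what protects the widget, because the same stored value may later be emitted into a text node, an attribute and a script block, and each context needs its own encoding.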

    Hotfix installation

    The following updated LinOTP versions are available:

    • 2.6.1.1 --> 2.6.1.2
    • 2.7.0.2 --> 2.7.0.3
    • 2.7.1.2 --> 2.7.1.3
    • 2.7.2.1 --> 2.7.2.2

    Systems prior to LinOTP 2.6 or which do not use packages should refer to the installation instructions. In this case the fix should be applied by manually copying a fixed version of the file in question.

    LSE LinOTP Smart Virtual Appliance

    Customers who use the LinOTP SVA with automatic updates enabled will automatically obtain the new package when updates are applied according to their system configuration.

    It is possible to start the update process from the command line by executing the command "appliance-update.sh".

    Please note: appliance-update.sh will download and apply all pending operating system updates. If your system has not been updated for some time, this may result in a lengthy download and installation process.


    LSE LinOTP 2.7.2 released

    On May 11th we released LinOTP 2.7.2 to the repositories.

    LSE LinOTP 2.7.2

    LSE Leading Security Experts GmbH is announcing the availability of the new release of LSE LinOTP (2.7.2).

    You will find the complete Changelogs and the most important changes in LinOTP 2.7.1 at the end of this newsletter. We hereby want to mention some highlights in 2.7.2.

    LinOTP 2.7.2

    LinOTP 2.7.2 includes some interesting new features as well as improvements in usability and bug fixes. This is only a selection, please refer to the full Changelog below.

    • New feature: Autoenrollment

      Users without an assigned token can trigger the creation and assignment of a new SMS or e-mail token by providing correct credentials (username and password) during login. This feature can be configured in a new policy (e.g. for certain users only) and relieves the administrator of enrolling and assigning these tokens manually.

      For more information please refer to the Autoenrollment Howto

    • New feature: New Self Service API

      The new Userservice API allows for the implementation of independently hosted self service portals and easier integration of self service tasks in existing customer portals.

    • New feature: mass enrollment of SMS token from the CLI
    • New packages: Ubuntu 14.04 "Trusty Tahr".
    • Improved input validation for SQL and LDAP resolver, and E-mail and SMS provider definitions.

    Download

    LinOTP 2.7.2 is available in our repositories on linotp.org and for customers running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated upgrade mechanisms.

    We are happy to answer your questions about this release: sales@lsexperts.de.

    Changelogs:

    LinOTP 2.7.2
    Enhancements:
    • Server: Autoenrollment - enroll an email or SMS token if user has no token and authentication with password was correct.
    • Server: Support 'now()' in LDAP search expressions
    • Selfservice: Split Selfservice into userservice controller and selfservice renderer to support remote selfservice interface
    • WebUI: SQL and LDAP resolver mapping validation (needs to be valid JSON)
    • WebUI: email and SMS provider definition validation (needs to be valid JSON)
    • Packaging: Support for Ubuntu 14.04 (with Apache 2.4)
    • Packaging/Server: Support for Pylons 1.0.1
    • Packaging: Internal package refactorization to unify structure and version number handling
    • Packaging: Apache linotp2 VirtualHost will no longer be overwritten during Debian package upgrade. VirtualHost example files are copied to the location where the LinOTP package is installed and only afterwards moved to /etc/apache2 (if they do not exist there already)
    • Packaging: Cleaned up and hardened Apache linotp2 VirtualHost files
    • Tools: Improved linotp-create-pwidresolver-user and linotp-create-sqlidresolver-user to generate more secure passwords
    • Tools: Added tool to mass enroll SMS token
    Bug fixes:
    • Server: Fixed support of old licenses, where the expiry is in the date entry
    • Server: Fixed error during token unassign (because of setPin call)
    • Server: Fixed searching for a user in multiple realms
    • Server: Fixed exact search for user in tokenlist
    • Server: Fixed sorting of userlist with unicode
    • Selfservice: Fixed selfservice history browsing

    LSE Smart Virtual Appliance 1.2 and LinOTP 2.7.1 released

    On January 15th we released LinOTP 2.7.1 to the repositories.

    LSE Smart Virtual Appliance 1.2 and LinOTP 2.7.1

    LSE Leading Security Experts GmbH is proud to announce the general availability (GA) of the following new product releases:
    (1) LSE LinOTP Smart Virtual Appliance 1.2
    (2) LSE LinOTP 2.7.1.

    LinOTP 2.7 is now also available to our customers running LSE LinOTP Smart Virtual Appliances.

    You will find the entire changelogs below. Here we want to mention some highlights:

    LinOTP 2.7.1

    LinOTP received many improvements in usability and workflow. This is only a selection of improvements; please also refer to the full Changelog below.

    • LinOTP 2.7.1 now fully supports the handling of LSE LinOTP support and subscription licenses.
    • The PIN dialog was integrated with the enrollment dialog and is conditional according to your policies (e.g. random pin).
    • Saving the Token Config is now also possible with only one part changed.
    • The mechanisms to translate LinOTP were improved and extended, especially in the LinOTP Selfservice.
    • The information boxes now stack to prevent an important message from being overwritten.
    • These messages can be acknowledged together.
    • The overall design was improved and made more consistent.
    • New and improved soft tokens like FreeOTP are better integrated, and the WebUI and LinOTP Selfservice were improved to better support the features offered by OATH soft tokens beyond the Google Authenticator.
    • The native handling of Yubikeys was improved by supporting resync and uppercase OTPs.
    • The Active Directory UserIDResolver was improved to use objectGUID as the default UIDType.
    • Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate) to improve security or management in complex HA setups.
    • The audit data can now be written to a log file before it is rotated.

    Highlights for customers upgrading from LinOTP EE 2.6.1.1:

    • Improved Oracle database support,
    • memory usage optimization,
    • improved database handling for the audit log,
    • extended CLI toolset.

    Preview

    We are already working on the next releases and want to give a small peek at what is coming.

    • Remote Self Service
    • SMS/E-Mail Token Auto-Enrollment

    LSE LinOTP Smart Virtual Appliance 1.2

    The LSE Smart Virtual Appliance (SVA) received big improvements in the installation process, usability and the backend.

    The Configuration Management was improved to make changes more visible and to improve usability. There is now a clear indication of changes that still need to be saved and activated: an info bar appears and the 'Configuration Management' tab is highlighted until the changes are saved and activated.

    The WebUI of the LSE LinOTP SVA is now fully translatable and available in German. The language is chosen based on your browser's language setting.

    The installation wizard saw substantial improvements. More settings are preset from the installed system and more of the input is checked for errors. The activation step of the wizard was completely rewritten and is now faster and more robust.

    There are many improvements in the WebUI which stem from customer input to improve the workflow of administration and management of the SVA.

    LinOTP 2.7.1 is available in our repositories on linotp.org and for customers running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated upgrade mechanisms.
    If you have any questions regarding the new releases, we are happy to answer and support your inquiries.

    Changelogs:

    LinOTP 2.7.1
    Enhancements:
    • Server: Added check for optional support and subscription license
    • WebUI: Show warnings when the support and subscription has expired or number of supported tokens has been exceeded
    • WebUI: Editing the token config in the WebUI will only save what has been edited
    • WebUI: PIN setting is now part of the 'enroll' dialog instead of being in a separate dialog
    • WebUI: Don't allow setting the token PIN in the token enrollment dialog when the 'random_pin' policy is set
    • WebUI/Server: Added translation of selfservice and policy messages
    • WebUI: Enabled JavaScript localization (jed based) for 'manage' and 'selfservice' UI
    • Server: Added Yubikey token support for uppercase OTP values
    • Server: Added support for Yubikey token resync
    • WebUI: Info and error boxes in the 'manage' UI now stack instead of overlaying (hiding the older ones). When displaying more than one box a 'Close all' link is shown
    • WebUI: Improve CSS styling for info and error boxes in 'manage' UI
    • WebUI: Adapted the 'selfservice' and 'auth' interfaces to the 'manage' UI style
    • WebUI: Improved display of currently selected user and token
    • WebUI: Restricted the selection to a single user
    • Server: Added system/getPolicy support for 'user' as filter criteria
    • Server: Added system/getPolicy support for 'action' as filter criteria
    • WebUI: Preset LDAPUserIdResolver AD with objectGUID instead of DN
    • WebUI: Rework the selfservice Google web provisioning to refer to FreeOTP and other soft tokens as well
    • Server: Include OTP length and hash algorithm used in the 'otpauth' URL generated when enrolling HOTP or TOTP tokens
    • WebUI: Display the generated seed in the enrollment tabs in a copyable form
    • WebUI: Extended the eToken DAT import to display start date support with hh:mm:ss
    • Server: Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate)
    • WebUI: Added 'clear' button to policy form
    • WebUI: Made policies 'active' by default
    • Server: Initialize repoze.who with a random secret during server start up or restart (old 'selfservice' sessions become invalidated)
    • Server/Tools: Added the ability to dump the audit data before deletion
    • Packaging: Removed obsolete SQLAlchemy <0.8.0b2 restriction
    • Server: Random generation: switched to more secure randrange and choice methods
    • WebUI: Updated jQuery to v1.11.1 and all plugins and JS libraries (Superfish, jQuery Cookie, jQuery Validation, ...) to their latest version
    • WebUI: Simplified selfservice tokenlist handling
    • WebUI: Added warning to auth forms when Javascript is disabled in the browser
    • WebUI: Improved auth form handling of JS errors
    • Server: Removed deprecated /auth/requestsms form because SMS can be requested using the regular /auth/index form (by doing challenge-response)
    Bug Fixes:
    • Packaging: Fixed ask_createdb debconf question that kept being asked on upgrade of the Debian packages
    • WebUI: Cleaned up selfservice mOTP Token enrollment
    • WebUI: Some fixes for localization and wrong validation of seed input field
    • Server: Fixed the search for ee-resolver tokens and user
    • Server: Raise exception for empty 'user' in 'system' or 'admin' policy
    • Server: Load the HSM before the LinOTP config, so that the config can hold decrypted values
    • Server: Fixed help_url to always use linotp.org site with version
    • Server: Added support for migrating old linotpee resolvers entries
    • Server: Fixed reinitialization of Yubikey token
    • Server: Yubikey checkOtp should not raise exception if the OTP is too short
    • Server: Fixed bug in Yubikey CSV import
    • Server: Fixed padding and unpadding code for PKCS11 module
    • Server: Fixed padding and unpadding code for YubiHSM module
    • Server: Added LinOTP config options 'pkcs11.accept_invalid_padding' and 'yubihsm.accept_invalid_padding'
    • Server: Fixed token import to support ocra2 token
    • WebUI: Fixed small display error when deleting or modifying multiple tokens in the 'manage' UI
    • WebUI: Fixed selfservice enroll of mOTP token
    • Server: Fixed token serial not appearing in the audit log in some cases

    LSE Smart Virtual Appliance 1.2

    • Added German translation of the WebUI. The language will be chosen based on your browser settings.
    • Improved 'Config changed' notification when the administrator makes changes in the WebUI
      • An info bar appears once at the top of the site
      • The 'Configuration Management' Tab is highlighted in orange until the changes are saved
    • LinOTP support and subscription licenses can be added and updated in the Appliance WebUI. When installing via the Wizard you are required to upload a license file.
    • The signature of the LinOTP license file is verified
    • When running the wizard the network settings are preset with the 'current settings' (e.g. as set by DHCP)
    • Added title bar to WebUI, containing links for 'About', 'Help' and 'Logout'
    • Browser session cookies become invalid when Apache2 is restarted (i.e. you have to login again)
    • If the Appliance is unconfigured redirect directly to the Wizard
    • Removed direct link to the Wizard in the dashboard, can explicitly be called by going to /wizard
    • Better arrangement of the tabs in the WebUI
    • Version information is displayed in the login screen
    • More information such as version of lseappliance and linotp packages as well as serial number and number of licensed tokens is displayed in the dashboard
    • Compatibility improvements for current Versions of Chrome (Chromium), Firefox and IE10+
    • In the Wizard you can skip the RADIUS client configuration if you do plan to only use the WebAPI
    • Upgraded jQuery to version 1.11.1, jQuery UI to version 1.11.0 and other jQuery Plugins to their newest version
    • Made HTML forms more fault tolerant (e.g. DNS server list verifies correct separators, netmask is verified, whitespace is stripped, verify RADIUS secret with second field ...)
    • Fixed setup_appliance.py so it generates functional initial settings
    • Fixed the Wizard finalization by better synchronizing the steps. This tries to prevent the Appliance being left in a semi-configured state
    • Fixed dhclient still running even after setting static IP settings
    • Fixed security critical information written to log files
    • Use POST requests throughout the application to prevent Apache logging critical information
    • Fixed log file ownership/permissions
    • Changes in other settings no longer re-generate the freeradius settings
    • Force the unconfigured Appliance to always generate a new MySQL password to prevent a semi-configured state.
    • Added dependency for freeradius-ldap
    • Updated dependency for LinOTP to >= 2.7.1 since older versions don't implement the new licensing mechanism
    • Ensure the squeeze-lts repository is present in sources.list, adding it if it is missing
    • In Wizard: Allow moving between already filled out tabs, even if last tab fails to validate
    • Fixed restoration of saved Appliance configurations
    • Increased cookie timeout


    LinOTP by LSE is now available with all features as Open Source

    Press Release

    Benowa, Queensland, Australia/ Weiterstadt, Germany 2014-05-21

    LSE LinOTP - a vendor-independent product for two-factor authentication and one-time password methods (OTP) - will be made available by LSE, Leading Security Experts GmbH, as an open source solution with all current features included.

    At the annual AusCERT Information Security Conference in Australia, and in conjunction with a Red Hat tutorial about the internal deployment of LSE LinOTP Enterprise Edition, LSE Leading Security Experts GmbH (LSE) [http://www.lsexperts.de], a member of the MAX21 Group (MAX21 Management- und Beteiligungen AG) [MA1, http://www.max21.de], will announce the expansion of its open source strategy.

    The currently-separate community edition [http://www.linotp.org] and commercially-marketed enterprise edition [http://www.lsexperts.de] will be merged. LSE will provide LinOTP free of charge as an open source software solution licensed under the AGPLv3 and GPLv2. The complete feature set will be available for download when LinOTP 2.7 is released in the second half of May 2014.

    Quoting Sven Walther, CEO and CTO of LSE Leading Security Experts GmbH, "With this step we open the source of a professionally-maintained and scalable product for enterprise-grade sign-in security. Through such licensing and marketing, we expect LinOTP to advance the distribution to the most frequently installed sign-in security solution for two-factor authentication and OTP methods worldwide. We see a global demand for LinOTP. The solution is highly flexible and scalable. LinOTP appeals to a wide range of users and is suited for nearly every enterprise - be it TAN generation for online banking, high-availability deployment in enterprise environments with many dependent users, or secure one-time password sign-in at smaller companies, to name just a few popular use cases."

    LSE Leading Security Experts GmbH will complement the LinOTP software solution with matching LinOTP support and subscription services as well as professional service offerings. These will include extended levels of quality assurance for updates and patches, the availability of LSE LinOTP Smart Virtual Appliance as a fully-integrated turn-key solution, prioritized hotfixes by our development team, and advisory services on top of the usual standard support and consulting services.

    With this recent open source offering, customers now have the option to pick the solution that best suits their usage scenario. This encompasses both deployments that are fully-featured yet completely free-of-charge, as well as business-critical deployments with all their requirements on support and quality-assurance processes, including a firm commitment by LSE to the continuous development of its solution. To enable this, LSE will further expand its technical and human resources in this area.

    About LSE Leading Security Experts GmbH

    LSE Leading Security Experts GmbH is the leading vendor of secure connection technologies centered around vendor-independent logon security and identity management, and specialises in information and IT security for companies. LSE's core competences include the development of security products as well as consulting services on logon security, vulnerability analysis and penetration testing, encryption technology, storage and virtualization security, and IT risk management.

    LSE belongs to the MAX21 Group.

    For further information please refer to: http://www.lsexperts.de

    Press Contact:

    LSE Leading Security Experts GmbH
    Sven Walther
    Postfach 10 01 21
    64201 Darmstadt
    Germany
    Telephone: +49 6151 86086-0
    Fax: +49 6151 86086-299
    E-Mail: presse@lsexperts.de
    Web: http://www.lsexperts.de

    Red Hat is the trademark of Red Hat, Inc., registered in the U.S. and other countries.
