Changelogs LinOTP

Warning:

Before updating, please assure, that you have a backup of your encryption key and the database. Having a backup of your linotp.cfg / linotp.ini file is also recommended.

If you want to upgrade from LinOTP 2.12 to LinOTP 3, please refer to to the LinOTP 3 migration guide.

LinOTP 3.2.6

Fixes

  • Show serial and token type in audit log in case of an error; e.g. if a token exceeded its failcounter

LinOTP 3.2.5

Release 3.2.5 patches a session handling vulnerability in the Self Service API. This patch is necessary for all versions newer than LinOTP 3.0. See https://linotp.org/security-update-linotp3-selfservice.html for more details.

Fixes

  • Ensure that userservice login results in exactly one session cookie per response.
  • Avoid a race condition in userservice request method setup which could lead to a user being erroneously authenticated as a different user.

Features

  • Use entirely random values for userservice session cookies.

Packaging

  • Debian postinst now correctly restarts the LinOTP service again to ensure running the latest version without the need for manual intervention.

LinOTP 3.2.4

Features

  • when using the forward token and a challenge is triggered, the response detail contains information about the target token
  • forward tokens do not count for license
  • the forward token now supports the offline capability of the qr token

Fixes

  • forward token supports forwarding to a qr and push token

LinOTP 3.2.3

Fixes

  • ensure all types of token will be migrated
  • ensure that dbconfig-common triggers the linotp database migration
  • Customisation of /manage and /selfservice-legacy was broken due to url path changes with LinOTP 3

LinOTP 3.2.2

Fixes

  • Challenge database is reset once to ensure that Backups pre LinOTP 3 correctly restore existing challenge-response tokens.
  • Migrate encypted data 'password' with legacy proprietary padding (LinOTP 2.9)
  • Fix migration of yubico token to LinOTP 3.2

LinOTP 3.2.1

Fixes

  • Audit key verification errors solved by using newer version of pycryptodomex.
  • Remove weak file permissions in config dir.
  • Solved migration of QR-tokens which broke backup-restore from SVA-2.12.5 to SVA-3.0
  • Database re-encoding during database migration now also migrates managed users that were previously not correctly migrated.
  • Debian postinst trying to add admin users via htdigest. This is no longer supported and therefore removed. Use the linotp CLI manually instead.
  • Ensure that inactive policies are not evaluated. Previously, inactive policies were being evaluated in certain situations, leading to wrongly attributed permissions to logged-in administrators.

LinOTP 3.2

Enhancements

  • Added grace to license volume exceeding and display accordingly a message in the the web ui.
  • Added extended information in HOTP/TOTP CSV import UI.
  • The CLI now uses a common time format for all backup filenames. The format is configurable via config BACKUP_FILE_TIME_FORMAT.
  • CLI command linotp audit cleanup now writes a backup file of the deleted audit entries by default. Export dir defaults to the LinOTP backup dir. Exporting can be disabled with a new flag --no-export.
  • Added the configuration option for the HttpSmsProvider to define the server certificate verification option.
  • Added a jwt based admin authentication into LinOTP, so that configuring apache to protect admin access to linotp is not needed any more. Linotp therefore uses a special realm, the admin realm, which contains the resolvers that are allowed to adminstrate LinOTP. For bootstraping, an internal reserved managed resolver is used for which users could be added via the linotp command line tool (s. README.md). The Manage-ui and the corresponding interfaces have been extended to indicate if a realm or resolver is used for administration.
  • Prevent overwriting of the local admin resolver via the user import.
  • New linotp admin cli command to set support license, get support info and verify the current support status.
  • Endpoint delRealm does not cause Error if no realm argument is passed
  • Added configuration settings JWT_SECRET_KEY, JWT_SECRET_SALT, and JWT_SECRET_ITERATIONS. The latter two control the PBKDF2 function that is applied to the default secret (the first key from SECRET_FILE) if JWT_SECRET_KEY is not given or is empty. Refer to linotp config explain for details.
  • Email challenge can have a custom message for the user which can be set in the config by the EMAIL_CHALLENGE_PROMPT entry.
  • Extended sms provider logging
  • Added TIMEOUT parameter for all networking providers
  • SMS blocking time is now configurable in the SMS token configuration dialog. The blocking time (in seconds) is the period that needs to pass before another challenge can be triggered by the same user.
  • Admin policies now support resolver defintion for admin users
  • A new API endpoint /manage/context provides context information for logged in Manage-UI users.
  • Reimplement additional getToken safeguard by defining the settings DISABLE_CONTROLLERS and ENABLE_CONTROLLERS - by default the DISABLE_CONTROLLERS contains the 'gettoken' controller.

Breaking Changes

  • The helpdesk controller has been removed.
  • Apache-based admin authentication is no longer supported.
  • Audit Trail export is now ordered descending (latest logs first) when done from the Manage-UI.
  • Admin authentication: 'Cross site scripting request forgery (CSRF)' is no longer handled via the session request parameter. Instead, a CSRF-protection token, which is available via cookies, must be sent in the request header. Non-modifying requests can be requested via 'GET' and do not need to send the CSRF token. The session parameter that was used before should be omitted. API endpoints restricted to accept only via 'POST' must use the new header. See the Migration guide for further details.
  • Some API endpoints are now restricted to the specific HTTP method which they can be used with. Endpoints requiring an admin authentication are now restricted to the POST method if they are modifying data. The allowed HTTP methods are highlighted in the API documentation.
  • Logging has more configurations now whose config variables are starting by LOG like LOG_FOO. Different formatting or log level can be set for the LOG_FILE or the LOG_CONSOLE. Some of the older config variables for logging are renamed for consistency.

Deprecations

  • In the future, all API endpoints will only allow certain HTTP methods. Data-modifying endpoints - that are not restricted yet- will only allow POST requests in the future, and read-only endpoints will only allow GET requests. The now deprecated HTTP methods are also highlighted in the API documentation.

Bug Fixes:

  • License limits are now enforced during userservice token enrollment.
  • Prevent creating or importing OATH (HOTP, TOTP, Ocra2) tokens with malformatted seeds.
  • License monitoring shows license usage for user-based licenses.
  • User-based license reporting now filters for date and realm correctly and supports wildcards in realm and status.
  • In a Debian environment with a MySQL database, it is not anymore required to set the charset=utf8 parameter as otherwise, resolvers would not correctly display imported users if they contain utf-8 characters. Using flask- mysqlalchemy connection solved this problem.
  • License exception messages are improved and in case of the user service the message suggests asking the system administrator.
  • Comprehensive message after importing tokens.
  • Adjusted functional_special tests to become regular tests.
  • Porting issue for radius token with forwarding transactions.
  • Reply to sms challenge with pin+otp.
  • User import now always deletes users in the correct managed resolver.
  • The linotp support cmd can now install demo licenses.
  • The linotp cli commands would not break anymore if localization is involved.
  • Resolver names are now always treated case-sensitive.
  • setConfig is now called from the UI only once to save all parameters in one api call.
  • Audit key verification errors solved by using newer version of pycryptodomex.

Dependencies:

  • Update jQuery and jQuery-Migrate

Packaging

  • The linotp package now Suggests: python3-smpplib.

LinOTP 3.1

Enhancements

  • ManageUI policy editor utilizes full window width for improved layout.
  • Inform the admin via audit log if there is a challenge integrity error.
  • Userservice allows enrollment of HOTP tokens with the webprovisionGOOGLE policy.
  • Userservice allows enrollment of TOTP tokens with the webprovisionGOOGLEtime policy.
  • RestSMSProvider allows access to nested JSON request data structure items by path.
  • Use database config value to enable get_otp feature
  • Simplify the HMAC acountname and tokenissuer fallback rules for a more predictable behavior in the google authenticator url.
  • Token monitoring now better sanitizes the status parameter
  • Improved Manage-UI error message if something fails in the initial config load phase.
  • sqlite can be used as audit database - the response of audit/search now skips streaming the response data for sqlite audit databases.
  • The server now checks whether the audit table exists or not on start.

Breaking changes

  • No longer support AUDIT_POOL_RECYCLE configuration setting.
  • Sqlite audit databases can no longer share the same file with LinOTP. If configured to share the same file, LinOTP will add a suffix to the audit database file name.
  • Audit database timestamp is now ISO 8601 formatted. The timestamp is saved in UTC timezone instead of server local time.

Bug Fixes

  • mOTP tokens can now be used in challenge response mode
  • Adjust yubico token config text to make it clear that a dedicated API key from yubico is required.
  • An error message is now shown in the Manage UI if a token import fails
  • API /admin/testconnection accepts only the name of an existing resolver as parameter. Other parameters are ignored. This fixes the ability to submit unauthorized ldap connection requests.
  • Manage-UI no longer hangs on failed resolver save requests.
  • Token monitoring now correctly counts tokens that are assigned to multiple realms only once in mysql and sqlite databases.
  • Dynamic user data (e.g. e-mail addresses and phone numbers) are always refreshed during resolver lookups triggered by the authentication workflow. The policies sms_dynamic_mobile_number, dynamic_email_address, and voice_dynamic_mobile_number therefore directly reflect external user data changes.
  • Legacy Selfservice now correctly recognizes type=yubikey tokens in MFA login.
  • Manage-UI no longer gets stuck in the interface initializtaion if the logged in user is missing required system permissions. Now, it is guaranteed that a logout is always possible.
  • support the assignment of multiple tokens within one request to prevent race conditions for example with token_count policies
  • getotp view is now working with python3
  • Token validity period (stored in UTC) is now compared against current time in UTC instead of the server's timezone.
  • Log username, realm, serial and token type in audit table when performing a validate/check_status request.
  • Fix padding of crypted data by migrating to pkcs7 padding via the linotp init database command.
  • Validate no longer wrongly references autoenrollment for users that do not own any tokens as the error message.

LinOTP 3.0

Enhancements

  • LinOTP is ported from Python 2.7 to Python 3.6.
  • LinOTP is ported from Pylons to Flask.
  • Managed resolvers (Internally stored users) now use the LinOTP database connection session to work with replicated databases and after db restores on different database connection parameters.
  • New Token Selfservice user interface is installed as a recommended dependency for "/selfservice". The existing SelfService is deprecated but still available under /selfservice-legacy.
  • New config value SITE_ROOT_REDIRECT allows to customize the redirect path if the user requests the site root path ("/"). If not set, the browser is redirected to the legacy selfservice. The new Selfservice will pick priority over the deprecated Selfservice if installed.
  • Support reencoding of LinOTP 2 databases from ISO 8859-1 (Latin1) to UTF-8 via the LinOTP CLI. Latin1 used to be the default for Python 2 against mysql but is no longer valid for Python 3.
  • Selfservice supports testing tokens after enrollment via the policy verify. This feature only works in the new Selfservice.
  • Selfservice improved handling of expired sessions.
  • A new 'linotp' CLI installed on the path provides:
    • admin - administrative commands to manage the linotp application server.
    • audit - administrative commands to manage the audit log.
    • backup - manage database backups.
    • config - configuration file diagnostics.
    • dbsnapshot - Manage system-independent database 'snapshots'.
    • init - key generation and database initialisation/migration.
    • ldap-test - extensive testing of LDAP backends.
    • routes - show the available URL endpoints of LinOTP.
    • run - run a development server.
    • shell - run a shell in the app context.
  • Settings can now be configured using environment variables LINOTP_<SETTING_NAME>.
  • Improved config file handling via LINOTP_CFG environment variable:
    • LINOTP_CFG env allows to set a custom search path for config files.
    • /usr/share/linotp/linotp.cfg contains distribution default settings.
    • Support for wildcard paths.
    • By default, /etc/linotp/linotp.cfg and /etc/linotp/conf.d/*.cfg are configured for adminsistrator configuration overrides.
    • LINOTP_CFG env treats directory /foo like /foo/*.cfg.
    • Read config file list from file if LINOTP_CFG doesn't exist.
  • Support for SoftHSMv2.
  • Migration of standalone scripts to linotp CLI subcommands:
    • linotp-backup is now available as linotp backup create.
    • linotp-restore is now available as linotp backup restore.
    • linotp-create-enckey is now available as linotp init enc-key.
  • Improved path settings. See DEVELOP.md on how the new options ROOT_DIR, CACHE_DIR, DATA_DIR, and LOGFILE_DIR are used and how they are configured by default.
  • Improved error code separation to differentiate between different problems preventing token enrollment.
  • The /userservice/enroll API now honors default values for hotp and totp tokens defined by the folowing selfservice policies:
    • hmac_otplen, totp_otplen: for the number of digits of an OTP.
    • hmac_hashlib, totp_hashlib: the HMAC hashing algorithm used.
    • totp_timestep: the time stepping for totp tokens.
  • Customization of Selfservice information fields via policies:
    • footer_text: Can be used to display e.g. copyright notices.
    • imprint_url: URL to an imprint/ legal notice page.
    • privacy_notice: URL to a privacy notice page.

Removed and no longer supported

  • Support for Debian versions before Buster.
  • Apache 2.2 configuration.
  • linotp.ini configuration file format.
  • non-systemd init script.
  • OCRA token.
  • Vasco token.
  • OSIAM SCIM UserIdResolver.
  • The following tools scripts are no longer part of LinOTP:
    • linotp-auth-radius
    • linotp-convert-gemalto
    • linotp-convert-token
    • linotp-convert-xml-to-CSV
    • linotp-create-ad-users
    • linotp-create-auditkeys
    • linotp-create-certificate
    • linotp-create-database
    • linotp-create-pwidresolver-user
    • linotp-create-sqlidresolver-user
    • linotp-decrypt-otpkey
    • linotp-enroll-smstoken
    • linotp-fix-access-rights
    • linotp-pip-update
    • linotp-qrtoken-shell.py
    • linotp-setpins
    • linotp-sql-janitor
    • linotp-token-usage
    • linotp-tokens-used
    • testRadiusChallResponse.sh
    • totp-token

Breaking changes

  • Translations fr, it, es, and zh are removed because of their bad state.
  • LinOTP no longer accepts custom LDAP trusted certificates in the UserIDREsolver interface. Instead, it now fully relies on the system trusted certificates.
  • LDAP resolver connections to "ldap://" URLs with encryption switched off no longer attempt "stealth" encryption behind the user's back with an optional fallback to a plain connection. Instead, the encryption state can be explicitly controlled. (In the UI, the LDAP resolver dialog now defaults to "use STARTTLS" when an "ldap://" URL is specified, but if the user deselects this then TLS will not be used at all.)
  • LinOTP 3.0 removes all existing audit log entries during automatic database migrations because signatures from old audit log entries - written in LinOTP 2.x (using Python 2) - can not be validated with python 3.
  • Replace unmaintained mysql driver with mysqlclient driver.
  • LinOTP no longer works with ISO 8859-1 (Latin1) encoded databases. LinOTP provides a migration path if it detects a database that might require reencoding.
  • LinOTP no longer initilizes all required data automatically on startup to increase server speed. Instead, the server now only performs a simple database check at startup; the linotp init database command must be run manually if the database check fails. The postinst script will still initialize the database though.

Bug Fixes

  • /gettoken/getotp now works on tokens that are not in a realm.
  • LinOTP legacy Selfservice authorization is now correctly responding with an "unauthorized" http response instead of an internal server error.
  • After enrollment, Push- and QR-Token enrollment status will stay completed even when these tokens are disabled.
  • CSV user import now works correctly with files using quote escaping.
  • Ensure consistent policy behaviour in all scopes:
    • Specific policies override wildcard policies. This ensures that actions can be restricted for a subset of users.
    • Fix quoting of actions such as sms_text="Hello, your otp='<otp>'".
    • All actions are matched for a given user if some of the actions are less explicitly defined regarding user and realm fields.
  • User based license evaluation now correctly only counts distinct users.
  • Translate maxtoken errors correctly.
  • Changing the TOTP time step for an existing token now adjusts the otp counter to allow the token to keep working. The otp counter is used to prevent replay attacks.
  • Unintentional inclusion of file config values in Config database is removed to not have security critical information API accessible.

Packaging

  • Include README.md in packaging artifacts.
  • Ensure configuration files and generated directories are owned by the linotp service user.
  • Support added to set up linotp with postgres in postinst through migration to dbconfig-common for database setup.
  • Downgrade mysql dependency to Recommends. The system administrator should install the package for their database or allow apt to install recommended packages.

LinOTP 2.12.5

Dependencies:

  • Server: Debian buster, update jQuery and jQuery-Migrate

LinOTP 2.12.4

Bug Fixes:

  • Include Readme.rst in packaging artifacts
  • Tool to import users now enforces system write permission, which is required because resolvers are created or updated
  • Import User dialog layout fix
  • Improve help text output of linotp-create-htdigest script
  • No longer deploy obsolete who.ini config file
  • Forward tokens support multiple challenges
  • HMAC enrollment QR-code correctly URL-encodes tokenissuer

LinOTP 2.12.3

Enhancements:

  • Server: Add API /reporting/period to query reporting for a period in a Range between 'from' and 'to', where the 'from' date is included in the range and the 'to' date is not included. If a range defined and the 'to' date is not included. The API will search for the last repoting entry before the period if no entry for the given period is found.

LinOTP 2.12.2

Enhancements:

  • Make rollout token behavior consistent when also used for general validation.

LinOTP 2.12.1

Bug Fixes:

  • Policies: Consistent evaluation of policies is ensured in the "enrollment" scope. Evaluation is adjusted to match all actions for a given user if some of the actions are less explicitly defined regarding user and realm fields
  • Selfservice: MFA login with Push Token and QR Token is correctly processed
  • Incorrect max token count evaluation is fixed if a different, more specific (not user:'*') policy with other actions is defined.

Documentation:

  • Update Readme.rst with latest installation instructions for PIP

LinOTP 2.12

Enhancements:

  • Server and UI: Add three new columns to the token table, they can be viewed under the admin/show endpoint, and in the Manage UI under TokenInfo. The system settings dialog in the Manage UI provides an option to enable and configure their visualisation
    • LinOtpCreationDate - contains the date of creation of the token
    • LinOtpLastAuthSuccess - last successful login with this token
    • LinOtpLastAuthMatch - last use of the token with several tokens and otppin is not PIN or the tokens have identical PIN
  • Server: Expired or wrong cookies in userservice requests will return a HTTP 401 (session abort) error
  • UI: Browser tab icons match the current LinOTP logo
  • UI: Browser tab titles start with the name of the web application, to make it easier to distinguish between Manage and Selfservice UI in small tabs
  • UI: Challenge validity time for SMS and email tokens can now be set via the Manage UI

Bug Fixes:

  • Server: Failed userservice 2nd factor logins increase the fail counter of the respective token
  • Server: Replication setups on the SVA no longer fail due to faulty userservice cookie handling

LinOTP 2.11.2

Enhancements:

  • Server: email token accept a new challenge as soon as the previous challenge is correctly answered
  • Server: Update LinOTP Apache configuration to include additional configuration supplied by a related package such as the Selfservice

Bug Fixes:

  • Server: respect maxtoken policy when creating new token in selfservice frontend
  • Server: in Selfservice cookie expiration date now reflects timezone
  • Server: IE11 Browser rendering fixed, where content height was not respected before

LinOTP 2.11.1

Enhancements:

  • Server: add support for autoenrollment enrollment notification

LinOTP 2.11

Enhancements:

  • Server: add api endpoint for helpdesk support
  • Server: support for dynamic email address for email token submission

LinOTP 2.10.7.2

Bug Fixes:

  • Server: /manage - search for tokens with /:no user info:/

LinOTP 2.10.7.1

Bug Fixes:

  • Server: yubikey token import for otp length 8
  • Server: get otp calculation by using utc as base

LinOTP 2.10.7

Enhancements:

  • Server: Support for Atlassian’s PBKDF2-based passwords in sqlresolver
  • Server: Support for BCrypt based passwords in sqlresolver

Bug Fixes:

  • Server: Fix php password support in sqlresolver

LinOTP 2.10.6.1

Bug Fixes:

  • Server: Double failcounter increment fixed
  • Server: Add the last access info also for tokens which failed to verify

LinOTP 2.10.6

Enhancements:

  • Server: Emailprovider supports now ssl/tls and start_tls

LinOTP 2.10.5.3

Bug Fixes:

  • Server: Hotfix for the autoresync vulnerability

LinOTP 2.10.5.2

Bug Fixes:

  • Server: Preserve leading zeros of QR Token offline TAN

LinOTP 2.10.5.1

Enhancements:

  • Server: Prevent dirty cache if resolver is not available
  • Server: Resolver and realm cache is wiped when the cache is switched off

LinOTP 2.10.3.1

Bug Fixes:

  • Server: Using the rollout token outside of the selfservice scope should not increment the failcounter

LinOTP 2.10.3

Enhancements:

  • Server: Public release of rollout token

LinOTP 2.10.2

Enhancements:

  • Server: Support for rollout token declaration, so that a token can only be used for the selfservice login - the token will have the default description 'rollout token'. According to the declared policy, the rollout tokens will automatically be removed after the first authentication with a different token, which will be annotated in the audit log.

Bug Fixes:

  • Server: Fix the sqlalchemy warnings about unicode conversion
  • Server: Fix for missing translation function pointer in exception
  • Server: Fix for passwd files with empty lines

LinOTP 2.10.1.4

Bug Fixes:

  • Server: Fix a problem regarding the ldap connection- and response timeouts

LinOTP 2.10.1.3

Bug Fixes:

  • Server: Support database migration from any previous version
  • Server: fix for Yubico verification URL to be configurable, by default use the new https:// verification URLs and support connection fallback and blocking

LinOTP 2.10.1.2

Enhancements:

  • Server: Make the Push Token enrollment more robust in case that the challenge service callback would fail
  • Server: Support large challenges

Bug Fixes:

  • Server: Show serial and token type in audit log for Push Token enrollment
  • Server: Several fixes for the initial config handling

LinOTP 2.10.1.1

Bug Fixes:

  • Server: validate/check_status query with user parameter now returns token serial
  • Server: Use userid instead of user name to identify open challenges. This mitigates the usage of capitals in user names with Active Directory as UserIdResolver backend.

LinOTP 2.10.1

Enhancements:

  • Server: LDAPUserIdResolver failover: stay with working LDAP-Servers for an incrementing time before retrying the first server
  • Server: Add charset/collate clauses to database generation commands: ensures compatibility with recent versions of MariaDB
  • Server: New policy 'forward_on_no_token' to forward request to server if user has no token
  • Server: Allow configuration of the challenge prompt via system/setConfig?SMS_CHALLENGE_PROMPT=MESSAGE
  • Server: New policy 'enforce_smstext' to ignore request param data
  • Server: Support to configure HTTP headers in Rest SMS Provider
  • API: Show token enrollment status in userservice/usertokenlist
  • API: Support check_status without user parameter
  • Web UI: Add hint about timezones to manage tokeninfo
  • Web UI: Update visuals for manage tokeninfo
  • Selfservice Portal: Support optional landing page for selfservice portal
  • Selfservice Portal: Show token details in selfservice portal

Bug Fixes:

  • Server: Fix LDAPUserIdResolver failover
  • Server: Search token list with userPrincipalName
  • Server: Fix RADIUS Forward Token
  • Server: String 'ignore_pin' instead of '3' is now correctly processed for 'otppin' policy action
  • Server: LinOTP server now handles forward proxy definition correctly
  • Server: Fix storing of timeout tuples within the DefaultPushProvider
  • Server: Fix backend for setExpiration UI dialog which failed in some cases
  • Server: Provide error message if the setup of a license fails
  • Server: Set default time zone to make time-based tokens work in all setups
  • Server: Support for SQLUserIdResolvers where the user id is defined as int. This fixes actions in the selfservice portal.
  • Web UI: Default for splitAtSign is now correctly displayed in the UI

LinOTP 2.10.0.6

Bug Fixes:

  • Fix handling of multiple active challenges for KeyIdentity Push Token
  • Policy: Correction of an index error when evaluating the wildcard value list

LinOTP 2.10.0.5

Enhancements:

  • Add redundant challenge service configuration
  • Add new SMS Provider which supports HTTP REST interface

LinOTP 2.10.0.4

Bug Fixes:

  • Use utc time as base for cookie expiration

LinOTP 2.10.0.3

Enhancements:

Bug fixes:

  • Fix /auth/pushtoken test page

LinOTP 2.10.0.2

Bug Fixes:

  • Tools: Fix exception in linotp-token-usage/tokens-used

LinOTP 2.10.0.1

Bug Fixes:

  • Server: Restrict the userservice/context API

LinOTP 2.10

Token changes:

  • Introduce new token: Voice Token
  • Enhance Push Token (incompatible with previous Push Token version)

Server changes:

  • Adjust default TransactionId length to 17
  • Implement explicit-deny for pushtoken
  • Add token type specific enrollment limits
  • Support loading provider via configuartion in linotp.ini
  • Enable new policy engine by default
  • Moved tokens to new location in src tree
  • Support shorter lost token duration (days, hours, and minutes added)
  • Autoassign a token if a request arrives with only username (without password)
  • Document the otppin policy 3=ignore_pin in the policy UI
  • Removed IE compatibility mode from templates
  • Take the already stored mobile number of a token owner (available from UserIdResolver) if it exists, otherwise take the number stored in the token info
  • Autoassignment without password
  • OATH csv import with sha256 + sha512

Web UI changes:

  • Add Auth Demo pages for challenge-response and push token
    • /auth/challenge-response
    • /auth/pushtoken
  • Add expiration dialog for tokens
  • Refactor dialog button icon generation
  • Performance improvement by removing mouseover effects on Manage-UI
  • Extract custom form validators into seperate files
  • Removed IE compatibility mode from templates
  • Update favicon to follow company rename
  • Add UI in manage and selfservice for "static password" token
  • Improved Selfservice login with MFA support

Other changes:

  • SMSProvider: Moved the SMSProviders to become part of linotp
  • UserIdresolver: Moved UserIdresolvers into linotp package

Bug Fixes:

  • Server: Fix evaluation of forward policy to match most specific user definition
  • Server: Fix password comparison of password token
  • Server: Adjust location of token makos for translation
  • Server: Fix typo in getUserFromRequest in case of basic auth
  • Server: Fix missing 'serial' for audit and policy check in selfservice.enroll
  • Server: Fix for loading active token modules
  • Server: On LDAP test connection always close dialog
  • Server: Fix encoding error that prevented Token View from being displayed in the web interface.
  • Server: Fix challenge validation to check only one request at a time. Prevent (positive) double authentication with the same transaction ID and OTP. This used to happen when a user submitted the OTP for a transaction ID more than once within a very short timeframe
  • Server: Fix for missing LDAP uft-8 conversion
  • Server: Fix default hash algorithm. This was causing issues in the YubiKey import
  • Server: Fix wrong audit log entries where "failcounter exceeded" was incorrectly being replaced with "no token found"
  • Server: Fix QRToken to use the tan length defined at enrollment
  • Server: Fix password and lost token password comparison
  • Server: Fix to show deactivated policies in Manage UI again.
  • Server: Fix for better user/owner comparison
  • Server: Fix to show inactive policies
  • Server: Fix import of policies with empty realm
  • Server: Verify that only active policies are used
  • Server: Fix for policy export to export inactive too
  • Server: Fix for target realm handling on token import
  • Server: Fix select only active policies for admin policies
  • Server: Fix getResolverClassName
  • Web UI: Fix UI crash check if backend response is array in ldap testconnection
  • Selfservice: Fix QR token enrollment and activation

LinOTP 2.9.3.4

Bug Fixes:

  • Server: Fix encoding error that prevented Token View from being displayed in the web interface
  • Server: Fix Hashlib heuristic on token import (support sha265 when key length is 64 hex chars)

LinOTP 2.9.3.3

Bug Fixes:

  • Server: Fix HMAC-based tokens:
    • prevent (positive) double authentication with the same OTP. This used to happen when you submitted the OTP more than once within a very short timeframe.

LinOTP 2.9.3.2

Bug Fixes:

  • Server: Fix YubiKey import, Authentication error corrected after import and assign
  • Server: Give realm parameter priority over @user@realm if not @split@sign

LinOTP 2.9.3.1

Enhancements:

  • Server: Accept DB2 format database urls

Bug Fixes:

  • Policy: Fix support for filtering on <UserIdResolver>: in user field
  • Web UI: Simplify user import dialog by removing realm section
  • Server: Fix OTP counter for email token
  • Server: Remove user related data from logs:
    • Password hash from SQL resolver
    • User information from user.py

LinOTP 2.9.3

Enhancements:

  • Server: Add support for QR Token unpairing via API
  • Server: Support for deleting / disabling token if usage exceeded
  • Server: Logging enhancements including unique request IDs and timestamps
  • Server: Logging message cleanup to remove unecessary messages
  • Server: Support Ocra token with current LinOTP
  • Server: Prefer HTTP_X_FORWARDED_HOST to HTTP_HOST for logout_url
  • Server: Use HTTP_AUTHORIZATION to determine login name for Basic auth
  • Server: Support rfc7239 HTTP_X_FORWARDED_FOR to determine client IP
  • Server: Add token issuer to 'otpauth' URLs
  • Server: Add FIPS security provider to comply with some operations
  • Server: Add experimental new policy engine implementation (off by default)
  • Server: Refactor lib.user
    • changed isEmpty into a property
    • removed methods getRealm, getUser
    • getUserFromParam signature
  • Server: Refactor resolvers
    • setResolver and testresolver
    • configuration handling
  • Server: Email provider added support for SMTP port configuration
  • Server: Add support for read only (managed) provider configurations

  • Web UI: Version static resources to bust browser caching
  • Web UI: Add support for importing users via flat CSV file
  • Web UI: Add limited support for setting the admin password via the UI
  • Web UI: Improvements to LDAP edit dialog

  • API: Support dynamic logging via new maintainence controller
  • API: Add server healthcheck: maintainence/ok
  • API: Support filtering by token type using token_type parameter

  • Tools: Add CI Jenkins build pipeline
  • Tools: Add central makefile with targets for Docker, packages, tests
  • Tools: Add Docker image build infrastructure

  • Packaging: Soften hard dependency on libapache2-mod-wsgi
  • Packaging: Split auth modules into separate repositories on Github
  • Packaging: Move LinOTP client GUI into separate repository on Github

  • Config examples: Add example Logstash configuration
  • Config examples: Modify logging configuration to prevent duplicate lines

Bug Fixes

  • Server: Fix challenge response authentication (Yubikey)
  • Server: Fix enroll of QR Token when username in multiple realms
  • Server: Allow utf-8 filenames in FileSMSProvider configuration
  • Server: fix for HSM migration problems
  • Server: Fix reusing OTP counter for email token if challenge timed out
  • Server: Fix typo in error message

  • Web UI: Allow more than 80 characters in user field
  • Web UI: Fix filtering in policies tab
  • Web UI: Fix parsing of duration configuration fields
  • Web UI: Fix link to https://keyidentity.com

  • API: Add validation of resolver name in defineResolver
  • Tools: create-pwidresolver-user: Fix phone fields

LinOTP 2.9.1.4

Bug Fixes

  • Vasco: Fix token import from file
  • Vasco: Fix authentication
  • Web UI: Fix error if token configuation dialog is cancelled
  • Manage: Remove broken wildcard search using '.' in UserIdResolver searches
  • Migration: Fix migration handling routine
  • Authentication: Fix behaviour of check_status with empty pass and otppin=2

LinOTP 2.9.1.3

Bug Fixes

  • Server: Fix realm configuration reset when renaming resolvers

LinOTP 2.9.1.2

Bug Fixes

  • Server: Fix saving issues with long configuration values

LinOTP 2.9.1.1

Bug Fixes

  • Server: Fix LDAP configuration issue with long certificates
  • Server: Fix empty user list returned by LDAP backend
  • Server: Allow unicode characters in provider configuration
  • Packaging: Fix openssl installation issue caused by Pre-Depends relationship

LinOTP 2.9.1

Enhancements

  • Server: New token type: KeyIdentity PushToken
  • Server: Add optional caching of resolver lookups
  • WebUI: Show welcome and update screens
  • WebUI: Add dialog for duplicating resolvers
  • WebUI: Better password handling in resolver dialogs
  • Reporting: Add paging and CSV output for reporting/show
  • API: Use semicolon as CSV column separator by default
  • UserIdResolver: Add StartTLS support

Bug Fixes

  • Server: Fix remote token
  • Server: Fix evaluating policies for non-existent realms
  • API: Don't localize monitoring json output
  • SMPPSMSProvider: Fix encoding issues for non-ascii characters

LinOTP 2.9.0.5

Bug Fixes

  • Server: Prefer specific policies over wildcard policies
  • Server: Fix QRToken's CT_AUTH case
  • Server: Fix combination of policies 'passthru' and 'passOnNoToken'
  • WebUI: Reject inequal PINs in set PIN dialogs in addition to the visual
  • WebUI: Display certificate in QRToken configuration

LinOTP 2.9.0.4

Bug Fixes

  • Server: In case of a matching PIN and wrong OTP, increment fail counters of PIN-matching tokens only
  • Server: Fix maxtoken policy
  • Server: Fix import of vasco tokens using transport encoding
  • WebUI: Remove policy search bar

LinOTP 2.9.0.3

Bug Fixes:

  • WebUI: Fix realm creation and editing for IE
  • Server: Various small QRToken changes
  • Server: Fix tokencount handling during assignment

LinOTP 2.9.0.2

Bug Fixes

  • Server: Fix token enrollment using the API directly after a server restart

LinOTP 2.9.0.1

Bug Fixes

  • Server: Make constant time comparison compatible with python<=2.7.6

LinOTP 2.9

Enhancements
  • Server: Add support for offline authentication
  • Server: Add QRToken
  • Server: Add forwarding token
  • Server: Add reporting controller
  • Server: Add support for multiple SMS/e-mail providers
  • Server: Add support for long config values
  • Server: Add issuer label to OATH tokens
  • Server: Allow one-time simplepass tokens
  • Server: Allow multiple users with same username in one realm
  • Server: Support migration of resolvers for assigned tokens
  • Server: Add authorization policies for monitoring controller
  • Server: Allow named otppin policies ('token_pin', 'password' and 'only_otp')
  • Server: Add SSL/TLS abilities to SMTPSMSProvider
  • UserIDResolver: Add class registry and class aliases
  • WebUI: Slightly polished look and feel
Bug Fixes
  • WebUI: Hide 'Get OTP' button if getotp is deactivated in config
  • WebUI: Several bug fixes in different dialogs and elements
  • Server: Fix generating transactionids which failed in rare circumstances
  • Server: Handle timestamp rounding instead of truncating in MySQL 5.6
  • Server: Do not copy old PIN on lost simplepass token
  • Packaging: Remove debconf entry 'linotp/generate_enckey'
  • WebUI: Validate resolver configuration on resolver definition
  • WebUI: Alert in realm dialog if no resolvers are selected

LinOTP 2.8.1.7

Changelog

Bug Fixes

  • Server: Prefer specific policies over wildcard policies
  • Server: Fix combination of policies 'passthru' and 'passOnNoToken'

LnOTP 2.8.1.6

Changelog

Bug Fixes

  • Server: In case of a matching PIN and wrong OTP, increment fail counters of PIN-matching tokens only.

LinOTP 2.8.1.5

Changelog

Bug Fixes

  • WebUI: Fix setting token realm

LinOTP 2.8.1.4

Changelog

Bug Fixes

  • WebUI: Fix setting token realm

LinOTP 2.8.1.3

Changelog

Bug Fixes

  • Server: Fix PIN handling in email token

LinOTP 2.8.1.2

Changelog

Enhancements

  • Server: Add support for demo licenses

Bug Fixes

  • Selfservice: Fix setting tokenlabels
  • Server: Set the first created realm as default realm
  • Server: Fix admin/show using a serial number and an active admin policy containing a wildcard
  • Server: Fix import of policies missing scope or action
  • Server: Fix license import using IE

LinOTP 2.8.1.1

Changelog

Bug fixes

  • Server: Fix license decline under certain conditions

LinOTP 2.8.1

Changelog

Enhancements

  • Server: Add monitoring controller
  • Server: Add support for encryption migration (HSM)
  • Server: Add 'forward to server' policy
  • Server: Extended user filter in policies
  • Server: Reduce number of userid authentication calls
  • Server: Enable less services in default configuration
  • Server: Add French, Italian, Spanish and Chinese translations
  • WebUI: Various cosmetic fixes
  • WebUI: Update jQuery, jQuery UI and jed

Bug fixes

  • Server: Fix forwarding policy when parameter list is empty
  • Selfservice: Fix access to userservice with UTF-8 characters
  • Selfservice: Fix resolver user wildcard support in extended policy user def
  • WebUI: IE11: Deliver requested language
  • WebUI: Support for IE11 logout and cookie deletion

LinOTP 2.8.0.3

Changelog

Bug fixes

  • Server: Increment 'failCount' even if maxFailCount is reached
  • Server: Fix TOTP tokens with empty timeshift values
  • Server: Fix export of empty token list
  • Server: Fix policy view showing only realm specific policies
  • Server: Fix token settings saving for TOTP and OCRA2 tokens

LinOTP 2.8.0.2

Changelog

Bug fixes

  • Server: Fix for double escaping when using info_box
  • Server: Fix for information disclosure with audit search
  • Server: Prevent enumeration/information leakage in validate/check
  • Server: Remove session id from URL
  • WebUI: Clear PIN input fields on closing the 'Set PIN' dialog
  • Selfservice: Enforce session and cookie check in all userservice actions
  • Selfservice: Add missing session invalidation on selfservice logout
  • Config examples: Set security relevant headers in example apache config files
  • Config examples: Set X-Permitted-Cross-Domain-Policies header in example Apache config files

LinOTP 2.8.0.1

Changelog

Enhancements

  • Server: Add support for '*' wildcard in policy client definition
  • Server: Add support to set random pin on token import

LinOTP 2.8

Changelog

Enhancements

  • Server: Add FIDO U2F support
  • Selfservice: Enroll FIDO U2F, e-mail and SMS tokens
  • Server: Losttoken: Support enrollment of e-mail and SMS tokens
  • Server: Trigger challenges for multiple challenge-response tokens with one request
  • Server: Support deleting multiple policies with one request
  • Server: Rework and improve token counter logic
  • Server: Add policy actions 'emailtext' and 'emailsubject' in scope 'authentication' to define body and subject of e-mails sent by e-mail tokens
  • Server: Add parameter to define SMS messages sent by SMS tokens
  • Server: Add support for defining multiple OCRA2 callback URLs
  • Server: Add optional ability to save last_accessed timestamps for tokens
  • Server: Add crypto migration controller to change in-use cryptographic techniques, switch to HSMs or replace in-use HSMs
  • Server: Add support for using UserPrincipalName as username
  • Server: Support wildcard '*' for serial number filter in admin/show
  • Tools: linotp-auth-radius: Support for unicode radius requests
  • Selfservice: Support yubikey tokens with public_uid
  • Server: Add target realm input for token imports
  • Server: Prevent accidental admin lock-out using read-only admin policies
  • Server: Support autoassignment policy without action value

Bug fixes

  • Selfservice: Fix getSerialByOtp functionality for yubikey tokens
  • Server: Fix importing yubikey tokens without prefix
  • Server: Fix autoassignment with remote token pointing at yubikey token
  • Server: Fix autoassignment using tokens with different OTP lengths
  • Server: Prevent counter increments of inactive tokens
  • Server: Don't return counter parameter on TOTP enrollment
  • Selfservice: Fix occasional login problems using non-ASCII characters
  • Server: Fix occasional problems sorting userlist with unicode characters
  • Server: Fix usage of otppin policy for remotetoken with local pincheck
  • Server: Don't return error messages on unconfigured autoenrollment
  • Server: Always set OTP length in remote token enrollment
  • Server: Don't return error messages for policy otppin=1 and unassigned tokens
  • Server: Reply to OCRA2 challenge providing only transactionid and OTP
  • WebUI: Don't show dialog asking for realm creation if no useridresolver is configured
  • WebUI: Fix WebUI for recent Internet Explorer versions
  • WebUI: Clear key and PIN input fields after token enrollment
  • Tools: linotp-create-pwidresolver-user: Fix duplicate and ignored command-line arguments
  • Tools: Correctly package linotp-enroll-smstoken tool
  • Tools: Use Digest instead of Basic Authentication in linotp-enroll-smstoken
  • Tools: Display an error message in linotp-enroll-smstoken when dependencies are missing
  • Tools: Fix linotp-sql-janitor crash when executed without --export option
  • Server: Fix for wildcard search with available unassigned tokens
  • Server: Fix LinOTP on pylons 0.9.7
  • Packaging: Remove nose dependency from linotp install process

LinOTP 2.7.2.2

Changelog

  • Fix XSS vulnerabilities in manage WebUI

LinOTP 2.7.2.1

Changelog

Bug fixes

  • Server: Token in autoassignment were assigned randomly instead of the one that actually matched the OTP value
  • Server: When using check_s the realm context was not correctly set. If the token is in a realm, that realm should be used not the default realm
  • Server: Uninitialized variables in remotetoken in case of connection error
  • Server: Always set random PIN during token enroll/assign if the corresponding random PIN policy is set
  • Packaging: If a2dissite linotp2 is unsuccessful during package removal the uninstallation broke off. Now errors with 'a2dissite' are printed to stderr during installation/removal but don't break the scripts
  • Packaging: Add SQLAlchemy<=0.9.99 dependency due to 'SQLAlchemy Migrate'
  • Packaging: Fix for LinOTP installation in a LSE Smart Virtual Appliance on Debian Jessie. Since MySQL lacks a systemd service file use polling to check when MySQL is brought up
  • Server: Fix erroneous reply message about 'unconfigured autoenrollment'
  • Server: Fix for enrolling tokens via the selfservice webprovision with random pin policy set
  • Packaging: Allow WebOb version 1.4 in debian 8 (jessie)
  • Server: Fix for handling users with @ in name (principal name) in selfservice access
  • WebUI: Fix for selfservice (Internet Explorer caches GET requests)
  • Server: Fix extended search in Audit Trail Fix XSS vulnerabilities in manage WebUI

LinOTP 2.7.2

Changelog

Enhancements

  • Server: Auto enrollment - enroll an email or sms token if user has no token and authentication with password was correct
  • Server: Support 'now()' in LDAP search expressions
  • Selfservice: Split Selfservice into userservice controller and selfservice renderer to support remote selfservice interface
  • WebUI: SQL and LDAP resolver mapping validation (needs to be valid JSON)
  • WebUI: E-mail and SMS provider definition validation (needs to be valid JSON)
  • Packaging: Support for Ubuntu 14.04 (with Apache 2.4)
  • Packaging/Server: Support for Pylons 1.0.1
  • Packaging: Internal package refactorization to unify structure and version number handling
  • Packaging: Apache linotp2 VirtualHost will no longer be overwritten during Debian package upgrade. VirtualHost example files are copied to the same location where the LinOTP package is installed and only afterwards it is moved to /etc/apache2 (if it does not exist already)
  • Packaging: Cleaned up and hardened Apache linotp2 VirtualHost files
  • Tools: Improved linotp-create-pwidresolver-user and linotp-create-sqliddresolver-user to to generates more secure passwords
  • Tools: Added tool to massenroll SMS tokeni

Bug fixes

  • Server: Fixed support of old licenses, where the expiry is in the date entry
  • Server: Fixed error during token unassign (because of setPin call)
  • Server: Fixed searching for a user in multiple realms
  • Server: Fixed exact search for user in tokenlist
  • Server: Fixed sorting of userlist with unicode
  • Selfservice: Fixed selfservice history browsing

LinOTP 2.7.1.2

Changelog

Server

  • adjust the copyright date from 2014 to 2015

Audit

  • audit query with empty arguments fixed
  • made selfservice history browsing working again

Tools and Resolver

  • enhanced password genenerating tool to generate more secure passwords entries for usage via passwd and sql resolvers

Web UI

  • added ui hints for the sms and email token config
  • use radius token config defaults for radius token enrollment
  • use remote token config defaults for remote token enrollment
  • searching for unknown users in tokenview, showed all tokens that had no user assigned.

LinOTP 2.7.1.1

Changelog

  • Bug Fix: Don't ignore whitespace in license file when calculating signature

LinOTP 2.7.1

Changelog

Enhancements

  • Server: Added check for optional support and subscription license
  • WebUI: Show warnings when the support and subscription has expired or number of supported tokens has been exceeded
  • WebUI: Editing the token config in the WebUI will only save what has been edited
  • WebUI: PIN setting is now part of the 'enroll' dialog instead of being in a separate dialog
  • WebUI: Don't allow setting the token PIN in the token enrollment dialog when the 'random_pin' policy is set
  • WebUI/Server: Added translation of selfservice and policy messages
  • WebUI: Enabled JavaScript localisation (jed based) for 'manage' and 'selfservice' UI
  • Server: Added Yubikey token support for uppercase OTP values
  • Server: Added support for Yubikey token resync
  • WebUI: Info and error boxes in the 'manage' UI now stack instead of overlaying (hiding the older ones). When displaying more than one box a 'Close all' link is shown
  • WebUI: Improve CSS styling for info and error boxes in 'manage' UI
  • WebUI: Adapted the 'selfservice' and 'auth' interfaces to the 'manage' UI style
  • WebUI: Improved display of currently selected user and token
  • WebUI: Restricted the selection to a single user
  • Server: Added system/getPolicy support for 'user' as filter criteria
  • Server: Added system/getPolicy support for 'action' as filter criteria
  • WebUI: Preset LDAPUserIdResolver AD with objectGUID instead of DN
  • WebUI: Rework the selfservice Google web provisioning to refer to FreeOTP and other softokens as well
  • Server: Include OTP length and hash algorithm used in the 'otpauth' URL generated when enrolling HOTP or TOTP tokens
  • WebUI: Display the generated seed in the enrollment tabs in a copyable form
  • WebUI: Extendend the eToken dat import to display start date support with hh:mm:ss
  • Server: Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate)
  • WebUI: Added 'clear' button to policy form
  • WebUI: Made policies 'active' by default
  • Server: Initialize repoze.who with a random secret during server startup or restart (old 'selfservice' sessions become invalidated)
  • Server/Tools: Added the ability to dump the audit data before deletion
  • Packaging: Removed obsolete SQLAlchemy <0.8.0b2 restriction
  • Server: Random generation: switched to more secure randrange and choice methods
  • WebUI: Updated jQuery to v1.11.1 and all plugins and JS libraries (Superfish, jQuery Cookie, jQuery Validation, ...) to their latest version
  • WebUI: Simplified selfservice tokenlist handling * WebUI: Added warning to auth forms when Javascript is disabled in the browser
  • WebUI: Improved auth form handling of JS errors
  • Server: Removed deprecated /auth/requestsms form because SMS can be requested using the regular /auth/index form (by doing challenge-response)

Bug Fixes

  • Packaging: Fixed ask_createdb debconf question that kept being asked on upgrade of the Debian packages
  • WebUI: Cleaned up selfservice mOTP Token enrollment
  • WebUI: Some fixes for localisation and wrong validation of seed input field
  • Server: Fixed the search for ee-resolver tokens and user
  • Server: Raise exception for empty 'user' in 'system' or 'admin' policy
  • Server: Load the HSM before the LinOTP config, so that the config can hold decrypted values
  • Server: Fixed help_url to always use linotp.org site with version * Server: Added support for migrating old linotpee resolvers entries
  • Server: Fixed reinitialisation of Yubikey token
  • Server: Yubikey checkOtp should not raise exception if the OTP is too short
  • Server: Fixed bug in Yubikey CSV import
  • Server: Fixed padding and unpadding code for PKCS11 module
  • Server: Fixed padding and unpadding code for YubiHSM module
  • Server: Added LinOTP config options 'pkcs11.accept_invalid_padding' and 'yubihsm.accept_invalid_padding'
  • Server: Fixed token import to support ocra2 token
  • WebUI: Fixed small display error when deleting or modifying multiple tokens in the 'manage' UI
  • WebUI: Fixed selfservice enroll of mOTP token
  • Server: Fixed token serial not appearing in the audit log in some cases

LinOTP 2.7.0.2

Changelog

  • Fixed PSKC import with plain input
  • Fixed SecretObj cleanup in some corner-cases
  • Cleaned up default parameters in functions to prevent memory leaks
  • Added late binding to ORM mapping
  • Fixed several issues with Oracle databases such as: reserved words in columns, None/empty values not being mapped correctly to Python objects, Unicode handling
  • Made significant modifications to SQLAudit to fix a memory leak
  • Fixed checkPolicyPost() in admin/init without serial (#12603)
  • Added /:no realm:/ search option for token list
  • Removed empty token config tabs in the WebUI (#12634)
  • Added linotpAudit.error_on_truncation config option to control DB behaviour when writing large values to the DB

LinOTP 2.7.0.1

Changelog

  • Integrated linotp-ee package into this package, adding: - Support for SQL Audit - Tools such as: linotp-decrypt-otpkey, linotp-tokens-used, linotp-backup, linotp-restore, etc. - Support for HSM - eTokenDat, PSKC, DPWplain and vasco token import
  • Fixed broken custom-template handling (#12555)
  • Fixed some corner cases of JSON and CSV audit output (#12550, #12556)
  • Fixed erroneous QR-Code generation
  • Pinned WebOb version to < 1.4 due to incompatibility with Pylons (#12586)
  • WebUI: Moved 'License' menu entry to 'Help/Support'
  • WebUI: Added 'Help/About' dialog
  • WebUI: Cleaned up a little and exchanged the LinOTP logos

Updating from LinOTP 2.6.1.1 to LinOTP 2.7

LinOTP 2.7 is a major release that contains some big package structure changes.

In our effort to be completely open source we have removed our EE (Enterprise Edition) packages and merged them into the old CE (Community Edition) packages leaving you with packages that contain all the features. The CE/EE terminology is obsolete.

If you had previously edited your linotp.ini to activate the audit trail please update the file and replace:

linotpAudit.type = linotp.lib.Audit.SQLAudit

with:

linotpAudit.type = linotp.lib.audit.SQLAudit

Updating a deb install

If you are updating from one of our repositories simply:

apt-get update && apt-get upgrade

If you previously had a LinOTP Community Edition you may want to additionally install the linotp-smsprovider package:

apt-get install linotp-smsprovider

If you are installing via dpkg you have to remove the obsolete packages first:

apt-get remove linotp-ee linotp-useridresolver-ee
dpkg -i linotp linotp-useridresolver linotp-smsprovider

The LinOTP Admin clients have been renamed:

  • linotp-adminclient-ce is now called linotp-adminclient-cli
  • linotp-adminclient-ee is now called linotp-adminclient-gui

Install them like this:

sudo apt-get install linotp-adminclient-gui linotp-adminclient-cli

Updating a pip install

Before upgrading to LinOTP 2.7 you need to remove the obsolete EE packages:

pip uninstall LinOTP-EE LinOtpUserIdResolverEE

Issue the following command to update your pip installation:

pip install --upgrade LinOTP LinOtpUserIdResolver SMSProvider

After this you need to restart your LinOTP webserver.

To upgrade the LinOTP Admin clients you have to remove the obsolete packages first:

pip uninstall LinOTPAdminClientCE LinOTPAdminClientEE
pip install LinOTPAdminClientCLI LinOTPAdminClientGUI

Changelog

LinOTP core

  • Integrated linotp-ee package into this package, adding:
    • Support for SQL Audit
    • Tools such as: linotp-decrypt-otpkey, linotp-tokens-used, linotp-backup, linotp-restore, etc.
    • Support for HSM
    • eTokenDat, PSKC, DPWplain and vasco token import
  • Fixed broken custom-template handling (#12555)
  • Fixed some corner cases of JSON and CSV audit output (#12550, #12556)
  • Fixed erroneous QR-Code generation
  • Pinned WebOb version to < 1.4 due to incompatibility with Pylons (#12586)
  • WebUI: Moved 'License' menu entry to 'Help/Support'
  • WebUI: Added 'Help/About' dialog
  • WebUI: Cleaned up a little and exchanged the LinOTP logos

Documentation

  • Adapted to new package structure (linotp and linotp-ee as well as linotp-useridresolver and linotp-useridresolver-ee have been integrated into a single package)
  • Fixed warnings and made general corrections
  • Exchanged LinOTP logo

LinOTP admin client

  • Renamed package from linotp-adminclient-ce to linotp-adminclient-cli
  • Renamed package from linotp-adminclient-ee to linotp-adminclient-gui
  • Exchanged LinOTP logo
  • Removed M2Crypto dependency, since license verification is done on the server

UserIdResolver

  • Integrated linotp-useridresolver-ee package into this package, adding support for:
    • LDAP and AD UserIdResolvers
    • SQL UserIdResolvers

Updating from LinOTP 2.6.1 to LinOTP 2.6.1.1

LinOTP 2.6.1.1 is a patch release for LinOTP 2.6.1

SMSProvider 2.6.1.1 has one new dependency:

  • socksipy, either contained in httplib2 >= 0.7 or from its own package.

Updating a deb install

Install the necessary dependencies:

apt-get install python-socksipy

Unfortunately on Debian and Ubuntu you are forced to install the python-socksipy package because Debian Squeeze does not support python-httplib2 >= 0.7 and therefore requires python-socksipy.

If you have downloaded all packages you need to issue the following command:

dpkg -i linotp_2.6.1.1-1_all.deb \
        linotp-smsprovider_2.6.1.1-1_all.deb \
        libpam-linotp_2.6.1.1-1_all.deb

Updating a pip install

Issue the following command to update your pip installation:

pip install --upgrade linotp pam_py_linotp

A SMSProvider pip installation will need following additional python package:

  • httplib2 >= 0.7 or socksipy.

To upgrade the enterprise edition components you need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/SMSProvider-2.6.1.1.tar.gz

After this you need to restart your LinOTP webserver.

Changelog

LinOTP core

  • Fixed Yubikey token so it supports LinOTP/RADIUS challenge-response
  • Removed 'const' JS variable that broke IE9
  • Added Yubikey public ID to token description when importing CSV file (#12417)
  • Fixed erroneous active-token-count in WebUI (#12523)

SMS Provider

  • Fixed HTTPSMSProvider on Debian Squeeze with httplib2 0.6 (#12510)

PAM LinOTP

  • Fix build of binary package on Launchpad

PAM Python LinOTP

  • Fixed package build

Updating from LinOTP 2.6.0.3 to LinOTP 2.6.1

LinOTP 2.6.1 has two new dependencies:

  • python-migrate for additional client information in the Audit trail and
  • python-httplib2.

Updating a deb install

Install the necessary dependencies:

apt-get install python-migrate python-httplib

Download all necessary LinOTP packages and issue the following command:

dpgk -i linotp_2.6.1-1_all.deb \
        linotp-ee_2.6.1-1_all.deb \
        linotp-useridresolver_2.6.1-1_all.deb \
        linotp-useridresolver-ee_2.6.1-1_all.deb \
        linotp-smsprovider_2.6.1-1_all.deb

Updating a pip install

A pip installation will need following additional python packages:

  • httplib2,
  • sqlalchemy-migrate.

These should be installed automatically when issuing the commands:

pip install --upgrade linotp
pip install /path/to/LinOtpUserIdResolverEE-2.6.1.tar.gz
pip install /path/to/LinOtpUserIdResolver-2.6.1.tar.gz
pip install /path/to/SMSProvider-2.6.1.tar.gz

Check with:

pip freeze

Changelog

LinOTP core

  • Added support for BasicAuthentication to HttpSMSProvider
  • Prevent resolver creation with same name (and different case)
  • Improved /auth/index forms and deprecated /auth/requestsms
  • Improve entropy by using /dev/urandom (#12243)
  • Added streaming output to audit/search JSON and CSV (#12392)
  • Made wildcard search in SQL Resolver more precise (#12135)
  • Small graphical WebUI fixes (#12229)
  • Added possibility to change the phone number of SMS token (#2953)
  • Require * for wildcard token search (#2838)
  • Removed PIL as a hard dependency (you may use pillow-pil) (#12409)
  • Only enable apache site on first installation (not upgrade) (#12246, #12457)
  • Supress error during installation if no 'lse_release' exists #(12237)
  • Shorten UserIdResolver display string in UserView (#2678)
  • Added python-httplib2 dependency
  • Added challenge-response and http-POST to remote token (#12433, #12451)
  • Added challenge-response to RADIUS token (#12432)
  • Added client information to audit log (#12417)
  • Enable 'Enter' key in auth/index forms (#12103, #12446)
  • Allow SmtpSMSProvider to raise exceptions (#12419)
  • Several challenge-response error handling fixes (#12416, #12420, #12427)
  • Several OpenID fixes (#12415, #12428, #12265, #12190, #12264)
  • Fix hostname/port FQDN splitting (#12410)
  • Added man page for linotp-auth-radius
  • Removed obsolete log warnings and errors (#12396, #12443)
  • Prevent challenges from being sent when multiple tokens match (#12413)
  • Fixed check_yubikey so that it supports two slots (#12477)
  • Enabled realm assignment during Yubikey enrollment
  • Added autoassignment for Yubikeys
  • Added new policy 'ignore_autoassignment_pin'
  • Removed newlines in token CSV export (#12465)

LinOTP EE

  • Solved some SQLAlchemy unicode warnings
  • Added streaming output to audit/search JSON and CSV (#12392)
  • Removed deprecated FileAudit (use SQLAudit instead) (#12434)
  • Added client information to audit log (#12417)
  • Improved help message of linotp-sql-janitor tool

UserIdResolver

  • Made wildcard search in SQL Resolver more precise (#12135)
  • Fix LDAP Resolver error that occurs during checkstatus (#12442)

LinOTP admin client

  • Added dependency for python-usb
  • Enabled realm assignment during Yubikey enrollment
  • Added client information to audit log (#12417)

Documentation

  • Removed FileAudit documentation since FileAudit is deprecated (#12434)
  • Documented additional PasswdResolver fields (e-mail, telephone) (#12418)
  • Added Howtos from website to documentation (#12430)
  • Documented new OpenID storage database options (#12415)
  • Updated package dependencies (#12395, #12452, #12409)
  • Documented new policy 'ignore_autoassignment_pin'

libpam LinOTP

  • Remove user check in libpam-linotp since the existence of the user is not a prerequisite (VPN, automount) (#12429)

SMSProvider

  • Allow SmtpSMSProvider to raise exceptions (#12419)

Updating from LinOTP 2.6 to LinOTP 2.6.0.3

LinOTP 2.6.0.3 is a patch release for LinOTP 2.6 and 2.6.0.x.

Updating a deb install

If you have downloaded all packages you need to issue the following command:

dpkg -i linotp_2.6.0.3-1_all.deb \
        linotp-useridresolver-ee_2.6.0.3-1_all.deb

Updating a pip install

Issue the following command to update your pip installation:

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.0.3.tar.gz

After this you need to restart your LinOTP webserver.

Changelog

LinOTP core

  • Fix problem with LDAPS connection (#12431)
  • Catch token exceptions to prevent errors when processing several tokens (#12416)

UserIdResolver

  • Fix error that prevented LDAP Resolver from unbinding (#12423)

Updating from LinOTP 2.6 to LinOTP 2.6.0.1

LinOTP 2.6.0.1 is a patch release for LinOTP 2.6.

Updating a deb install

If you have downloaded all packages you need to issue the following command:

dpkg -i linotp_2.6.0.1-1_all.deb \
        linotp-useridresolver_2.6.0.1-1_all.deb \
        linotp-useridresolver-ee_2.6.0.1-1_all.deb \

Updating a pip install

Issue the following command to update your pip installation:

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.0.1.tar.gz

After this you need to restart your LinOTP webserver.

Changelog

LinOTP core

  • Added RADIUS client testing tool "linotp-auth-radius", which supports challenge response
  • Fix the otppin=2 (no pin) problems with E-mail and TOTP Token (#12399 #12398)
  • Fix for E-mail Token to support otppin=2 (closes #12398)
  • Fix 'Logout' button (closes #12371)

UserIdResolver

  • Bind the resolvers object to the request for performance. closes #12372
  • Improved sqlresolver checkpass to also support {sha} and {ssha} passwords.

Command line client

  • Added automation, send token list via email or upload to windows share (#12390)

Updating from LinOTP 2.5.2 to LinOTP 2.6

LinOTP 2.6 introduces a common challenge response mechanism. For this a new table "challenges" was added to the database model.

Updating a deb install

If you have downloaded all packages, you need to issue the following command:

dpkg -i linotp_2.6-1_all.deb \
        linotp-ee_2.6-1_all.deb \
        linotp-useridresolver_2.6-1_all.deb \
        linotp-useridresolver-ee_2.6-1_all.deb \
        linotp-doc_2.6-1_all.deb \
        linotp-smsprovider_2.6-1_all.deb

Note

If you want to use the new challenge response mechanism with your RADIUS clients, you also need to update the FreeRADIUS packages.

Updating a pip install

Issue the following command to update your pip installation:

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOTP-EE-2.6.tar.gz
pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.tar.gz
pip install --upgrade /path/to/LinOtpDoc-2.6.tar.gz
pip install --upgrade /path/to/Smsprovider-2.6.tar.gz

To create the new table "challenges" run:

paster setup-app <your-path-to>/etc/linotp2/linotp.ini

After this you need to restart your LinOTP webserver.

Changelog

  • Added Challenge Response functionality for all tokens.
  • Added Challenge Response Policy (#12234)
  • Searching for tokens in the WebUI now uses wildcards. To find "benjamin" you will have to search for "ben*". "ben" will return nothing.
  • Added UserPassOnNoToken Policy (#12145)
  • Export token list to csv (#2963)
  • Add additional user attributes in the token list api (#12187)
  • Export audit list to csv (#2963)
  • Added /auth/index3 with 3 lines (#12138)
  • Use YubiKey with prefix like the serial number (#12039)
  • Enroll YubiKey with Challenge Response and YubiKey NEO (#12186)
  • SMS-Token: The mobile number can now be used in the mailto field (#12151)
  • Add non-blocking behaviour when sending SMS OTP (#2986)
  • The token description can be set in the WebUI (#12163)
  • The Resolver dialog now start the realm dialog if no realm is defined (#12160)
  • The YubiKey in Yubivo mode (with 44 characters output) is supported (#2989)
  • Import Yubico CSV in Yubico mode for Yubikeys, that were generated with the Yubico personalization tool (#12326)
  • The token type list is sorted when enrolling in the management WebUI (#12231)
  • The authorize policies can contain regular expressions for the token serial number (#12197)
  • Added script 'linotp-token-usage' for token statistics (#12299)
  • Added severals cripts for simpler installation and maintenance: linotp-create-certificate, linotp-create-enckey, linotp-create-auditkeys, linotp-fix-access-rights (#2883)
  • /validate/check can return addition token details of the authenticated token. Configured by the policy 'detail_on_success' (#2661)
  • Support for eToken dat file import (#12124)
  • Policies can now be deactivated and activated (#2903)
  • Added new token type E-mail token, that sends OTP via smtp (#2704, #12332)
  • Improve pam_linotp for build process and challenge response support (#12176)
  • Using POST instead of GET requests in selfservice UI (#12161)
  • Improved the HTML online help, to be available online from linotp.org or installed on the server
  • Removed several misleading error messages during installation
  • Improved several error messages
  • rlm_linotp now also builds on Ubuntu 12.04 (#12154)
  • Improved the certificate handling for the LDAP resolver (#12089)
  • Improved the performance when loading many users in the WebUI (#12076)
  • Fixed a padding problem in the OCRA token (#12202)
  • Fixed the logout link in the management Web UI (#12022)
  • Fixed SMS token without serial number (#12322)
  • Fixed the signature checking in the SQL audit module (#12267, #2700)
  • Fixed apache config to use secure cookies (#12148)

Updating from LinOTP 2.5.1 to LinOTP 2.5.2

Updating a deb install

With version 2.5.2 the naming of some packages changed:

old name in version 2.5.1 new name in version 2.5.2
linotpuseridresolver linotp-useridresolver
linotpuseridresolveree linotp-useridresolver-ee
linotpdoc linotp-doc
smsprovider linotp-smsprovider

Transition packages with the old names are used to perform the update.

You need to issue the following command:

dpkg -i linotpuseridresolver_2.5.2-1_all.deb \
        linotpuseridresolveree_2.5.2-1_all.deb \
        linotpdoc_2.5.2-1_all.deb \
        smsprovider_2.5.2-1_all.deb \
        linotp_2.5.2-1_all.deb \
        linotp-ee_2.5.2-1_all.deb \
        linotp-useridresolver_2.5.2-1_all.deb \
        linotp-useridresolver-ee_2.5.2-1_all.deb \
        linotp-doc_2.5.2-1_all.deb \
        linotp-smsprovider_2.5.2-1_all.deb

Afterwards you can remove the old packages:

dpkg -r linotpdoc linotpuseridresolver linotpuseridresolveree smsprovider

Updating a pip install

Issue the following command to update your pip installation:

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOTP-EE-2.5.2.tar.gz
pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.5.2.tar.gz
pip install --upgrade /path/to/LinOtpDoc-2.5.2.tar.gz
pip install --upgrade /path/to/Smsprovider-2.5.2.tar.gz

Changelog

Dokumentation

  • Added documentation for MS SQL server support.
  • Added how to for forwarding RADIUS request depending on LDAP group membership.
  • Added YubiKey documentation for YubiKey NANO.

LinOTP Server

  • Added dynamic token modules. All tokens can now be loaded dynamically.
  • Added policy import and export.
  • Added possibility to display action history in selfservice.
  • Added new Token: YubiKey in original YubiKey mode (44 characters) to authenticate with the yubico online cloud service.
  • Added a script (linotp-pip-update) to update a pip installation.
  • Added authentication to ocra controller.
  • Added the possibility to give the CA certificate with the LDAP Resolver when using LDAPS.
  • Added univention UCS / LinOTP documentation.
  • Added users and resolvers to policies in selfservice, authentication, enrollment and authorization.
  • Added a policy checker to the WebUI.
  • Assign Token by OTP value in selfservice.
  • Implemented additional API to to a get_serial_by_otp in selfservice.
  • Improved policies: exclude clients.
  • Improved PSKC import to import OCRA suite.
  • Increase font size (style italic) to make it easier to assign a token to a user.
  • Limit size of realm and resolver dialogs. If hundred resolvers or realms are defined, the dialog is too big.
  • Make the cookie a secure cookie, means it must be transferred via SSL
  • Performance fix - reduce user ID lookup.
  • Add possibility to set maximum auth count and validity period.
  • The mobile number (instead of phone) will now be used in selfservice for SMS token.
  • closed: More detailed information when the SMS is sent via /validate/check of /validate/smspin.
  • closed: The preset of the mobile number for an SMS token is now contained in the token.mako file.
  • closed: The user was not able to authenticate to selfservice.
  • closed: Deprecation Information about searching tokens.
  • closed: Use SecureFormatter in linotp.ini.
  • closed: The sms text from the policy is used to send the SMS.
  • closed: We require python 2.6.
  • closed: Make sure that genkey is in defined range.
  • Renamed the webprovissionOCRA to activateQR.
  • Reverted to the timeStepping=30 for the setup.
  • fixed: Correct audit entry, when the userpassword (otppin=1) is wrong.
  • fixed: Added a search button to flexigrid.
  • fixed: Added SecureFormatter to be able to remove non printable characters from the log args
  • fixed: The audit trail does not show entries with SQLAlchemy 0.8.0
  • fixed: The setting of the OCRA PIN does not work in the WebUI.
  • fixed: Return space instead of empty string in case of MS SQL server
  • fixed: Problems with redundant MS SQL server.
  • fixed: Problem, that an admin was not able to view the users in the realm he has rights to.
  • fixed: The broken FileAudit module.
  • fixed: The possibility to do cross site scripting in the doc controller. (serve documentation statically)
  • fixed: Problems in token search.
  • fixed: User enumeration with validate/smsping.
  • fixed: Token iterator exact user match.
  • fixed: Permissions for SSL privkey and who.ini.
  • fixed: The system settings (WebUI) are not stored, if data on another tab is missing.
  • fixed: OCRA bug for missing leading zeros - truncation to last digit.

GTK Client

  • The YubiKey can now be enrolled with GTK client based on python 2.7.
  • Modified the GTK client this way, that the realm filter is always available.
  • Added the possibility to give the CA certificate with the LDAP Resolver.
  • Added import of policies to GTK client.
  • Added the possibility to export the policies to a file.
  • Audit log now shows the last entry first.
  • Added eToken enrollment command line tools.
  • Fixed missing dependency for configobj.
  • Fixed the jumping of the filter cursor.
  • Fixed display of policy in GTK client.

Updating from LinOTP 2.5.0 to LinOTP 2.5.1

Updating a deb install

Issue the command:

dpkg -i linotp_2.5.1_all.deb linotp-ee_2.5.1_all.deb linotpuseridresolveree_2.5.1_all.deb \
    linotpdoc_2.5.1_all.deb python-qrcode_2.4.2_all.deb

Updating a pip install

Warning

Before updating a pip installation you very much need to backup your files in /etc/linotp2! The pip installing logic is not that sophisticated, it might overwrite existing config files. So please backup at least: /etc/linotp2/linotp.ini and /etc/linotp2/encKey!

You first can upgrade the main server components via the internet to the latest version:

pip install -–upgrade linotp

Then upgrade the enterprise edition components. You need to download the newer version the customers portal:

pip install qrcode
pip install –-upgrade /path/to/packages/LinOTP-EE-2.5.1.tar.gz
pip install –-upgrade /path/to/packages/LinOtpUserIdResolverEE-2.5.1.tar.gz
pip install –-upgrade /path/to/packages/LinOtpDoc-2.5.1.tar.gz

Changelog

LinOTP Server

  • added QR-Code enrollment in management web UI and selfservice portal
  • added QR-Code image to reply
  • added HTML documentation for LinOTP Web UI
  • added import OCRA seeds via CSV
  • added possibility to send 500er HTTP error instead of status:false
  • added alert-box (pop under)
  • added support for AD uidType DN, objectGUID and sAMAccountName
  • added man pages for command line tools
  • improved python PIP installation
  • improved performance with dynamic token classes
  • define the contents of the lost password token (#806)
  • only active tokens are counted for the licensing (#810)
  • using SQLAlchemy for where clauses in SQLResolver
  • fixed translation
  • fixed broken totp resync
  • fixed empty password are neglected ldap_simple bind
  • fixed connection close() in checkMapping()

Updating from LinOTP 2.4.4 to LinOTP 2.5.0

Updating a deb install

Before updating, please assure, that you have a backup of your encryption key and also of your token database.

Issue the command:

dpkg -i linotp_2.5.0-8_all.deb linotp-ee_2.5.0_all.deb linotpuseridresolveree_2.5.0-2_all.deb

If you want to use OCRA functionality you also need to update your database. You can do this by issuing the command:

paster setup-app /etc/linotp2/linotp.ini

After this please check the access rights of your logfiles in /var/log/linotp/.

Updating a pip install

Warning

Before updating a pip installation you very much need to backup your files in /etc/linotp2! The pip installing logic is not that sophisticated, it might overwrite existing config files. So please backup at least: /etc/linotp2/linotp.ini and /etc/linotp2/encKey!

You first can upgrade the main server components via the internet to the latest version:

pip install –-upgrade linotp

Then upgrade the enterprise edition components. You need to download the newer version the customers portal:

pip install –-upgrade /path/to/packages/LinOTP-EE-2.5.0.tar.gz
pip install –-upgrade /path/to/packages/LinOtpUserIdResolverEE-2.5.0-2.tar.gz

Changelog

LinOTP Server

  • Added OCRA token and QR-TAN functionality.
  • Make TOTP token honor DefaultOTPLength configuration.
  • Fixed bug, where a previous OTP value could be used again.
  • Added support for DB2 Token database.
  • Added framework of security modules to support HSMs to store the encryption keys.
  • Added TOTP Google authenticator to self service .
  • Improved SQLuserIdResolver (Performance).
  • Improved LDAPResolver (entryUUID or ObjectGUID).
  • Added passthru policy to authenticate users without token.
  • Added client IPs to policies.
  • Selfservice: added reset of failcounter.