On Sun, 17 Dec 2023, Jeff Kirkley via FreeIPA-users wrote:
Hello,
Very new to FreeIPA but find it to be very powerful and very capable. I have been using Keycloak for some time now and am interested in using FreeIPA as an OTP password provider (if possible).
I am running FreeIPA 4.10.2 and am having problems with a plain/regular user creating an OTP token from the GUI: the created token is based on SHA1. I would like for it to be either SHA256 or SHA512. I have spent many hours scouring the web and am unable to find where this is a user-selectable option under the user's login. I am also unable to find it in any of the settings while logged in as admin. I did make a change to:
/usr/share/ipa/ui/js/freeipa/app.js
and changed the default to sha512, and if I log in as admin and create a new token for a user (testuser), I do have a GUI ability to choose the strength of the OTP token. However, this is not presented to a normal user (belonging to only the ipausers group).
How do I change/enable this ability for a plain user to log in to the FreeIPA server, create an OTP token and change the hash strength?
https://pagure.io/freeipa/issue/6430 covers our state. There is also a helpful table in the link https://gist.github.com/gwelch-contegix/afa52c7b45693a19c198ab0bfb886fe2 about the state of authenticators that support (or rather do not support) other OTP algorithms. Until that state changes, making a different default is counter-productive, as in most cases people will have to handle an increasing number of end-user complaints about not being able to use a new OTP token in their software.
There is currently no plan to change the existing FreeIPA Web UI to add that default. You can already choose the OTP algorithm when creating a token from the IPA CLI/API. The new Web UI, which hopefully will be put in production next year, will have the ability to select the OTP algorithm.
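The reply above makes two points: the algorithm can already be chosen when a token is created from the CLI/API (the `ipa otptoken-add` command accepts `--algorithm` with values such as `sha256` or `sha512`, alongside `--type=totp` and `--owner=<user>`, where `<user>` is a placeholder), and that many authenticator apps do not honour anything other than SHA1. The following added example, which is not code from FreeIPA or from anyone in this thread, shows what that second point means in practice: it implements RFC 6238 TOTP with a selectable HMAC hash, builds the `otpauth://` provisioning URI whose `algorithm=` parameter an authenticator must respect, checks the implementation against the RFC 6238 test vectors, and then demonstrates that a client which silently falls back to SHA1 for a SHA512 token produces codes the server rejects. The seeds are the RFC's published test secrets; the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 6238 Appendix B test secrets (ASCII "1234567890" repeated to the
# hash's block-sized key length). Test data only, never real token seeds.
RFC6238_SEED_SHA1 = b"12345678901234567890"
RFC6238_SEED_SHA256 = b"12345678901234567890123456789012"
RFC6238_SEED_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"

HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hotp(key: bytes, counter: int, algorithm: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP with the HMAC hash made selectable, as RFC 6238 allows."""
    if algorithm not in HASHES:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, algorithm: str = "sha1",
         digits: int = 6, interval: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(key, unix_time // interval, algorithm, digits)


def otpauth_uri(issuer: str, account: str, key: bytes, algorithm: str = "sha1",
                digits: int = 6, interval: int = 30) -> str:
    """Key-provisioning URI of the kind a TOTP QR code carries.

    The algorithm= parameter is the only thing telling the authenticator which
    HMAC hash to use; an app that ignores it will compute SHA1 codes instead.
    """
    label = quote(f"{issuer}:{account}")
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm={algorithm.upper()}&digits={digits}&period={interval}")


def verify(server_key: bytes, server_alg: str, submitted: str,
           unix_time: int, window: int = 1, interval: int = 30) -> bool:
    """Server-side check accepting the current step and +/- `window` steps."""
    step = unix_time // interval
    return any(hmac.compare_digest(hotp(server_key, step + d, server_alg), submitted)
               for d in range(-window, window + 1))


def sha1_fallback_accepted(unix_time: int) -> bool:
    """A client that ignores algorithm=SHA512 and computes SHA1 codes from the
    same seed: the server, configured for SHA512, will not accept its code."""
    client_code = totp(RFC6238_SEED_SHA512, unix_time, "sha1")
    return verify(RFC6238_SEED_SHA512, "sha512", client_code, unix_time)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; expected 8-digit codes are in the RFC's table
    print("sha1  ", totp(RFC6238_SEED_SHA1, t, "sha1", 8))
    print("sha256", totp(RFC6238_SEED_SHA256, t, "sha256", 8))
    print("sha512", totp(RFC6238_SEED_SHA512, t, "sha512", 8))
    print(otpauth_uri("EXAMPLE.TEST", "testuser", RFC6238_SEED_SHA512, "sha512"))
    print("SHA1-fallback client accepted by SHA512 server:", sha1_fallback_accepted(t))
```

The `verify` function uses `hmac.compare_digest` for the code comparison so the server-side check is constant-time; the fallback demonstration is what an end user sees as "my new token never works" when their authenticator is one of those listed in the gist as SHA1-only.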