Package: python-yubico-tools
Version: 1.1.0-2
Severity: normal

Dear Maintainer,

when using TOTP (time-based), the PIN output by yubikey-totp depends on the
timezone the tool is running in:

kosh@cindy:~$ echo $TZ; yubikey-totp; TZ=UTC yubikey-totp; yubikey-totp
Europe/Berlin
050816
934513
050816

(the first and last should be the same as the one in the middle)

I think this is in violation of RFC6238.

I suspect the cause can be seen in the output of --help, as the tool clearly 
doesn't calculate "seconds since the epoch" correctly:

kosh@cindy:~$ echo $TZ; yubikey-totp --help; TZ=UTC yubikey-totp --help; yubikey-totp --help; date +%s
Europe/Berlin
usage: yubikey-totp [-h] [-v] [--debug] [--time TIME] [--step STEP]
                    [--digits DIGITS] [--slot SLOT]

Generate OATH TOTP codes using a YubiKey

optional arguments:
  -h, --help       show this help message and exit
  -v, --verbose    Enable verbose operation (default: False)
  --debug          Enable debug operation (default: False)
  --time TIME      Time to use as number of seconds since epoch (default:
                   1437119455)
  --step STEP      Time step in use (in seconds) (default: 30)
  --digits DIGITS  Length of OTP in decimal digits (default: 6)
  --slot SLOT      YubiKey slot configured for Challenge-Response (default: 2)
usage: yubikey-totp [-h] [-v] [--debug] [--time TIME] [--step STEP]
                    [--digits DIGITS] [--slot SLOT]

Generate OATH TOTP codes using a YubiKey

optional arguments:
  -h, --help       show this help message and exit
  -v, --verbose    Enable verbose operation (default: False)
  --debug          Enable debug operation (default: False)
  --time TIME      Time to use as number of seconds since epoch (default:
                   1437123055)
  --step STEP      Time step in use (in seconds) (default: 30)
  --digits DIGITS  Length of OTP in decimal digits (default: 6)
  --slot SLOT      YubiKey slot configured for Challenge-Response (default: 2)
usage: yubikey-totp [-h] [-v] [--debug] [--time TIME] [--step STEP]
                    [--digits DIGITS] [--slot SLOT]

Generate OATH TOTP codes using a YubiKey

optional arguments:
  -h, --help       show this help message and exit
  -v, --verbose    Enable verbose operation (default: False)
  --debug          Enable debug operation (default: False)
  --time TIME      Time to use as number of seconds since epoch (default:
                   1437119455)
  --step STEP      Time step in use (in seconds) (default: 30)
  --digits DIGITS  Length of OTP in decimal digits (default: 6)
  --slot SLOT      YubiKey slot configured for Challenge-Response (default: 2)
1437123055

The "default" for "number of seconds since epoch" in the description of the 
--time parameter clearly changes with TZ, which is wrong. Compare the output of 
"date +%s" which returns the same value "TZ=UTC yubikey-totp --help" returns.

The fix is rather trivial:

--- yubikey-totp.old    2012-06-08 14:21:39.000000000 +0200
+++ yubikey-totp        2015-07-17 11:06:39.265867405 +0200
@@ -41,7 +41,7 @@
 import argparse
 
 default_slot=2
-default_time=int(time.mktime(time.gmtime()))
+default_time=int(time.time())
 default_step=30
 default_digits=6
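
Review bot: the new line `default_time=int(time.time())` carries no comment saying why the mktime()/gmtime() round trip was dropped, so a later cleanup could reintroduce it. A one-line comment above it would help, noting that time.time() is already seconds since the epoch and that mktime() interprets its argument as local time. Since the failure only shows up when TZ is not UTC, a regression check that runs the tool with TZ set to a non-UTC zone and compares the --time default against `date +%s` would also be worth adding alongside this change.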

Cheers,
Marc




-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable'), (255, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-yubico-tools depends on:
ii  libpython2.7-stdlib [python-argparse]  2.7.9-2
ii  python                                 2.7.9-1
ii  python-yubico                          1.1.0-2

python-yubico-tools recommends no packages.

python-yubico-tools suggests no packages.

-- no debconf information
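
The timezone dependence reported above, reproduced as an added example (not code from python-yubico or from the reporter). Assumptions: the POSIX TZ rule stands in for Europe/Berlin, the key is the RFC 6238 test key, a software HMAC-SHA1 replaces the YubiKey challenge-response slot, and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct
import time

STEP = 30
REPORT_TIME = 1437123055  # the `date +%s` value quoted in the report
# Assumption: POSIX TZ rule equivalent to Europe/Berlin, so no tzdata is needed.
BERLIN = "CET-1CEST,M3.5.0,M10.5.0/3"
RFC6238_KEY = b"12345678901234567890"  # RFC 6238 test key, not a real secret


def set_tz(tz):
    """Switch the process timezone (Unix only)."""
    os.environ["TZ"] = tz
    time.tzset()


def buggy_epoch(now):
    # Old default: gmtime() yields UTC fields with tm_isdst=0, then mktime()
    # reads those fields as *local standard time*, shifting the result.
    return int(time.mktime(time.gmtime(now)))


def fixed_epoch(now):
    # Patched default: time.time() already counts seconds since the epoch.
    return int(now)


def totp(secret, epoch, step=STEP, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (software stand-in for the YubiKey slot)."""
    mac = hmac.new(secret, struct.pack(">Q", epoch // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def compare(tz, now=REPORT_TIME):
    """Return (buggy, fixed) epoch values as seen under timezone `tz`."""
    set_tz(tz)
    return buggy_epoch(now), fixed_epoch(now)


if __name__ == "__main__":
    for tz in (BERLIN, "UTC0"):
        buggy, fixed = compare(tz)
        print(tz, buggy, totp(RFC6238_KEY, buggy), fixed, totp(RFC6238_KEY, fixed))
```

Under the Berlin rule the old expression lands 3600 seconds (120 steps of 30 s) behind the real epoch value, which reproduces the two --time defaults shown in the --help output above.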

