[OATH-Toolkit-help] Re: Storage of credentials

[Simon Josefsson]

Jean-Michel Pouré - GOOZE <address@hidden> writes:

> Le vendredi 18 mars 2011 à 11:14 +0100, Max Thoursie a écrit :
>> I had a breif discussion with Simon regarding how to store user
>> credentials (alternatives to the /etc/users.oath file) before he
>> pointed me to this mail-list. Let's continue the discussion here! 
>
> I would like to point out that PostgreSQL offers X.509 certificates
> encrypted tables. The leak point in OATH is the seed, which must be
> protected using the best tools.
>
> Also, I am against file storage, as you can hardly build a GUI on top of
> it. Using database makes it easier to make a GUI.

Yes, I agree we want to get there, and the PAM module should have an
internal backend-independent interface for this so it won't be difficult
to use either a /etc/users.oath file, or our improved /etc/oath/ scheme,
or LDAP, or PostgreSQL.

But I would also like to see an improved file-based storage for
small-scale deployments -- you don't want PostgreSQL or LDAP when you
are using pam_oath on a sensitive locked-down server for SSH logins.
Then you want the smallest amount of code that does the job.

Generally, the PAM module (or actually liboath) will need to have the
secret available in order to do the validation, so even if it is stored
securely, it will be available in clear text in memory during
validation.

Liboath could support doing the HMAC-SHA1 operations using a key stored
on a HSM through PKCS#11, now THAT would be a big improvement as the key
wouldn't even be accessible to the software... but we are not there yet.

Maybe we need to put ideas in a issue tracker to have more focused
discussion on each aspect.

Thanks for all the ideas!  It is inspiring to work on this project with
all the good feedback.

/Simon