oath-toolkit-help

[OATH-Toolkit-help] Compatibility with mod_authn_otp


From: Giovanni Bajo
Subject: [OATH-Toolkit-help] Compatibility with mod_authn_otp
Date: Mon, 02 May 2011 02:02:52 +0200
User-agent: RoundCube Webmail/0.3.1

Hello,

I was evaluating the deployment of HOTP through oath-toolkit (for PAM) and
mod_authn_otp (for Apache). I saw that the two packages share the same
users file, with just small differences. It looks like mod_authn_otp
predates oath-toolkit, and oath-toolkit adopted the same users file; but then
mod_authn_otp evolved by adding more features/syntax in that users file,
so that they are now incompatible with oath-toolkit. To the best of my
understanding, these are now the differences in the format supported by the
two packages:

 * mod_authn_otp added an additional field which is the last IP address
from which each user successfully authenticated. This field is used to
automatically log out a user if they change IP address, for security
concerns. I don't think it matters in the context of oath-toolkit (which
doesn't have the same issues of repeated/multiple HTTP requests).
 * mod_authn_otp describes token types more accurately in the first field
(e.g. HOTP/T60/6 to specify a TOTP token with a 60-second window and 6
digits of output), while oath-toolkit only supports a few types.

Everything else looks exactly the same (including lock file semantics,
which are obviously very important since there could be contemporary logins
from both HTTP and PAM).

I was wondering if oath-toolkit's maintainer is interested in keeping full
compatibility with mod_authn_otp; I believe that it would be well worth it,
because it would totally simplify deployment for users of both packages. In
that case, I would suggest that the two maintainers agree on the file
format and stay in touch in case of future modifications.

Thanks!
-- 
Giovanni Bajo   ::  address@hidden
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
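
The token-type difference described in the message can be checked before one users file is shared between two consumers. The following is an added example, not part of the original message and not code from oath-toolkit or mod_authn_otp. It assumes the grammar `HOTP[/E|/T<seconds>][/<digits>]`, generalized from the message's single example `HOTP/T60/6`, a default of 6 digits, `#` comment lines, and a caller-supplied `supported` set (hypothetical, since the message does not list which types each package accepts).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed grammar, generalized from the message's single example "HOTP/T60/6":
#   "HOTP" [ "/E" | "/T" <seconds> ] [ "/" <digits> ]
_TYPE_RE = re.compile(r"HOTP(?:/(?:E|T(?P<period>\d+)))?(?:/(?P<digits>\d+))?")

@dataclass(frozen=True)
class TokenType:
    time_based: bool
    period: Optional[int]  # seconds per time step; None for counter-based
    digits: int

def parse_token_type(field: str, default_digits: int = 6) -> TokenType:
    """Normalize a token-type field; default_digits is an assumption."""
    m = _TYPE_RE.fullmatch(field)
    if m is None:
        raise ValueError(f"unrecognized token type {field!r}")
    period = int(m["period"]) if m["period"] else None
    if period == 0:
        raise ValueError(f"zero-length time step in {field!r}")
    digits = int(m["digits"]) if m["digits"] else default_digits
    # RFC 4226 requires at least 6 digits; the 31-bit truncated value
    # never has more than 10 decimal digits.
    if not 6 <= digits <= 10:
        raise ValueError(f"unsupported digit count in {field!r}")
    return TokenType(period is not None, period, digits)

def incompatible_entries(lines, supported):
    """Return (line_no, field, reason) for entries outside `supported`."""
    problems = []
    for no, line in enumerate(lines, 1):
        text = line.strip()
        if not text or text.startswith("#"):  # assumed comment syntax
            continue
        field = text.split()[0]  # only the first field is inspected
        try:
            token_type = parse_token_type(field)
        except ValueError as exc:
            problems.append((no, field, str(exc)))
            continue
        if token_type not in supported:
            problems.append((no, field, "type not supported by this consumer"))
    return problems

# Constructed sample lines; everything after the first field is a placeholder.
SAMPLE = ["# users", "HOTP/T60/6 alice x", "HOTP bob x", "HOTP/T60/4 carol x"]
```

Because entries are compared after normalization, `HOTP` and `HOTP/E/6` count as the same type under the assumed defaults.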


