oath-toolkit-help

Re: [OATH-Toolkit-help] Compatibility with mod_authn_otp


From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] Compatibility with mod_authn_otp
Date: Tue, 03 May 2011 13:32:37 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)

Giovanni Bajo <address@hidden> writes:

> Hello,
>
> I was evaluating the deployment of HOTP through oath-toolkit (for PAM) and
> mod_authn_otp (for Apache). I saw that the two packages share the same
> users file, with just small differences. It looks like mod_authn_otp
> predates, and oath-toolkit adopted the same user file; but then
> mod_authn_otp evolved by adding more features/syntax in that user file,
> so that they are now incompatible with oath-toolkit.

Hi Giovanni and welcome!  Yes, your assessment is correct.

> To the best of my understanding, these are now the differences in the
> format supported by the two packages:
>
>  * mod_authn_otp added an additional field which is the last IP address
> from which each user successfully authenticated. This field is used to
> automatically log out a user if it changes IP address, for security
> concerns. I don't think it matters in the context of oath-toolkit (which
> doesn't have the same issues of repeated/multiple HTTP requests).

Right, this change seems to be a no-op for us, right?

>  * mod_authn_otp describes more accurately token types in the first field
> (eg: HOTP/T60/6 to specify a TOTP token with a 60-second window and 6
> digits of output), while oath-toolkit only supports a few types.

Supporting TOTP is in-progress, pending some improved TOTP validation
APIs in the library.  Supporting Mobile-OTP is not in scope for us.

> Everything else looks exactly the same (including lock file semantics,
> which is obviously very important since there could be contemporary logins
> from both HTTP and pam).

Thanks for checking!

> I was wondering if oath-toolkit's maintainer is interested in keeping full
> compatibility with mod_authn_otp; I believe that it would be well worth it,
> because it would totally simplify deployment for users of both packages. In
> that case, I would suggest that the two maintainers agree on the file
> format and stay in touch in case of future modifications.

I'd like consistency around it, and will try to keep full compatibility
unless there is any strong reason to not do so.

However, I also believe that the usersfile is a quite poor credential
format: 1) it stores passwords in plaintext, 2) it requires a rewrite of
the entire file on authentication, 3) it uses one file to store several
possibly unrelated things, 4) there is no per-user ability (e.g.,
~/.oath/) for non-system wide customization.  We have discussed better
formats on this list, but there is no code yet.  Maybe we are reaching
critical mass and can start to sketch out something in more detail and
start coding.

/Simon
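The thread turns on three properties of the shared users file: the token-type string in the first field (the HOTP/T60/6 form Giovanni cites), the lock that keeps a PAM login and an HTTP login from racing, and Simon's objection that every successful authentication rewrites the whole file. The following is an added example, written for this page and not code from oath-toolkit or mod_authn_otp, that shows why that rewrite is unavoidable for a file-backed OTP store: the accepted moving factor must be persisted under the lock, or the same one-time password is accepted twice. The record layout "TYPE USER PIN SECRET_HEX [LAST_ACCEPTED]", the ".lock" side file and the token-type parser (which accepts only the plain "HOTP" and "HOTP/T<step>/<digits>" forms named in the thread) are assumptions constructed for the example, not either project's real format; the HOTP and TOTP arithmetic follows RFC 4226 and RFC 6238, and the secret is the RFC 4226 test key.

```python
"""Added example (not oath-toolkit or mod_authn_otp code): HOTP/TOTP check
against a simplified usersfile record, with the per-login rewrite and the
lock the thread discusses.  The record layout, the ".lock" side file and
the token-type parser are constructed assumptions, not either project's
real format."""
import fcntl
import hashlib
import hmac
import os
import struct
import tempfile
import time

# RFC 4226 appendix D test key; its hex is the secret in the demo records.
RFC4226_KEY = b"12345678901234567890"

# Constructed records: "TYPE USER PIN SECRET_HEX [LAST_ACCEPTED_MOVING_FACTOR]"
DEMO_USERSFILE = (
    "HOTP alice - " + RFC4226_KEY.hex() + "\n"
    "HOTP/T60/6 bob 1234 " + RFC4226_KEY.hex() + "\n"
)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def parse_token_type(spec: str):
    """'HOTP' -> (None, 6): event-based; 'HOTP/T60/6' -> (60, 6): time-based, 60 s step.
    Only these two shapes are handled; anything else is rejected (assumption)."""
    parts = spec.split("/")
    if parts[0] != "HOTP" or len(parts) > 3:
        raise ValueError("unsupported token type: " + spec)
    step, digits = None, 6
    for p in parts[1:]:
        if p[:1] == "T" and p[1:].isdigit():
            step = int(p[1:])
        elif p.isdigit():
            digits = int(p)
        else:
            raise ValueError("unsupported token type: " + spec)
    return step, digits


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison; PIN and OTP are both attacker-controlled input."""
    return hmac.compare_digest(a.encode(), b.encode())


def find_moving_factor(secret, step, digits, last, otp, now, window=10):
    """Return the moving factor that produced `otp` if it is fresh, else None.

    Event-based: try last+1 .. last+window (look-ahead for skipped codes).
    Time-based: try the current step and the previous one (clock skew).
    Anything <= last was already used and is a replay, whatever the code."""
    if step is None:
        start = 0 if last is None else last + 1
        candidates = range(start, start + window)
    else:
        t = int(now // step)
        candidates = (t, t - 1)
    for c in candidates:
        if (last is None or c > last) and _eq(hotp(secret, c, digits), otp):
            return c
    return None


def authenticate(path, user, pin, otp, now=None, window=10):
    """Check PIN+OTP for `user`; on success rewrite the file with the new moving factor."""
    now = time.time() if now is None else now
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)   # serialise PAM and HTTP logins on one file
        try:
            with open(path) as f:
                lines = f.read().splitlines()
            for i, line in enumerate(lines):
                fields = line.split()
                if len(fields) < 4 or fields[1] != user:
                    continue
                step, digits = parse_token_type(fields[0])
                stored_pin = "" if fields[2] == "-" else fields[2]
                last = int(fields[4]) if len(fields) > 4 else None
                if not _eq(stored_pin, pin):
                    return False
                used = find_moving_factor(bytes.fromhex(fields[3]), step, digits,
                                          last, otp, now, window)
                if used is None:
                    return False
                lines[i] = " ".join(fields[:4] + [str(used)])
                tmp = path + ".tmp"
                with open(tmp, "w") as f:       # whole-file rewrite on every success
                    f.write("\n".join(lines) + "\n")
                os.replace(tmp, path)           # atomic swap: readers never see a torn file
                return True
            return False
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)


def demo():
    """Run the flow on a constructed usersfile in a temp dir and return the outcomes."""
    path = os.path.join(tempfile.mkdtemp(), "users.oath")
    with open(path, "w") as f:
        f.write(DEMO_USERSFILE)
    out = {
        "alice_first": authenticate(path, "alice", "", "755224"),           # counter 0
        "alice_replay": authenticate(path, "alice", "", "755224"),          # counter 0 again
        "alice_skip": authenticate(path, "alice", "", "969429"),            # counter 3, in window
        "alice_bad_pin": authenticate(path, "alice", "x", "338314"),        # right OTP, wrong PIN
        "bob_totp": authenticate(path, "bob", "1234", "755224", now=59),    # step 0 of 60 s
        "bob_replay": authenticate(path, "bob", "1234", "755224", now=70),  # step 0 already used
        "bob_next": authenticate(path, "bob", "1234", "287082", now=61),    # step 1
    }
    with open(path) as f:
        out["file"] = f.read()
    return out
```

The design point is the one Simon raises as objection 2: because the only replay defence is the last accepted moving factor, every successful login is a read-modify-write of the whole file, and the lock around it is what keeps a PAM login and an Apache login from both accepting the same code. The plaintext secret in the record (his objection 1) is left as-is here because that is the format under discussion; a store that kept the secret inside an HSM or a per-user file would change the record, not the verification logic.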
