
Re: [OATH-Toolkit-help] Patch to include totp validation to the pam modu


From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Thu, 05 May 2011 10:42:47 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)

"Epperlein, Frank" <address@hidden> writes:

> Hi,
>
> I have built a tool to simply authenticate an openvpn client against the
> oath-toolkit. More precisely it is a lite C tool which uses the
> oath_authenticate_usersfile function and is statically built against
> liboath. I use it to run openvpn server in a chroot environment -
> where it's really hard to use pam.

Hi and welcome!

Cool.  Have you published your code?  There was a thread about pam_oath
with xscreensaver and that didn't work because /etc/usersfile was owned
by root.  With a small setuid-binary to validate OTPs in the usersfile,
possibly based on your tool, that would be solved.

> Therefore I would like to use TOTP and tried the
> features/totp-usersfile branch. But yesterday version 1.8 came out
> without this feature merged in. I really have no problems with 1.6.4 -
> but when do you plan to merge this feature? It does a good job for me
> even in the existing implementation.

That code has a somewhat serious security bug that we haven't resolved
yet: it permits an earlier TOTP to authenticate you as long as that TOTP
is within the acceptable window and it isn't the last OTP you used.

I'll try to get this resolved...

/Simon
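
The replay condition described in the message above, as an added Python example that is not part of the original mail and is not oath-toolkit code: `validate_last_otp_only` models the behaviour as stated (only the last used OTP is refused), and `validate_monotonic` is one common fix that records the highest accepted time step. The function names, the `state` dictionary standing in for the usersfile record, the sample key and the timestamps are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value (RFC 4226, HMAC-SHA1) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def validate_last_otp_only(secret, otp, now, window, state):
    """Models the flaw described above: only the last used OTP is refused."""
    t = now // STEP
    for c in range(max(t - window, 0), t + window + 1):
        if hmac.compare_digest(totp(secret, c), otp):
            if otp == state.get("last_otp"):
                return False
            state["last_otp"] = otp
            return True
    return False

def validate_monotonic(secret, otp, now, window, state):
    """Stores the highest accepted time step and accepts only later steps."""
    t = now // STEP
    start = max(t - window, state.get("last_step", -1) + 1, 0)
    for c in range(start, t + window + 1):
        if hmac.compare_digest(totp(secret, c), otp):
            state["last_step"] = c
            return True
    return False

def replay_demo(validate):
    """Two honest logins, then a replay of the first code inside the window."""
    secret = b"12345678901234567890"  # constructed sample key (RFC 4226 test key)
    state = {}                        # stands in for the per-user usersfile record
    first = totp(secret, 70 // STEP)    # code for time step 2
    second = totp(secret, 100 // STEP)  # code for time step 3
    ok1 = validate(secret, first, 70, 2, state)
    ok2 = validate(secret, second, 100, 2, state)
    replayed = validate(secret, first, 100, 2, state)
    return ok1, ok2, replayed

if __name__ == "__main__":
    print("last-OTP check:", replay_demo(validate_last_otp_only))  # replay accepted
    print("monotonic step:", replay_demo(validate_monotonic))      # replay refused
```

With the monotonic check, a code for a step at or before the last accepted one is never compared at all, so the acceptance window can stay wide for clock skew without reopening the replay.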


