
Re: [OATH-Toolkit-help] Patch to include totp validation to the pam modu


From: Frank Epperlein
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Fri, 06 May 2011 11:48:30 +0200
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10

On 05.05.2011 10:42, Simon Josefsson wrote:
> Cool.  Have you published your code?  There was a thread about pam_oath
> with xscreensaver and that didn't work because /etc/usersfile was owned
> by root.  With a small setuid-binary to validate OTPs in the usersfile,
> possibly based on your tool, that would be solved.
I've uploaded it to https://shellshark.de/files/auth_oath.tbz - maybe
it could help to solve the xscreensaver problem. I think this could also
be interesting to other people who would like to use an openvpn server.
It's really rudimentary but it works fine with openvpn for me.


> That code has a somewhat serious security bug that we haven't resolved
> yet: it permits an earlier TOTP to authenticate you as long as that TOTP
> is within the acceptable window and it isn't the last OTP you used.
Ok, this is hard to resolve as long as you don't change the userfile to
record all the used OTPs. An acceptable solution would be to reject all
OTPs that are older than the last used one (if the window is 20, and the
last used is the fifth one, you could stop checking number 6 to number
20). This would also include possibly sniffed OTPs.


Frank



