oath-toolkit-help

Re: [OATH-Toolkit-help] Patch to include totp validation to the pam modu


From: Giovanni Bajo
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Fri, 06 May 2011 12:56:20 +0200

On Fri, 2011-05-06 at 11:48 +0200, Frank Epperlein wrote:
> On 05.05.2011 10:42, Simon Josefsson wrote:
> > That code has a somewhat serious security bug that we haven't resolved
> > yet: it permits an earlier TOTP to authenticate you as long as that TOTP
> > is within the acceptable window and it isn't the last OTP you used.
> Ok, this is hard to resolve as long as you don't change the userfile to
> record all the used OTPs.

In fact, if you look at the documentation of the UsersFile here:
http://code.google.com/p/mod-authn-otp/wiki/UsersFile
the 6th field is "The previous successfully used one-time password". I
guess this is to support TOTP correctly.

BTW, does the branch code correctly identify a TOTP token as "HOTP/TXX"
in the users file?
-- 
Giovanni Bajo   ::  address@hidden
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
Last post: Compile-time Function Execution in D
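
The replay condition described in the quoted text above, as an added example that is not part of the original message and is not OATH Toolkit or mod-authn-otp code: `validate_last_otp` remembers only the previous OTP string, while `validate_last_step` stores the highest accepted time step and rejects anything at or below it. The function names, the state dictionary and the window size are assumptions; the secret is the RFC 4226 test secret.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
WINDOW = 2   # steps accepted either side of "now" (constructed value)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """TOTP for one time-step counter: HOTP (RFC 4226) over HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def matching_steps(secret, otp, now):
    """Time-step counters inside the window whose TOTP equals otp."""
    cur = now // STEP
    return [c for c in range(cur - WINDOW, cur + WINDOW + 1)
            if hmac.compare_digest(totp(secret, c), otp)]

def validate_last_otp(state, secret, otp, now):
    """Flawed check: only the last used OTP string is remembered."""
    if otp == state.get("last_otp") or not matching_steps(secret, otp, now):
        return False
    state["last_otp"] = otp
    return True

def validate_last_step(state, secret, otp, now):
    """Hardened check: accept only steps newer than the last accepted one."""
    fresh = [c for c in matching_steps(secret, otp, now) if c > state.get("last_step", -1)]
    if not fresh:
        return False
    state["last_step"] = max(fresh)  # one integer of per-user state
    return True

def replay_demo(validate):
    """Log in with an older OTP, then the current one, then replay the older."""
    secret = b"12345678901234567890"   # RFC 4226 test secret
    now = 5 * STEP                     # constructed clock value, time step 5
    state = {}
    older, newer = totp(secret, now // STEP - 1), totp(secret, now // STEP)
    first = validate(state, secret, older, now)
    second = validate(state, secret, newer, now)
    replay = validate(state, secret, older, now)  # earlier OTP, still in window
    return first, second, replay

if __name__ == "__main__":
    print("last-OTP check :", replay_demo(validate_last_otp))
    print("last-step check:", replay_demo(validate_last_step))
```

The third value in each tuple is the replay attempt: the last-OTP check accepts it, the last-step check rejects it.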



