
Re: [OATH-Toolkit-help] pam_oath and multiple tokens for a user


From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] pam_oath and multiple tokens for a user
Date: Thu, 31 May 2012 22:07:36 +0200
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/23.3 (gnu/linux)

Tim Eggleston <address@hidden> writes:

> Hello,
>
> Is there a way to have multiple tokens (sets of shared
> secrets and counter values/timestamps in /etc/users.oath) for a single
> account in pam_oath? I have a couple of Yubikeys, a Nano which I keep in
> my home laptop and a normal one which is on my keyring for travelling.
> I'd love to be able to use either token to authenticate myself in a
> robust way (i.e. not just set the "window" parameter to be a really
> large number like 50). Is this possible? I figure it might be do-able by
> chaining together a couple of users.oath files in successive PAM
> modules, but that seems a bit ugly. 

Hi Tim!

Having the same secret in several devices is usually not a good idea --
instead, how about a scheme to have multiple lines in users.oath for the
same user but with different OATH secrets?  Then each OTP could be
tested against all lines for a user, to find which device is relevant,
and then that line could be updated.

I have not thought about how easy it would be to implement, or if there
are other disadvantages, but it is a starting point.

I think that generally we shouldn't create solutions that lead people
to put the same shared secret in multiple devices (what to do when
you lose one of them but not the others?).

Alternatively, if you are using 2FA, each device could have a different
password, then the library could use the password to select the OATH
secret to use.

/Simon
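The scheme Simon sketches (several users.oath lines for one user, each with its own secret, try the OTP against every line and advance only the line that matched) as an added example; this is not pam_oath's own code. It assumes a simplified five-field layout (type, user, pin, hex secret, counter) and constructed sample secrets; the first is the RFC 4226 test-vector key, the second is a made-up key for the second device.

```python
import hashlib
import hmac
import struct

# Constructed sample in a simplified users.oath-like layout (assumption:
# real pam_oath expects a single line per user, so two lines is the proposal
# under discussion, not current behaviour).
USERS_OATH = """\
HOTP tim - 3132333435363738393031323334353637383930 0
HOTP tim - 4142434445464748494a4b4c4d4e4f5051525354 5
"""

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def parse(text: str) -> list:
    """Parse the constructed layout into one dict per line (= per device)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        typ, user, pin, secret, counter = line.split()[:5]
        rows.append({"type": typ, "user": user, "pin": pin,
                     "secret": bytes.fromhex(secret), "counter": int(counter)})
    return rows

def verify(rows: list, user: str, otp: str, window: int = 10):
    """Try the OTP against every line belonging to `user`.

    On a hit, advance only the matching line's counter past the used value,
    so that device cannot replay the code and the other device's state is
    untouched. Returns the index of the matching line, or None.
    """
    for idx, row in enumerate(rows):
        if row["user"] != user:
            continue
        for step in range(window):
            cand = row["counter"] + step
            if hmac.compare_digest(hotp(row["secret"], cand), otp):
                row["counter"] = cand + 1
                return idx
    return None
```

A real implementation would also have to take the file lock pam_oath uses while rewriting the line, since two devices now race on the same file.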


