oath-toolkit-help

Re: [OATH-Toolkit-help] oath.users: encrypted passwords and management t


From: Chris J
Subject: Re: [OATH-Toolkit-help] oath.users: encrypted passwords and management tool
Date: Tue, 19 May 2015 15:58:05 +0100
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

Hi,

>> 2. In some situations it would be nice to let users set up their
>> password prefix and OTP secret. What would be needed is a tool like
>> /usr/bin/passwd that managed the libpam-oath users file, letting users
>> change their relevant data after authentication. I couldn't find such
>> a tool. Is somebody working on it?
> 
> Not to my knowledge.  It would indeed be a usable tool.  The
> alternative, of course, is to not perform the OATH stuff locally but on
> a remote server, and setup RADIUS or something else and use a pam_radius
> or whatever.
> 
> /Simon
> 

I've been working on one although the caveats are that I've only used it
myself, on my server with less than 10 users - so feedback welcome. I've
not announced it mostly due to having a busy year and not able to do
much more with it for another month or so.

The idea is that the users.oath file is group read/writable only (i.e.,
mode 660), and the tools in this chain are setgid (so they don't need root,
yet keep users.oath secret).

If people want to play, the sources are available from Bitbucket at:
https://bitbucket.org/rangerchris/otpsetpin

There are programs to manage users.oath, allow users to change their
PIN and generate QR codes for use with (say) FreeOTP on Android.

As mentioned, feedback welcome: I'm in the middle of other stuff at the
moment and then a holiday, so changes to the codebase, if required, will
take some time.

Cheers,

Chris
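
The permission layout described in the message above (users file at mode 660, tools setgid to the file's group, no root involved) can be checked on a deployed host. The following is an added example, not part of the original post and not code from otpsetpin; the function names and the paths passed to them are assumptions.

```python
import os
import stat


def audit_modes(file_mode, file_gid, tool_mode, tool_gid):
    """Check raw st_mode/st_gid values against the 660 + setgid layout.

    Returns a list of findings; an empty list means the layout matches.
    """
    findings = []
    perms = stat.S_IMODE(file_mode)
    if perms & 0o007:
        findings.append("users file is accessible to 'other'")
    if perms & 0o060 != 0o060:
        findings.append("users file is not group read/writable")
    if perms & 0o111:
        findings.append("users file has execute bits set")
    if not tool_mode & stat.S_ISGID:
        findings.append("tool is not setgid")
    if tool_mode & stat.S_ISUID:
        findings.append("tool is setuid, which this layout does not need")
    if tool_mode & stat.S_IWOTH:
        findings.append("tool is world-writable")
    if tool_gid != file_gid:
        findings.append("tool group differs from users file group")
    return findings


def audit_paths(users_file, tool):
    """Stat both paths (without following symlinks) and audit them."""
    f = os.lstat(users_file)
    t = os.lstat(tool)
    findings = []
    if not stat.S_ISREG(f.st_mode):
        findings.append("users file is not a regular file")
    if not stat.S_ISREG(t.st_mode):
        findings.append("tool is not a regular file")
    return findings + audit_modes(f.st_mode, f.st_gid, t.st_mode, t.st_gid)


if __name__ == "__main__":
    import sys
    # Usage: script.py <users file> <setgid tool>; both paths are site-specific.
    problems = audit_paths(sys.argv[1], sys.argv[2])
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```
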


