Re: [OATH-Toolkit-help] oath.users: encrypted passwords and management t


From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] oath.users: encrypted passwords and management tool
Date: Tue, 19 May 2015 21:26:03 +0200
User-agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)

Chris J <address@hidden> writes:

> The idea is that the users.oath file is group read/writable only (i.e.,
> mode 660), and the tools in this chain are setgid (so don't need root,
> yet keeps users.oath secret)
>
> If people want to play, the sources are available from Bitbucket at:
> https://bitbucket.org/rangerchris/otpsetpin
>
> There are programs to manage users.oath, which allow users to change their
> PIN and generate QR codes for use with (say) FreeOTP on Android.

Thanks for sharing!

I'm a bit mixed whether this is the best path to pursue, or whether it
would be better to recommend an indirect path such as Radius or
something else.  The indirect approach would be to have a server (which
could be on the same host) perform the OATH validation, and then use a
PAM module that talks to that server.  This has the advantage of
allowing full privilege separation of the secret handling part from the
login flow path.  It comes with some additional complexity cost,
though, but maybe it is not significant.

Still, as you suggest, the direct path is relatively easy to put
together and solves the problem.  Perhaps there is room for documenting
how to do both properly.

/Simon
