oath-toolkit-help
Re: [Hotp-toolkit-help] Possible bug in HOTP / support for TOTP, OCRA?


From: Simon Josefsson
Subject: Re: [Hotp-toolkit-help] Possible bug in HOTP / support for TOTP, OCRA?
Date: Mon, 27 Dec 2010 17:23:23 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.2 (gnu/linux)

Simon Josefsson <address@hidden> writes:

>> I had trouble getting it started, and the reason appears to be the "-" in the
>> proposed initial /etc/users.hotp file.  To get the PAM module working, I had
>> to uncomment these lines from usersfile.c:
>>
>>           if (strcmp (p, "-") == 0 && *p != '\0')
>>             return HOTP_BAD_PASSWORD;
>>           if (strcmp (p, passwd) != 0)
>>             return HOTP_BAD_PASSWORD;
>>
>> Without it, I always got the HOTP_BAD_PASSWORD return.  Looking at the code,
>> I was confused why the test *p != '\0' is done after strcmp (p, "0") == 0 as
>> it does not add anything?  Possibly this code is mistaken?
>>
>> I am uncertain about the purpose of this code, and am I the only one who
>> cannot get the PAM module going with the proposed initial /etc/users.hotp
>> file?  I used the README-proposed contents:
>>
>> HOTP root - 00
>
> I am looking at this now, first to see whether I can reproduce it
> locally.  Indeed the strcmp if case looks a bit strange.

Should be fixed in 1.0.1 now.  The code should have read:

          if (strcmp (p, "-") == 0 && *passwd != '\0')
            return HOTP_BAD_PASSWORD;
          if (strcmp (p, passwd) != 0)
            return HOTP_BAD_PASSWORD;

The intention being that if the user provided a non-empty password, and
the system did not know any password, authentication will fail.  This
helps to alert users that the security is only one-factor even if the
user thought that it would be two-factor because of the password.

Thanks,
/Simon
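An added example, not part of this thread or of oath-toolkit itself, showing the failure mode of the quoted 1.0.0 check beside a check that carries out the intent Simon describes: a "-" password field means the system stores no password, so a non-empty supplied password is rejected while an empty one is accepted. The result codes, the small users-file line parser and the field layout (type, user, password, secret, as in the README line "HOTP root - 00") are this example's own assumptions, and the fixed check wires its two conditions with an else so that a "-" entry with an empty password is not then compared literally against the string "-" by the second strcmp.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for this example only; they stand in for the library's
   HOTP_OK / HOTP_BAD_PASSWORD and are not the library's own definitions. */
enum
{
  EX_OK = 0,
  EX_BAD_PASSWORD = 1,
  EX_UNKNOWN_USER = 2,
  EX_PARSE_ERROR = 3
};

/* Password check as quoted from 1.0.0: once strcmp (p, "-") has matched,
   `*p != '\0'` is always true, so every "-" entry is rejected no matter
   what the user typed.  Kept here only to show the failure mode. */
static int
check_password_old (const char *p, const char *passwd)
{
  if (strcmp (p, "-") == 0 && *p != '\0')
    return EX_BAD_PASSWORD;
  if (strcmp (p, passwd) != 0)
    return EX_BAD_PASSWORD;
  return EX_OK;
}

/* Password check with the intent described in the reply: "-" means no
   password is stored, so only a non-empty supplied password is rejected;
   for any other stored value the two must match.  The else branch is this
   example's own wiring (assumption), so the "-" case never falls through
   to the literal comparison. */
static int
check_password_fixed (const char *p, const char *passwd)
{
  if (strcmp (p, "-") == 0)
    {
      if (*passwd != '\0')
        return EX_BAD_PASSWORD;
    }
  else if (strcmp (p, passwd) != 0)
    return EX_BAD_PASSWORD;
  return EX_OK;
}

/* Look up USER in one users-file line of the assumed form
   "TYPE USER PASSWORD SECRET" and apply CHECK to the stored password
   field.  This parser is the example's own, not usersfile.c. */
static int
authenticate_line (const char *line, const char *user, const char *passwd,
                   int (*check) (const char *, const char *))
{
  char type[16], name[64], stored[64], secret[128];

  if (sscanf (line, "%15s %63s %63s %127s", type, name, stored, secret) != 4)
    return EX_PARSE_ERROR;
  if (strcmp (name, user) != 0)
    return EX_UNKNOWN_USER;
  return check (stored, passwd);
}

/* Constructed sample entries, modelled on the README line. */
static const char *const SAMPLE_NOPASS = "HOTP root - 00";
static const char *const SAMPLE_WITHPASS = "HOTP alice s3cret 00";

int
main (void)
{
  printf ("old,   '-' entry, empty password:    %d\n",
          authenticate_line (SAMPLE_NOPASS, "root", "", check_password_old));
  printf ("fixed, '-' entry, empty password:    %d\n",
          authenticate_line (SAMPLE_NOPASS, "root", "", check_password_fixed));
  printf ("fixed, '-' entry, password supplied: %d\n",
          authenticate_line (SAMPLE_NOPASS, "root", "x", check_password_fixed));
  printf ("fixed, stored password, right one:   %d\n",
          authenticate_line (SAMPLE_WITHPASS, "alice", "s3cret",
                             check_password_fixed));
  printf ("fixed, stored password, wrong one:   %d\n",
          authenticate_line (SAMPLE_WITHPASS, "alice", "nope",
                             check_password_fixed));
  return 0;
}
```

With the README line and an empty password, the old check returns EX_BAD_PASSWORD (1) and the fixed one EX_OK (0); supplying any password against a "-" entry is rejected by the fixed check, which is the one-factor warning the reply describes.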


