[OATH-Toolkit-help] Re: Storage of credentials
From: Simon Josefsson
Subject: [OATH-Toolkit-help] Re: Storage of credentials
Date: Fri, 18 Mar 2011 16:10:01 +0100
User-agent: Gnus/5.110016 (No Gnus v0.16) Emacs/23.2 (gnu/linux)

Daniel Pocock <address@hidden> writes:
>> I had a brief discussion with Simon regarding how to store user
>> credentials (alternatives to the /etc/users.oath file) before he
>> pointed me to this mail-list. Let's continue the discussion here!
>
> This is essentially why I built dynalogin as an extra layer around HOTP
> - you can then put dynalogin and the secrets on a dedicated, hardened
> machine. The secrets never travel on the network, it simply gives
> yes/no responses to the auth requests.
Right, that is a better approach; for larger installations you will want
to use some protocol between clients and a server. But somewhere the
HOTP validation will need to occur, and that is where pam_oath could be
used -- for example if you are using FreeRadius with pam_oath as the
backend, and using pam_radius on all client hosts. Using the usersfile
there doesn't scale.
/Simon
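
The design discussed in this thread (secrets held on one validation host that answers only yes/no) can be sketched as follows. This is an added example, not code from the message, OATH Toolkit, pam_oath or dynalogin; `ValidationServer`, `enroll`, `authenticate` and the `window` parameter are hypothetical names, and an in-memory dict stands in for the credential store.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a single counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ValidationServer:
    """Hypothetical validator: holds the secrets, returns only True/False."""

    def __init__(self, window: int = 5):
        self.window = window   # look-ahead for token/server counter drift
        self._users = {}       # user -> [secret, next expected counter]

    def enroll(self, user: str, secret: bytes, counter: int = 0) -> None:
        self._users[user] = [secret, counter]

    def authenticate(self, user: str, otp: str) -> bool:
        entry = self._users.get(user)
        if entry is None:
            return False
        secret, start = entry
        matched = None
        # Walk the whole window (no early exit) with constant-time compares.
        for c in range(start, start + self.window + 1):
            same = hmac.compare_digest(hotp(secret, c).encode(), otp.encode())
            if same and matched is None:
                matched = c
        if matched is None:
            return False
        # Advance past the matched counter so the OTP, and every skipped
        # one before it, can never be accepted again.
        entry[1] = matched + 1
        return True


if __name__ == "__main__":
    server = ValidationServer()
    server.enroll("alice", b"12345678901234567890")  # RFC 4226 test secret
    print(server.authenticate("alice", "287082"))    # counter 1: accepted
    print(server.authenticate("alice", "287082"))    # replay: rejected
```

The counter update is the state that has to live with the secret: a file or database shared by several validating hosts would need that write to be atomic.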