Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module

From: Max Thoursie
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Wed, 6 Apr 2011 11:30:48 +0200

On Tue, Apr 5, 2011 at 4:31 PM, Rien Broekstra <address@hidden> wrote:
> I just bought a number of feitian C200 OTP tokens, found this project, and
> saw that totp support was present but not yet in the pam module. Therefore I
> took the liberty of making a patch which enables PAM authentication with
> totp tokens. It should apply cleanly to oath-toolkit-1.6.2.
Great to see some work in this area! I wrote a similar patch a few
weeks ago, but I never got around to updating the documentation or
test cases, nor to sending it to the list. I'll include my
version for comparison.
One comment I got from Simon was that it should include an option to
disable reuse of a token in the same time window.
> Users who wish to authenticate via totp should use 'TOTP' as the first
> column in the usersfile. The field which normally contains the moving factor
> for hotp contains the time step size for totp. The window size is hardcoded
> to 0. I.e.:
>
> TOTP name - <seed> 60 207470 2011-04-05T16:04:02L
Using the moving factor for the time step size was a good move; I
should have thought of that. But why hardcode the window size when it
can be configured for HOTP?
Here's my patch:
diff --git a/liboath/usersfile.c b/liboath/usersfile.c
index 8d9ce9a..b509b28 100644
--- a/liboath/usersfile.c
+++ b/liboath/usersfile.c
@@ -31,19 +31,29 @@
#include <errno.h> /* For errno. */
#include <sys/stat.h> /* For S_IRUSR, S_IWUSR. */
+typedef enum
+{
+ OATH_DIGITS_MASK = 0xff,
+ OATH_TYPE_HOTP = 1 << 8,
+ OATH_TYPE_TOTP = 2 << 8,
+ OATH_TYPE_MASK = 0xff00
+} oath_type;
+
static unsigned
parse_type (const char *str)
{
if (strcmp (str, "HOTP/E/6") == 0)
- return 6;
+ return OATH_TYPE_HOTP | 6;
if (strcmp (str, "HOTP/E/7") == 0)
- return 7;
+ return OATH_TYPE_HOTP | 7;
if (strcmp (str, "HOTP/E/8") == 0)
- return 8;
+ return OATH_TYPE_HOTP | 8;
if (strcmp (str, "HOTP/E") == 0)
- return 6;
+ return OATH_TYPE_HOTP | 6;
if (strcmp (str, "HOTP") == 0)
- return 6;
+ return OATH_TYPE_HOTP | 6;
+ if (strcmp (str, "TOTP") == 0)
+ return OATH_TYPE_TOTP | 6;
return 0;
}
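Review bot: parse_type only recognises a bare "TOTP", while HOTP also gets the HOTP/E and HOTP/E/6..8 spellings, so a 7- or 8-digit TOTP token cannot be described in the usersfile at all. If the digit count is meant to be selectable for both types, add the matching `TOTP/E`, `TOTP/E/7` and `TOTP/E/8` cases, or parse the `/E/<digits>` suffix once and apply it to both prefixes. Since the unknown-type sentinel stays 0 and OATH_DIGITS_MASK of 0 is 0, the caller's `digits == 0` test keeps working, but that relies on no type constant ever having a zero digit field, which deserves a comment next to the enum.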
@@ -69,12 +79,15 @@ parse_usersfile (const char *username,
uint64_t start_moving_factor = 0;
int rc;
char *prev_otp = NULL;
+ int type = 0;
if (p == NULL)
continue;
/* Read token type */
- digits = parse_type (p);
+ rc = parse_type (p);
+ type = rc & OATH_TYPE_MASK;
+ digits = rc & OATH_DIGITS_MASK;
if (digits == 0)
continue;
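Review bot: `rc` is being reused as a scratch variable for the packed parse_type result before it later carries the validate return code; give the packed value its own local (for example `unsigned t = parse_type (p);` followed by `type = t & OATH_TYPE_MASK;` and `digits = t & OATH_DIGITS_MASK;`) so `rc` keeps a single meaning. `type` is also declared as `int` although the masks are `oath_type` values; declaring it with the enum type makes the `type == OATH_TYPE_HOTP` comparisons below self-documenting.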
@@ -142,8 +155,16 @@ parse_usersfile (const char *username,
if (prev_otp && strcmp (prev_otp, otp) == 0)
return OATH_REPLAYED_OTP;
- rc = oath_hotp_validate (secret, secret_length,
- start_moving_factor, window, otp);
+ if (type == OATH_TYPE_HOTP) {
+ rc = oath_hotp_validate (secret, secret_length,
+ start_moving_factor, window, otp);
+ } else if (type == OATH_TYPE_TOTP) {
+ rc = oath_totp_validate (secret, secret_length,
+ time(NULL), 30, 0,
+ window, otp);
+ } else {
+ continue;
+ }
if (rc < 0)
return rc;
*new_moving_factor = start_moving_factor + rc;
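Review bot: the TOTP branch hardcodes a 30-second step and a start offset of 0 in `oath_totp_validate (secret, secret_length, time(NULL), 30, 0, window, otp)`, even though the reply praises using the moving-factor column as the time step; pass `start_moving_factor` as the step size so the usersfile value actually takes effect. Right after the branch, `*new_moving_factor = start_moving_factor + rc;` still runs for TOTP, where `rc` is the offset within the window rather than a counter advance, so a meaningless value is written back to the moving-factor column (and, once that column holds the step size, it overwrites it); the TOTP path should leave the column unchanged, or store the matched time step so that a second login in the same step can be refused, which is the reuse option Simon asked for. Nothing in the visible hunks adds `#include <time.h>` for `time(NULL)`, so check that it is included elsewhere in usersfile.c. Finally, the `if (...) {` / `} else if (...) {` layout differs from the GNU brace style used in the rest of the file.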
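As an added worked example (not code from this thread or from oath-toolkit): a small Python reimplementation of the usersfile handling the two messages describe, i.e. the TYPE, USER, PIN, SECRET and FACTOR columns, with FACTOR being the HOTP counter or, per Rien's proposal, the TOTP step size in seconds; validation with a configurable window for both types; and a check that refuses a TOTP from a time step that has already been used, which is the reuse option Simon asked for. The HOTP/TOTP arithmetic, the `TOTP/E/<digits>` spellings, the `last_step` argument and the negative return codes are this example's own assumptions, and the secret is the RFC 4226 reference key used as constructed test data.

```python
"""Added example (Python, not oath-toolkit code): usersfile-style entries for
HOTP and TOTP, validation against a window, and reuse protection by time step."""
import hashlib
import hmac
import struct
import time

BAD_OTP = -1    # no counter / time step inside the window produced this OTP
REPLAYED = -2   # OTP equals the last accepted one, or its time step was already used

# Constructed test secret: the RFC 4226/6238 reference key "12345678901234567890".
SECRET_HEX = "3132333435363738393031323334353637383930"


def parse_type(token):
    """Map the type column to (kind, digits), or None if it is not recognised.
    Assumption: TOTP takes the same /E and /E/<digits> suffixes as HOTP."""
    parts = token.split("/")
    if parts[0] not in ("HOTP", "TOTP") or len(parts) > 3:
        return None
    if len(parts) >= 2 and parts[1] != "E":
        return None
    if len(parts) == 3:
        if parts[2] not in ("6", "7", "8"):
            return None
        return parts[0], int(parts[2])
    return parts[0], 6


def hotp(secret, counter, digits):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def parse_entry(line):
    """Parse one line: TYPE USER PIN SECRET_HEX FACTOR [LAST_OTP [LAST_TIME]].
    As in Rien's proposal, FACTOR is the HOTP counter or the TOTP step size in
    seconds; the trailing timestamp column is accepted but not used here."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError("too few columns: %r" % line)
    parsed = parse_type(fields[0])
    if parsed is None:
        raise ValueError("unknown token type: %r" % fields[0])
    kind, digits = parsed
    return {
        "kind": kind, "digits": digits, "user": fields[1], "pin": fields[2],
        "secret": bytes.fromhex(fields[3]), "factor": int(fields[4]),
        "last_otp": fields[5] if len(fields) > 5 else None,
    }


def validate(entry, otp, window, now=None, last_step=None):
    """Return the accepted HOTP counter or TOTP step index, or BAD_OTP/REPLAYED.

    window: HOTP looks ahead `window` counters from the stored one; TOTP
    accepts `window` steps on either side of the current step.  last_step
    (TOTP only, an assumption of this example) is the step index of the
    previous successful login: an OTP from that step or an earlier one is
    refused even if it lies inside the window."""
    # Same ordering as the patch: the stored last OTP is checked before validation.
    if entry["last_otp"] is not None and hmac.compare_digest(entry["last_otp"], otp):
        return REPLAYED
    secret, digits = entry["secret"], entry["digits"]
    if entry["kind"] == "HOTP":
        base = entry["factor"]
        for i in range(window + 1):
            if hmac.compare_digest(hotp(secret, base + i, digits), otp):
                return base + i
        return BAD_OTP
    step_size = entry["factor"]
    current = int(time.time() if now is None else now) // step_size
    for i in range(-window, window + 1):
        step = current + i
        if hmac.compare_digest(hotp(secret, step, digits), otp):
            if last_step is not None and step <= last_step:
                return REPLAYED
            return step
    return BAD_OTP


if __name__ == "__main__":
    entry = parse_entry("TOTP name - " + SECRET_HEX + " 60 207470 2011-04-05T16:04:02L")
    print(validate(entry, hotp(entry["secret"], 1, 6), window=0, now=119))
```

The caller is expected to persist the returned counter (HOTP) or step index (TOTP) and hand it back as `last_step` on the next login; that, rather than comparing the OTP string alone, is what stops a second use of a code within its time step once a non-zero window is allowed.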