Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module

From: Max Thoursie
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Wed, 13 Apr 2011 12:50:55 +0200
On Wed, Apr 6, 2011 at 2:03 PM, Rien Broekstra <address@hidden> wrote:
> On 4/6/2011 11:30 AM, Max Thoursie wrote:
>> One comment I got from Simon was that it should include an option to
>> disable reuse of a token in the same time window.
>
> I didn't change that from the original, every token can be used to
> authenticate once, because the last successful authentication is logged to
> the userfile (otp and date), and if the user-supplied otp matches the
> last-used otp the authentication fails.
Yes, but possibly it should be optional with totp. It's also probably
a good idea to store all used tokens within a window. If a newer token
is used in the next time period, it will re-enable the previous one.
I've seen that Google Authenticator does this.
>> Using the moving factor for time step size was a good move, I
>> should have thought of that. But why hardcode the window size when it
>> can be configured for HOTP?
>
> (I only spent a couple of hours reading the source, so what I'm writing
> below might be inaccurate:)
>
> Can it? Afaik, the hotp-module saves token type, name, password, seed,
> movingfactor, and optionally the last used otp and the timestamp of last
> authentication. For totp-authentication we need all of those, except for the
> moving factor.
The window size can be configured as a parameter to the pam module.
Its value is available in the window variable when you call the
totp_validate function.
Cheers,
Max
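The two replay-tracking strategies discussed in this thread, as an added example that is not OATH Toolkit code or the patch under review: a TOTP check over a configurable window of time steps, with either only the last used code remembered (so a newer token re-enables the previous one) or every code used inside the window remembered. The class name `TotpValidator` and its parameters are assumptions for this illustration; the secret and times come from the RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the time-step counter floor(at / step)."""
    return hotp(secret, at // step, digits)


class TotpValidator:
    """Accepts a code within +/- `window` time steps (the pam module's window parameter).

    track_all=False remembers only the last used counter, like a userfile holding
    the last otp and date; track_all=True remembers every counter used inside the
    window, so a newer token cannot re-enable an older one. (Hypothetical class.)
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = 30,
                 digits: int = 6, track_all: bool = False):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.track_all = track_all
        self.used: set[int] = set()  # time-step counters already accepted

    def validate(self, otp: str, now: int) -> bool:
        base = now // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if not hmac.compare_digest(hotp(self.secret, counter, self.digits), otp):
                continue
            if counter in self.used:
                return False  # reuse of a token within the window is rejected
            if self.track_all:
                # drop counters that have fallen out of the window, keep the rest
                self.used = {c for c in self.used if c >= base - self.window}
                self.used.add(counter)
            else:
                self.used = {counter}  # only the last code is stored: older ones are re-enabled
            return True
        return False
```

With `track_all=False`, a code from step T, then a code from step T+1, then the step-T code again is accepted three times; with `track_all=True` the third attempt is rejected.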