oath-toolkit-help

From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Mon, 25 Apr 2011 23:26:23 +0200
User-agent: Gnus/5.110016 (No Gnus v0.16) Emacs/23.2 (gnu/linux)

Thank you Rien and Max for your work.

I have created a git branch for TOTP support in usersfile.c, the branch
is called 'features/totp-usersfile':

http://git.savannah.gnu.org/gitweb/?p=oath-toolkit.git;a=shortlog;h=refs/heads/features/totp-usersfile

My first stab at a patch (inspired by both of your work) includes some
self-tests.  The patch is at:

http://git.savannah.gnu.org/gitweb/?p=oath-toolkit.git;a=commitdiff;h=8703e8afb2882b6c3fa1096b4b13041589b050c1

You use it by specifying a usersfile line like this:

HOTP/T30       eve     -       00

where T30 specifies a 30-second step size; a 60-second step size is also
supported.  Right now those are the only step sizes supported, but the
code could be rewritten easily to support any value.

The start offset is hard coded to 0, which seems bad.  The simplest way
to solve this, if/when someone needs it, is probably to call the
algorithm something like HOTP/T30-S4711 instead.  Thoughts?  Any reason
this wouldn't work?  I don't think this aspect is important.

The main reason that I didn't push this to master, and an aspect that I
think IS important, is that I haven't figured out how TOTPs are used in
the real world: do you want the last OTP to successfully authenticate
more than once even if it is within the current window?  Also, the code
right now has a negative search window, which may result in permitting
OTPs that are older than the last OTP seen, if it happens to be within
the search window.  That seems bad.  The code should probably use
start_moving_factor in some way.  Or something.  It has been a long day
and it is too late for me to think about this further now...

/Simon
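A worked illustration of the validation concern in the last paragraph (an added example, not oath-toolkit code; Python rather than the C of usersfile.c, and the RFC 4226/6238 test-vector secret is used as constructed input). It searches a +/- window like the patch, but records the last accepted time step the way the usersfile's moving factor would, so a code succeeds only once and nothing older than the last accepted code is permitted even when it falls inside the negative half of the window.

```python
import hmac
import hashlib
import struct

# RFC 4226 / RFC 6238 test-vector secret; constructed input, not a real key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def validate_totp(secret, otp, now, step=30, window=2, last_step=None):
    """Return the accepted time-step counter (now // step, +/- window), or None.
    last_step is the counter of the last OTP that authenticated (what the
    usersfile's moving factor would record).  Any candidate <= last_step is
    refused, so a code can only succeed once and an older code inside the
    negative half of the window is never accepted."""
    current = now // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate < 0 or (last_step is not None and candidate <= last_step):
            continue
        if hmac.compare_digest(hotp(secret, candidate), otp):
            return candidate
    return None


def simulate_logins(secret=SECRET, step=30):
    """Walk through the cases raised in the mail; returns the per-attempt outcome."""
    last_step = None
    results = []
    # (time, code) attempts: a fresh code, the same code replayed, a code older
    # than the last accepted one but still inside the window, then the next code.
    attempts = [
        (59, hotp(secret, 1)),   # counter 1: accepted and recorded
        (70, hotp(secret, 1)),   # replay inside the same step: refused
        (89, hotp(secret, 0)),   # counter 0 is in the window but older than last: refused
        (89, hotp(secret, 2)),   # counter 2: accepted
    ]
    for now, code in attempts:
        accepted = validate_totp(secret, code, now, step=step, last_step=last_step)
        if accepted is not None:
            last_step = accepted  # advance the moving factor only on success
        results.append(accepted)
    return results
```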


