oath-toolkit-help

Re: [OATH-Toolkit-help] Patch to include totp validation to the pam modu


From: Giovanni Bajo
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Sat, 07 May 2011 02:28:25 +0200
User-agent: RoundCube Webmail/0.3.1

On Fri, 06 May 2011 17:01:25 +0200, Frank Epperlein <address@hidden>
wrote:
> Am 06.05.2011 12:56, schrieb Giovanni Bajo:
>> In fact, if you look at the documentation of the UsersFile here:
>> http://code.google.com/p/mod-authn-otp/wiki/UsersFile
>> the 6th field is "The previous successfully used one-time password". I
>> guess this is to support TOTP correctly.
> Yes, but this is only the last successfully used OTP. If someone
> captures your logins he can reuse the captured OTP at the moment you
> successfully commit one more OTP within the window-time. This requires to
> log all used OTP (what would fit the definition of "window") or to
> reject all OTP older than the last successfully committed one (what is
> possible without changing the users-file).
> So - if I understood it correctly all needed information even exists?

Exactly. You can use the "Time of Last OTP" field plus "Counter/Offset"
field to determine the exact timestep of the last OTP that was accepted. In
TOTP mode, the "Counter/Offset" mode basically records the clock skewing
between server and client, expressed in timesteps; e.g.: if it is "-2", it
means that the client is 2 timesteps earlier than the server; so if the last
OTP was authenticated at 5:12:00 server time (assuming 30sec timesteps), it
means that the client time was about 5:11:00 (1 minute earlier) when it
authenticated, and thus you can easily compute the lower bound of the
window.
-- 
Giovanni Bajo   ::  address@hidden
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
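The replay check the two mails converge on, as an added worked example (this is not code from oath-toolkit or mod-authn-otp, and the record layout, field names and function names are this example's own assumptions): the server keeps only "Time of Last OTP" and "Counter/Offset", reconstructs the timestep of the last accepted OTP as last_time // timestep + offset, searches the skew window around server_step + offset, and rejects any candidate timestep that is not strictly newer than that lower bound. The scenario at the bottom is constructed: a client two timesteps behind the server logs in, an attacker replays the captured code one timestep later, and the client logs in again.

```python
"""Added example: TOTP validation with replay protection derived only from the
"Time of Last OTP" and "Counter/Offset" fields discussed in the thread.
Not the oath-toolkit or mod-authn-otp implementation; names and layout are assumed."""
import hashlib
import hmac
import struct

TIMESTEP = 30   # seconds per TOTP timestep (the thread assumes 30s steps)
DIGITS = 6
MAX_SKEW = 2    # accept codes up to 2 timesteps either side of (server step + stored offset)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TIMESTEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, unix_time // step)


class UserRecord:
    """Per-user state modelled on the users-file fields named in the thread (assumed layout)."""

    def __init__(self, key: bytes):
        self.key = key
        self.offset = 0        # "Counter/Offset": client skew in timesteps, e.g. -2 = client 2 steps behind
        self.last_time = None  # "Time of Last OTP": server time at which the last OTP was accepted

    def last_accepted_step(self):
        """Timestep of the last accepted OTP, reconstructed exactly as the mail describes."""
        if self.last_time is None:
            return None
        return self.last_time // TIMESTEP + self.offset


def validate_totp(rec: UserRecord, otp: str, now: int) -> bool:
    """Accept otp only if it matches a timestep inside the skew window AND that timestep
    is strictly newer than the last accepted one; on success update the record."""
    server_step = now // TIMESTEP
    floor = rec.last_accepted_step()
    for skew in range(-MAX_SKEW, MAX_SKEW + 1):
        step = server_step + rec.offset + skew
        if floor is not None and step <= floor:
            continue  # already used, or older than the last accepted OTP: a replay candidate
        if hmac.compare_digest(hotp(rec.key, step), otp):
            rec.last_time = now
            rec.offset = step - server_step  # re-learn the client skew from this login (example's choice)
            return True
    return False


def replay_scenario():
    """Constructed scenario; returns (first_login, replay, older_code, second_login)."""
    key = b"12345678901234567890"  # RFC 4226 test secret, used here as constructed input
    rec = UserRecord(key)
    t0 = 1111111111               # server time of the first login (an RFC 6238 test time)
    client_code = totp(key, t0 - 2 * TIMESTEP)  # client clock is 60s (2 timesteps) behind
    first = validate_totp(rec, client_code, t0)                       # accepted, offset becomes -2
    replay = validate_totp(rec, client_code, t0 + TIMESTEP)           # captured code replayed: rejected
    older = validate_totp(rec, totp(key, t0 - 3 * TIMESTEP), t0 + TIMESTEP)  # older step, still in skew: rejected
    second = validate_totp(rec, totp(key, t0), t0 + 2 * TIMESTEP)     # client's next code (its clock now reads t0): accepted
    return first, replay, older, second


if __name__ == "__main__":
    print(replay_scenario())
```

The lower bound is a strict comparison on timesteps, so a code from the same timestep as the last accepted one is refused even though it is still inside the skew window; that is the case Frank describes, where the captured code would otherwise stay valid until the window closes. Updating the offset on every success is an assumption of this example; an implementation that never lets the stored offset move would need its own rule for drifting clocks.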


