
Re: [OATH-Toolkit-help] TOTP - pam module doesn't store h/w key drift


From: Ilkka Virta
Subject: Re: [OATH-Toolkit-help] TOTP - pam module doesn't store h/w key drift
Date: Sun, 28 Apr 2013 19:53:09 +0300
User-agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130328 Thunderbird/17.0.5

On 18.4.2013 19:16, Sergey wrote:
> I have a h/w key which works okay but is ~ 1 hour back in past.

Hmm. I thought about this (for other reasons) one day.
I can see two different issues here:
1) The hw clock has a constant offset
2) The hw clock actually drifts during use, so the offset changes

I guess you only saw the first problem, right?

I wonder if the drift actually would be a problem, and how does commercial stuff (like RSA) deal with it, if it does.

> I've crawled through the sources and I've made a test.
>
> The problem is — I have to set my window = at least 150, and then,
> after some successful authentications I can't change it to normal
> 3-4. PAM library just doesn't use all that time drift info. The field
> called ‘start_moving_factor’ just keeps increasing by 130 every time
> I log in. And, as I see in the code it's not used with TOTP =( I
> can't keep window=150, this makes the whole thing useless.

Is the current code even supposed to do anything to handle this?

Are you planning on fixing this?

--
Ilkka Virta / itvirta at iki.fi
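
An added example, not part of the original message and not OATH Toolkit code, of the two cases listed above: a validator that remembers the token's clock offset after one wide-window login, so later logins (including slow drift) pass with a small window. `Account`, `validate`, `token_code`, the 8-digit length and the 130-step lag are assumptions made for illustration and do not describe what pam_oath does.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
DIGITS = 8   # assumption: code length used by the RFC 6238 test vectors

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def validate(key, otp, now, window, offset=0):
    """Try steps within +/-window of (server step + stored offset).
    Returns the token's offset in steps relative to the server clock,
    or None when nothing in the window matches."""
    server_step = now // STEP
    for delta in sorted(range(-window, window + 1), key=abs):
        step = server_step + offset + delta
        if step >= 0 and hmac.compare_digest(hotp(key, step), otp):
            return offset + delta
    return None

class Account:
    """Hypothetical per-user record that persists the learned offset."""
    def __init__(self, key, window):
        self.key, self.window, self.offset = key, window, 0

    def login(self, otp, now):
        found = validate(self.key, otp, now, self.window, self.offset)
        if found is None:
            return False
        self.offset = found   # follow the token clock, including slow drift
        return True

def token_code(key, now, lag_steps):
    """Constructed token whose clock is lag_steps time steps behind."""
    return hotp(key, now // STEP - lag_steps)
```

A production validator also has to record the last accepted step and refuse codes at or before it, which this sketch leaves out.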


