Re: [OATH-Toolkit-help] TOTP - pam module doesn't store h/w key drift

[Sergey]

> 1) The hw clock has a constant offset
> 2) The hw clock actually drifts during use, so the offset changes

I have a h/w key I use for ~2 years. In fact it has both issues - offset –130 
steps and drift around -3/ steps a year.

The first problem can be solved by either manually setting the shift in config 
or making a big window, so after the first successful login this shift will be 
stored in config. Then one can change window back to normal 3—5.

The second problem is solved by the window — system always check +1/-1 step or 
more and then stores the calculated offset in config.

The current code can be fixed to store the shift... I'm just not very familiar 
with C coding...


--------------
<@)%%>{

On 28.04.2013, at 20:53, Ilkka Virta <address@hidden> wrote:

> On 18.4.2013 19:16, Sergey wrote:
>> I have a h/w key which works okay but is ~ 1 hour back in past.
> 
> Hmm. I thought about this (for other reasons) one day.
> I can see two different issues here:
> 1) The hw clock has a constant offset
> 2) The hw clock actually drifts during use, so the offset changes
> 
> I guess you only saw the first problem right?
> 
> I wonder if the drift actually would be a problem, and how does commercial 
> stuff (like RSA) deal with it, if it does.
> 
>> I've crawled through the sources and I've made a test.
>> 
>> The problem is — I have to set my window = at least 150, and then,
>> after some successful authentications I can't change it to normal
>> 3—4. PAM library just doesn't use all that time drift info. The field
>> called ‘start_moving_factor’ just keeps increasing by 130 every time
>> I log in. And, as I see in the code it's not used with TOTP =( I
>> can't keep window=150, this make the whole thing useless.
> 
> Is the current code even supposed to do anything to handle this?
> 
>> Are you planning on fixing this?
> 
> -- 
> Ilkka Virta / itvirta at iki.fi