oath-toolkit-help

[OATH-Toolkit-help] oath.users: encrypted passwords and management tool


From: Paride Legovini
Subject: [OATH-Toolkit-help] oath.users: encrypted passwords and management tool
Date: Wed, 19 Jun 2013 16:39:52 +0000
User-agent: Mutt/1.5.21 (2010-09-15)

Dear oath users,

I'm trying to find a way to set up a secure OTP authentication mechanism
for a multi-user server[1] and at the moment libpam-oath seems the best
solution. Still there are two things that I'm missing and I'd like to ask
you if you have any workaround to suggest to me or if they are somehow
planned features.

1. When using libpam-oath as a two-factor authenticator (fixed prefix +
numeric token), the prefix is stored in the user file in plain text.
This means that if the user file is stolen, the intruder will have all
the information needed to generate new valid passwords. Why not store
the prefix encrypted, as is normally done in /etc/shadow? This should
be quite easy to implement, and I don't see why it shouldn't be done.

Please note that I don't want to use the users' standard unix
(/etc/shadow) password as a prefix. This could be easily implemented
with pam_unix and try_first_pass, but I don't want the users' password
to leak in case of keystroke logging, shoulder surfing or similar
attacks.

(Possible workaround: libpam-oath + libpam-pwdfile + try_first_pass. Not
very clean, requires another pam module, another file to manage and keep
secure, a dedicated management tool... Other solutions are welcome.)

2. In some situations it would be nice to let users set up their
password prefix and OTP secret. What would be needed is a tool like
/usr/bin/passwd that managed the libpam-oath users file, letting users
change their relevant data after authentication. I couldn't find such
a tool. Is somebody working on it?

Thank you and kind regards,

Paride Legovini

[1] See: http://ninthfloor.org
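The hashed-prefix idea from point 1, sketched as an added example (this is not oath-toolkit or libpam-oath code, and the record layout, the PBKDF2 parameters and the `verify_login` helper are assumptions made for illustration): the fixed prefix is stored only as a salted hash, while the login password is still "prefix + 6-digit HOTP token".

```python
# Added example, not oath-toolkit code: accept "fixed prefix + HOTP token" logins
# while keeping only a salted hash of the prefix on disk (point 1 above).
import hashlib
import hmac
import os
import struct
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed tuning value, not an oath-toolkit setting


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_prefix(prefix: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 of the prefix; this string replaces the plaintext prefix."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", prefix.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2-sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_prefix(prefix: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", prefix.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_login(password: str, record: dict, window: int = 3) -> Optional[int]:
    """Split the typed password into prefix + 6-digit token and check both factors.

    Returns the next HOTP counter to persist on success, None on failure.
    record is a constructed user entry: {"prefix_hash", "secret_hex", "counter"}.
    """
    if len(password) <= 6 or not password[-6:].isdigit():
        return None
    prefix, token = password[:-6], password[-6:]
    prefix_ok = verify_prefix(prefix, record["prefix_hash"])
    secret = bytes.fromhex(record["secret_hex"])
    new_counter = None
    # Look-ahead window tolerates tokens generated but never submitted.
    for c in range(record["counter"], record["counter"] + window):
        if hmac.compare_digest(hotp(secret, c), token):
            new_counter = c + 1
            break
    # Evaluate both factors before deciding so the caller sees a single pass/fail.
    return new_counter if (prefix_ok and new_counter is not None) else None
```

Hashing protects the prefix only: the HOTP secret must stay recoverable because HMAC needs the raw key, so the users file still needs strict permissions to guard the second factor.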