[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as res

From: Bas van Schaik
Subject: Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as result of incorrectly parsing comments in users file?
Date: Sat, 14 Dec 2013 14:42:55 +0100
User-agent: Roundcube Webmail/0.9.2


Simon, how do you want to proceed? AFAICT, comments in the usersfile
aren't explicitly supported and one is supposed to maintain separation
between the usersfile, which controls authentication, and an
authorisation file/mechanism, but I imagine that because it Just Works
for usersfiles that don't contain duplicate usernames that there are a
few people using it in this way...

Thanks for looking into this. I didn't expect comments to work in the user file, and they are indeed not documented. It seems, however, that a simple typo might have the same result and lead pam-oath to update the wrong line? Note the example in my original email: even if the commented-out line contains information regarding a completely different secret key K', pam-oath will still update that line as long as the username matches that of an OTP generated using key K.

On an unrelated note: how is the users file protected against concurrent modification by two processes using pam-oath?



reply via email to

[Prev in Thread] Current Thread [Next in Thread]