Bas van Schaik
Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as result of incorrectly parsing comments in users file?
Sat, 14 Dec 2013 14:42:55 +0100
Simon, how do you want to proceed? AFAICT, comments in the usersfile
aren't explicitly supported and one is supposed to maintain separation
between the usersfile, which controls authentication, and an
authorisation file/mechanism, but I imagine that because it Just Works
for usersfiles that don't contain duplicate usernames that there are a
few people using it in this way...
Thanks for looking into this. I didn't expect comments to work in the
user file, and they are indeed not documented. It seems, however, that a
simple typo might have the same result and lead pam-oath to update the
wrong line? Note the example in my original email: even if the
commented-out line contains information regarding a completely different
secret key K', pam-oath will still update that line as long as the
username matches that of an OTP generated using key K.
On an unrelated note: how is the users file protected against concurrent
modification by two processes using pam-oath?
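As an added example (not part of this thread and not code from OATH Toolkit): a small audit script that flags the condition discussed above, a usersfile in which the same username appears on more than one entry-like line, including lines that have been commented out. The field layout it assumes (type, username, PIN or `-`, hex secret, optional trailing fields) follows the documented usersfile format; the sample file contents are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample usersfile (not from the thread). Field layout assumed from
# the OATH Toolkit usersfile format: <type> <username> <pin or -> <hex secret>
# optionally followed by counter and last-use fields.
SAMPLE_USERSFILE = """\
# users allowed to log in with an OTP
HOTP alice - 3132333435363738393031323334353637383930
#HOTP alice - 4141414141414141414141414141414141414141
HOTP bob - 3132333435363738393031323334353637383930 5
HOTP carol - 4242424242424242424242424242424242424242

# bob was renamed, old line kept for reference
"""

_LEADING_COMMENT = re.compile(r"^\s*#+\s*")
# Type field such as HOTP, HOTP/E/6 or HOTP/T30 (assumed shape, upper-case prefix).
_TYPE_FIELD = re.compile(r"^[A-Z]+(/[^\s]*)?$")


def parse_entries(text):
    """Yield (lineno, is_commented, username) for every line that looks like a
    usersfile entry, whether or not it begins with '#'. Blank lines and prose
    comments that do not parse as an entry are skipped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped:
            continue
        is_commented = stripped.startswith("#")
        body = _LEADING_COMMENT.sub("", stripped)
        fields = body.split()
        if len(fields) < 4 or not _TYPE_FIELD.match(fields[0]):
            continue
        yield lineno, is_commented, fields[1]


def find_duplicate_users(text):
    """Map each username occurring on more than one entry-like line to the
    list of (lineno, is_commented) locations where it appears."""
    seen = defaultdict(list)
    for lineno, is_commented, user in parse_entries(text):
        seen[user].append((lineno, is_commented))
    return {user: locs for user, locs in seen.items() if len(locs) > 1}


def report(text):
    """Human-readable summary, one line per duplicated username."""
    lines = []
    for user, locs in sorted(find_duplicate_users(text).items()):
        where = ", ".join(
            f"line {n}{' (commented out)' if commented else ''}" for n, commented in locs
        )
        lines.append(f"{user}: {where}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_USERSFILE):
        print(line)
```

Running it against the sample reports `alice` on line 2 and on the commented-out line 3, which is exactly the layout the thread describes as ambiguous for the module; a clean file produces no output, so the script can sit in a deployment check alongside whatever process edits the usersfile.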