Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as result of incorrectly parsing comments in users file?
From: Ilkka Virta
Subject: Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as result of incorrectly parsing comments in users file?
Date: Sun, 22 Dec 2013 02:19:41 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
On 16.12.2013 22:43, Simon Josefsson wrote:
> Thanks for the report and looking into this issue. Alas the timing
> here was bad, and I am just returning from vacation and must finish
> several things before season holidays -- if someone has worked out a
> patch and can do testing that it works and solves the problem I can
> review and apply and release it. Ilkka, how much have you tested your
> patch?
That one was more like a rough sketch... (iow, I didn't)
The attached one seems to work for me:
--- usersfile before:
#HOTP nobody - 00 1 812658 2013-12-21T19:40:21L
# HOTP nobody - 11
HOTP someone - 22
HOTP nobody - 1234
HOTP nobody - 33
---
- authenticate with OTP=158134 (key 1234, counter 4) -> accepted.
- retry with the same OTP -> denied, as expected.
--- usersfile after:
#HOTP nobody - 00 1 812658 2013-12-21T19:40:21L
# HOTP nobody - 11
HOTP someone - 22
HOTP nobody - 1234 4 158134 2013-12-21T19:40:57L
HOTP nobody - 33
---
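For readers following the before/after listings above, here is an added illustration (my own example, not Ilkka's patch and not OATH Toolkit code) of the behaviour the test exercises: lines whose first non-blank character is '#' are skipped, the active line for the user whose secret matches is updated with counter, OTP and timestamp, and a second presentation of the same OTP is denied because the search now starts after the recorded counter. The usersfile content is constructed from the "before" listing; the 6-digit code length, hex-encoded secrets and the 'L'-suffixed local timestamp follow the format shown in the mail, while the look-ahead window of 10 counters is an assumption for this example.

```python
import hashlib
import hmac
import struct
import time

# Constructed usersfile, modelled on the "before" listing in the mail:
# two commented-out lines, one active line for another user, and two
# active lines for "nobody". Secrets are hex-encoded.
USERSFILE_BEFORE = """\
#HOTP nobody - 00 1 812658 2013-12-21T19:40:21L
# HOTP nobody - 11
HOTP someone - 22
HOTP nobody - 1234
HOTP nobody - 33
"""

WINDOW = 10   # assumption: how far past the last used counter we search
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def parse_line(line: str):
    """Return None for blank lines and comments (first non-blank char '#'),
    otherwise the whitespace-separated fields of an active entry."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split()


def authenticate(usersfile: str, user: str, otp: str, now: str = ""):
    """Try `otp` against every active HOTP line for `user`.
    Returns (True, updated_usersfile) on success, else (False, usersfile).
    Comment lines are copied through untouched."""
    now = now or time.strftime("%Y-%m-%dT%H:%M:%SL")
    lines = usersfile.splitlines()
    for idx, line in enumerate(lines):
        fields = parse_line(line)
        if fields is None or fields[0] != "HOTP" or fields[1] != user:
            continue
        secret = bytes.fromhex(fields[3])
        # Fields 5..7 (last counter, last OTP, timestamp) are absent until
        # the entry has been used once; then search from counter 0.
        last_counter = int(fields[4]) if len(fields) > 4 else -1
        for counter in range(last_counter + 1, last_counter + 1 + WINDOW):
            if hmac.compare_digest(hotp(secret, counter), otp):
                # Record the counter so the same OTP cannot be replayed.
                lines[idx] = " ".join(fields[:4] + [str(counter), otp, now])
                return True, "\n".join(lines) + "\n"
    return False, usersfile


if __name__ == "__main__":
    code = hotp(bytes.fromhex("1234"), 4)
    ok, after = authenticate(USERSFILE_BEFORE, "nobody", code)
    print("first attempt accepted:", ok)
    ok_again, _ = authenticate(after, "nobody", code)
    print("replay accepted:", ok_again)
    print(after)
```

Running it reproduces the shape of the transcript above: the first attempt updates only the `HOTP nobody - 1234` line, the two comment lines come out byte-for-byte as they went in, and the replay is refused.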
I couldn't get back to this sooner, sorry.
Attachment: liboath-usersfile-parse-type2.diff