[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OATH-Toolkit-help] Patch to include totp validation to the pam modu

From: Max Thoursie
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Wed, 13 Apr 2011 12:50:55 +0200

On Wed, Apr 6, 2011 at 2:03 PM, Rien Broekstra <address@hidden> wrote:
> On 4/6/2011 11:30 AM, Max Thoursie wrote:
>> One comment I got from Simon was that it should include an option to
>> disable reuse of a token in the same time window.
> I didn't change that from the original, every token can be used to
> authenticate once, because the last succesful authentication is logged to
> the userfile (otp and date), and if the user-supplied otp matches the
> last-used otp the authentication fails

Yes, but possibly it should be optional with totp. It's also probably
a good idea to store all used token within a window. If a newer token
is used in the next time period, it will reenable the previous one.
I've seen that google authenticator does this.

>> Using the moving factor for time step size was a good move, I've
>> should have thought of that. But why hardcode the window size when it
>> can be configured for HOTP?
> (I only spent a couple of hours reading the source, so what I'm writing
> below might be inaccurate:)
> Can it? Afaik, the hotp-module saves token type, name, password, seed,
> movingfactor, and optionally the last used otp and the timestamp of last
> authentication. For totp-authentication we need all of those, except for the
> moving factor.

The window size can be configured as a parameter to the pam module.
It's value available in the window variable when you call the
totp_validate function.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]