[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OATH-Toolkit-help] Patch to include totp validation to the pam modu

From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Mon, 25 Apr 2011 23:26:23 +0200
User-agent: Gnus/5.110016 (No Gnus v0.16) Emacs/23.2 (gnu/linux)

Thank you Rien and Max for your work.

I have created a git branch for TOTP support in usersfile.c, the branch
is called 'features/totp-usersfile':


My first stab at a patch (inspired by both of your work) includes some
self-tests.  The patch is at:


You use it by specifying a usersfile line like this:

HOTP/T30       eve     -       00

Where the T30 specify a 30-second step size, also supported is 60-second
step size.  Right now that are the only step sizes supported, but the
code could be rewritten easily to support any value.

The start offset is hard coded to 0, which seems bad.  The simplest way
to solve this, if/when someone needs it, is probably to call the
algorithm something like HOTP/T30-S4711 instead.  Thoughts?  Any reason
this wouldn't work?  I don't think this aspect is important.

The main reason that I didn't push this to master, and an aspect that I
think IS important, is that I haven't figured out how TOTPs are used in
the real-world: do you want the last OTP to successfully authenticate
more than once even if it is within the current window?  Also, the code
right now has a negative search window, which may result in permitting
OTPs that are older than the last OTP seen, if it happens to be within
the search window.  That seems bad.  The code should probably use
start_moving_factor in some way.  Or something.  It has been a long day
and it is too late for me to think about this further now...


reply via email to

[Prev in Thread] Current Thread [Next in Thread]