[OATH-Toolkit-help] [sr #108435] Documentation doesn't talk about keys,
From: Robin
Subject: [OATH-Toolkit-help] [sr #108435] Documentation doesn't talk about keys, proposes very insecure configuration
Date: Thu, 07 Nov 2013 23:07:15 +0000
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
URL:
<http://savannah.nongnu.org/support/?108435>
Summary: Documentation doesn't talk about keys, proposes very
insecure configuration
Project: OATH Toolkit
Submitted by: eythian
Submitted on: Thu 07 Nov 2013 11:07:14 PM GMT
Category: None
Priority: 5 - Normal
Severity: 4 - Important
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
From the manual:
> The above added an OATH secret of all-zeros.
This is the worst thing to do. It should be replaced with instructions on how
to create a randomly generated key that isn't all zeros. If you follow these
instructions at all naively, you'll end up with the most insecure OTP system
possible. Additionally, the manual should show you where in the config the
keys go because at the moment you can't really tell.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/support/?108435>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
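As an added example (not part of the original report and not OATH Toolkit code), the sketch below generates a random secret and audits usersfile entries for the all-zero key the report warns about. The `<type> <user> <pin> <hex-secret>` line layout, the sample entries and all function names are assumptions made for illustration.

```python
import secrets

# Constructed sample entries, not real credentials.
# Assumed layout (not shown on this page): "<type> <user> <pin> <hex-secret>"
SAMPLE_USERSFILE = """\
HOTP alice - 00
HOTP bob - 0000000000000000000000000000000000000000
HOTP/T30/6 carol - 3132333435363738393031323334353637383930
HOTP dave - 8f1c2a
HOTP erin - 9b0e6d4fa1c27358e0b4d96a7f13c58e2d40b7a6
"""

MIN_KEY_BYTES = 16  # RFC 4226 requires at least 128 bits and recommends 160
# Secret used by the RFC 4226 test vectors: it is public, so it protects nothing.
PUBLISHED_KEYS = {b"12345678901234567890"}

def new_secret_hex(nbytes=20):
    """Return a fresh secret as hex, drawn from the operating system CSPRNG."""
    return secrets.token_hex(nbytes)

def new_entry(user, token_type="HOTP"):
    """Build a usersfile line (assumed layout) with a random 160-bit secret."""
    return f"{token_type} {user} - {new_secret_hex()}"

def classify_secret(hex_secret):
    """Return a description of the weakness, or None if nothing is flagged."""
    try:
        key = bytes.fromhex(hex_secret)
    except ValueError:
        return "secret is not valid hex"
    if not any(key):
        return "all-zero key"
    if key in PUBLISHED_KEYS:
        return "published RFC 4226 test key"
    if len(key) < MIN_KEY_BYTES:
        return f"key shorter than {MIN_KEY_BYTES} bytes"
    return None

def audit(usersfile_text):
    """Return (line number, user, problem) for every entry with a weak secret."""
    findings = []
    for lineno, line in enumerate(usersfile_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or incomplete line: no secret field to check
        problem = classify_secret(fields[3])
        if problem:
            findings.append((lineno, fields[1], problem))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERSFILE):
        print(finding)
    print(new_entry("frank"))  # replacement line with a random secret
```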