oath-toolkit-help
From: Bas van Schaik
Subject: Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as result of incorrectly parsing comments in users file?
Date: Sat, 14 Dec 2013 14:42:55 +0100
User-agent: Roundcube Webmail/0.9.2

Hi,
(...)

Simon, how do you want to proceed? AFAICT, comments in the usersfile
aren't explicitly supported and one is supposed to maintain separation
between the usersfile, which controls authentication, and an
authorisation file/mechanism, but I imagine that because it Just Works
for usersfiles that don't contain duplicate usernames that there are a
few people using it in this way...

Thanks for looking into this. I didn't expect comments to work in the user file, and they are indeed not documented. It seems, however, that a simple typo might have the same result and lead pam-oath to update the wrong line? Note the example in my original email: even if the commented-out line contains information regarding a completely different secret key K', pam-oath will still update that line as long as the username matches that of an OTP generated using key K.

On an unrelated note: how is the users file protected against concurrent modification by two processes using pam-oath?

Cheers,

  Bas
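The two behaviours Bas asks about, username-only matching that can land on a commented-out line and unprotected concurrent updates, are easy to see in a small script. The Python below is an added example, not code from this thread or from the OATH Toolkit: the usersfile layout it assumes (`<type> <username> <pin-or-'-'> <hex secret> [counter]`, with a leading `#` treated as a comment), the `naive_match` reconstruction of the reported behaviour, the made-up secrets, and the sidecar lock-file scheme are all assumptions made for illustration.

```python
import fcntl
import os
import tempfile

# Constructed usersfile in the whitespace-separated layout assumed for pam_oath:
# "<type> <username> <pin-or-'-'> <hex secret> [counter]". Treating a leading
# '#' as a comment is an assumption (the thread notes comments are undocumented).
# All secrets are made-up hex for this example.
SAMPLE = """\
# old token for alice, kept around for reference (key K')
#HOTP alice - 00112233445566778899aabbccddeeff00112233 5
HOTP alice - ffeeddccbbaa99887766554433221100ffeeddcc 0
HOTP bob - 0123456789abcdef0123456789abcdef01234567 12
"""


def naive_match(text, username):
    """Reconstruction (assumed, not the pam_oath source) of the failure described
    in the thread: the first line whose second field equals the username is
    chosen, whether or not the line was 'commented out'. Returns the 1-based
    line number, or None."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 2 and fields[1] == username:
            return lineno
    return None


def parse_usersfile(text):
    """Strict parse: skip blank and '#' lines, require the four mandatory
    fields, check the secret is hex and refuse duplicate usernames, so that
    exactly one line can ever be selected for update per user."""
    records = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields")
        otp_type, user, pin, secret = fields[:4]
        try:
            bytes.fromhex(secret)
        except ValueError:
            raise ValueError(f"line {lineno}: secret is not hex") from None
        if user in records:
            first = records[user]["lineno"]
            raise ValueError(f"line {lineno}: duplicate username {user!r} (first on line {first})")
        records[user] = {"lineno": lineno, "type": otp_type, "pin": pin,
                         "secret": secret, "extra": fields[4:]}
    return records


def update_counter_locked(path, username, new_counter):
    """Rewrite the user's counter field while holding an exclusive flock on a
    sidecar lock file, so two sessions cannot interleave their read/modify/write
    and both accept the same OTP. The new content goes to a temp file that is
    atomically renamed over the original (mkstemp creates it mode 0600, which
    suits a secrets file). The lock is on a sidecar because the rename replaces
    the data file's inode."""
    lock_path = path + ".lock"
    with open(lock_path, "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            with open(path) as f:
                text = f.read()
            records = parse_usersfile(text)  # raises on malformed or duplicate lines
            target = records[username]["lineno"]
            lines = text.splitlines(keepends=True)
            fields = lines[target - 1].split()
            lines[target - 1] = " ".join(fields[:4] + [str(new_counter)]) + "\n"
            fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
            with os.fdopen(fd, "w") as out:
                out.write("".join(lines))
            os.replace(tmp, path)
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)


def demo_round_trip(new_counter=7):
    """Write SAMPLE to a temp dir, update alice's counter, return parsed records."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "users.oath")
        with open(path, "w") as f:
            f.write(SAMPLE)
        update_counter_locked(path, "alice", new_counter)
        with open(path) as f:
            return parse_usersfile(f.read())


if __name__ == "__main__":
    print("naive match for alice -> line", naive_match(SAMPLE, "alice"))
    print("strict parse for alice -> line", parse_usersfile(SAMPLE)["alice"]["lineno"])
    print("alice's trailing fields after update:", demo_round_trip(7)["alice"]["extra"])
```

Run stand-alone, the naive matcher picks line 2 (the commented-out K' line) while the strict parser picks line 3 and would have refused the file outright had both lines been live entries with the same username; the locked update is the defensive answer to the concurrency question, since without it two sessions can read the same counter and both succeed.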


