oath-toolkit-help

[OATH-Toolkit-help] using pam_oath with the use_first_pass option


From: Thomas Stewart
Subject: [OATH-Toolkit-help] using pam_oath with the use_first_pass option
Date: Sun, 29 Dec 2013 22:39:12 +0000
User-agent: Mutt/1.5.21 (2010-09-15)

Hi,

Sorry for the wall of text; when I started writing this I did not
realise how long it would get!

I've been trying to use pam_oath with the use_first_pass option but have
not had much success. The documentation states that it uses the previous
stacked passwords and will never prompt for a password. I want to be
able to use pam_unix and pam_oath in conjunction so that I could type my
password and OTP concatenated at the password prompt to successfully
authenticate. Hopefully this will enable applications that are not
fully PAM aware to use OTP.

I've just had a quick look at the code and am not sure what was
originally intended. In pam_oath.c at line 264 you can see it branch. It
assumes that if the digits option is supplied and the password length is
longer than the digits, then the password has an OTP concatenated to it.
It then goes on to populate the onlypasswd variable with just the
password. It then copies the OTP part into the otp variable. It then
puts the onlypasswd back into the PAM password stack with pam_set_item.

The above-mentioned password (onlypasswd) is then passed into
oath_authenticate_usersfile at line 296. This password is then checked
against the 3rd field in the usersfile; this appears to be more of a
static PIN than a password. This is fine if you want to use a PIN in
conjunction with the OTP.

However, if you use the use_first_pass option then the code appears to
correctly extract the OTP from the password and push that password back
into the PAM stack, but it then passes this supplied password, which
could be from say pam_unix, to oath_authenticate_usersfile. As I'm
not using the 3rd field at all, this means that
oath_authenticate_usersfile always fails because my pam_unix password is
not stored in plain text inside the oath users file.

I've written a tiny patch that resets onlypasswd back to NULL if
use_first_pass or try_first_pass have been given as options. This seems
to work for me.

So if I set the passwd in the 3rd field in the users file to tom and configure 
pam as follows:
auth optional pam_unix.so
auth requisite pam_oath.so usersfile=/etc/users.oath window=20 debug digits=6
auth requisite pam_unix.so use_first_pass

I get asked for my pam_unix password and then type "tom225568" as the OATH 
prompt, a sample auth looks like:
thomas$ su - thomas
Password:
[pam_oath.c:parse_cfg(118)] called.
[pam_oath.c:parse_cfg(119)] flags 0 argc 4
[pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(121)] argv[1]=window=20
[pam_oath.c:parse_cfg(121)] argv[2]=debug
[pam_oath.c:parse_cfg(121)] argv[3]=digits=6
[pam_oath.c:parse_cfg(122)] debug=1
[pam_oath.c:parse_cfg(123)] alwaysok=0
[pam_oath.c:parse_cfg(124)] try_first_pass=0
[pam_oath.c:parse_cfg(125)] use_first_pass=0
[pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(127)] digits=6
[pam_oath.c:parse_cfg(128)] window=20
[pam_oath.c:pam_sm_authenticate(157)] get user returned: thomas
One-time password (OATH) for `thomas':
[pam_oath.c:pam_sm_authenticate(232)] conv returned: tom225568
[pam_oath.c:pam_sm_authenticate(273)] Password: tom
[pam_oath.c:pam_sm_authenticate(290)] passwd: tom
[pam_oath.c:pam_sm_authenticate(298)] OTP: 225568
[pam_oath.c:pam_sm_authenticate(308)] authenticate rc 0 (OATH_OK: Successful return) last otp Sun Dec 29 21:42:07 2013
[pam_oath.c:pam_sm_authenticate(329)] done. [Success]
thomas $

And likewise if I put a dash in the 3rd field in the users file and configure 
pam as follows:
auth optional pam_unix.so
auth requisite pam_oath.so usersfile=/etc/users.oath window=20 debug digits=6 use_first_pass
auth requisite pam_unix.so use_first_pass

At the pam_unix prompt I enter "SECRET388241", a sample auth looks like:
thomas$ su - thomas
Password:
[pam_oath.c:parse_cfg(118)] called.
[pam_oath.c:parse_cfg(119)] flags 0 argc 5
[pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(121)] argv[1]=window=20
[pam_oath.c:parse_cfg(121)] argv[2]=debug
[pam_oath.c:parse_cfg(121)] argv[3]=digits=6
[pam_oath.c:parse_cfg(121)] argv[4]=use_first_pass
[pam_oath.c:parse_cfg(122)] debug=1
[pam_oath.c:parse_cfg(123)] alwaysok=0
[pam_oath.c:parse_cfg(124)] try_first_pass=0
[pam_oath.c:parse_cfg(125)] use_first_pass=1
[pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(127)] digits=6
[pam_oath.c:parse_cfg(128)] window=20
[pam_oath.c:pam_sm_authenticate(157)] get user returned: thomas
[pam_oath.c:pam_sm_authenticate(168)] get password returned: SECRET388241
[pam_oath.c:pam_sm_authenticate(273)] Password: SECRET
[pam_oath.c:pam_sm_authenticate(290)] passwd: (null)
[pam_oath.c:pam_sm_authenticate(298)] OTP: 388241
[pam_oath.c:pam_sm_authenticate(308)] authenticate rc 0 (OATH_OK: Successful return) last otp Sun Dec 29 21:39:54 2013
[pam_oath.c:pam_sm_authenticate(329)] done. [Success]
thomas$

Please can someone clear up or explain what was originally intended and
have a look at my attached patch. Hopefully I've not made any blunders.
:-)

Regards
--
Tom

Attachment: pam_oath.c.patch
Description: Text Data
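To make the behaviour discussed in this mail concrete, the following C program is an added illustration; it is neither the poster's attached patch nor code from the OATH Toolkit. It models the two steps the mail describes: the digits-based split of the conversation string into the static part (onlypasswd) and the trailing OTP, and the check of the static part against the 3rd column of users.oath. The function names (split_password, pin_check, scenario, otp_is), the rule that a NULL static part skips the pin check while a non-NULL one must match the stored column exactly, and the handling when no digits option is given or the input is not longer than digits (the whole string is treated as the OTP) are assumptions made for this example, simplified from what the mail and its debug traces say rather than taken from the library. The first_pass argument reproduces the poster's fix: with use_first_pass or try_first_pass set, the static part came from an earlier module such as pam_unix and is discarded, so the usersfile check is not run against a plaintext copy of the Unix password.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX 128
#define OTP_MAX 32

/* Result of splitting the string received from the PAM conversation (or taken
 * from the stack under use_first_pass), using the variable names from the
 * thread: onlypasswd is the static part handed to the usersfile check, otp is
 * the trailing digits. onlypasswd is NULL when no static part applies. */
typedef struct {
    char passwd_buf[PW_MAX];
    const char *onlypasswd;
    char otp[OTP_MAX];
} split_result;

/* Split "password+otp". digits is the digits= option (0 when not given);
 * first_pass is non-zero for use_first_pass/try_first_pass. With first_pass the
 * static part came from an earlier module such as pam_unix, not from the pin
 * column of users.oath, so it is dropped (the fix proposed in the mail; this is
 * an assumed model, not the project's code). Returns 0 on success, -1 on bad
 * input. */
int split_password(const char *input, int digits, int first_pass, split_result *out)
{
    size_t len = strlen(input);
    memset(out, 0, sizeof *out);
    if (len == 0 || len >= OTP_MAX + PW_MAX) return -1;

    if (digits > 0 && (size_t)digits < len) {
        /* Longer than digits: the tail is the OTP, the head the static part. */
        size_t plen = len - (size_t)digits;
        if (plen >= PW_MAX || digits >= OTP_MAX) return -1;
        memcpy(out->passwd_buf, input, plen);
        out->passwd_buf[plen] = '\0';
        memcpy(out->otp, input + plen, (size_t)digits);
        out->otp[digits] = '\0';
        out->onlypasswd = first_pass ? NULL : out->passwd_buf;
    } else {
        /* No digits option, or nothing left over: whole string is the OTP
         * (assumed behaviour for this example). */
        if (len >= OTP_MAX) return -1;
        memcpy(out->otp, input, len + 1);
        out->onlypasswd = NULL;
    }
    return 0;
}

/* Simplified model of the usersfile pin check as the mail describes it: a NULL
 * static part skips the check, otherwise it must equal the 3rd column of
 * users.oath ("-" in the file is just another literal value here). Returns 1
 * when the check passes. */
int pin_check(const char *stored_pin, const char *onlypasswd)
{
    if (onlypasswd == NULL) return 1;
    return strcmp(stored_pin, onlypasswd) == 0;
}

/* Run both steps for one scenario. Returns 1 if the pin check passes, 0 if it
 * fails, -1 on bad input; copies the extracted OTP (the value that would then
 * go to the HOTP/TOTP verification) into otp_out when it is not NULL. */
int scenario(const char *input, int digits, int first_pass,
             const char *stored_pin, char *otp_out, size_t otp_len)
{
    split_result r;
    if (split_password(input, digits, first_pass, &r) != 0) return -1;
    if (otp_out != NULL) snprintf(otp_out, otp_len, "%s", r.otp);
    return pin_check(stored_pin, r.onlypasswd);
}

/* Convenience check: does the split extract the expected OTP? */
int otp_is(const char *input, int digits, int first_pass, const char *expected)
{
    split_result r;
    if (split_password(input, digits, first_pass, &r) != 0) return 0;
    return strcmp(r.otp, expected) == 0;
}

int main(void)
{
    char otp[OTP_MAX];
    /* Constructed inputs mirroring the two debug traces in the mail, plus the
     * unpatched use_first_pass case (first_pass ignored by the split). */
    printf("pin 'tom', OATH prompt:           pin_ok=%d otp=%s\n",
           scenario("tom225568", 6, 0, "tom", otp, sizeof otp), otp);
    printf("pin '-', use_first_pass, unfixed: pin_ok=%d otp=%s\n",
           scenario("SECRET388241", 6, 0, "-", otp, sizeof otp), otp);
    printf("pin '-', use_first_pass, fixed:   pin_ok=%d otp=%s\n",
           scenario("SECRET388241", 6, 1, "-", otp, sizeof otp), otp);
    return 0;
}
```

The three scenarios in main correspond to the mail: "tom225568" with "tom" in the 3rd column passes the pin check and yields OTP 225568; "SECRET388241" under use_first_pass fails the pin check when the Unix password "SECRET" is compared against "-" (the situation the poster hit), and passes once the static part is discarded, which is the "passwd: (null)" line in the second trace. Nothing here verifies the OTP itself; that step is unchanged by the proposed patch.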

