From: Daniel Goß
Subject: [OATH-Toolkit-help] Linger feature for OTPs
Date: Sun, 8 Nov 2015 17:25:58 +0100
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
Hello everyone,

I'm using pam_oath for authentication with an apache webserver to sync some files via WebDAV. Basic authentication over TLS is used for this. Entering a new OTP on every access of a web-resource (using a TOTP token) obviously does not work well. So I created a patch that allows a time (in seconds) to be set during which the old OTP is considered valid. This reduces security a bit, but has the advantage of working really well with WebDAV or other protocols that authenticate the user over and over again.
Even for VPN users this may be an option to allow the VPN client to automatically reconnect within a specified time range without forcing the user to generate a new OTP value.
If the linger time is within a few minutes the reduction in security should be acceptable. Even if someone uses a keylogger to get the OTP value, he has to be quick before the linger time is over and the OTP isn't accepted anymore.
I've attached the patch (changing pam_oath.c and the README). Maybe someone finds this feature useful.
Greetings, Daniel
Attachment: pam_oath.patch (text document)
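Added example, not the attached patch and not pam_oath's own code: a minimal sketch of the linger check described above. It assumes a hypothetical per-user record (`linger_state`) that the PAM module would have to persist between calls; the normal TOTP verification of a fresh OTP is outside this block, and a linger value of 0 disables the feature.

```c
#include <stdbool.h>
#include <string.h>
#include <time.h>

/* Hypothetical per-user linger state (assumption, not the patch's data
 * structure): the last OTP accepted for this user and when it was accepted. */
struct linger_state {
    char last_otp[16];
    time_t accepted_at;
    bool valid;
};

/* Shared demo state so the flow can be exercised without extra setup. */
struct linger_state demo_state = { "", 0, false };

/* Constant-time comparison so the check does not leak how many leading
 * digits of the stored OTP matched. */
static bool otp_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* True if the submitted OTP is the previously accepted one and the linger
 * window (seconds) has not yet expired. A clock that went backwards is
 * treated as expired rather than trusted. */
bool linger_accept(const struct linger_state *st, const char *otp,
                   time_t now, long linger) {
    if (linger <= 0 || !st->valid) return false;     /* feature off / no history */
    if (now < st->accepted_at) return false;          /* clock went backwards */
    if ((long)(now - st->accepted_at) >= linger) return false; /* window over */
    return otp_equal(st->last_otp, otp);
}

/* Called only after a fresh OTP passed the normal TOTP check: it starts a
 * new linger window. The window is never extended by a lingered login. */
void linger_record(struct linger_state *st, const char *otp, time_t now) {
    strncpy(st->last_otp, otp, sizeof st->last_otp - 1);
    st->last_otp[sizeof st->last_otp - 1] = '\0';
    st->accepted_at = now;
    st->valid = true;
}
```

Because `linger_record` is only reached after a successful fresh verification, a replayed OTP is worth nothing once the window has closed, which is the trade-off the message describes.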