oath-toolkit-help

[OATH-Toolkit-help] Linger feature for OTPs


From: Daniel Goß
Subject: [OATH-Toolkit-help] Linger feature for OTPs
Date: Sun, 8 Nov 2015 17:25:58 +0100
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

Hello everyone,

I'm using pam_oath for authentication with an Apache webserver to sync some files via WebDAV. Basic authentication over TLS is used for this. Entering a new OTP on every access of a web resource (using a TOTP token) obviously does not work well. So I created a patch that allows a time (in seconds) to be set during which the old OTP is still considered valid. This reduces security a bit, but has the advantage of working really well with WebDAV or other protocols that authenticate the user over and over again.

Even for VPN users this may be an option to allow the VPN client to automatically reconnect within a specified time range without forcing the user to generate a new OTP value.

If the linger time is within a few minutes the reduction in security should be acceptable. Even if someone uses a keylogger to get the OTP value, he has to be quick before the linger time is over and the OTP isn't accepted anymore.

I've attached the patch (changing pam_oath.c and the README). Maybe someone finds this feature useful.

Greetings,
Daniel

Attachment: pam_oath.patch
Description: Text document
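The attached patch is not reproduced in this archive, so the following is an added illustration of the linger idea rather than the patch itself or pam_oath's own C code. It is written in Python for a stand-alone run: a standard RFC 6238 TOTP check (HMAC-SHA1, 30-second step, +/-1 step of drift tolerance) plus the assumed linger semantics described in the message, namely that the one code most recently accepted stays valid for "linger" seconds after it was first accepted, while any other reuse of an already-consumed code is rejected as a replay. The secret is the RFC 4226/6238 test-vector key, the clock is passed in explicitly so the timeline can be replayed deterministically, and the class and method names are this example's own.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret; a constructed demo key, not a real credential.
SECRET = b"12345678901234567890"
STEP = 30      # TOTP time step in seconds
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, now, step=STEP):
    """RFC 6238 TOTP: HOTP over the number of whole steps since the Unix epoch."""
    return hotp(secret, int(now // step))


class LingerVerifier:
    """TOTP verifier with a linger window (assumed semantics, modelled on the
    feature described in the e-mail; not pam_oath's actual implementation).

    State kept per user: the last consumed counter (for replay rejection), the
    last accepted code and the time it was first accepted (for the linger path).
    """

    def __init__(self, secret, linger, window=1, step=STEP):
        self.secret = secret
        self.linger = linger      # seconds the last accepted code stays valid
        self.window = window      # steps of clock drift tolerated either side
        self.step = step
        self.last_counter = None
        self.last_otp = None
        self.last_time = None     # first acceptance time; not refreshed on linger hits

    def verify(self, otp, now):
        """Return 'fresh', 'linger', 'replay' or 'invalid' for the presented code."""
        # Linger path: the exact code accepted most recently is still good for
        # `linger` seconds after its first acceptance. last_time is deliberately
        # not updated here, so repeated use cannot extend the window indefinitely.
        if (self.last_otp is not None
                and now - self.last_time <= self.linger
                and hmac.compare_digest(otp, self.last_otp)):
            return "linger"

        # Normal path: a code matching the current step or one of the
        # neighbouring steps within the drift window.
        counter = int(now // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(otp, hotp(self.secret, c)):
                # A counter at or below the last consumed one has already been
                # used: outside the linger window that is a replay, not a login.
                if self.last_counter is not None and c <= self.last_counter:
                    return "replay"
                self.last_counter, self.last_otp, self.last_time = c, otp, now
                return "fresh"
        return "invalid"


if __name__ == "__main__":
    # Constructed timeline: a WebDAV client re-sends the same code for a while,
    # then an attacker who logged the code tries it after the linger expired.
    v = LingerVerifier(SECRET, linger=10)
    t0 = 1_000_000
    code = totp(SECRET, t0)
    for t, label in ((t0, "first login"), (t0 + 5, "client re-auth"),
                     (t0 + 20, "late replay")):
        print("%-15s t=+%-3d -> %s" % (label, t - t0, v.verify(code, t)))
```

The linger window here is measured from the first acceptance, not from the last use, so a client can keep re-authenticating with the same code only until "linger" seconds after the initial login and then has to present a fresh one; the trade-off the message describes is exactly the "linger" result above, where a logged code is accepted a second time if the attacker is quick enough.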

