[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

OATH Toolkit 2.6.8

From: Simon Josefsson
Subject: OATH Toolkit 2.6.8
Date: Sun, 09 Jul 2023 00:42:55 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (darwin)

OATH Toolkit provide components to build one-time password
authentication systems.  It contains shared C libraries, command line
tools and a PAM module.  Supported technologies include the event-based
HOTP algorithm (RFC 4226), the time-based TOTP algorithm (RFC 6238), and
Portable Symmetric Key Container (PSKC, RFC 6030) to manage secret key
data.  OATH stands for Open AuTHentication, which is the organization
that specify the algorithms.

The following components are included:

 * liboath: A shared and static C library for OATH handling.
 * oathtool: A command line tool for generating and validating OTPs.
 * pam_oath: A PAM module for pluggable login authentication for OATH.
 * libpskc: A shared and static C library for PSKC handling.
 * pskctool: A command line tool for manipulating PSKC data.

The project's web page is available at:

Documentation for the command line tools oathtool and pskctool:

Tutorial on PSKC:

Manual for PAM module:

Liboath Manual:

Libpskc Manual

General information on contributing:

OATH Toolkit GitLab project page:

OATH Toolkit Savannah project page:

Code coverage charts:

Clang code analysis:

If you need help to use the OATH Toolkit, or want to help others, you
are invited to join our oath-toolkit-help mailing list, see:

Here are the compressed sources and a GPG detached signature:

Here are the SHA1 and SHA224 checksums:

139e535dfb51016d37a3afebfcd9d00d14c47ed4  oath-toolkit-2.6.8.tar.gz

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify oath-toolkit-2.6.8.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <simon@josefsson.org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key simon@josefsson.org

  gpg --recv-keys 51722B08FE4745A2

  wget -q -O- https://josefsson.org/key-20190320.txt | gpg --import


* Version 2.6.8 (released 2023-07-09)

** libpskc: Fixes for recent libxmlsec releases.

** pam_oath: Provide fallback pam_modutil_getpwnam implementation.
Fixes <https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/26> on
Mac OS.  Patch from Nick Gaya <nicholasgaya+github@gmail.com>.

** pam_oath: Don't fail authentication when pam_modutil_getpwnam doesn't
** know the user when usersfile don't include ${USER} or ${HOME}. Closes: #27.
Regression introduced in previous release.  Reported by Nick Gaya

** pam_oath: Self-test improvements.
Patch from Nick Gaya <nicholasgaya+github@gmail.com>.

** liboath: Builds on Windows.
The oath_authenticate_usersfile function is just a stub that returns
an error.  This allows for use of the rest of the library on Windows.
Thanks to David Woodhouse, see

** Disable PAM self-tests on Mac.  Fix --enable-root-tests logic.

** Don't ship gtk-doc PDF's in tarball.

** Use gitlog-to-changelog instead of git2cl.

** Codespell typo fixes.
Patch by Dimitri Papadopoulos.

Happy hacking,

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]