otpasswd-talk

Re: [Otpasswd-talk] User state information & OOB usage


From: Tomasz bla Fortuna
Subject: Re: [Otpasswd-talk] User state information & OOB usage
Date: Wed, 6 Jan 2010 00:26:20 +0100

On Tue, 5 Jan 2010 00:08:15 -0600
Hannes Beinert <address@hidden> wrote:

> Tomasz,
> 
> I noticed that you had a timestamp field for the last OOB channel use.
>  Where is the passcode kept?  Or is the idea that the PAM module get
> that passcode directly, and that it's stored in the process context?
> 
> The latter assumes that one is able to wait at a passcode prompt until
> the OOB channel actually manages to deliver the passcode.  That's
> probably a decent bet, nowadays, I suppose.  But if that delay time
> gets too large, it could be inconvenient.

Two options:
1) We run ssh and otpasswd RESERVES us a passcode. Then it sends it via
OOB and waits for the reply. This works with my mobile network and a free
gateway. It should work with a hardware SMS sender (a mobile connected to
the computer). It is generally the safest approach.

2) We ask the system for a passcode (via ssh, web or anything). We get this
passcode via SMS, for example, and then log in to use it. This suffers from
a DoS condition: because the passcode is not reserved, an attacker can fail
to authenticate after we've requested the passcode and use this passcode up.

The timestamp field is used to prevent OOB DoS when an attacker somehow
causes the system to send more OOB messages than should be accepted.

> Another way to go about this is to use the login prompt (and/or a
> website) to prompt the transmission of the passcode to the user.
> Meanwhile, that passcode would be stuffed into the user state file
> with the timestamp.  Then, next time a login happens, if it's within
> the time window set by policy, the user would use that passcode to
> authenticate.
I doubt it's so easy. Say there's a place for one remembered OOB passcode.
Requesting the next OOB removes the previously stored information, making
the previous passcode unusable. Trying to authenticate after the user has
requested an OOB also suffers from the DoS problem. Hm.

> 
> Just thinking aloud.
Just replying aloud. ;-)

An SSH session can be 'held' for at least a minute on the authentication
screen, as I've tested once.

-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be

Attachment: signature.asc
Description: PGP signature

