[Otpasswd-talk] Getting stable + config layout

[Tomasz bla Fortuna]

Hi,
  Not much time for changes in last three days; still I've managed
to implement the last major feature, which was left, and that is
static password prompt when requesting OOB transmission.

There are few things left I'd like to do before declaring a stable
version:
1) Review config file. Proposed new layout is in
examples/otpasswd.conf_new, I'll paste it into this POST so you can
easily comment it and propose any updates. If you think you preferred
the original we can drop this update.

2) Kind of update what make install does... questions:
a) Does it matter for Debian packaging what make install behaves like?
Especially how does it treats manual pages? Gentoo for instance does
compression on its own.

b) Should we install documentation with make install? (Or prepare make
docs, OR leave it totally out and use distribution system for this task)

c) Should we use cmakes CPack for creating packages? Any virtuos of
this approach?

d) Do someone thinks we would be better off with autotools and would
like to do the switch? I've already got used to cmake a bit. ;) It
currently has testcases built in, which might make transition harder.

2a) I've created updated ebuild for Gentoo. 
- Does make install
- Installs additionally README and INSTALL files into share directory
- As Gentoo will ensure ebuild does not overwrite existing configuration
  files in /etc it also copies otpasswd.conf.dist into otpasswd.conf.
- creates otpasswd user
- Ensures /etc/otpasswd is owned by this user

And while those are fairly obvious and mostly are done to ease user with 
DB=user/DB=global transitions it also:
- makes otpasswd suid-root 
- makes config readable only by root (transition to DB=ldap/mysql which 
aren't implemented. ;d)
Those two steps are really optional. It should not make system any 
less secure as privileges in DB=user are dropped fast. If distribution would
not like this default setting it can be left out.

File is here:
http://thera.be/my_public/my_projects/otpasswd/otpasswd-0.5b.ebuild
Latest packaged version which should work with this ebuild is here:
http://thera.be/my_public/my_projects/otpasswd/otpasswd-0.5b.tar.bz2
It should generally match latest git tag 0.5pre2, but this file changes 
from time to time.

3) Test it at least a bit in various configurations. I've lost my freebsd 
installation but I guess I can do it on VM with FreeBSD and see if something 
needs to be updated to make it work there. Rest of systems (Mac, Solaris) can 
be tested in future versions...

4) Ideas?

Proposed config. Multi-value options which didn't match any of this two schemas:
- ENABLED/DISABLED
- DISALLOW, ALLOW, ENFORCE
are left with numeric value and description.
You can comment it here, or add changes directly to the repository
if they are bigger.


##
#    OTPasswd - One-Time Password Authentication System
#    --------------------------------------------------
#       https://savannah.nongnu.org/projects/otpasswd
#                Updated: 03-Jan-10 (v0.5pre1)
#
# Configuration of OTPasswd PAM module and key management utility.
#
# File consists of entries in a form:
# VARIABLE=VALUE
# Whitespaces around '=' are not ignored and values musn't be 
# surrounded with " or '. Whitespace after arguments is trimmed.
#
# Most policy affects administrator and user (length of code
# usable alphabet), but some disable options only for user
# (contact/label changing, account disabling).
#
# There are some options which aren't implemented currently.
# They are here so we won't need to break config compatibility soon.
# Those are labeled with "NI!" (Not implemented) abbreviation.
#
##

##
# General configuration
## 

# Select DB (state database) to use. This is the only option
# that MUST be select before OTPasswd will work.
# global:
#   If enabled we store data in global database.
#   This is required for policies to work, yet this option requires 
#   OTPasswd utility to be SUID. 
# user:
#   Keys located in user home directory. Most of policies are not 
#   enforced, no SUID required. Even if utility is SUID it will drop it's
#   permissions just after reading config file.
# mysql:
#   Not implemented
# ldap:
#   Not implemented
#
# DB=user

# Name of the file used to keep user keys in their homes. Lock file
# will be created by appending .lck, temporary file by .tmp
# suffix. State copy might be created with .old suffix.
DB_USER=.otpasswd

# Option USER defines a user, the utility will have to be run in certain
# conditions. This option is ignored when DB=user, and should be located
# after DB in config file. 
# In situations when this option is not ignored, utility is
# SUID to either:
# root - (NI!) utility will drop it's privileges to USER as fast as it
#        reads config file. This approach protects utility executable 
#        from being tampered by a successful attacker.
# USER - user which owns config file and /etc/otpasswd directory used
#        to hold user database. This option is then used passively to 
#        make sure SUID is configured correctly.
USER=otpasswd

# MySQL configuration (NI!)
#
# create table state (
#   `username` char(30) PRIMARY KEY,
#   `key` long,
#   `counter` long,
#   `latest_card` long,
#   `flags` int,
#   `codelength` int,
#   `alphabet` int,
#   `spass` char(64),
#   `label` char(30),
#   `contact` char (60),
# 
#   `failures` int,
#   `recent_failures` int,
#   `oob_timestamp` long
# );
SQL_HOST=127.0.0.1
SQL_DATABASE=otpasswd
SQL_USER=otpasswd
SQL_PASS=generate something random and write here

# LDAP configuration (NI!)
LDAP_HOST=127.0.0.1
LDAP_USER=otpasswd
LDAP_PASS=ldap password
LDAP_DN=ou=users,dc=domain,dc=com

##
# PAM Module configuration
##

# How many messages will be logged into syslog by PAM.
# (Utility works on level 1, can be switched into 2 by -v option)
#
# 0 - Nothing will be logged
# 1 - Normal: Errors
# 2 - High: Errors, Warnings (i.e. all authentication tries)
# 3 - Verbose: Errors, Warnings, Notices (-v option to utility)
#     Verbose mode is enabled by "debug" module option.
#     Normal mode can be enabled by passing "audit" option to module.
PAM_LOGGING=1

# This option can be set for both auth and session modules here 
# or for selected one in /etc/pam.d as a module option.
# DISABLED - Normal
#     User will get additional information on some types of errors during
#     login (like, otp is enforced and he doesn't have generated key, 
#     OOB sent, policy error etc.)
# ENABLED - Silent 
#     Inhibit any not important messages sent to user during authentication
#     (including "last passcard warnings" of PAM session.).
#     Can be also enabled by "silent" module option.
PAM_SILENT=DISABLED

# If enabled only users who exists in DB will be able to authenticate.
PAM_ENFORCE=DISABLED

# Should PAM fail any authentication if user state doesn't match policy?
# If DB=user and some of the policies should be enforced this should be
# set to 1. When DB=global the user should not be able to set his state
# against the policy, but, administrator can escalate policies which can
# cause previously-valid states not to authenticate. Setting this option
# to 0 can allow such account to authenticate successfully.
PAM_ENFORCE_POLICY=DISABLED

# Passcode prompt retry configuration.
# 0 - Do not retry passcode question
# 1 - retry using next passcode
# 2 - retry asking the same passcode
PAM_RETRY=0

# Number of retries (2 to 5)
PAM_RETRIES=3

# NI! User can request key regeneration
# with PAM prompt (by entering , instead of passcode)
# The user is then requested a static password which
# he must have set before.
PAM_KEY_REGENERATION_PROMPT=DISABLED

# After authentication display user a number of failed
# authentication tries.
PAM_FAILURE_WARNING=1

# NI! Number of failures after which delay is incremented.
PAM_FAILURE_BOUNDARY=3

# NI! Seconds of delay after recent failure count reaches FAILURE_BOUNDARY 
PAM_FAILURE_DELAY=5

# Require SPASS on each logon. Before user is prompted a passcode.
PAM_SPASS_REQUIRE=DISABLED

##
# 0 - OOB disabled
# 1 - OOB available on user request (by entering '.' on passcode prompt)
# 2 - OOB on request, requires static password prompt
# 3 - Sent OOB at the beginning of all authentication sessions.
##
PAM_OOB=0

# Path to OOB script
# This script gets two arguments: User contact field and current
# passcode. Script musn't be SUID, and must be readable/executable by
# user defined in OOB_USER as OTPasswd will drop root privilages in
# order to run it.
PAM_OOB_PATH=/etc/otpasswd/otpasswd_oob.sh

# User used to run script (don't set to root!)
PAM_OOB_USER=nobody

# NI! Minimum delay in seconds between two consecutive uses of OOB
PAM_OOB_DELAY=10


#################################################################
# Utility Policy Configuration
#
# As oppossed to "System Policy" this works only if user doesn't
# have direct access to state database himself.
#################################################################

# Can user generate himself a key?
KEY_GENERATION=ALLOW

# Can user generate himself a key if he already has one?
KEY_REGENERATION=ALLOW

# Can user disable AND enable his state? 
# Disabled state is ignored if ENFORCE=0
DISABLING=DISALLOW

# NI! Allow user to specify a (small) file or a string.
# Instead of random data this file will be used to generate
# key (with salted SHA256 hash).
SOURCED_KEY_GENERATION=DISALLOW

# Allow user to remove his state information
KEY_REMOVAL=ALLOW

# Can user print himself any passcodes?
PASSCODE_PRINT=ALLOW

# Can user display his key/counter pair?
# Will disable also state export.
KEY_PRINT=ALLOW

# Allow user to skip passcodes?
SKIPPING=ALLOW

# Allow backward skip of passcodes?
BACKWARD_SKIPPING=DISALLOW

# Can user authenticate on prompt with -a option?
SHELL_AUTH=ALLOW

# Allow user to use -v option?
VERBOSE_OUTPUT=ALLOW

# NI! Allow ascii state import/export.
STATE_EXPORT=ALLOW
STATE_IMPORT=DISALLOW

# Can user set his contact information?
CONTACT_CHANGE=ALLOW

# Can user change label printed on cards?
LABEL_CHANGE=ALLOW

##
# Static password (spass)
##

# Allow setting/clearing of spass
SPASS_CHANGE=ALLOW

# Minimal length
SPASS_MIN_LENGTH=7
# How many digits to require in spass
SPASS_REQUIRE_DIGIT=1
# How many special characters to require (non-digit, non-alpha)
SPASS_REQUIRE_SPECIAL=1
# How many uppercase alpha characters we require. 
SPASS_REQUIRE_UPPERCASE=1


##
# Alphabet configuration
##

# Allow selection of alphabet or stick to default?
ALPHABET_CHANGE=ALLOW

# 0 - Custom alphabet defined in config (by default 0123456789)
# 1 - 64 characters ("PPP standard"):
# !#%+23456789:address@hidden
# 2 - 88 characters  ("PPP standard"):
# !"#$%&'()*+,-./23456789:;<=>address@hidden
# [\\]^_abcdefghijkmnopqrstuvwxyz{|}~
# NI! 3 - 54 characters, no vowels:
# !#%+23456789:address@hidden
# NI! 4 - 78 characters, no vowels:
# !"#$%&'()*+,-./23456789:;<=>address@hidden|}~
# NI! 5 - 56 characters, only alphanumeric + digits
# 23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPRSTUVWXYZ
ALPHABET_DEF=1

# Custom alphabet.
ALPHABET_CUSTOM=0123456789


## Salt parameters
# By default:
# DISABLED - Use key without salt (PPPv3.1 compatible)
# ENABLED  - Use salted key ("Safer", but not compatible)
##
SALT_DEF=ENABLED

# Policy configuration:
# DISALLOW - Disallow generation of salt
# ALLOW    - Allow user to use salt
# ENFORCE  - Enforce usage of salt
SALT=ALLOW

##
# Show flag policy
# ENABLED  - display entered passcodes
# DISABLED - do not display entered passcodes
##
SHOW_DEF=ENABLED

#################################################################
# System Policy Configuration
#
# As oppossed to "Utility Policy" this is can be enforced
# additionaly by PAM module if PAM_ENFORCE_POLICY is enabled.
# User can't simply avoid this policy by mangling directly
# with his state file. If user manages to distroy his state file
# or its compatibility with this policy then his authentication 
# will be denied.
#################################################################

##
# Set minimal/maximal/default length of passcode.
# Acceptable passcode length is between 2 and 16.
# Those are enforced also by PAM module.
##
PASSCODE_MIN_LENGTH=2
PASSCODE_MAX_LENGTH=16
PASSCODE_DEF_LENGTH=4

##
# Minimal/maximal acceptable length of alphabet.
# Can be used to enforce usage of one, choosen, alphabet.
##
ALPHABET_MIN_LENGTH=32
ALPHABET_MAX_LENGTH=88


## 
# Show flag policy
# DISALLOW - Disallow display of passcode
# ALLOW    - Allow user to select option
# ENFORCE  - Enforce display of passcode
##
SHOW_PASSCODE=ALLOW

-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be

signature.asc
Description: PGP signature