From: Rien Broekstra
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Wed, 06 Apr 2011 14:03:13 +0200
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9

On 4/6/2011 11:30 AM, Max Thoursie wrote:
[snip: totp pam patch]
> One comment I got from Simon was that it should include an option to disable reuse of a token in the same time window.
I didn't change that from the original, every token can be used to authenticate once, because the last successful authentication is logged to the userfile (otp and date), and if the user-supplied otp matches the last-used otp the authentication fails.
[snip]
> Using the moving factor for time step size was a good move, I should have thought of that. But why hardcode the window size when it can be configured for HOTP?
(I only spent a couple of hours reading the source, so what I'm writing below might be inaccurate:)
Can it? AFAIK, the hotp-module saves token type, name, password, seed, moving factor, and optionally the last used otp and the timestamp of last authentication. For totp-authentication we need all of those, except for the moving factor.
Of course it would be possible to add a column to the usersfile to also specify the window size, but that would break compatibility of the usersfile with older versions.
Cheers, -- Rien
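
The replay check discussed in this thread, as an added Python example (not code from the patch or from OATH Toolkit): a TOTP validator with a configurable time step and window that fails when the supplied OTP equals the last accepted one. The `record` dict, its field names, and the extra `last_step` bookkeeping are assumptions of this example; the secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def validate_totp(record: dict, otp: str, now: int,
                  step: int = 30, window: int = 1) -> bool:
    """Validate otp for `record`, a hypothetical stand-in for one usersfile line."""
    # Check described in the message: an OTP equal to the last accepted one fails.
    last = record.get("last_otp")
    if last is not None and hmac.compare_digest(otp.encode(), last.encode()):
        return False
    current = now // step
    for counter in range(max(0, current - window), current + window + 1):
        # Assumption of this example: also skip steps at or before the last
        # accepted one, so an older in-window code cannot be used afterwards.
        if counter <= record.get("last_step", -1):
            continue
        expected = hotp(record["secret"], counter)
        if hmac.compare_digest(otp.encode(), expected.encode()):
            record.update(last_otp=otp, last_auth=now, last_step=counter)
            return True
    return False


# Constructed record; the secret is the RFC 4226 test key, not real data.
SAMPLE = {"secret": b"12345678901234567890"}
```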