FS#58588 - [oath-toolkit] "sha512" does not work with pam_oath
Attached to Project:
Community Packages
Opened by Reinardo Escobar (wincraft71) - Monday, 14 May 2018, 09:11 GMT
Last edited by freswa (frederik) - Tuesday, 11 February 2020, 19:10 GMT
Opened by Reinardo Escobar (wincraft71) - Monday, 14 May 2018, 09:11 GMT
Last edited by freswa (frederik) - Tuesday, 11 February 2020, 19:10 GMT
|
Details
In totp mode setting HMAC to "sha512" does not work with
pam_oath. The OTP will generate using "oathtool" but not
validate when using PAM.
This is because pam_oath has no setting for SHA, so when it authenticates the userfile in pam_oath.c: rc = oath_authenticate_usersfile (cfg.usersfile, user, otp, cfg.window, onlypasswd, &last_otp); It has no way of knowing the user intends to use the "totp=sha512" option on the command line with the "oathtool" command. A patch adding this as an option is attached. After building, I can confirm OTPs generated with "totp=sha512" will now validate (and also validate consecutively when the "last otp" field is present in /etc/users.oath). The only configuration necessary is adding the option "hmacsha=2" to the relevant /etc/pam.d/* file. For example: auth required pam_oath.so usersfile=/etc/users.oath digits=8 hmacsha=2 |
This task depends upon
Closed by freswa (frederik)
Tuesday, 11 February 2020, 19:10 GMT
Reason for closing: Upstream
Additional comments about closing: https://gitlab.com/oath-toolkit/oath-too lkit/issues/8
Tuesday, 11 February 2020, 19:10 GMT
Reason for closing: Upstream
Additional comments about closing: https://gitlab.com/oath-toolkit/oath-too lkit/issues/8
Comment by
Reinardo Escobar (wincraft71) -
Monday, 14 May 2018, 09:18 GMT
Comment by
Reinardo Escobar (wincraft71) -
Monday, 14 May 2018, 23:44 GMT
The summary should be '[oath-toolkit] "sha512" does not work with
pam_oath'
An issue has been opened in the upstream repo
"https://gitlab.com/oath-toolkit/oath-toolkit". It's unfortunate
that the patch cannot be implemented on Arch Linux by the package
maintainer since the fix is technically upstream's responsibility,
because the upstream issue may take a while to get a response.