FS#58588 - [oath-toolkit] "sha512" does not work with pam_oath

Attached to Project: Community Packages
Opened by Reinardo Escobar (wincraft71) - Monday, 14 May 2018, 09:11 GMT
Last edited by freswa (frederik) - Tuesday, 11 February 2020, 19:10 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

In TOTP mode, setting the HMAC to "sha512" does not work with pam_oath. The OTP is generated by "oathtool" but does not validate when using PAM.

This is because pam_oath has no setting for the SHA variant, so when it authenticates against the users file in pam_oath.c:

rc = oath_authenticate_usersfile (cfg.usersfile,
                                  user,
                                  otp, cfg.window, onlypasswd, &last_otp);

It has no way of knowing the user intends to use the "totp=sha512" option on the command line with the "oathtool" command.

A patch adding this as an option is attached. After building, I can confirm OTPs generated with "totp=sha512" will now validate (and also validate consecutively when the "last otp" field is present in /etc/users.oath).

The only configuration necessary is adding the option "hmacsha=2" to the relevant /etc/pam.d/* file.

For example:

auth required pam_oath.so usersfile=/etc/users.oath digits=8 hmacsha=2

Closed by freswa (frederik)
Tuesday, 11 February 2020, 19:10 GMT
Reason for closing: Upstream
Additional comments about closing: https://gitlab.com/oath-toolkit/oath-toolkit/issues/8
Comment by Reinardo Escobar (wincraft71) - Monday, 14 May 2018, 09:18 GMT
The summary should be '[oath-toolkit] "sha512" does not work with pam_oath'
Comment by Reinardo Escobar (wincraft71) - Monday, 14 May 2018, 23:44 GMT
An issue has been opened in the upstream repo "https://gitlab.com/oath-toolkit/oath-toolkit". It's unfortunate that the patch cannot be implemented on Arch Linux by the package maintainer since the fix is technically upstream's responsibility, because the upstream issue may take a while to get a response.
