Package: libpam-google-authenticator Version: 20160607-2 Severity: normal Dear Maintainer,
* What led up to the situation? When using Android Token, one notices that the base32 tokens printed out by the `google-authenticator` program are not valid. The issue has been previously reported against Android Token https://github.com/markmcavoy/androidtoken/issues/12 but it appears authenticator do not generate a proper base32 string when it displays the secret or generates the QR code. * What exactly did you do (or not do) that was effective (or ineffective)? Use `google-authenticator` to generate a new code. (I only tried with time-based.) * What was the outcome of this action? The secret key is printed out with missing `=` (equal) signs at the end. The QR code embeds the same key and is improperly parsed. * What outcome did you expect instead? The secret key should contain any number of trailing `=` (equal) signs at the end in order to be valid base32. The QR code should embed the secret with the proper number of `=` (equal) signs at the end in order to be valid base32. Experimentally one observes that six (6) equal signs appear to be missing in most cases. (This is because google-authenticator outputs 26 characters, for 130 bits, while Base32 "represents 40-bits groups on input bits as output strings of 8 encoded characters"(*), so padding must be extended to 32 characters.) (*) https://tools.ietf.org/html/rfc3548#page-7 References: https://github.com/google/google-authenticator/wiki/Key-Uri-Format indicates that the `secret` field should be encoded in Base32 according to RFC3548. RFC6238 (TOTP) references RFC4226 (HOTP) which specifies a minimal length of 128 bits for the secret key, with 160 bits preferred. -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (900, 'testing'), (50, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages libpam-google-authenticator depends on: ii libc6 2.23-5 ii libpam0g 1.1.8-3.3 ii libqrencode3 3.4.4-1+b1 libpam-google-authenticator recommends no packages. libpam-google-authenticator suggests no packages. -- no debconf information
