On 18.4.2013 19:16, Sergey wrote:
I have a h/w key which works okay but is ~ 1 hour back in the past.
Hmm. I thought about this (for other reasons) one day.
I can see two different issues here:
1) The hw clock has a constant offset
2) The hw clock actually drifts during use, so the offset changes
I guess you only saw the first problem, right?
I wonder if the drift actually would be a problem, and how does
commercial stuff (like RSA) deal with it, if it does.
I've crawled through the sources and I've made a test.
The problem is — I have to set my window = at least 150, and then,
after some successful authentications I can't change it to normal
3—4. PAM library just doesn't use all that time drift info. The field
called ‘start_moving_factor’ just keeps increasing by 130 every time
I log in. And, as I see in the code, it's not used with TOTP =( I
can't keep window=150, this makes the whole thing useless.
Is the current code even supposed to do anything to handle this?
Are you planning on fixing this?
--
Ilkka Virta / itvirta at iki.fi
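
An added example, not code from this thread or from the PAM module discussed: a TOTP validator that stores a per-token offset in time steps, as RFC 6238 section 6 suggests for resynchronisation, so a wide window is needed once and a small one afterwards. `TokenState`, `verify` and `demo`, the 30-second step and the 8-digit codes are assumptions made for illustration.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default; assumed here)

def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP value for one counter (8 digits as in the RFC 6238 vectors)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenState:
    """Per-token server record (hypothetical; not the module's own file format)."""
    def __init__(self, key: bytes):
        self.key = key
        self.offset = 0       # learned token-minus-server skew, in time steps
        self.last_step = -1   # last accepted token step, for replay rejection

def verify(state: TokenState, otp: str, now: float, window: int) -> bool:
    """Accept otp if it matches within +/-window steps of the learned offset."""
    centre = int(now) // STEP + state.offset
    # Try the nearest steps first so the smallest correction wins.
    for delta in sorted(range(-window, window + 1), key=abs):
        step = centre + delta
        if step < 0 or step <= state.last_step:
            continue  # this step or an earlier one was already accepted
        if hmac.compare_digest(hotp(state.key, step), otp):
            state.offset += delta   # re-centre on the token's clock (tracks drift too)
            state.last_step = step
            return True
    return False

def demo():
    key = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    token_lag = -3600                # constructed: token clock one hour behind
    state, t0 = TokenState(key), 1366300000
    code = lambda t: hotp(key, (t + token_lag) // STEP)
    narrow_fails = verify(state, code(t0), t0, window=3)    # offset not learned yet
    resync_ok = verify(state, code(t0), t0, window=150)     # one-time wide resync
    later_ok = verify(state, code(t0 + 90), t0 + 90, window=3)
    replayed = verify(state, code(t0 + 90), t0 + 90, window=3)
    return narrow_fails, resync_ok, state.offset, later_ok, replayed

if __name__ == "__main__":
    print(demo())
```

The wide window multiplies the number of codes accepted at a given moment, so it belongs in an explicit enrolment or resync step rather than in everyday logins.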