Dear oath users,

I'm trying to find a way to set up a secure OTP authentication mechanism for a multi-user server[1], and at the moment libpam-oath seems the best solution. Still, there are two things that I'm missing, and I'd like to ask you whether you have any workaround to suggest or whether they are somehow planned features.

1. When using libpam-oath as a two-factor authenticator (fixed prefix + numeric token), the prefix is stored in the user file in plain text. This means that if the user file is stolen, the intruder will have all the information needed to generate new valid passwords. Why not store the prefix encrypted, as is normally done in /etc/shadow? This should be quite easy to implement, and I don't see why it shouldn't be done. Please note that I don't want to use the users' standard Unix (/etc/shadow) password as a prefix. This could be easily implemented with pam_unix and try_first_pass, but I don't want the users' password to leak in case of keystroke logging, shoulder surfing or similar attacks. (Possible workaround: libpam-oath + libpam-pwdfile + try_first_pass. Not very clean: it requires another PAM module, another file to manage and keep secure, a dedicated management tool... Other solutions are welcome.)

2. In some situations it would be nice to let users set up their password prefix and OTP secret. What would be needed is a tool like /usr/bin/passwd that manages the libpam-oath users file, letting users change their relevant data after authentication. I couldn't find such a tool. Is somebody working on it?

Thank you and kind regards,

Paride Legovini

[1] See: http://ninthfloor.org
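The following is an added illustration of the scheme point 1 asks for; it is not code from the original post, from libpam-oath, or from oath-toolkit, and the record layout (`salt`, `prefix_hash`, `hotp_secret`, `counter`) is this example's own assumption rather than the libpam-oath users-file format. It stores only a salted PBKDF2 hash of the fixed prefix, so a stolen record no longer yields the prefix, and verifies a login of the form `prefix + 6-digit HOTP` by checking both factors. The HOTP implementation follows RFC 4226 and is exercised with that RFC's published test secret (`12345678901234567890`), which serves as the constructed sample input here.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_prefix(prefix: str, salt=None, iterations: int = PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 of the fixed prefix (what /etc/shadow does for passwords)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", prefix.encode("utf-8"), salt, iterations)
    return salt, digest


def create_user(prefix: str, hotp_secret: bytes) -> dict:
    """Build a user record; the plaintext prefix is never stored (hypothetical layout)."""
    salt, digest = hash_prefix(prefix)
    return {
        "salt": salt,
        "prefix_hash": digest,
        "iterations": PBKDF2_ITERATIONS,
        "hotp_secret": hotp_secret,  # the HOTP secret itself must stay recoverable
        "counter": 0,
    }


def verify(record: dict, password: str, window: int = 3, digits: int = 6) -> bool:
    """Check 'prefix + OTP'. Both factors are evaluated before any decision is made."""
    if len(password) <= digits or not password[-digits:].isdigit():
        return False
    prefix, otp = password[:-digits], password[-digits:]

    _, digest = hash_prefix(prefix, record["salt"], record["iterations"])
    prefix_ok = hmac.compare_digest(digest, record["prefix_hash"])

    # Accept the OTP for the current counter or a few ahead (lost key presses),
    # and remember which counter matched so a used code cannot be replayed.
    otp_ok = False
    next_counter = record["counter"]
    for c in range(record["counter"], record["counter"] + window):
        if hmac.compare_digest(hotp(record["hotp_secret"], c, digits), otp):
            otp_ok = True
            next_counter = c + 1
            break

    if prefix_ok and otp_ok:
        record["counter"] = next_counter
        return True
    return False


if __name__ == "__main__":
    rfc4226_secret = b"12345678901234567890"  # RFC 4226 test vector secret (constructed sample)
    user = create_user("s3cret-prefix", rfc4226_secret)
    print("first login :", verify(user, "s3cret-prefix" + hotp(rfc4226_secret, 0)))
    print("replayed    :", verify(user, "s3cret-prefix" + hotp(rfc4226_secret, 0)))
    print("wrong prefix:", verify(user, "wrongprefix" + hotp(rfc4226_secret, 1)))
```

Two caveats a practitioner would want alongside this. First, hashing only protects the prefix: HOTP/TOTP are symmetric, so `hotp_secret` has to remain readable by the verifier, and a stolen file still gives the attacker the second factor. Second, the counter has to be written back under a lock on a multi-user server, otherwise two concurrent logins can both accept the same code.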
