Hi,

>> 2. In some situations it would be nice to let users set up their
>> password prefix and OTP secret. What would be needed is a tool like
>> /usr/bin/passwd that managed the libpam-oath users file, letting users
>> change their relevant data after authentication. I couldn't find such
>> a tool. Is somebody working on it?
>
> Not to my knowledge. It would indeed be a usable tool. The
> alternative, of course, is to not perform the OATH stuff locally but on
> a remote server, and set up RADIUS or something else and use a pam_radius
> or whatever.
>
> /Simon
>
I've been working on one, although the caveats are that I've only used it myself, on my server with fewer than 10 users - so feedback welcome. I've not announced it, mostly due to having a busy year and not being able to do much more with it for another month or so.

The idea is that the users.oath file is group read/writable only (i.e., mode 660), and the tools in this chain are setgid (so they don't need root, yet users.oath is kept secret).

If people want to play, the sources are available from Bitbucket at:

https://bitbucket.org/rangerchris/otpsetpin

There are programs to manage users.oath, allow users to change their PIN, and generate QR codes for use with (say) FreeOTP on Android.

As mentioned, feedback welcome: I'm in the middle of other stuff at the moment and then a holiday, so changes to the codebase, if required, will take some time.

Cheers,
Chris
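
The permission layout described in this message (users.oath at mode 660, helper tools setgid rather than root) can be checked on a deployed host. The following is an added audit sketch, not part of the original post and not code from otpsetpin; the command-line paths are supplied by the operator, and the check that helpers are not group/other-writable is an extra assumption beyond what the message states.

```python
import os
import stat
import sys

def audit_users_file(mode):
    """Problems with the users.oath st_mode; the message specifies mode 660."""
    problems = []
    perms = stat.S_IMODE(mode)
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if perms & stat.S_IRWXO:
        problems.append("accessible to 'other': OTP secrets leak outside the group")
    elif perms != 0o660:
        problems.append("mode is %o, expected 660" % perms)
    return problems

def audit_helper(mode, gid, file_gid):
    """Problems with a helper binary, given its st_mode/st_gid and the file's gid."""
    problems = []
    if not mode & stat.S_ISGID:
        problems.append("setgid bit missing: helper cannot open users.oath")
    if mode & stat.S_ISUID:
        problems.append("setuid bit set: design only calls for setgid")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Added assumption: a writable setgid binary could be replaced.
        problems.append("writable by group or other")
    if gid != file_gid:
        problems.append("group differs from the users.oath group")
    return problems

def audit_paths(users_file, helpers):
    """Stat the real files and return {path: [problems]}."""
    st = os.stat(users_file)
    report = {users_file: audit_users_file(st.st_mode)}
    for path in helpers:
        hst = os.stat(path)
        report[path] = audit_helper(hst.st_mode, hst.st_gid, st.st_gid)
    return report

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: audit.py USERS_OATH_PATH HELPER [HELPER ...]")
    failed = False
    for path, problems in audit_paths(sys.argv[1], sys.argv[2:]).items():
        for p in problems:
            failed = True
            print("%s: %s" % (path, p))
    sys.exit(1 if failed else 0)
```
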
