This is to announce oath-toolkit-2.6.14, a stable release.

OATH Toolkit provides components to build one-time password
authentication systems.  It contains shared C libraries, command line
tools and a PAM module.  Supported technologies include the event-based
HOTP algorithm (RFC 4226), the time-based TOTP algorithm (RFC 6238), and
Portable Symmetric Key Container (PSKC, RFC 6030) to manage secret key
data.  OATH stands for Open AuTHentication, which is the organization
that specifies the algorithms.

The following components are included:

 * liboath: A shared and static C library for OATH handling.
 * oathtool: A command line tool for generating and validating OTPs.
 * pam_oath: A PAM module for pluggable login authentication for OATH.
 * libpskc: A shared and static C library for PSKC handling.
 * pskctool: A command line tool for manipulating PSKC data.

The project web pages are available at:
  https://oath-toolkit.codeberg.page/
  https://codeberg.org/oath-toolkit/oath-toolkit

Documentation for the command line tools oathtool and pskctool:
  https://oath-toolkit.codeberg.page/oathtool.1.html
  https://oath-toolkit.codeberg.page/pskctool.1.html

Tutorial on PSKC:
  https://oath-toolkit.codeberg.page/libpskc-api/pskc-tutorial.html

Manual for PAM module:
  https://oath-toolkit.codeberg.page/pam_oath.html

Liboath Manual:
  https://oath-toolkit.codeberg.page/liboath-api/liboath-oath.h.html

Libpskc Manual:
  https://oath-toolkit.codeberg.page/libpskc-api/pskc-reference.html

General information on contributing:
  https://oath-toolkit.codeberg.page/contrib.html

GitLab Pipeline:
  https://gitlab.com/oath-toolkit/oath-toolkit/-/pipelines

Code coverage charts:
  https://oath-toolkit.gitlab.io/oath-toolkit/coverage/

Coverity report:
  https://scan.coverity.com/projects/oath-toolkit

If you need help to use the OATH Toolkit, or want to help others, you
are invited to join our oath-toolkit-help mailing list, see:
  https://lists.nongnu.org/mailman/listinfo/oath-toolkit-help

There have been 24 commits by 3 people in the 26 weeks since 2.6.13.

See the NEWS below for a brief summary.

Thanks to everyone who has contributed!
The following people contributed changes to this release:

  Luna (2)
  Simon Josefsson (21)
  lvgenggeng (1)

Happy hacking,
Simon

==================================================================

Here is the release page:
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/tag/v2.6.14

Here are the compressed sources and a GPG detached signature:
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.14/oath-toolkit-2.6.14.tar.gz
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.14/oath-toolkit-2.6.14.tar.gz.sig

Here is a signed git-archive style minimal source code archive:
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.14/oath-toolkit-v2.6.14-src.tar.gz
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.14/oath-toolkit-v2.6.14-src.tar.gz.sig

Here are Sigsum Proofs:
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.14/oath-toolkit-2.6.14.tar.gz.proof
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.14/oath-toolkit-v2.6.14-src.tar.gz.proof

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA256 and SHA3-256 checksums:

  SHA256 (oath-toolkit-2.6.14.tar.gz) = ix2jZXWfEkm+V6gq7G4Qf3tX3HfYE/ltwKr4FiTyiXE=
  SHA3-256 (oath-toolkit-2.6.14.tar.gz) = JhrhFTFBZQqPL1VwS7fJgmF0LgclpZBkWTaX4ZSeacI=

  SHA256 (oath-toolkit-v2.6.14-src.tar.gz) = 1hi2te1uDEgnidUavnvdDGVKChNgeXijtvUyIW7AHEU=
  SHA3-256 (oath-toolkit-v2.6.14-src.tar.gz) = 3OwYvnn4loKK1MoZxyRD3zpIBYKcw7PKq9LARFnOwG8=

Verify the base64 SHA256 checksum with 'cksum -a sha256 --check'
from coreutils-9.2 or OpenBSD's cksum since 2007.

Verify the base64 SHA3-256 checksum with 'cksum -a sha3 --check'
from coreutils-9.8.
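
On a host whose coreutils predates those versions, the same base64 check can be scripted.  The following is an added example, not part of the announcement or of OATH Toolkit; the function names are illustrative, and it expects the checksum lines saved to a file with each 'TAG (file) = digest' entry on a single line.

```python
import base64
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Tag used in the checksum line -> hashlib algorithm name.
ALGORITHMS = {"SHA256": "sha256", "SHA3-256": "sha3_256"}
# BSD-style tagged line: "SHA256 (name) = <base64 digest>"
TAGGED = re.compile(r"^\s*([A-Z0-9-]+) \((.+)\) = ([A-Za-z0-9+/]+=*)\s*$")


def file_digest(path, algorithm):
    """Hash in chunks so a large tarball need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()


def verify_checksums(text, directory="."):
    """Check each tagged line in text; return {(tag, name): bool}.
    Unknown tags, malformed base64 and missing files count as failures."""
    results = {}
    for line in text.splitlines():
        m = TAGGED.match(line)
        if not m:
            continue
        tag, name, b64 = m.groups()
        # Path(name).name keeps the lookup inside `directory`.
        path = Path(directory) / Path(name).name
        ok = False
        if tag in ALGORITHMS and path.is_file():
            try:
                expected = base64.b64decode(b64, validate=True)
            except ValueError:
                expected = b""
            ok = hmac.compare_digest(expected, file_digest(path, ALGORITHMS[tag]))
        results[(tag, name)] = ok
    return results


if __name__ == "__main__":  # usage: script.py CHECKSUM-FILE
    res = verify_checksums(Path(sys.argv[1]).read_text())
    print("\n".join(f"{n}: {t} {'OK' if ok else 'FAILED'}" for (t, n), ok in res.items()))
    sys.exit(0 if res and all(res.values()) else 1)
```

A matching checksum only shows the download agrees with this message; the origin of the files is established by the signature and Sigsum checks described below.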

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify oath-toolkit-2.6.14.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <[email protected]>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key [email protected]

  gpg --recv-keys 51722B08FE4745A2

Use the .proof files to verify the Sigsum proof.  These files are like
signatures but with extra transparency: you can cryptographically verify
that every signature is logged in a public append-only log, so you can
say with confidence what signatures exist.  This makes hidden releases
no longer deniable for the same public key.

Releases are Sigsum-signed with the following public key:

  cat <<EOF > jas-sigsum-key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE
EOF

Run a command like this to verify downloaded artifacts:

  sigsum-verify -k jas-sigsum-key.pub -P sigsum-generic-2025-1 \
        oath-toolkit-2.6.14.tar.gz.proof < oath-toolkit-2.6.14.tar.gz

You may learn more about Sigsum concepts and find instructions how to
download the tools here: https://www.sigsum.org/getting-started/

This release is based on the oath-toolkit git repository, available as

  git clone https://codeberg.org/oath-toolkit/oath-toolkit.git

with commit 5a534218feaa1bf58b59bc183d7d4c34bc48c7c1 tagged as v2.6.14.

For a summary of changes and contributors, see:

  https://codeberg.org/oath-toolkit/oath-toolkit/commits/tag/v2.6.14

or run this command from a git-cloned oath-toolkit directory:

  git shortlog v2.6.13..v2.6.14

This release was bootstrapped with the following tools:
  Git 2.52.0
  Gnulib 2026-01-14 2a288c048e2a23ea9cd8cbef9a60aa4ac82bdc3d
  Autoconf 2.72
  Automake 1.17
  Libtoolize 2.4.7
  Make 4.4.1
  Bison 3.8.2
  Help2man 1.49.2
  Gengetopt 2.23
  Gtkdocize 1.34.0
  Tar 1.35
  Gzip 1.13
  Guix 1c477aea8d97933b7594a48b58fd13fb7dd7070f

NEWS

* Noteworthy changes in release 2.6.14 (2026-01-27) [stable]

** pam_oath: Support null_usersfile_okay parameter.
The argument no_usersfile_okay forces the module to act as if the user
is not present in the config, if the config file does not exist. This
has security implications; only use it if you know what you are
doing.  E.g., if the file is in a mount like home and that fails to be
mounted, then this will succeed even if the OTP is configured for that
user.  Patch by Luna, Jan Zerebecki, and Miika Alikirri; see
<https://codeberg.org/oath-toolkit/oath-toolkit/pulls/94>.

** pam_oath README: Suggest `KbdInteractiveAuthentication`.
Instead of deprecated `ChallengeResponseAuthentication`.  Patch by
lvgenggeng, see
<https://codeberg.org/oath-toolkit/oath-toolkit/pulls/112>.

** Various build fixes including updated gnulib files.
Fixes building with glibc 2.43, see
<https://codeberg.org/oath-toolkit/oath-toolkit/issues/113>.
