OTP feature for /bin/login

Tito farmatito at tiscali.it
Wed May 9 20:52:27 UTC 2012


On Wednesday 09 May 2012 21:38:26 Sven-Göran Bergh wrote:
> >>  This should be easy to fix either in the current implementation of PAM
> 
> > 
> > Ha, ha.
> > There are reasons why I'm (slowly) rewriting the world instead of
> > contributing to other projects. One of the main reasons is that most
> > people write code of HORRIBLE quality and I'll take no part in that.
> > PAM is no exception.
> > 
> > 
> >>  or by writing a replacement for the main PAM code that can use the existing 
> > module
> >>  code
> > 
> > Maybe, but the workings of PAM are inherently complex. I'd rather design
> > a simpler API.
> > 
> >>>  [ to have executables instead of shared objects as atoms ]
> >>  No, this is just as broken and probably is full of security problems
> >>  to be considered. Running child processes is anything but transparent
> >>  to the calling program.
> > 
> > Huh ? Who said anything about child processes ? I was talking about
> > something like the checkpassword interface (see
> > http://cr.yp.to/checkpwd/interface.html ), but enhanced to provide the
> > functionality that OTP and other auth schemes need. No child processes,
> > just chain loading.
> > 
> >>  or else have a local "pamd" that does all the authentication work
> > 
> > That's another viable solution indeed. But people might not like it
> > because it's not transparent.
> 
> I actually have hard to believe this is the busybox mailing list.
> 
> Several PAM replacements are discussed, some as complex as the original,
> some a bit simpler. Don't get me wrong I would love to see a *simple*
> PAM replacement. Until that replacement is in place and has proven
> itself worthy, lets focus on the patch supplied by Guylhem.
> 
> First it was turned down because "this belongs in PAM".
Hi,
In fact it already exists http://motp.sourceforge.net/pam_mobile_otp-0.6.1.tgz
(some info also at http://www.worksinmymind.com/blog/?p=1083)
plus "motp-manager", a shell script to simplify user management
(http://motp.sourceforge.net/motp-manager.sh)
and there is even a Android client (http://motp.sourceforge.net/Mobile-OTP.apk)
and for PalmOS and for J2ME phones and  a Web App for every device with
a Javascript enabled browser.

PAM_module_exists + we_have_the_hooks_for_PAM = use_PAM_IMHO

> When pointed out that PAM is bloated and complex, several innovative
> ways of replacing it are discussed.
> 
> IMHO the patch follow the bb spirit. It is lean, simple and supply a

"BusyBox combines tiny versions of many _common_ UNIX utilities into a single small executable. "

> powerful feature. Furthermore, it is not mandatory!
> CONFIG_FEATURE_LOGIN_OTP is disabled by default.
> 
> As pointed out earlier there may be some minor tweaks needed, and we
> have already touched on most of them. Until I see a PAM replacement
> that is lean, simple and secure I would love to see the patch

So far there is no patch, just a proof of concept that needs polishing.
I think that the code should be moved out of correct_password
to its own file (but obviously Denys is the boss, he will decide),  
It is also unclear to me if the client side motpgen should also
be included in busybox, maybe along with other programs
to send SMS, make phone calls and read PINS on the phone.
I wonder also if the motpgen should be made multiplatform
due to the number of different OSes out there.
There is the issue about the shared_secret in motpgen,
should it be hardcoded or do we need to carry a piece
of paper to remember it.

Ciao,
Tito
> included. If/when a good PAM replacement turns up in the future it
> wouldn't be rocket science to adapt OTP to use it.
> 
> /Sven








More information about the busybox mailing list