#11828: Look into using one-time-passwords as secondary authentication method for baron
-------------------------+----------------------------
    Reporter:  zooey     |      Owner:  haiku-sysadmin
        Type:  task      |     Status:  new
    Priority:  normal    |  Milestone:
   Component:  Sys-Admin |    Version:
  Resolution:            |   Keywords:
  Blocked By:            |   Blocking:
 Has a Patch:  0         |   Platform:  All
-------------------------+----------------------------

Comment (by Centinel):

The sshd PAM file has been fixed.

{{{
auth requisite pam_nologin.so
auth sufficient pam_access.so accessfile=/etc/security/access-local.conf
auth [success=done new_authtok_reqd=done default=die] pam_oath.so usersfile=/etc/users.oath window=30
}}}

The first line is unchanged. The second line is essentially unchanged. The third line now fails authentication if the OTP is entered incorrectly, or succeeds and exits the PAM stack if the OTP is entered correctly. As a result, everything after the third line becomes dead code, but that's okay since it has to do with password-based authentication.

In my and jprostko's initial testing, everything works properly. I think we've finally nailed this. Due to prior commitments, I won't be able to resume work on this until early next week, but jprostko may finish this off in the meantime.

I'm not a security expert, but I would tend to think that OTP would be more appropriate for logins. After all, it's best to keep people from getting in to begin with. However, I can see why you'd opt for sudo OTP as a convenience compromise.

The PAM stack for sudo is really simple:

{{{
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
}}}

Altogether, this (1) prompts you for your password, (2) makes sure that your account and password are valid, (3) checks to see if your password needs to be changed, and (4) sets up environmental variables. It really couldn't be more straightforward.

So if you wanted to add OTP support, here's how I would do it:

{{{
auth     [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth     requisite pam_oath.so usersfile=/etc/users.oath window=30
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
}}}

The first line is recycled from one of my earlier sshd PAM stacks: if you're an OTP user, go to the next line, and if not, go to the third line and proceed as usual. The second line prompts for an OTP. If it isn't entered correctly, authentication fails. If it's entered successfully, go to line three and proceed as usual. And that's all it should take.

Feel free to start from there if you've got time, jprostko.

--
Ticket URL: <https://dev.haiku-os.org/ticket/11828#comment:20>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.
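The control flags in the two stacks above (`sufficient`, `requisite`, `[success=done default=die]`, `[success=1 default=ignore]`) decide which modules ever get consulted. The following simulator is an added illustration, not code from Haiku or from the ticket: it walks each stack under simplified pam.conf(5) semantics with constructed module results, showing that the sshd lines after `pam_oath.so` are never reached and how the sudo stack skips the OTP prompt when `pam_access.so` succeeds. The names `rest-of-stack` and `common-auth` are stand-ins for lines the comment does not show.

```python
"""Simulate Linux-PAM auth-stack control flow for the two stacks in the ticket
comment. Added illustration; module results are constructed stand-ins."""

# Simplified pam.conf(5) semantics. Actions: "ok" (continue), "bad" (record a
# failure, continue), "die" (fail now), "done" (return now), "ignore" (no
# effect), or an int N ([success=N]: skip the next N modules).
KEYWORD = {
    "required":   {"success": "ok",   "fail": "bad"},
    "requisite":  {"success": "ok",   "fail": "die"},
    "sufficient": {"success": "done", "fail": "ignore"},
}

def run_auth_stack(stack, outcomes):
    """stack: [(control, module)] with control a keyword or a dict like
    {"success": "done", "default": "die"}; outcomes: module -> "success"/"fail"."""
    consulted, failed, i = [], False, 0
    while i < len(stack):
        control, module = stack[i]
        result = outcomes[module]
        consulted.append(module)
        if isinstance(control, dict):
            action = control.get(result, control.get("default", "ignore"))
        else:
            action = KEYWORD[control][result]
        if action == "done":   # stack ends here; success only if nothing failed
            return ("success" if result == "success" and not failed else "fail"), consulted
        if action == "die":
            return "fail", consulted
        if action == "bad":
            failed = True
        elif isinstance(action, int):
            i += action        # jump over the next N modules
        i += 1
    return ("fail" if failed else "success"), consulted

# Fixed sshd stack; "rest-of-stack" is a constructed stand-in for the
# password-based lines the comment says follow the third line.
SSHD = [
    ("requisite", "pam_nologin"),
    ("sufficient", "pam_access"),
    ({"success": "done", "default": "die"}, "pam_oath"),
    ("required", "rest-of-stack"),
]

# Proposed sudo stack; "common-auth" stands in for the included file.
SUDO = [
    ({"success": 1, "default": "ignore"}, "pam_access"),
    ("requisite", "pam_oath"),
    ("required", "common-auth"),
]
```

`run_auth_stack(SSHD, {...})` returns the final result together with the list of modules that were actually consulted, so the "dead code" claim can be checked directly: with a correct OTP the list stops at `pam_oath`.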