[haiku-sysadmin] Re: [Haiku] #11828: Look into using one-time-passwords as secondary authentication method for baron

  • From: "Centinel" <trac@xxxxxxxxxxxx>
  • Date: Fri, 13 Feb 2015 20:14:00 -0000

#11828: Look into using one-time-passwords as secondary authentication method for baron
-------------------------+----------------------------
   Reporter:  zooey      |      Owner:  haiku-sysadmin
       Type:  task       |     Status:  new
   Priority:  normal     |  Milestone:
  Component:  Sys-Admin  |    Version:
 Resolution:             |   Keywords:
 Blocked By:             |   Blocking:
Has a Patch:  0          |   Platform:  All
-------------------------+----------------------------

Comment (by Centinel):

 The sshd PAM file has been fixed.

 {{{
 auth        requisite   pam_nologin.so
 auth sufficient pam_access.so accessfile=/etc/security/access-local.conf
 auth [success=done new_authtok_reqd=done default=die] pam_oath.so usersfile=/etc/users.oath window=30
 }}}

 The first line is unchanged.

 The second line is essentially unchanged.

 The third line now fails authentication if the OTP is entered incorrectly
 or succeeds and exits the PAM stack if the OTP is entered correctly. As a
 result, everything after the third line becomes dead code, but that's okay
 since it has to do with password-based authentication.

 In my and jprostko's initial testing, everything works properly. I think
 we've finally nailed this. Due to prior commitments, I won't be able to
 resume work on this until early next week, but jprostko may finish this
 off in the meantime.

 I'm not a security expert, but I would tend to think that OTP would be
 more appropriate for logins. After all, it's best to keep people from
 getting in to begin with. However, I can see why you'd opt for sudo OTP as
 a convenience compromise.

 The PAM stack for sudo is really simple:

 {{{
 auth     include        common-auth
 account  include        common-account
 password include        common-password
 session  include        common-session
 }}}

 Altogether, this (1) prompts you for your password, (2) makes sure that
 your account and password are valid, (3) checks to see if your password
 needs to be changed, and (4) sets up environment variables. It really
 couldn't be more straightforward.

 So if you wanted to add OTP support, here's how I would do it:

 {{{
 # the next two lines are the additions; the rest is the existing sudo stack
 auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
 auth requisite pam_oath.so usersfile=/etc/users.oath window=30
 auth     include        common-auth
 account  include        common-account
 password include        common-password
 session  include        common-session
 }}}

 The first line is recycled from one of my earlier sshd PAM stacks: if
 you're an OTP user, go to the next line, and if not, go to the third line
 and proceed as usual.

 The second line prompts for an OTP. If it isn't entered correctly,
 authentication fails. If it's entered successfully, go to line three and
 proceed as usual.

 And that's all it should take. Feel free to start from there if you've got
 time, jprostko.

--
Ticket URL: <https://dev.haiku-os.org/ticket/11828#comment:20>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.
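As an added illustration (not part of the ticket, and not Linux-PAM's or pam_oath's own code), the following Python script models the Linux-PAM auth-stack control-flow rules from pam.conf(5) and runs the three stacks quoted in the comment through them. It assumes a constructed one-module stand-in for common-auth (pam_unix.so), a constructed trailing include on the sshd stack standing in for the password lines the comment calls dead code, and that pam_access with the comment's access-local.conf succeeds only for users who are exempt from OTP. The trace shows which modules are actually consulted per login case: on sshd, a correct OTP ends the stack at pam_oath so the password modules never run, and on sudo, non-OTP users jump over pam_oath while OTP users must pass it before the usual password prompt.

```python
"""Model of Linux-PAM 'auth' stack control flow (pam.conf(5) rules) applied to
the stacks quoted in the ticket comment.  Added illustration: not Linux-PAM's
code and not part of the ticket."""
import re

# The shorthand control words, expanded as pam.conf(5) defines them.
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")  # type control module args

def parse_stack(text, includes):
    """'auth' entries of a pam.d file as (actions, module, args); other types are
    skipped and 'include' lines are flattened from the `includes` mapping."""
    entries = []
    for raw in text.splitlines():
        m = AUTH_LINE.match(raw.strip())
        if not m:
            continue
        control, module, args = m.groups()
        if control == "include":
            entries.extend(parse_stack(includes[module], includes))
        elif control.startswith("["):
            entries.append((dict(kv.split("=", 1) for kv in control[1:-1].split()), module, args))
        else:
            entries.append((dict(SHORTHAND[control]), module, args))
    return entries

def run_auth(entries, outcomes):
    """Walk the stack as pam_dispatch does.  `outcomes` maps module name to
    'success' or 'fail' ('fail' = any non-success code, e.g. PAM_AUTH_ERR or
    PAM_PERM_DENIED).  Returns (result, trace of modules actually consulted)."""
    impression = None   # None = undefined, True = positive, False = negative (sticky)
    skip, trace = 0, []
    for actions, module, _args in entries:
        if skip:                             # jumped over by an earlier 'N' action
            skip -= 1
            trace.append(f"{module}: skipped")
            continue
        retval = outcomes[module]
        action = actions.get(retval, actions.get("default", "bad"))
        trace.append(f"{module}: {retval} -> {action}")
        if action == "ignore":
            continue                         # contributes nothing to the result
        if action in ("bad", "die"):
            impression = False               # first failure sticks; later successes cannot undo it
            if action == "die":
                break                        # requisite-style: stop right here
            continue
        if impression is not False:          # 'ok', 'done' and numeric jumps all count as success
            impression = True
        if action == "done" and impression is True:
            break                            # sufficient-style: return now, the rest never runs
        if action.isdigit():
            skip = int(action)               # 'ok' plus skip the next N modules
    return ("success" if impression is True else "fail", trace)

# Stacks from the comment.  The trailing sshd 'include' is a constructed stand-in for
# the password lines the comment says are now dead code; non-auth lines are not modelled.
SSHD_AUTH = """\
auth        requisite   pam_nologin.so
auth sufficient pam_access.so accessfile=/etc/security/access-local.conf
auth [success=done new_authtok_reqd=done default=die] pam_oath.so usersfile=/etc/users.oath window=30
auth include common-auth
"""
SUDO_AUTH = """\
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth requisite pam_oath.so usersfile=/etc/users.oath window=30
auth     include        common-auth
"""
INCLUDES = {"common-auth": "auth required pam_unix.so"}   # constructed one-module common-auth

def scenarios():
    """Both stacks for the cases the comment discusses.  pam_access is assumed to
    succeed only for users exempt from OTP (what access-local.conf must express)."""
    sshd, sudo = parse_stack(SSHD_AUTH, INCLUDES), parse_stack(SUDO_AUTH, INCLUDES)
    base = {"pam_nologin.so": "success", "pam_unix.so": "success"}
    otp_user = lambda otp: {**base, "pam_access.so": "fail", "pam_oath.so": otp}
    exempt = {**base, "pam_access.so": "success", "pam_oath.so": "fail"}  # oath is never consulted
    return {
        "sshd_otp_ok":       run_auth(sshd, otp_user("success")),
        "sshd_otp_bad":      run_auth(sshd, otp_user("fail")),
        "sshd_exempt":       run_auth(sshd, exempt),
        "sudo_otp_user_ok":  run_auth(sudo, otp_user("success")),
        "sudo_otp_user_bad": run_auth(sudo, otp_user("fail")),
        "sudo_non_otp":      run_auth(sudo, exempt),
    }

if __name__ == "__main__":
    for name, (result, trace) in scenarios().items():
        print(f"{name:18} {result:7}  " + " | ".join(trace))
```

The model keeps the two details that make the comment's stacks behave as described: a `done` action only terminates the stack when no earlier module has already recorded a failure (so `sufficient` cannot override a failed `required` module), and a numeric action is `ok` plus a skip count, which is what lets `[success=1 default=ignore]` route exempt users straight past pam_oath. Real pam_dispatch also distinguishes PAM_IGNORE and new-authtok returns, which this model collapses into success or fail.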