
Bug 302095

Summary: sys-auth/otpasswd One-time Passwords Authentication System (new package)
Product: Gentoo Linux
Reporter: Tomasz bla Fortuna <bla>
Component: New packages
Assignee: Default Assignee for New Packages <maintainer-wanted>
Status: CONFIRMED ---    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://savannah.nongnu.org/projects/otpasswd/
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Ebuild for RC1

Description Tomasz bla Fortuna 2010-01-24 20:05:37 UTC
I. Why
I'd like this ebuild included in portage/overlay because there's no similar software available currently. I know of three other systems like this one:
- otpw
- opie (kind of outdated but popular)
- pam-ppp (software on which otpasswd ideas are based)
- pam_sotp (this one is in sunrise; its development looks suspended)

But I guess all are inferior to OTPasswd currently.

II. What
The idea for all of them is similar; the software consists of some utility to manage "user state" and a PAM module to perform authentication. After installation/configuration, each time you have to log in with SSH you're asked for your normal password and a one-time pad. Even if your client session is keylogged, the attacker won't have enough information to log in himself.

One-time pads can be kept on printed paper cards or received via out-of-band channel communication (I use SMS).

III. Details
Ebuild info:
Tested successfully on x86 and amd64. At first I tried to fix bugs of pam-ppp and add some features, but I quickly decided to drop it completely and write a similar system from scratch. This one, after two months of coding, is much more advanced and well-documented.

It needs tests but this can be helped by placing it in portage/overlay. ;)
The program was also tested successfully under FreeBSD.
Comment 1 Tomasz bla Fortuna 2010-01-24 20:09:11 UTC
Created attachment 217325 [details]
Ebuild for RC1

This ebuild installs the software in the most versatile way, but requires suid-root. If this would make it harder for the ebuild to be used, it might be removed. otpasswd can work without suid while keeping its state inside user home directories.
Comment 2 Tomasz bla Fortuna 2010-01-24 20:10:53 UTC
*** Bug 292452 has been marked as a duplicate of this bug. ***