
I have a 2FA setup on my network for certain kinds of authentication, but not others. The way it currently works is a combination of pam_ldap for passwords, and pam_oath for TOTP. PAM is configured in a way that it requires only pam_ldap for local login/unlock, only pam_oath for SSH (because that already requires publickey), and both for sudo and su.

The problem with this setup is that pam_oath reads from /etc/users.oath. I need to periodically regenerate this file based on LDAP contents. Even worse, it also writes to this file, which I currently just ignore.

There is a TOTP module for OpenLDAP I want to try, called slapo-otp. This would solve the problem of having to keep the file in sync, but I would lose the option to skip it in some cases. I don't want to use it for unlocking the screen every time, people will just turn off the screen locker, honestly even I would do that.

Please give me some ideas.

stribika
  • "it also writes to `/etc/users.oath`, which I currently just ignore." -- You can't. It stores the timestamp of the last used OTP code there, so it can't be reused. You can't skip on that, since that would allow replaying a code the user already entered. (During those up to 30 or 60 seconds it's still valid, but that's plenty of time for an automated attacker, and enough for an attentive typist anyway.) Which pretty much also means that using the same keys on multiple different authentication servers is bound to be unsafe, so yes, you should move to handling it in LDAP. – ilkkachu Feb 17 '23 at 14:44
  • @ilkkachu Exactly. Every host has its own offset value, which is very broken. I'd always have this issue to some extent, even with push-based syncrepl, but it would be less broken. – stribika Feb 17 '23 at 15:19
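For reference, one PAM layout that implements the split described in the question (an added example, not the asker's actual configuration; the helper file name, the `include` mechanism and the pam_oath `usersfile`/`window` options are assumed from a Debian-style Linux-PAM setup):

```text
# /etc/pam.d/ldap-password   (assumed helper file: the password factor only)
auth    required    pam_ldap.so

# /etc/pam.d/login and the screen-locker service (assumed name, e.g.
# /etc/pam.d/xscreensaver): password only, so no TOTP prompt on unlock
auth    include     ldap-password

# /etc/pam.d/sshd: sshd already enforces publickey, so PAM adds only TOTP
auth    required    pam_oath.so usersfile=/etc/users.oath window=5
# matching /etc/ssh/sshd_config lines (assumed values):
#   UsePAM yes
#   KbdInteractiveAuthentication yes
#   AuthenticationMethods publickey,keyboard-interactive

# /etc/pam.d/sudo and /etc/pam.d/su: both factors, TOTP asked first
auth    required    pam_oath.so usersfile=/etc/users.oath window=5
auth    include     ldap-password
```

As the comments note, pam_oath rewrites `/etc/users.oath` after each accepted code to record the last one used, so the file is per-host state as well as configuration; regenerating it from LDAP discards that replay protection.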

0 Answers