URL:
<http://gna.org/task/?6297>
Summary: Submission of Barada: PAM Two-Factor Authentication
Project: Gna! Administration
Submitted by: moxie
Submitted on: Sunday 11/02/2008 at 21:36
Status: None
Approval Status: None
Should Start On: Sunday 11/02/2008 at 00:00
Should be Finished on: Wednesday 11/12/2008 at 00:00
Category: Project Approval
Priority: 5 - Normal
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
A new project has been registered at Gna!
This project account will remain inactive until a site admin approves or
discards the registration.
= Registration Administration =
While this item will be useful to track the registration process, *approving
or discarding the registration must be done using the specific Group
Administration <https://gna.org/siteadmin/groupedit.php?group_id=2810> page*,
accessible only to site administrators, effectively *logged as site
administrators* (superuser):
* Group Administration
<https://gna.org/siteadmin/groupedit.php?group_id=2810>
= Registration Details =
* Name: *Barada: PAM Two-Factor Authentication *
* System Name: *barada*
* Type: Programs
* License: GNU General Public License V3 or later
----
==== Description: ====
This is a PAM module is designed to provide two-factor authentication
support, based on an algorithm outlined in RFC 4226
<http://www.rfc-editor.org/rfc/rfc4226.txt> known as HOTP.
The basic problem is this: one might occasionally find it necessary to
access email or get a remote shell from a computer that is one's
own. The problem, however, is that it's often unwise to trust
computers that are not your own. This is particularly true for public
computers at libraries or internet cafes, which are a tempting option
when traveling.
There are solutions for this, of course. The two obvious choices are a
One Time Password system (like S/Key or OTPW) or a Two Factor
Authentication system (like RSA SecureID or CryptoCard). I prefer Two
Factor Authentication. What I don't like about OTP is that you have to
carry a list of passwords around with you, that there can be
logistical problems if you get to the end of your list while you're
still traveling, and that you have to type your constant "prefix"
password into untrusted computers. What I like about Two Factor
Authentication is that you have the security of two factors (something
you have and something you know) and that it solves the keystroke
logging problem in a more convenient way (no lists, no out of date
information, no typing of anything but a temporary access code into
untrusted computers).
Ironically, then, the problem with SecureID or CryptoCard is that
they're not convenient. They cost money to license, the hardware costs
money, and they're difficult to maintain. You have to setup a
dedicated Solaris machine with RADIUS support just to deploy SecureID,
which isn't really great for someone with a small setup.
And that's why this exists. It's an implementation of the HOTP
protocol in the form of a PAM module. Basically, in addition to a
normal password, users are also assigned a 20 byte key and
arbitrary-length PIN number. Every time you'd like to login using a
OTP, you calculate a secure hash based on your assigned PIN and an
increasing counter, the result of which is a six character one time
password.
This module goes above the normal authentication module in the PAM
stack, so at any moment you can either use your normal password or a
OTP interchangeably.
While this module could be used in conjunction with many different
client devices, it was written specifically with Android devices in
mind. There is companion software which runs on Android, so that your
phone essentially becomes a SecureID token. All you need to do is
open up the software, type in your PIN, and you get back a 6-character
number that you can use to login to your system.
The source is here:
http://www.thoughtcrime.org/software/mobileauth/index.html
==== Other Software Required: ====
PAM, openssl, boost
_______________________________________________________
Reply to this item at:
<http://gna.org/task/?6297>
_______________________________________________
Message sent via/by Gna!
http://gna.org/
_______________________________________________
Register mailing list
[email protected]
https://mail.gna.org/listinfo/register
