From: Tomasz bla Fortuna
To: freebsd-security@freebsd.org
Date: Mon, 7 Dec 2009 20:19:24 +0100
Message-ID: <20091207201924.5d6ef1bf@thera.be>
Subject: One-time password implementation.

Hello,

I've read the thread that took place on this list in February
(http://lists.freebsd.org/pipermail/freebsd-security/2009-February/005132.html),
which tries to find a new solution for OTP authentication, as the current
implementation of OPIE is kind of outdated.

I'm currently implementing a PAM module using the GRC Perfect Paper Passwords
algorithm (with small optional changes). It's far from a perfect/stable
release, yet all its main features work (printing passcards, generating keys,
switching flags, labelling passcards, PAM authentication and parts of
out-of-bound passcode transmission). The project is hosted here:
http://savannah.nongnu.org/projects/otpasswd/

It tries to fix all pitfalls of another existing implementation, namely
ppp-pam (http://code.google.com/p/ppp-pam/), which at first I just wanted to
fix and use.

Things that require fixing are testcases (there are too few), splitting into
a library+utility+pam_module, and most probably a little redesign to allow
user keys to be stored in /etc instead of their homes, which will require a
SUID utility.

I'm curious about your thoughts, whether there's any interest and, if so,
what should be done (and how you can help, of course. :P).

Licensing issue: It's currently developed under GPL3+, but as I'm currently
the only code-author I wouldn't hesitate much to relicense it under BSD if it
would make anyone happy (also note that it uses GMP[lgpl3+] as a bignum
library, PAM and OpenSSL).

System issue: I'm testing it currently using Linux, so after the program gets
a bit stable I would have to finally try it on FreeBSD. Most probably some
other interested person can review it and port it. I'll be glad to have it
working under fbsd, so I'll most probably do it myself sometime.

Cheers,
-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu a6c0*8884
www: http://bla.thera.be