From: Mark Fullmer <maf@eng.oar.net>
To: Tomasz bla Fortuna
Cc: freebsd-security@freebsd.org
Date: Mon, 7 Dec 2009 19:11:23 -0500
Subject: Re: One-time password implementation.
Message-Id: <73FE9669-75FD-4E2B-A238-68EAC6AA941B@eng.oar.net>
In-Reply-To: <20091207201924.5d6ef1bf@thera.be>
References: <20091207201924.5d6ef1bf@thera.be>
List-Id: "Security issues [members-only posting]"

I recently released a BSD licensed smart card based OTP system we've used over the past few years. It uses the OATH HOTP algorithm and includes an OTP library, PAM module, smart card firmware, pin pad reader firmware, associated management utilities and man page documentation. The smart card and reader(s) hardware can be purchased in single quantities and it all works natively with FreeBSD. The HOTP algorithm has gained some momentum with a few vendors now selling hardware tokens which should work with this software.

http://www.splintered.net/sw/otp

It might be easier to add GRC PPP to this than to start from scratch.

-- 
mark

On Dec 7, 2009, at 2:19 PM, Tomasz bla Fortuna wrote:

> Hello,
> I've read the thread that took place on this list in February
> (http://lists.freebsd.org/pipermail/freebsd-security/2009-February/005132.html)
> which tries to find a new solution for OTP authentication as the current
> implementation of OPIE is kind of outdated.
>
> I'm currently implementing a PAM module using the GRC Perfect Paper
> Passwords algorithm (with small optional changes). It's far from a
> perfect/stable release, yet all its main features work (printing
> passcards, generating keys, switching flags, labelling passcards, PAM
> authentication and parts of out-of-band passcode transmission).
>
> The project is hosted here:
> http://savannah.nongnu.org/projects/otpasswd/
>
> It tries to fix all the pitfalls of another existing implementation, namely
> ppp-pam (http://code.google.com/p/ppp-pam/), which at first I just
> wanted to fix and use.
>
> Things that require fixing are test cases (there are too few),
> splitting into a library + utility + PAM module, and most probably a little
> redesign to allow user keys to be stored in /etc instead of their homes,
> which will require a SUID utility.
>
> I'm curious about your thoughts, if there's any interest and if so, what
> should be done (and how you can help, of course. :P).
>
> Licensing issue:
> It's currently developed under GPL3+, but as I'm currently the only
> code author I wouldn't hesitate much to relicense it under BSD if it
> would make anyone happy (also note that it uses GMP [LGPL3+] as a bignum
> library, PAM and OpenSSL).
>
> System issue:
> I'm testing it currently using Linux, so after the program gets a bit
> stable I would have to finally try it on FreeBSD. Most probably some
> other interested person can review it and port it. I'll be glad to have it
> working under FreeBSD so I'll most probably do it myself sometime.
>
> Cheers,
> -- 
> Tomasz bla Fortuna
> jid: bla(at)af.gliwice.pl
> pgp: 0x90746E79 @ pgp.mit.edu a6c0*8884
> www: http://bla.thera.be