Debian Bug report logs - #562968
ITP: otpasswd -- one-time passwords implementation for PAM

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Luke Faraone <luke@faraone.cc>

Date: Tue, 29 Dec 2009 17:15:04 UTC

Owned by: Tomasz bla Fortuna <tomasz.fortuna@jakby.co>

Severity: wishlist



Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, <wnpp@debian.org>:
Bug#562968; Package wnpp. (Tue, 29 Dec 2009 17:15:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luke Faraone <luke@faraone.cc>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, <wnpp@debian.org>. (Tue, 29 Dec 2009 17:15:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Luke Faraone <luke@faraone.cc>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ITP: otpasswd -- one-time passwords implementation for PAM
Date: Tue, 29 Dec 2009 12:05:20 -0500
Package: wnpp
Severity: wishlist
Owner: Luke Faraone <luke@faraone.cc>


* Package name    : otpasswd
  Version         : 0.4
  Upstream Author :  Tomasz bla Fortuna <bla@thera.be> 
* URL             : http://savannah.nongnu.org/projects/otpasswd/ 
* License         : GPLv3+
  Programming Lang: C
  Description     : one-time passwords implementation for PAM

otpasswd consists of a PAM module and a user utility. With the
utility the user manages his "state" file: creates his KEY, manages flags
and prints passcards with one-time passwords.

The PAM module enables (for example) OpenSSH to do authentication using a
one-time password with the information from the user's state file.

The program is written in C (C99) and implements OTP as described in
"Perfect Paper Passwords", a description of which can be found here:
https://www.grc.com/ppp.htm
This program also somewhat extends this idea with a "salt".

Unlike OPIE, otpasswd uses modern hashing algorithms and supports offline
/ out-of-band use.




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, Luke Faraone <luke@faraone.cc>:
Bug#562968; Package wnpp. (Tue, 29 Dec 2009 20:24:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to The Fungi <fungi@yuggoth.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, Luke Faraone <luke@faraone.cc>. (Tue, 29 Dec 2009 20:24:02 GMT) Full text and rfc822 format available.

Message #10 received at 562968@bugs.debian.org (full text, mbox):

From: The Fungi <fungi@yuggoth.org>
To: 562968@bugs.debian.org
Subject: Re: Bug#562968: ITP: otpasswd -- one-time passwords implementation for PAM
Date: Tue, 29 Dec 2009 20:22:35 +0000
On Tue, Dec 29, 2009 at 12:05:20PM -0500, Luke Faraone wrote:
[...]
> Unlike OPIE, otpasswd uses modern hashing algorithms and supports offline
> / out-of-band use.

A compare/contrast with the libpam-otpw package would also be
interesting.
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi@yuggoth.org); IRC(fungi@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@yuggoth.org);
MUD(fungi@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#562968; Package wnpp. (Tue, 29 Dec 2009 21:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luke Faraone <luke@faraone.cc>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. (Tue, 29 Dec 2009 21:54:06 GMT) Full text and rfc822 format available.

Message #15 received at 562968@bugs.debian.org (full text, mbox):

From: Luke Faraone <luke@faraone.cc>
To: The Fungi <fungi@yuggoth.org>, 562968 <562968@bugs.debian.org>
Cc: otpasswd-talk <otpasswd-talk@nongnu.org>
Subject: Re: Bug#562968: ITP: otpasswd -- one-time passwords implementation for PAM
Date: Tue, 29 Dec 2009 13:49:33 -0800
[Message part 1 (text/plain, inline)]
On Tue, Dec 29, 2009 at 12:22, The Fungi <fungi@yuggoth.org> wrote:

> On Tue, Dec 29, 2009 at 12:05:20PM -0500, Luke Faraone wrote:
> > Unlike OPIE, otpasswd uses modern hashing algorithms and supports
> > offline / out-of-band use.
>
> A compare/contrast with the libpam-otpw package would also be
> interesting.
>

I might not be the best person to do this, so I've CC'd the otpasswd-talk
discussion list to solicit better explanations.

otpasswd allows both the use of an optional (via ~/.otpasswd) and a global
policy-enforced system. In the "global" system, it would be SGID (SUID as
well?) to a shared otpasswd user. Via such a centralized database, the
systems administrator can prevent passcard reuse as well as enforce length
requirements etc. From what I've read, such an architecture makes it easier to use
one-time passwords with an LDAP backend as well, but I haven't tried it.

otpasswd, when set to be PPP-compatible, also allows interoperability with a
variety of client applications <https://www.grc.com/ppp/software.htm>.

That said, I have not studied OTPW nor the security of otpasswd closely, and
would advise anybody making a choice between the two to perform their own
research.

Luke Faraone
http://luke.faraone.cc
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, Luke Faraone <luke@faraone.cc>:
Bug#562968; Package wnpp. (Wed, 30 Dec 2009 11:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tomasz bla Fortuna <bla@thera.be>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, Luke Faraone <luke@faraone.cc>. (Wed, 30 Dec 2009 11:39:06 GMT) Full text and rfc822 format available.

Message #20 received at 562968@bugs.debian.org (full text, mbox):

From: Tomasz bla Fortuna <bla@thera.be>
To: Luke Faraone <luke@faraone.cc>
Cc: The Fungi <fungi@yuggoth.org>, 562968 <562968@bugs.debian.org>, otpasswd-talk <otpasswd-talk@nongnu.org>
Subject: Re: [Otpasswd-talk] Re: Bug#562968: ITP: otpasswd -- one-time passwords implementation for PAM
Date: Wed, 30 Dec 2009 12:27:36 +0100
[Message part 1 (text/plain, inline)]
Dnia 2009-12-29, o godz. 13:49:33
Luke Faraone <luke@faraone.cc> wrote:

> On Tue, Dec 29, 2009 at 12:22, The Fungi <fungi@yuggoth.org> wrote:
> 
> > On Tue, Dec 29, 2009 at 12:05:20PM -0500, Luke Faraone wrote:
> > > Unlike OPIE, otpasswd uses modern hashing algorithms and supports
> > > offline / out-of-band use.
> >
> > A compare/contrast with the libpam-otpw package would also be
> > interesting.
> >
> 
> I might not be the best person to do this, so I've CC'd the
> otpasswd-talk discussion list to solicit better explanations.

The biggest difference is the way those projects handle generation of
passcodes. OTPW generates many and stores them hashed. We have key +
counter, which is a bit more elastic. Given some way of receiving
new passcodes in a safe manner (any OOB communication like SMS,
which is already implemented), it's generally impossible to run out of
passcodes. There are around 2^32 passcodes in the salted version and 2^128 in
the non-salted one.

Idea of key+counter allows us to easily export state data (if allowed
by policy) and import into, say, java mobile phone application which
can then generate passcodes.

> 
> otpasswd allows both the use of an optional (via ~/.otpasswd) and a
> global policy-enforced system. In the "global" system, it would be
> SGID (SUID as well?) to a shared otpasswd user. Via such a
SUID to some special user ("otpasswd" proposed) (SGID had a
signal-reception problem).
> centralized database, the systems administrator can prevent passcard
> reuse as well as enforce length requirements etc. From what I've read, such an
> architecture makes it easier to use one-time passwords with an LDAP
> backend as well, but I haven't tried it.
LDAP and MySQL are not yet implemented, but there's a place for it and
motivation to write it. SUID allows us to store the password for
LDAP and MySQL somewhere (and in the case of this configuration SUID is dropped as
soon as we get this information).

Many policies are implemented currently; many more we will implement and
test shortly.

> 
> otpasswd, when set to be PPP-compatible, also allows interoperability
> with a variety of client applications
> <https://www.grc.com/ppp/software.htm>.
> 
> That said, I have not studied OTPW nor the security of otpasswd
> closely, and would advise anybody making a choice between the two to
> perform their own research.
I too would have to look closer at it. From what I've read I didn't
like its way of handling race-for-last-key attacks and parallel
logins. If somebody likes, he should be able to use OTPW, but I think
that it's time to make OPIE obsolete.


Regards,
-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be
[signature.asc (application/pgp-signature, attachment)]
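The two state models contrasted in the message above (OTPW's pre-generated list of hashed passcodes versus otpasswd's key plus counter), as an added toy model that is not code from either project. The passcode derivation (HMAC-SHA256 over the counter, written out in a 64-character alphabet), the alphabet itself, and the way a login attempt reserves a counter index are assumptions for illustration, not the PPP or otpasswd algorithms. It shows why the key+counter state can be exported to another device and never runs out, while the hashed list is exhausted after a fixed number of logins:

```python
"""Toy model of two one-time-password state designs (added example).

HashedListState  -- OTPW-style: N passcodes generated once, printed, and only
                    their salted hashes kept on the server.
KeyCounterState  -- otpasswd-style: a secret key plus the index of the next
                    unused passcode; any passcode is recomputable from both.
Derivation and alphabet below are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets
import threading

# 64-character alphabet: digits and letters minus the easily confused
# 0/O/1/l/I, plus a few symbols. Illustrative choice, not otpasswd's.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz!#%+=?@"
assert len(ALPHABET) == 64


def passcode_from_counter(key: bytes, counter: int, length: int = 4) -> str:
    """Derive passcode number `counter` from a 256-bit key (assumed scheme:
    HMAC-SHA256 of the big-endian counter, emitted base 64 in ALPHABET)."""
    mac = hmac.new(key, counter.to_bytes(16, "big"), hashlib.sha256).digest()
    n = int.from_bytes(mac, "big")
    chars = []
    for _ in range(length):
        chars.append(ALPHABET[n % 64])
        n //= 64
    return "".join(chars)


class HashedListState:
    """Fixed list of random passcodes; server keeps only salted hashes."""

    def __init__(self, count: int, length: int = 4):
        self.salt = secrets.token_bytes(16)
        codes = set()
        while len(codes) < count:  # distinct codes so each hash is unique
            codes.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
        self._to_print = sorted(codes)  # handed to the printer once
        self.hashes = {self._h(c) for c in codes}

    def _h(self, code: str) -> bytes:
        return hashlib.sha256(self.salt + code.encode()).digest()

    def take_printout(self) -> list:
        codes, self._to_print = self._to_print, []  # never stored after printing
        return codes

    def remaining(self) -> int:
        return len(self.hashes)

    def verify(self, candidate: str) -> bool:
        h = self._h(candidate)
        if h in self.hashes:
            self.hashes.remove(h)  # one-time: the same code is never accepted twice
            return True
        return False


class KeyCounterState:
    """Key + next-counter state; passcards and exports are derived, not stored."""

    def __init__(self, key=None, counter: int = 0, length: int = 4):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.counter = counter
        self.length = length
        self._lock = threading.Lock()

    def export_state(self) -> dict:
        """What a policy-permitted export to a phone app would carry."""
        return {"key": self.key.hex(), "counter": self.counter}

    @classmethod
    def import_state(cls, state: dict) -> "KeyCounterState":
        return cls(bytes.fromhex(state["key"]), state["counter"])

    def passcard(self, first: int, count: int) -> list:
        """Regenerate any range of passcodes, e.g. to print a fresh card."""
        return [(i, passcode_from_counter(self.key, i, self.length))
                for i in range(first, first + count)]

    def begin_login(self) -> int:
        """Reserve a passcode index for this attempt. Advancing under the lock
        at prompt time (an assumed policy) means two parallel logins never
        share a passcode, and a failed or abandoned attempt burns its
        passcode instead of leaving it open to a racing guesser."""
        with self._lock:
            idx = self.counter
            self.counter += 1
            return idx

    def verify(self, idx: int, candidate: str) -> bool:
        expected = passcode_from_counter(self.key, idx, self.length)
        return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    server = KeyCounterState()
    for idx, code in server.passcard(0, 8):
        print(idx, code)
    idx = server.begin_login()
    print("login", idx, server.verify(idx, passcode_from_counter(server.key, idx)))
```

Burning a passcode on every prompt means an attacker hammering the login prompt can exhaust a printed card; with the key+counter design the cost is a reprint or an out-of-band delivery of the next code, whereas the hashed list has nothing left to give once its hashes are gone.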

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, Luke Faraone <luke@faraone.cc>:
Bug#562968; Package wnpp. (Wed, 30 Dec 2009 15:51:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to The Fungi <fungi@yuggoth.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, Luke Faraone <luke@faraone.cc>. (Wed, 30 Dec 2009 15:51:13 GMT) Full text and rfc822 format available.

Message #25 received at 562968@bugs.debian.org (full text, mbox):

From: The Fungi <fungi@yuggoth.org>
To: 562968 <562968@bugs.debian.org>, otpasswd-talk <otpasswd-talk@nongnu.org>
Subject: Re: [Otpasswd-talk] Re: Bug#562968: ITP: otpasswd -- one-time passwords implementation for PAM
Date: Wed, 30 Dec 2009 15:47:24 +0000
On Wed, Dec 30, 2009 at 12:27:36PM +0100, Tomasz bla Fortuna wrote:
[...]
> If somebody likes he should be able to use OTPW, but I think that
> it's a time to make OPIE obsolete.

Thanks for the writeup! I'd definitely like to see this included in
Debian (and other operating systems, for that matter). I switched
from OPIE to OTPW a few years ago over similar security concerns,
but OTPW hasn't really been actively maintained upstream since '03
and this project sounds like not only a great alternative, but also
an improvement in both functionality and security.
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi@yuggoth.org); IRC(fungi@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@yuggoth.org);
MUD(fungi@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Luke Faraone <luke@faraone.cc>:
Bug#562968; Package wnpp. (Sat, 19 Feb 2011 17:10:22 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Luke Faraone <luke@faraone.cc>. (Sat, 19 Feb 2011 17:10:22 GMT) Full text and rfc822 format available.

Message #30 received at 562968@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@debian.org>
To: 562968@bugs.debian.org
Cc: control@bugs.debian.org
Subject: otpasswd: changing back from ITP to RFP
Date: Sat, 19 Feb 2011 17:06:48 +0000
retitle 562968 RFP: otpasswd -- one-time passwords implementation for PAM
noowner 562968
thanks

Hi,

This is an automatic email to change the status of otpasswd back from ITP
(Intent to Package) to RFP (Request for Package), because this bug hasn't seen
any activity during the last 6 months.

If you are still interested in adopting otpasswd, please send a mail to
<control@bugs.debian.org> with:

 retitle 562968 ITP: otpasswd -- one-time passwords implementation for PAM
 owner 562968 !
 thanks

However, it is not recommended to keep ITP for a long time without acting on
the package, as it might cause other prospective maintainers to refrain from
packaging that software. It is also a good idea to document your progress on
this ITP from time to time, by mailing <562968@bugs.debian.org>.

Thank you for your interest in Debian,
-- 
Lucas, for the QA team <debian-qa@lists.debian.org>




Changed Bug title to 'RFP: otpasswd -- one-time passwords implementation for PAM' from 'ITP: otpasswd -- one-time passwords implementation for PAM' Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Sat, 19 Feb 2011 17:11:16 GMT) Full text and rfc822 format available.

Removed annotation that Bug was owned by Luke Faraone <luke@faraone.cc>. Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Sat, 19 Feb 2011 17:11:17 GMT) Full text and rfc822 format available.

Changed Bug title to 'ITP: otpasswd -- one-time passwords implementation for PAM' from 'RFP: otpasswd -- one-time passwords implementation for PAM' Request was from Tomasz bla Fortuna <tomasz.fortuna@jakby.co> to control@bugs.debian.org. (Sun, 27 Oct 2013 03:57:07 GMT) Full text and rfc822 format available.

Owner recorded as Tomasz bla Fortuna <tomasz.fortuna@jakby.co>. Request was from Tomasz bla Fortuna <tomasz.fortuna@jakby.co> to control@bugs.debian.org. (Sun, 27 Oct 2013 03:57:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Tomasz bla Fortuna <tomasz.fortuna@jakby.co>:
Bug#562968; Package wnpp. (Sun, 27 Oct 2013 04:18:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tomasz bla Fortuna <bla@thera.be>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Tomasz bla Fortuna <tomasz.fortuna@jakby.co>. (Sun, 27 Oct 2013 04:18:05 GMT) Full text and rfc822 format available.

Message #43 received at 562968@bugs.debian.org (full text, mbox):

From: Tomasz bla Fortuna <bla@thera.be>
To: 562968@bugs.debian.org
Subject: RFS: otpasswd/0.8-1 [ITP]
Date: Sun, 27 Oct 2013 05:07:51 +0100
[Message part 1 (text/plain, inline)]
Hello,

I've just redone the package. The latest is available at
http://mentors.debian.net/package/otpasswd

I intend to test it and update it in case any bugs are found. It
currently works for me on a single machine.

I'd love to see this package included in Debian and I'm willing to
maintain it - along with the upstream. 

Therefore - I'm looking for a sponsor.


 * Package name    : otpasswd
   Version         : 0.8-1
   Upstream Author : Tomasz bla Fortuna <bla@thera.be>
 * URL             : http://otpasswd.thera.be
 * License         : GNU GPL3. I intend to relicense to BSD-like.
   Section         : admin

It builds those binary packages:
  libpam-otpasswd - one-time passwords implementation, PAM module
  otpasswd-bin - one-time passwords implementation, system utility

dget -x http://mentors.debian.net/debian/pool/main/o/otpasswd/otpasswd_0.8-1.dsc


Thanks,
-- 
Tomasz bla Fortuna
jid: bla(at)thera.be
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be
[signature.asc (application/pgp-signature, attachment)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:46:15 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.