Re: Support OTP
- From: twb-nss-pam-ldapd-users [at] cyber.com.au
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Cc: Dave Macias <davama [at] gmail.com>
- Subject: Re: Support OTP
- Date: Tue, 12 Mar 2019 12:31:58 +1100
Arthur de Jong wrote:
> On Thu, 2019-03-07 at 11:22 -0500, Dave Macias wrote:
>> Any thoughts of including otp ?
>> https://symas.com/two-factor-authentication-everywhere/
>> https://github.com/openldap/openldap/tree/master/contrib/slapd-modules/passwd/totp
>
> [...]
> The most common way of setting up two-factor authentication is by using
> PAM and have one module for validating the password and one for
> validating the OTP.

See also:

https://duo.com/docs/duounix (SMS OTP to a phone)
https://www.cl.cam.ac.uk/~mgk25/otpw.html (Lamport-style "something you have" OTPs)

I have used & can recommend otpw for SSHing from a facility where
wallets are allowed, but personal computers/phones are banned.

If you're interested in hardware, see also:

https://en.wikipedia.org/wiki/Common_Access_Card
https://en.wikipedia.org/wiki/Yubikey

AFAICT Symas's approach happens in slapd, not PAM, so

1) I guess leverages LDAP replication to better keep many auth servers in
   sync?; and
2) talks to Google Authenticator, which is already used on "every" smartphone?
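
The PAM arrangement described in the quoted text above (one module validating the password, one validating the OTP), as an added example that is not part of the original message or of the nss-pam-ldapd documentation. It assumes an sshd service, nss-pam-ldapd's pam_ldap.so for the LDAP password, and pam_otpw.so from the otpw package linked above as the second factor; the file paths and module choice are assumptions.

```conf
# /etc/pam.d/sshd  (auth lines only; constructed example)
#
# WEAK: "sufficient" ends the auth stack with success as soon as the
# LDAP password is accepted, so the OTP module is never consulted and
# the account is effectively single-factor.
#
#   auth  sufficient  pam_ldap.so
#   auth  required    pam_otpw.so
#
# CORRECTED: both modules are "required", so both must succeed.
# With "required", a failed password check does not stop the stack:
# the OTP prompt still appears and the login fails at the end, which
# avoids telling the client which of the two factors was wrong.
auth  required  pam_ldap.so
auth  required  pam_otpw.so

# /etc/ssh/sshd_config  (constructed example)
#
# A two-prompt PAM stack needs keyboard-interactive authentication.
# Plain password authentication hands PAM a single string and cannot
# answer the second (OTP) prompt.
UsePAM yes
# Named ChallengeResponseAuthentication in older OpenSSH releases.
KbdInteractiveAuthentication yes
PasswordAuthentication no
```

After changing either file, keep an existing root session open and test a fresh login in a second terminal before closing it, so a mistake in the stack cannot lock you out.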