lists.arthurdejong.org
RSS feed

Re: Support OTP

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Support OTP



Arthur de Jong wrote:
> On Thu, 2019-03-07 at 11:22 -0500, Dave Macias wrote:
>> Any thoughts of including otp ?
>> https://symas.com/two-factor-authentication-everywhere/
>> https://github.com/openldap/openldap/tree/master/contrib/slapd-modules/passwd/totp
>
> [...]
> The most common way of setting up two-factor authentication is by using
> PAM and have one module for validating the password and one for
> validating the OTP.

See also:

    https://duo.com/docs/duounix                (SMS OTP to a phone)
    https://www.cl.cam.ac.uk/~mgk25/otpw.html   (Lamport-style "something you 
have" OTPs)

I have used & can recommend otpw for SSHing from a facility where
wallets are allowed, but personal computers/phones are banned.

If you're interested in hardware, see also:

    https://en.wikipedia.org/wiki/Common_Access_Card
    https://en.wikipedia.org/wiki/Yubikey

AFAICT Symas's approach happens in slapd, not PAM, so
1) I guess leverages LDAP replication to better keep many auth servers in 
sync?; and
2) talks to Google Authenticator, which is already used on "every" smartphone?
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/