
Bug#562968: [Otpasswd-talk] Re: Bug#562968: ITP: otpasswd -- one-time passwords implementation for PAM



On 2009-12-29, at 13:49:33,
Luke Faraone <luke@faraone.cc> wrote:

> On Tue, Dec 29, 2009 at 12:22, The Fungi <fungi@yuggoth.org> wrote:
> 
> > On Tue, Dec 29, 2009 at 12:05:20PM -0500, Luke Faraone wrote:
> > > Unlike OPIE, otpasswd uses modern hashing algorithms and supports
> > > offline / out-of-band use.
> >
> > A compare/contrast with the libpam-otpw package would also be
> > interesting.
> >
> 
> I might not be the best person to do this, so I've CC'd the
> otpasswd-talk discussion list to solicit better explanations.

The biggest difference is the way those projects handle generation of
passcodes. OTPW generates many and stores them hashed. We have key +
counter, which is a bit more elastic. Given some way of receiving
new passcodes in a safe manner (any OOB communication like SMS,
which is already implemented), it's generally impossible to run out of
passcodes. There are around 2^32 passcodes in the salted version and 2^128 in
the non-salted one.

The idea of key+counter allows us to easily export state data (if allowed
by policy) and import it into, say, a Java mobile phone application which
can then generate passcodes.

> 
> otpasswd allows both the use of an optional (via ~/.otpasswd) and
> global policy-enforced system. In the "global" system, it would be
> SGID (SUID as well?) to a shared otpasswd user.
SUID to some special user (otpasswd proposed) (SGID had a
signal-reception problem).
> Via such a centralized database, the systems administrator can prevent
> passcard reuse as well as length requirements etc. From what I've such an
> architecture makes it easier to use one-time-passwords on an LDAP
> backend as well, but I haven't tried it.
LDAP and MySQL are not yet implemented, but there's room for them and
motivation to write them. SUID allows us to store the password for
LDAP and MySQL somewhere (and in this configuration SUID is dropped as
soon as we get this information).

Many policies are currently implemented; more will be implemented and
tested shortly.

> 
> otpasswd, when set to be PPP-compatible, also allows interoperability
> with a variety of client applications
> <https://www.grc.com/ppp/software.htm>.
> 
> That said, I have not studied OTPW nor the security of otpasswd
> closely, and would advise anybody making a choice between the two to
> perform their own research.
I too would have to look closer at it. From what I've read, I didn't
like its way of handling race-for-last-key attacks and parallel
logins. If somebody likes, he should be able to use OTPW, but I think
that it's time to make OPIE obsolete.


Regards,
-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be
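As an added illustration of the contrast drawn above (example code written for this page, not otpasswd's or OTPW's own; the HMAC-SHA256 derivation, the passcode alphabet and the advance-on-every-attempt policy are assumptions), a key + counter verifier with exportable state beside an OTPW-style list of pre-generated, hashed passcodes:

```python
import hashlib
import hmac
import json
import secrets

# Constructed alphabet for the demo (no 0/O/1/l look-alikes); not otpasswd's or PPP's table
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def passcode(key: bytes, counter: int, length: int = 8) -> str:
    """Derive passcode number `counter` from the secret key (hypothetical HMAC-SHA256 scheme)."""
    digest = hmac.new(key, counter.to_bytes(16, "big"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])

class CounterState:
    """Key + counter: passcodes are derived on demand, and the state is small enough to export."""
    def __init__(self, key: bytes, counter: int = 0) -> None:
        self.key, self.counter = key, counter

    def next_passcode(self) -> str:
        return passcode(self.key, self.counter)  # what the client derives for this counter

    def verify(self, candidate: str) -> bool:
        # Advance before comparing: every attempt consumes its passcode, so a replayed or
        # overheard code, and a parallel login racing for the same counter, both fail.
        expected = passcode(self.key, self.counter)
        self.counter += 1
        return hmac.compare_digest(expected.encode(), candidate.encode())

    def export_state(self) -> str:
        # Everything another device needs to generate passcodes; guard it like the key itself
        return json.dumps({"key": self.key.hex(), "counter": self.counter})

    @classmethod
    def import_state(cls, blob: str) -> "CounterState":
        state = json.loads(blob)
        return cls(bytes.fromhex(state["key"]), state["counter"])

class HashedList:
    """OTPW-style: a finite batch is generated up front and only its hashes are stored."""
    def __init__(self, count: int) -> None:
        self.codes = [secrets.token_hex(4) for _ in range(count)]  # handed to the user
        self.hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.codes}

    def verify(self, candidate: str) -> bool:
        digest = hashlib.sha256(candidate.encode()).hexdigest()
        if digest not in self.hashes:
            return False
        self.hashes.discard(digest)  # usable once; when the set is empty a new batch is needed
        return True
```

Consuming the counter on a failed attempt costs one passcode per typo, which is affordable when passcodes are derived rather than printed in a fixed batch.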


