Bug#564820: ITP: libpam-barada -- PAM module to provide two-factor authentication based on HOTP

01-12-2010, 01:22 AM

Package: wnpp
Severity: wishlist
Owner: Andrew Pollock <apollock@debian.org>

* Package name : libpam-barada
Version : 0.4
Upstream Author : Moxie Marlinspike <moxie@thoughtcrime.org>
* URL : http://barada.sourceforge.net/
* License : GPL
Programming Lang: C++
Description : PAM module to provide two-factor authentication based on HOTP

Use HOTP (RFC4226) two-factor authentication with PAM.
.
In addition to a normal password, users are also assigned a 128 bit key and
arbitrary-length PIN number. Every time you'd like to login using a OTP, you
calculate a secure hash based on your assigned PIN and an increasing counter,
the result of which is a six character one time password.
.
While this module could be used in conjunction with many different
client devices, it was written specifically with Android devices in
mind. There is companion software which runs on Android, so that your
phone essentially becomes a SecureID token. All you need to do is
open up the software, type in your PIN, and you get back a 6-character
number that you can use to login to your system.

-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

01-12-2010, 07:35 PM

[Andrew Pollock]
> * Package name : libpam-barada
> Description : PAM module to provide two-factor authentication based on HOTP

I would suggest that the PAM architecture is better suited to providing
only _one_ factor of authentication per plugin. Does this module
really implement two factors? If not, you probably shouldn't claim
that it does.

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

01-12-2010, 09:01 PM

Peter Samuelson <peter@p12n.org> writes:
> [Andrew Pollock]

>> * Package name : libpam-barada
>> Description : PAM module to provide two-factor authentication based on HOTP

> I would suggest that the PAM architecture is better suited to providing
> only _one_ factor of authentication per plugin. Does this module really
> implement two factors? If not, you probably shouldn't claim that it
> does.

I don't know about this module in particular, but it's certainly possible
for a PAM module to provide a system interface for a two-factor
authentication system. For example, use of a hardware smart card plus a
pass code is a two-factor authentication system, and if the PAM module
prompts the user to enter the smart card, prompts for the pass code, and
then uses the libraries to verify the pass code and the smart card, that's
a two-factor authentication system implemented in a PAM module.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org