pam-webauth-otp

Warning

This package is orphaned. Although I believe it is still useful, I no longer use WebAuth and am no longer maintaining this PAM module. If you would like to pick up maintenance of this package, please feel free. Contact me if you would like this page to redirect to its new home.

Description

WebAuth is a site-wide web authentication system that uses a central login server. That login server supports multifactor authentication (and other features) via a user information service provided by the local site. OTP-based multifactor authentication is validated by WebAuth via calls to the validate function in that user information service.

pam-webauth-otp is a PAM module that performs the same API calls as the WebAuth login server, allowing the same infrastructure and OTP database to be used to secure authentications that use PAM. The user is prompted for an OTP code, which is then validated by a call to the validate function of a WebAuth user information service. Any middleware that speaks the WebAuth user information service protocol can be used, whether or not it is also used for a WebAuth deployment.

This module currently only supports OTP mechanisms where the user can supply a code without any further interaction. SMS, which requires a call to send the SMS message before prompting the user, is not currently supported.

Requirements

The PAM implementations on Linux, Solaris, Mac OS X, HP-UX, and AIX should theoretically work, although the module is only tested on Linux. Use on platforms with other PAM implementations, such as IRIX or the *BSDs, will require more porting and will not currently work. Patches are welcome.

The module is written in C and should hopefully build on any system with an adequate PAM library that Libtool supports.

pam-webauth-otp requires libwebauth from WebAuth 4.5 or later. WebAuth must be built with remctl support.

pam-webauth-otp can optionally read configuration from krb5.conf as well as PAM options; for this, Kerberos libraries are also required. This functionality should work with either MIT Kerberos or Heimdal, but will probably not work on Mac OS X since the krb5_appdefault* APIs are crippled on that platform.

Running the complete test suite requires the remctld program be installed in /usr/sbin, /usr/local/sbin, or a directory on the builder's PATH. In addition, Perl 5.6 or later plus the following Perl modules are required for some tests:

All are available on CPAN. Those tests will be skipped if the modules are not available.

To enable tests that may be sensitive to the local environment or that produce a lot of false positives without uncovering many problems, set RRA_MAINTAINER_TESTS to a true value.

Download

The distribution:

pam-webauth-otp 1.0 2013-09-16 tar.gz (PGP signature) tar.xz (PGP signature)

An archive of older releases is also available.

A Debian packages is available from my personal repository as libpam-webauth-otp.

pam-webauth-otp is maintained using the Git version control system. To check out the current development tree, clone:

    git://git.eyrie.org/kerberos/pam-webauth-otp.git

You can also browse the current development source.

Documentation

User documentation:

Developer documentation:

License

The pam-webauth-otp package as a whole is covered by the following license:

Copyright 2013 The Board of Trustees of the Leland Stanford Junior University

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the pam-webauth-otp source distribution.

Last modified and spun 2014-08-10