pam-webauth-otp 1.0

One of the things that was added to WebAuth when we added support for multifactor authentication was the ability to talk to an external user information service. We wanted to keep the details of the multifactor authentication implementation out of WebAuth itself and encapsulate them in a service that WebAuth calls so that we could replace it with something else later and so that each site could do multifactor authentication in their own way. (It looks like we're going to be using that capability, so I'm very glad we designed it that way.)

That, however, also means that the same interface used by WebAuth could be used for other things. This PAM module is the first non-WebAuth use of that API. It provides the ability to prompt for an OTP code as part of the PAM authentication stack and then verify that code against the WebAuth user information service.

This is only the bare beginnings of a full PAM integration with the user information service, and it doesn't do lots of things that it could. (For example, do anything with the list of configured factors, show reasonable error messages if a user doesn't have the right things configured, or even support the SMS multifactor method that requires a callout to send the SMS message in advance of the authentication.) But it works, and for any multifactor method that doesn't require a user interaction beyond a code entry, it's fairly clean.

This is the first public release, with documentation and a test suite. (There was an earlier, undocumented internal 0.1 release.) It's too soon to say whether we'll keep using this in the long run, but we're using it right now in production and will continue to do so for a little bit at least. I suspect this will prove a viable long-term approach, with some possible changes to the way the user information service abstraction layer works.

You can get the latest version from the pam-webauth-otp distribution page.

Posted: 2013-09-16 16:53

Last spun 2022-02-06 from thread modified 2013-09-16