
OTPASSWD

 

NAME

~/.otpasswd - OTPasswd user state information file  

DESCRIPTION

This file is used to store the user state information in the user's $HOME directory and in the /etc/otpasswd/otshadow global file for the OTPasswd one-time password authentication system. The only difference is that the system-wide database contains records for all users with OTPasswd state information.

The ~/.otpasswd file contains all state information required for the OTPasswd system to properly authenticate a user.

 

FORMAT

OTPasswd user state information is formatted as a single line of plain text with 14 fields delimited by colons (':'). Note that the currently documented database format is version 1. The fields are as follows:

1. Login name
2. State file version number
3. Sequence Key
4. Passcode Counter
5. Last passcard printed
6. Total Authentication Failures
7. Recent Authentication Failures
8. Time of Last OOB Channel Use
9. Passcode Length
10. Alphabet ID
11. Operation Flags
12. Static Password Hash
13. Time of Static Password Change
14. Passcard Label
15. Channel Contact Information

 

FIELD DEFINITIONS

Login name
The standard symbolic system username. [Type: string] (FIELD_USER)
State file version number
This version number determines the format and interpretation for subsequent fields, and allows for OTPasswd software version interoperability. [Type: decimal] (FIELD_VERSION)
Sequence Key
The cryptographic sequence key which is used as one input to the Rijndael (AES) cipher to generate passcodes. [Type: hex] (FIELD_KEY)
Passcode Counter
The sequential passcode counter which is used as the other input to the AES cipher for passcode generation. Depending on the configuration, this counter may either start with one (1), or a 96-bit cryptographic salt may be added to it to increase entropy. See otpasswd(1) for more information. [Type: hex] (FIELD_COUNTER)
Last Passcard
The number of the last printed passcard. This value allows for simple management of the next passcards that must be printed, as well as provides the ability to issue warnings that the passcard supply is dwindling. [Type: hex] (FIELD_LATEST_CARD)
Total Authentication Failures
A cumulative total of the number of OTPasswd authentication failures. Useful to obtain a subjective feeling for general system performance. [Type: decimal] (FIELD_FAILURES)
Recent Authentication Failures
Total authentication failures since last reset. Useful measure to get an idea of whether user's login password has been compromised. [Type: decimal] (FIELD_RECENT_FAILURES)
Time of Last OOB Channel Use
Timestamp of the last out-of-band (OOB) channel use in seconds. This timestamp allows throttling the rate at which OOB passcodes are sent, as well as allowing the expiration of the OOB passcodes. Both the OOB transmission rate and time-to-live are determined by policy. (FIXME: Note that this feature is as yet unimplemented, hence the precise definition may change) [Type: decimal] (FIELD_CHANNEL_TIME)
Passcode Length
The length of the passcodes is required in a number of situations, such as when the number of passcodes per passcard is computed. [Type: decimal] (FIELD_CODE_LENGTH)
Alphabet ID
The alphabet identification number. This value determines the precise symbol alphabet to be used for passcode generation. [Type: decimal] (FIELD_ALPHABET)

Value   Description
0       Custom alphabet, defined in otpasswd.conf(5)
1       64 characters ("PPP standard")
2       88 characters ("PPP standard")
3       54 characters, no vowels
4       78 characters, no vowels
5       56 characters, only alphanumeric + digits
Operation Flags
Bit-wise encoded operation flags. These flags determine various aspects of OTPasswd operation, such as whether the passcode counter has salt, or whether to display the actual passcode when typed during a login session. For a full listing of available flags, see the description of the --config option in otpasswd(1). [Type: hex] (FIELD_FLAGS)

Value       Flag Name       Description
0x00000001  FLAG_SHOW       Show passcode during entry
0x00000002  FLAG_DISABLED   User disabled
0x00000004  FLAG_SALTED     Passcode counter salt used
Static Password Hash
Cryptographic hash of the static password. The actual plaintext password is not stored in any file, hence cannot be easily compromised. This hash enables recognition of the password if correctly provided by user. [Type: hex] (FIELD_SPASS)
Time of Static Password Change
Timestamp of the last static password change in seconds. This value is used to force a password change if dictated by policy. [Type: decimal] (FIELD_SPASS_TIME)
Passcard Label
Label text to be printed on each passcard. The hostname of the system is used by default, however it may be set to any value of the user's choice. [Type: string] (FIELD_LABEL)
Channel Contact Information
This field contains whatever information is necessary to contact a user when an OOB channel is used. The precise interpretation of this field is determined by the type of channel that is used, but it may be a phone number, an IM (instant messenger) or IRC username, an email address, etc. This field may be subdivided to allow any, or all of these types of information to be present. [Type: string] (FIELD_CONTACT)
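The field definitions above translate directly into a parser. The following is an added example, not OTPasswd's own code: it splits a version-1 record on ':', checks each of the 15 fields against the type given for it ([Type: hex], [Type: decimal] or [Type: string]), and decodes the Operation Flags bit field and Alphabet ID using the two tables. SAMPLE_RECORD is a constructed record, not one taken from a real installation; treating an empty Static Password Hash as "no static password set" is an assumption of this example.

```python
"""Parse and validate one version-1 OTPasswd state record.

Added example, not OTPasswd's own code. SAMPLE_RECORD is constructed; field
order, types, FLAG_* bits and alphabet IDs follow the tables in otpasswd(5).
"""
import re
from dataclasses import dataclass

HEX = re.compile(r"^[0-9a-fA-F]+$")
DEC = re.compile(r"^[0-9]+$")

# Field 11, Operation Flags (bit-wise encoded).
FLAG_SHOW = 0x00000001      # show passcode during entry
FLAG_DISABLED = 0x00000002  # user disabled
FLAG_SALTED = 0x00000004    # passcode counter salt used
FLAG_NAMES = {FLAG_SHOW: "FLAG_SHOW",
              FLAG_DISABLED: "FLAG_DISABLED",
              FLAG_SALTED: "FLAG_SALTED"}

# Field 10, Alphabet ID.
ALPHABETS = {
    0: "custom alphabet, defined in otpasswd.conf(5)",
    1: "64 characters (PPP standard)",
    2: "88 characters (PPP standard)",
    3: "54 characters, no vowels",
    4: "78 characters, no vowels",
    5: "56 characters, alphanumeric + digits",
}

# (attribute, type) for the 15 colon-delimited fields, in file order.
FIELDS = [
    ("user", "str"), ("version", "dec"), ("key", "hex"), ("counter", "hex"),
    ("latest_card", "hex"), ("failures", "dec"), ("recent_failures", "dec"),
    ("channel_time", "dec"), ("code_length", "dec"), ("alphabet", "dec"),
    ("flags", "hex"), ("spass", "hexstr"), ("spass_time", "dec"),
    ("label", "str"), ("contact", "str"),
]

# Constructed record: flags 0x5 = FLAG_SHOW | FLAG_SALTED, alphabet 1, 4-char codes.
SAMPLE_RECORD = ("alice:1:00112233445566778899aabbccddeeff:"
                 "1a2b3c4d5e6f7a8b9c0d1e2f0000002a:3:7:1:0:4:1:5:"
                 "cafebabe:1383400000:example.org:alice@example.org")


@dataclass
class OtpState:
    user: str
    version: int
    key: int
    counter: int
    latest_card: int
    failures: int
    recent_failures: int
    channel_time: int
    code_length: int
    alphabet: int
    flags: int
    spass: str      # hex text; assumption: empty means no static password set
    spass_time: int
    label: str
    contact: str

    def flag_names(self):
        """Decode the flags bit field into the FLAG_* names that are set."""
        return [name for bit, name in FLAG_NAMES.items() if self.flags & bit]

    def unknown_flags(self):
        """Bits set in flags that this parser does not know (0 if none)."""
        return self.flags & ~sum(FLAG_NAMES)

    def alphabet_name(self):
        return ALPHABETS[self.alphabet]


def parse_state(line):
    """Split a record on ':' and check every field against its declared type."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    values = {}
    for (name, kind), raw in zip(FIELDS, parts):
        if kind == "dec":
            if not DEC.match(raw):
                raise ValueError("%s: not a decimal number: %r" % (name, raw))
            values[name] = int(raw, 10)
        elif kind == "hex":
            if not HEX.match(raw):
                raise ValueError("%s: not a hex number: %r" % (name, raw))
            values[name] = int(raw, 16)
        elif kind == "hexstr":
            if raw and not HEX.match(raw):
                raise ValueError("%s: not hex: %r" % (name, raw))
            values[name] = raw.lower()
        else:
            values[name] = raw
    state = OtpState(**values)
    if state.version != 1:
        raise ValueError("unsupported state file version %d" % state.version)
    if state.alphabet not in ALPHABETS:
        raise ValueError("unknown alphabet id %d" % state.alphabet)
    return state
```

A strict type check per field is the useful part: a record whose counter or flags field is not hex, or whose version is not the documented 1, is rejected before any of its values are trusted, which is the behaviour an authentication module reading ~/.otpasswd should have.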

 

SECURITY NOTES

When the OTPasswd system operates by keeping user state information in the user's $HOME directory, it presents a fundamental security problem. Since the user has write permission for the ~/.otpasswd file, the user is able to modify this file at will. From a security perspective, the best possible outcome of such a modification is that the user will be unable to log in, having corrupted the state information. The slightly less ideal situation is that the user may have "rolled back" the passcode counter value, and thereby allowed "one-time passwords" to be reused.

There are a number of possible remedies to this issue. First, a hash could be computed for each user's state file and kept in a system-level database. Second, each user's state file could be cryptographically signed with a system-level key. And third, the user's state information could be taken out of the user's control.

The first option would require a system-wide database. The second option would require a system-wide secret, with the additional headaches of a periodic key-change. The third option therefore appears the most reasonable. OTPasswd is able to maintain such a system-wide database if the otpasswd.conf(5) system configuration file contains the DB=global parameter setting.

This is not to say that user-located state information is without merit. Specifically, it allows the otpasswd(1) utility to be run in the user context, without escalated privileges. It also allows user state information to be easily migrated with the user's home directory hierarchy, thereby giving the user significant continuity in passcard usage, especially when the home directories are NFS mounted on different hosts.

The primary realization when keeping user state information under the user's control is that OTPasswd security policy cannot be enforced. That means that system security will be no worse than the security afforded by the standard system login password, but if users diligently maintain their state information and don't compromise their own security, then system security could actually be better. The implicit security policy of operating in this manner is that one-time password security is optional.
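The first two remedies described above (a system-level database of per-user state hashes, or records signed under a system-level key) share one mechanism: privileged code keeps a digest of the last record it accepted, and a record read back from the user-writable ~/.otpasswd is only trusted if it still matches. The following is an added example of that mechanism, not OTPasswd's own code and not how its DB=global mode is implemented. StateGuard with no key is remedy one (plain SHA-256 in a database the user cannot write); with a key it is remedy two (HMAC-SHA256). It also refuses to advance a passcode counter to a value not above the last committed one, which is the "rolled back" counter case. RECORD and the key are constructed.

```python
"""Detect modified or rolled-back OTPasswd state records.

Added example, not OTPasswd's own code. Demonstrates the hash-database and
signed-record remedies from the SECURITY NOTES of otpasswd(5). RECORD and
the key used in __main__ are constructed.
"""
import hashlib
import hmac

COUNTER_FIELD = 3  # Passcode Counter is the 4th colon-delimited field (hex)

# Constructed version-1 record with passcode counter 0x2a.
RECORD = ("alice:1:00112233445566778899aabbccddeeff:2a:3:7:1:0:4:1:1:"
          "cafebabe:1383400000:example.org:alice@example.org")


def counter_of(line):
    """Passcode counter of a record, as an integer."""
    return int(line.rstrip("\n").split(":")[COUNTER_FIELD], 16)


def with_counter(line, counter):
    """Copy of the record with the passcode counter replaced."""
    parts = line.rstrip("\n").split(":")
    parts[COUNTER_FIELD] = format(counter, "x")
    return ":".join(parts)


class StateGuard:
    """Privileged-side bookkeeping: one entry per user, in storage the user cannot write."""

    def __init__(self, key=None):
        self.key = key   # None: remedy 1 (plain hash); bytes: remedy 2 (keyed MAC)
        self.db = {}     # user -> (digest, counter) of the last accepted record

    def _digest(self, line):
        data = line.rstrip("\n").encode()
        if self.key is None:
            return hashlib.sha256(data).hexdigest()
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def commit(self, line):
        """Record a state line that the trusted code path has just written."""
        user = line.split(":")[0]
        self.db[user] = (self._digest(line), counter_of(line))

    def check(self, line):
        """Return (ok, reason) for a record read back from the user's file."""
        user = line.split(":")[0]
        entry = self.db.get(user)
        if entry is None:
            return False, "no committed state for user"
        digest, _ = entry
        if not hmac.compare_digest(digest, self._digest(line)):
            return False, "record differs from last committed state"
        return True, "ok"

    def advance(self, line, new_counter):
        """Verify the current record, then move its counter strictly forward."""
        ok, reason = self.check(line)
        if not ok:
            raise ValueError(reason)
        _, committed = self.db[line.split(":")[0]]
        if new_counter <= committed:
            raise ValueError("passcode counter must increase (rollback refused)")
        new_line = with_counter(line, new_counter)
        self.commit(new_line)
        return new_line


if __name__ == "__main__":
    guard = StateGuard(b"constructed-system-key")
    guard.commit(RECORD)
    updated = guard.advance(RECORD, counter_of(RECORD) + 1)
    print("after login:", guard.check(updated))
    print("old file restored:", guard.check(RECORD))
```

Whether the database holds a plain hash or a MAC only changes who can forge an entry: a plain hash is safe as long as the database itself is root-only, while a MAC also survives an attacker who can read the database but not the key, at the cost of the key management the text mentions. Either way the check has to run before the counter is consumed, because a record that matches the digest is by construction one whose counter has not been rolled back.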

 

SEE ALSO

otpasswd(1), agent_otp(1), pam_otpasswd(8)

 

LICENSE

Copyright (c) 2009-2013 Tomasz bla Fortuna

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program in a LICENSE file.

 

AVAILABILITY

The latest version of the OTPasswd package is available in source form at the project website https://savannah.nongnu.org/projects/otpasswd


 


This document was created by man2html, using the manual pages.
Time: 22:16:52 GMT, November 02, 2013