On 07/03/2022 16:38, Michael Ströder wrote:
> libpam-google-auth and other similar PAM modules require storing the
> tokens' shared secrets on the server. If your system gets hacked and the
> shared secrets are stolen, the attacker can generate an arbitrary
> number of valid OTP values. And if you use the same shared secrets on
> multiple servers, the security impact will be broad.
> => Don't use that.
That's a nice thing about pam_yubico with real Yubikeys: they can be
validated against the Yubico cloud API, without any local secrets.
I have also experimentally got TOTP validation working against a
Hashicorp Vault server: https://github.com/candlerb/vault-totp-helper
(I would be interested in having extra eyes on this)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
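Added example for this page, illustrating the point made in the quoted message about server-stored TOTP secrets. This is example code written for the page, not code from libpam-google-auth, pam_yubico or vault-totp-helper. The layout of the stolen `~/.google_authenticator` file is a constructed sample and an assumption (first line: base32 secret; lines starting with `" ` are options; remaining lines are scratch codes); the secret inside it is the RFC 6238 reference secret `12345678901234567890`, so the generated codes can be checked against the RFC's published SHA-1 test vectors. The code implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, shows the server-side verifier that needs the raw secret in memory on the authenticating host, and then shows that anyone holding a copy of that file can emit a valid code for any future time step without a device.

```python
"""TOTP (RFC 6238) with an attacker's-eye view of a server-stored shared secret.

Added example for this page; not code from libpam-google-auth, pam_yubico or
vault-totp-helper. The ~/.google_authenticator layout below is a constructed
sample and an assumption, not a specification.
"""
import base64
import hashlib
import hmac
import struct
from typing import List, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step), T0 = 0."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, digits: int = 6,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check, accepting +/- `window` time steps to absorb clock skew.

    Note what this needs: the raw shared secret, in memory, on the verifying
    host. A PAM module that keeps secrets locally must have exactly this
    material on disk, which is what an attacker who compromises the box steals.
    """
    for skew in range(-window, window + 1):
        candidate = totp(secret, unix_time + skew * step, digits, step)
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return True
    return False


# Constructed sample of a stolen ~/.google_authenticator file (layout assumed).
# The first line is the RFC 6238 reference secret "12345678901234567890" in
# base32, so the codes below match the RFC's published SHA-1 test vectors.
STOLEN_GA_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" TOTP_AUTH
11111111
22222222
"""


def extract_secret(ga_file: str) -> bytes:
    """Pull the base32 secret from the first line; nothing else in the file matters to an attacker."""
    first = ga_file.splitlines()[0].strip().upper()
    return base64.b32decode(first + "=" * (-len(first) % 8))


def forge_codes(secret: bytes, start_time: int, count: int,
                digits: int = 6, step: int = 30) -> List[Tuple[int, str]]:
    """With the secret in hand no token is needed: one valid code per future time step."""
    return [(start_time + i * step, totp(secret, start_time + i * step, digits, step))
            for i in range(count)]


if __name__ == "__main__":
    secret = extract_secret(STOLEN_GA_FILE)
    # RFC 6238 vector: T=59, SHA-1, 8 digits -> 94287082
    print("T=59 ->", totp(secret, 59, digits=8))
    # Every forged code is accepted by the same verifier the server would run.
    for t, code in forge_codes(secret, 1111111109, 3, digits=8):
        accepted = verify_totp(secret, code, t, digits=8)
        print(f"forged code for t={t}: {code} accepted={accepted}")
```

The verifier and the forger call the same `totp()` with the same secret, which is the whole problem: a server-stored TOTP secret is a symmetric credential, so a read of that file is equivalent to owning the user's token on every host that shares it. Moving the secret to a single verifying service (the Yubico validation API or a Vault TOTP backend, as in the reply above) leaves the SSH host with nothing that can be replayed.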