Re: PAM module for client/server application

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 12/09/14 11:15, Claude Brisson wrote:
> But I cannot use SSL or TLS for the client/server protocol

I would recommend solving that, or using some other
confidentiality/integrity layer like SSH. For your protocol to have a
purpose, its users are presumably transferring something useful or
important between the client and the server, other than the password
itself. Any non-password data transferred between your client and server
will be subject to eavesdropping (unless you have a confidentiality
layer and some sort of protection from man-in-the-middle attacks) and
undetected modification (unless you have an integrity layer).

With that warning out of the way...

> so I have to
> encrypt the user password. In such situations, I'd usually have the
> server send a one-time challenge, and the client respond
> sha1(pass+challenge).

... it sounds as though what you need is a PAM module that implements
some sort of challenge-response, instead of using "ordinary passwords".
You could find one, or write one.

Of the many PAM modules in Debian, libpam-dynalogin,
libpam-google-authenticator, libpam-oath, libpam-otpw, libpam-yubico,
libpam-barada and libpam-duo look relevant to this: they all implement
some sort of one-time-password scheme.

If you are not a security/cryptography expert, I would suggest that a
standard scheme like HOTP, TOTP or SCRAM is likely to be more secure
than something you have written yourself.


Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux