OTP feature for /bin/login

Michael Conrad mconrad at intellitree.com
Tue May 8 23:56:12 UTC 2012 

On 5/8/2012 6:56 PM, Rich Felker wrote:
> On Tue, May 08, 2012 at 05:38:26PM -0400, Michael Conrad wrote:
>>>   With the little amount of thought I've done on it so far, I've concluded
>>> that a viable system would have to have executables instead of shared
>>> objects as atoms, i.e. the /bin/login program configurably executes into
>>> /bin/login-X-mechanism, where X can be passwd, OTP or anything of the
>>> kind, and /bin/login-X-mechanism does the X-specific work.
>>>
>> +1
>>
>> Call them "Busybox Auth Helpers" and the API is as simple as read
>> "$username\n$password\n" from stdin, and return 0 or 1.  Serves
>> everyone's needs in about 20 lines of code added to busybox.  All
>> configuration and selection of which accounts are affected can be
>> written into a Multiplexor which obeys the same API.  You could even
>> write an auth helper that dynamically links out to PAM.
> A *good* OTP system (I'm not sure how good the submitted one is) needs
> bidirectional communication for login. For a printed sheet of
> passwords, the host has the ask the user for a specific number off the
> sheet, not just any password, so the authentication method needs a way
> to present this information to the user. Or if you have a device on
> the client side that can generate passwords based on a challenge from
> the host, you need a way to present the challenge to the user when
> they attempt to login (so they can enter it in their device).

My thought here was that you can't always alter the original protocol 
that much (httpd, ftpd, etc).  If you can and need to, then you might as 
well just write a custom daemon  (which actually, is exactly what you're 
describing below with the ssh passthrough) or use PAM.  Writing a 
one-size-fits-all authentication API is not a simple thing, and I think 
any attempt to do so would end up as complex as PAM.

The OP was describing a system where you'd have your phone 
time-synchronized with the server, and be unidirectional.  Your phone 
knows what the correct password is at any given time.

>> It could be as simple as checking getenv("BUSYBOX_AUTH_HELPER"), or
>> hard-coded busybox config string.  If it doens't exist, fall back to
>> passwd/shadow.
> Letting this be configured by the environment is a gaping security
> hole...

I was about to say "not any worse than LD_LIBRARY_PATH", but I suppose 
then it would need the same special restriction for setuid programs.  
(It would just require a check of geteuid... but you're right, probably 
better to forget it and either use a config file or hard-code it.)

-Mike

More information about the busybox mailing list