Summary | One Time Password Module Implementation - request for comment |
Queue | Horde Framework Packages |
Queue Version | Git develop |
Type | Enhancement |
State | No Feedback |
Priority | 1. Low |
Owners | |
Requester | c.denis (at) mrduck (dot) fr |
Created | 03/14/2012 (4902 days ago) |
Due | |
Updated | 01/30/2013 (4580 days ago) |
Assigned | |
Resolved | 01/30/2013 (4580 days ago) |
Milestone | |
Patch | Yes |
State ⇒ No Feedback
gonna reopen the ticket.
Indeed, this is getting old ... sorry about that. Do you want to close
the ticket or is it fine if I have a look at it during March?
State ⇒ Feedback
this is just one possible implementation of OTP authentication and
Horde_Auth_Otp is too generic.
- You should use the existing user_pass field.
- It's okay to add an additional field for the chain index to the
general user table. It should follow the column nomenclature though
and should be added by a migration script.
- Why is the _reduce_password method necessary? This doesn't make
sense to me. Also, you are using the pwdformat_length parameter, but
it's not documented and you don't set the default value in the
constructor like for the other parameters.
- You should extend the Horde_Auth_Sql class and only overwrite those
methods and properties that are necessary.
- There are also some minor style issues that should be tackled in a final
version.
Priority ⇒ 1. Low
New Attachment: otp.patch
Patch ⇒ Yes
Milestone ⇒
Summary ⇒ One Time Password Module Implementation - request for comment
Type ⇒ Enhancement
State ⇒ New
Queue ⇒ Horde Framework Packages
as announced in #10980, I am trying to provide a first version of a
hash-chain implementation for one time passwords. This is my personal
reason why I would need the Dual_Auth module described previously.
Nevertheless the modules are both fully functional on their own.
With this OTP module a user can log in to Horde with another password
every time and thus protect his credentials if he has to log in from
an untrusted location such as an airport internet terminal.
ATM this uses the same table as Auth_Sql (horde_users) with two
additional fields. If requested this can of course be changed to use
its own table.
ALTER TABLE `horde_users` ADD `hash_chain_pwd` VARCHAR( 60 ) NOT NULL;
ALTER TABLE `horde_users` ADD `hash_chain_index` INT( 50 ) NOT NULL;
I am posting this at this state mainly to get feedback on the idea and
the implementation. I am by all means willing to improve it from a
security, architectural, or even style point of view.
Further additions in terms of support in the passwd application,
warnings when the password list runs empty and integration in the
configuration page are planned if this is of common interest.
Any comment is appreciated.
Best regards,
Carl
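
As an added illustration (not part of the ticket and not code from otp.patch), this is the general Lamport-style hash-chain check that a stored chain value plus a chain index, like the hash_chain_pwd and hash_chain_index columns above, can support. The SHA-256 choice, the function names and the demo seed are assumptions made for the example.

```php
<?php
// Added illustration of a Lamport-style hash chain; not code from otp.patch.
// Assumption: hash_chain_pwd holds the last accepted chain value (hex) and
// hash_chain_index counts how many one-time passwords remain.

const OTP_HASH = 'sha256'; // assumed hash; the patch's own choice is not shown on the page

/** Apply the hash $rounds times to $value. */
function otp_chain(string $value, int $rounds): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $value = hash(OTP_HASH, $value);
    }
    return $value;
}

/** Enrolment: the server keeps only the end point of the chain and its length. */
function otp_enrol(string $seed, int $length): array
{
    return ['hash_chain_pwd' => otp_chain($seed, $length), 'hash_chain_index' => $length];
}

/**
 * Verify one password. On success the row advances one step down the chain,
 * so a value captured on an untrusted terminal cannot be used again.
 */
function otp_verify(array &$row, string $otp): bool
{
    if ($row['hash_chain_index'] <= 0) {
        return false; // chain exhausted, the user must enrol again
    }
    // Hashing the submitted value must reproduce the stored one (constant-time compare).
    if (!hash_equals($row['hash_chain_pwd'], hash(OTP_HASH, $otp))) {
        return false;
    }
    // In a database, do this as one UPDATE ... WHERE hash_chain_index = <old value>
    // so two concurrent logins cannot both consume the same password.
    $row['hash_chain_pwd'] = $otp;
    $row['hash_chain_index']--;
    return true;
}

// Constructed demo: the seed and chain length are sample values.
$seed = 'constructed-demo-seed';
$row  = otp_enrol($seed, 5);
$otp1 = otp_chain($seed, 4);                      // first password on the user's list
var_dump(otp_verify($row, $otp1));                // first use of $otp1
var_dump(otp_verify($row, $otp1));                // replay of the same value
var_dump(otp_verify($row, otp_chain($seed, 3)));  // next password on the list
```

The server never stores a value that is valid for a future login: each accepted password is only the preimage of what was stored before, which is why a stolen database row or a sniffed password does not yield the next one.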