google / google-authenticator-libpam

Apache License 2.0

OTP Code Reuse Possible #130

Closed antitree closed 5 years ago

antitree commented 5 years ago

The Google Authenticator PAM module allows OTP code reuse.

Example:

Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

https://tools.ietf.org/html/rfc6238

Tested on Ubuntu with the sshd PAM configuration set to use google-authenticator-libpam.

ThomasHabets commented 5 years ago

Hmm, that's not right. The tool even asks you:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Did you say n to that?

I'm unable to reproduce your problem. Could you provide way more details, such as how you generated the config, and what your PAM config looks like?

ThomasHabets commented 5 years ago

You are using time-based tokens, right? Do you have DISALLOW_REUSE in your ~/.google_authenticator?

antitree commented 5 years ago

Thanks for the follow-up. I just went through my installation again (using Ansible) with the same results (reuse accepted even after selecting not to). But trying manually on a Debian and CentOS install it works as expected. Looks like something on my end. Sorry for the false positive.

On Fri, Apr 19, 2019, 11:46 AM Thomas Habets notifications@github.com wrote:

You are using time-based tokens, right? Do you have DISALLOW_REUSE in your ~/.google_authenticator?
