Dynamic password project


satimis
01-11-2006, 12:00 PM
Hi folks,

Is there "dynamic password" project on Open Source?

Not found on Freshmeat. Sourceforge seemed not working for the time being.

TIA

B.R.
satimis

Icarus
01-11-2006, 01:07 PM
What do you mean by a "dynamic password"? One that changes often? :confused:

voidinit
01-11-2006, 03:05 PM
I think I know what you are talking about. I'm writing something similar for work literally as we speak. The CIO and I are talking about releasing it as OSS on SourceForge when it's complete, so I'll keep this board posted.

Basically it works like this.

Overview:

There is a database that holds all user information (UID, GID, Home, Shell, etc.). A stand-alone SOAP server connects to that database for its info. The SOAP client is a Linux-PAM module that communicates with the SOAP server when a user logs in. There is a web front end (in perl/php) for "enabling" that communicates with the database.

Use:

A user goes to the web page and authenticates there, then "enables" himself on certain back-end boxes via a webform. When he "enables" he is "activated" for those specific hosts in the database and a random password is generated and stored in the password field for those rows. The user then copies the password, ssh's to the box, enters his username and pastes in the random password. The pam_module makes a SOAP call to authenticate him and pull his user information. Then the module adds an /etc/passwd entry for that user so that legacy/non-PAM applications know who he is. When the user logs out of the box, the /etc/passwd entry disappears with him (which is ok for us, but may not be ok for others). The next time the user goes to the web form and "enables", or his session expires, whatever, a new random password is generated for him. So in essence these are pseudo one-use passwords.

I've completed a working model so far. I have the SOAP server/db connection pool working as well as the SOAP pam module pam_soap.so. I don't have the front end yet, but the front end may not be open-sourceable for us because it's part of our in-house management system.



Another method my friend Jacob uses is pgp/sendmail. He has a cron that randomly assigns passwords on his boxes, then pgp's up the passwords and emails them to him. I'm not quite sure which creek he'd be up if his mail server were to go down though.

satimis
01-12-2006, 03:24 AM
Hi voidinit,

Yes, you are right.

I was talking about the random password generated by token. But instead I need tokenless. That is, after the user sends his information to the webserver/any_server, the latter will generate a one_time password for the user. With this one_time password the user can login. This one_time password is only valid once and has a time limit. After x minutes/seconds it will expire. The user can't use it to login. Next time on request the server will generate another password.

B.R.
satimis

voidinit
01-12-2006, 11:35 AM
I couldn't find any sane enterprise level single use password projects out there. I couldn't find any insane ones either. In the end my company decided to use the tools they had to try to figure something out. By "tools they had" I mean "me" and by "figure something out" I mean "bloody start from scratch."