PAM Module Concept

Eduardo Antuña Díez edited this page Sep 15, 2018 · 4 revisions


We have the following one time password page:

The parameters are passed in the URL, encoded with base64url.


Because the parameters come after the #, they are never sent to the GitHub servers; they are resolved internally in the browser.

This website is intended to generate a random password based on the password provided in the URL. The password sent in the URL is used as a prefix, and a random number is appended to it. The web page should also generate a new and unique password each time it is accessed or refreshed.

"pass":"MC4xO2VkdTtwYXNz" -> "pass":"MC4xO2VkdTtwYXNz-902312"
"pass":"MC4xO2VkdTtwYXNz" -> "pass":"MC4xO2VkdTtwYXNz-234512"
"pass":"MC4xO2VkdTtwYXNz" -> "pass":"MC4xO2VkdTtwYXNz-132513"

PAM Module

Initially, the PAM module must accept any password for a user that contains the indicated prefix.

In this example, any password of the form MC4xO2VkdTtwYXNz-* will be valid for the user vpn_user.

So you could connect to the VPN with these passwords:


The first time the user vpn_user connects to the VPN (for example with MC4xO2VkdTtwYXNz-234512), the VPN must start accepting only this new password, and all other passwords will no longer be valid. This way, access is only possible with the first password that is registered in the system.
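
The accept-by-prefix and pin-on-first-login behaviour described above, as an added sketch that is not the project's own code. The `otp_state` structure, the function names and the in-memory storage are assumptions; it also assumes the suffix after the `-` must be non-empty.

```c
#include <stdio.h>
#include <string.h>

#define OTP_MAX 128

/* Hypothetical per-user state. A real module would persist it and store a
   salted hash of the pinned password instead of the plaintext. */
struct otp_state { char pinned[OTP_MAX]; };  /* "" until first login */

/* Compare n bytes without exiting early on the first mismatch. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Form "<prefix>-<suffix>"; a non-empty suffix is an assumption made here. */
static int has_prefix_form(const char *prefix, const char *cand)
{
    size_t plen = strlen(prefix), clen = strlen(cand);
    if (clen < plen + 2 || clen >= OTP_MAX)
        return 0;
    return ct_equal(prefix, cand, plen) && cand[plen] == '-';
}

/* Returns 1 to grant access, 0 to deny. */
int otp_authenticate(struct otp_state *st, const char *prefix, const char *cand)
{
    if (st->pinned[0] != '\0') {          /* a password is already registered */
        size_t n = strlen(st->pinned);
        return strlen(cand) == n && ct_equal(st->pinned, cand, n);
    }
    if (!has_prefix_form(prefix, cand))
        return 0;
    memcpy(st->pinned, cand, strlen(cand) + 1);  /* fits: length checked above */
    return 1;
}

int main(void)
{
    struct otp_state vpn_user = { "" };
    const char *prefix = "MC4xO2VkdTtwYXNz";   /* values from the page's example */
    printf("%d\n", otp_authenticate(&vpn_user, prefix, "MC4xO2VkdTtwYXNz-234512"));
    printf("%d\n", otp_authenticate(&vpn_user, prefix, "MC4xO2VkdTtwYXNz-902312"));
    return 0;
}
```

Until the first login pins a password, anyone who knows the prefix can authenticate, so the check-and-pin step needs to be atomic per user when logins can run concurrently.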
