PAM Module Concept

Eduardo Antuña Díez edited this page Sep 15, 2018 · 4 revisions

Frontend

We have the following one time password page: https://dappnode.github.io/DAppNode_OTP/

The parameters are passed in the URL, encoded using base64url. The encoded value and the JSON it decodes to:

eyJzZXJ2ZXIiOiIxMjcuMC4wLjEiLCJuYW1lIjoiZGFwcG5vZGUtZ2l2ZXRoIiwidXNlciI6InZwbl91c2VyIiwicGFzcyI6Ik1DNHhPMlZrZFR0d1lYTnoiLCJwc2siOiJUSTNMakF1TUM0eCJ9
{"server":"127.0.0.1","name":"dappnode-giveth","user":"vpn_user","pass":"MC4xO2VkdTtwYXNz","psk":"TI3LjAuMC4x"}

https://dappnode.github.io/DAppNode_OTP/#otp=eyJzZXJ2ZXIiOiIxMjcuMC4wLjEiLCJuYW1lIjoiZGFwcG5vZGUtZ2l2ZXRoIiwidXNlciI6InZwbl91c2VyIiwicGFzcyI6Ik1DNHhPMlZrZFR0d1lYTnoiLCJwc2siOiJUSTNMakF1TUM0eCJ9

Since the parameters go after the #, they are never sent to the GitHub servers; they are resolved internally in the browser.

This website is intended to generate a random password based on the password provided in the URL. For this purpose, the password sent in the URL is used as a prefix and a random number is appended to it. The web page should also generate a new and unique password each time it is accessed or refreshed.

"pass":"MC4xO2VkdTtwYXNz" -> "pass":"MC4xO2VkdTtwYXNz-902312"
"pass":"MC4xO2VkdTtwYXNz" -> "pass":"MC4xO2VkdTtwYXNz-234512"
"pass":"MC4xO2VkdTtwYXNz" -> "pass":"MC4xO2VkdTtwYXNz-132513"
...

PAM Module

Initially, the PAM module must accept any password for a user that starts with the indicated prefix.

In this example, any password of the form MC4xO2VkdTtwYXNz-* will be valid for the user vpn_user.

So you could connect to the VPN with any of these passwords:

MC4xO2VkdTtwYXNz-902312
MC4xO2VkdTtwYXNz-234512
MC4xO2VkdTtwYXNz-132513
...

The first time the user vpn_user connects to the VPN (for example with MC4xO2VkdTtwYXNz-234512), the VPN must start accepting only this new password, and the rest of the passwords will no longer be valid. This way, you can only access with the first password that is registered in the system.
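
The acceptance rule described above, as an added sketch in C (not code from the DAppNode project). The otp_state struct, otp_init and otp_check are hypothetical names, the state is held in memory only, and requiring a non-empty suffix after the dash is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define OTP_MAX 128

/* Hypothetical per-user record: issued prefix, plus the password pinned at first login. */
struct otp_state { char prefix[OTP_MAX]; char pinned[OTP_MAX]; };

void otp_init(struct otp_state *st, const char *prefix)
{
    memset(st, 0, sizeof *st);              /* pinned[] empty: nothing registered yet */
    strncpy(st->prefix, prefix, OTP_MAX - 1);
}

/* Compare n bytes without an early exit so timing does not leak the match length. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 to accept the login, 0 to reject it. */
int otp_check(struct otp_state *st, const char *password)
{
    size_t plen = strlen(st->prefix), len = strlen(password);

    if (st->pinned[0] != '\0')   /* already registered: only that exact password */
        return len == strlen(st->pinned) && ct_equal(password, st->pinned, len);

    /* Not registered yet: require "<prefix>-<suffix>" with a non-empty suffix. */
    if (plen == 0 || len < plen + 2 || len >= OTP_MAX)
        return 0;
    if (!ct_equal(password, st->prefix, plen) || password[plen] != '-')
        return 0;
    memcpy(st->pinned, password, len + 1);  /* first use wins; siblings now fail */
    return 1;
}

int main(void)
{
    struct otp_state st;
    otp_init(&st, "MC4xO2VkdTtwYXNz");      /* prefix from the page's example */
    printf("%d ", otp_check(&st, "MC4xO2VkdTtwYXNz-234512"));  /* first login */
    printf("%d ", otp_check(&st, "MC4xO2VkdTtwYXNz-902312"));  /* sibling */
    printf("%d\n", otp_check(&st, "MC4xO2VkdTtwYXNz-234512")); /* pinned one */
    return 0;
}
```

In a real module the pinned value has to be persisted across authentication processes, and the check-then-pin step has to be atomic (for example under a file lock), otherwise two simultaneous first logins with different suffixes could both be accepted.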
