
OpenSource or not? And Google where is inside? #175

Closed
danjde opened this issue Jul 24, 2020 · 4 comments

danjde commented Jul 24, 2020

Hi Devs and thanks for your contribution!

This is not really an issue, just a question: we would like to know if "google-authenticator-libpam" is or isn't open source (or if it contains proprietary code).
Wikipedia says:

Previous versions of the software were open-source but since 2013 releases are proprietary.[3]

Then, it would be very interesting to know if "google-authenticator-libpam" contains calls to Google servers and therefore covert tracking systems.

Many thanks!

ThomasHabets (Collaborator) commented Jul 24, 2020

This repo, Google Authenticator LibPAM, is 100% open source, and there is no internal version or anything. In fact, this repo is ONLY distributed as source code, which is entirely open to read, to find any covert tracking. As the current maintainer I've stared at the code a lot, and not found any. (though I am employed by Google, and encourage you to look for yourself).

Linux distributions take the code from here, and compile it to release it as binary. But Google does (to my knowledge) not. And even if Google does somewhere produce a binary version, it's not what you'd get on a Debian/Redhat/whatever system, and I am extremely doubtful that whoever did that would not just take this repo as-is.

But Google is a company of over a hundred thousand people, and the number of projects that implies. I can't vouch for what everyone does. I can only vouch for this repo, and describe how Linux distributions say they take the code from this repo and add it as packages in their systems.

Sorry for the confusion. That statement on wikipedia applies only to the apps on phones/tablets, and not to anything in this repo.

I hope that clarifies.

danjde (Author) commented Jul 24, 2020

This repo, Google Authenticator LibPAM, is 100% open source, and there is no internal version or anything. I[...]
I hope that clarifies.

Hi ThomasHabets and thanks for your reply,
anyway my doubt persists. Here you can see a call stack to a Google system, with which it can get different types of information, such as IP, time, and location for example, but surely much, much more..

  if (encoderURL) {
    // Show a QR code.
    // encoder is the Google Charts QR endpoint; the otpauth:// URL (which
    // carries the OTP secret in clear) is URL-encoded and appended as the
    // chl= query parameter, so the complete secret ends up inside this URL.
    const char *encoder = "https://www.google.com/chart?chs=200x200&"
                          "chld=M|0&cht=qr&chl=";
    const char *encodedURL = urlEncode(url);   // urlEncode() is defined elsewhere in the project

    // Allocate encoder + encodedURL + NUL and concatenate the two strings.
    *encoderURL = strcat(strcpy(malloc(strlen(encoder) +
                                       strlen(encodedURL) + 1),
                                encoder), encodedURL);
    free((void *)encodedURL);
  }

and here Google admits to having access to the token:

printf("Warning: pasting the following URL into your browser exposes the OTP secret to Google:\n %s\n", encoderURL);

What can you tell me about this?

And secondly, but still of a certain importance, why does the code still bear the name of Google?

Thanks in advance for all the answers you will give us.

akerl commented Jul 24, 2020

As noted in the lines of code you quoted, it prints a URL that lets you optionally open the QR code in Google’s web QR code generator, and shows a clear warning alongside the URL about the impact of doing so.

If you don’t open the link in your browser, no traffic is sent to Google.

The code probably bears Google’s name because Google employees wrote it.

ThomasHabets (Collaborator) commented
Ah yes. When you provision a new user that is done by showing a QR code, and scanning it in your app. Normally the QR code "image" is generated using libqrencode, to create an ASCIIART QR code in your terminal. That is done entirely on the local system.

Optionally, you can choose to generate the QR code image by using the Google charts API.

Personally, I never use that generated URL. And it's never used automatically. You have to manually copy-paste it into a browser for any network activity to happen.

I'm not on the Google Charts team, nor can I speak for them about how their logs are used. I think this may be the ToS for Google Charts, and maybe the relevant section is 5b. But I'm not a lawyer, and am not in a position to speak for a lawyer, or Google, or to forbid, allow, or promise anything. And please don't read anything into that vagueness, other than the fact that I'm not a lawyer.

Note that while "Google admits to have access to token" may be technically true (though one could debate the difference between "exposes" and "access"), it's also true that pasting that URL into your browser also gives access to the token to Firefox, AdBlocker, and any other extension you have that is allowed to look at URLs. Hopefully all of these only use the URL to provide the service of rendering the QR code, and don't log them anywhere. Hmm… actually your browser probably put it in the browser history. That's… actually a bit concerning.

Why the name is still "Google" is a good question. It's mostly historical. Back when this code was on code.google.com it was all part of the same git repo called "Google Authenticator" that included apps for iPhone, Android, and Blackberry. When I moved it to github I split it into one for Android, one for the PAM module, and one for "other". This makes it easier to deal with pull requests and bug reports. Also they don't share code. And I only really wanted to maintain the PAM module, so am hoping someone will take more ownership of the other ones.

There's nothing Google-specific about the code in this repo. It's an open standard that other applications also implement. The Google Charts API could just as well also have a link to some other web-based chart renderer, and I would accept a PR to provide alternatives. (though really one should generate the QR code locally by having libqrencode installed). It could be called "TOTP/HOTP PAM module". But it's had this name for longer than I've maintained it, and the name is used by Linux distributions and many other things, so I'd say the name ship has sailed.
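The exposure that akerl's and ThomasHabets's replies describe, as an added example that is not part of the issue thread and not code from google-authenticator-libpam: it rebuilds the same Google Charts URL shape as the C snippet quoted above (Python's urllib quote stands in for the project's urlEncode(), an assumption), shows that the whole OTP secret sits verbatim in the chl= parameter, recovers it the way any party that sees the URL (Google, a proxy log, browser history, an extension) could, and then mints valid RFC 6238 TOTP codes from it. The user name, issuer and the base32 secrets are constructed for the demo; the RFC 6238/4226 test secret is used only to check the TOTP arithmetic.

```python
"""Added example (not google-authenticator-libpam code): what leaks if the
optional Google Charts QR URL leaves your machine, and why that matters."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlsplit

# Constructed demo secret, NOT a real key (16 base32 characters).
EXAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"

# Endpoint prefix copied from the C snippet quoted in this issue.
GOOGLE_CHART_ENCODER = "https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl="


def otpauth_uri(user, issuer, secret_b32):
    """Provisioning URI that the QR code encodes (otpauth Key Uri Format).
    The secret travels in clear in the query string."""
    label = quote(f"{issuer}:{user}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


def charts_url(otpauth):
    """Stand-in for the C encoderURL construction. Assumption: the project's
    urlEncode() percent-encodes everything outside unreserved characters, as
    quote(..., safe="") does here. Base32 is alphanumeric, so the secret is
    copied into the URL unchanged."""
    return GOOGLE_CHART_ENCODER + quote(otpauth, safe="")


def secret_from_charts_url(url):
    """What anyone holding the URL can do: pull the otpauth URI out of the
    chl= parameter (parse_qs percent-decodes it once) and read secret=."""
    chl = parse_qs(urlsplit(url).query)["chl"][0]
    return parse_qs(urlsplit(chl).query)["secret"][0]


def totp(secret_b32, t=None, period=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (30 s steps, 6 digits). Holding the
    secret is all that is needed to compute valid codes for any time step."""
    if t is None:
        t = int(time.time())
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", t // period)            # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def codes_minted_from_url(url, t, window=1):
    """Codes an attacker who only ever saw the URL could submit around time t
    (one step either side, the usual verifier tolerance)."""
    secret = secret_from_charts_url(url)
    return [totp(secret, t + k * 30) for k in range(-window, window + 1)]


if __name__ == "__main__":
    uri = otpauth_uri("alice@example.org", "Example", EXAMPLE_SECRET_B32)
    url = charts_url(uri)
    print("URL the tool would print for you to paste into a browser:\n ", url)
    print("secret visible verbatim in URL:", EXAMPLE_SECRET_B32 in url)
    print("secret recovered from URL:     ", secret_from_charts_url(url))
    print("code valid right now:          ", totp(EXAMPLE_SECRET_B32))
```

The local route the maintainer recommends needs no third party at all: with libqrencode's command-line tool installed, `qrencode -t UTF8 'otpauth://totp/...'` renders the same provisioning URI as a terminal QR code on the machine that generated the secret, so the secret never appears in a URL, a proxy log or a browser history.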

3 participants