pam_oath suid helper binary
same as http://lists.nongnu.org/archive/html/oath-toolkit-help/2016-07/msg00000.html
usersfile : rewrite
I rewrote liboath/usersfile.c to lock and modify the usersfile in-place instead of creating a lock and a temporary file. I first did those patches because I want to use pam_oath with postgres (which doesn't run as root). So I need the usersfile to have 660 permissions, owner "root" and group "oath" (postgres is a member of oath).
I took advantage of the code hacking to make some other changes and comment it.
different usersfile field 5 if HOTP / TOTP & fields 5 present → 6 and 7 mandatory
Non-backward-compatible patches. They change the format of the usersfile a bit.
Now it's like the following before the first login:
HOTP/E/8 login password AES-key
After the first login:
HOTP/E/8 login password AES-key OATH-counter last-otp last-otp-timestamp
pam_oath: use helper binary to access/modify the usersfile
Create the (suid root) oath_usersfile helper binary to access and modify the usersfile (like pam_unix does for /etc/shadow).
That way even services without access to the usersfile can authenticate users with pam_oath.
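
The field rule described above (four fields before the first login, seven after, and field 5 never present without fields 6 and 7) can be checked per line as in the following added example, which is not part of the patches or of oath-toolkit. The names `check_usersfile_line` and `count_fields` are hypothetical, and it assumes fields are separated by spaces or tabs and that field 1 begins with "HOTP" or "TOTP".

```c
/* Added example, not oath-toolkit code: validates one usersfile line
 * against the field-count rule described in the patch notes. */
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK_NEW = 0, LINE_OK_USED = 1, LINE_BAD = -1 };

/* Count whitespace-separated fields without modifying the input. */
static int count_fields(const char *line)
{
    int n = 0;
    const char *p = line;
    while (*p) {
        p += strspn(p, " \t\r\n");          /* skip separators */
        size_t len = strcspn(p, " \t\r\n"); /* length of next field */
        if (len == 0)
            break;
        n++;
        p += len;
    }
    return n;
}

/* 4 fields: entry before the first login.
 * 7 fields: entry after a login (fields 5, 6 and 7 all present).
 * Anything else, including 5 or 6 fields, is rejected.
 * Assumption: field 1 starts with "HOTP" or "TOTP". */
enum line_status check_usersfile_line(const char *line)
{
    if (strncmp(line, "HOTP", 4) != 0 && strncmp(line, "TOTP", 4) != 0)
        return LINE_BAD;
    switch (count_fields(line)) {
    case 4:  return LINE_OK_NEW;
    case 7:  return LINE_OK_USED;
    default: return LINE_BAD;
    }
}

int main(void)
{
    /* Constructed sample lines; every value is a placeholder. */
    const char *samples[] = {
        "HOTP/E/8 alice - 00112233",
        "HOTP/E/8 alice - 00112233 5 12345678 2016-07-01T12:00:00L",
        "HOTP/E/8 alice - 00112233 5",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d  %s\n", check_usersfile_line(samples[i]), samples[i]);
    return 0;
}
```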