Comments (2)
@minasrc I'm not sure of a way to derive the TOTP pin from just the secret key's hash. If there isn't, It would require the user to send the key when connecting, which essentially just makes it another password.
from carrotsh.
@minasrc At the moment, the password is sent over plaintext. This is by design, which is why enabling encryption with self-signed certificates is highly recommended. The password is then hashed on the server side, and the hash is compared with the one stored on the server. If it matches, then the server moves the connection to the next security level (OTP) if it's enabled. The OTP type used is TOTP (Time-Based One Time Password), which mixes a base32 key with the current time to generate a 6 digit pin that lasts a short duration. The user will have the base32 key already registered in their authenticator app, which will display the currently valid OTP. If the sent OTP matches with the one generated by the server (Presumably with the same key), then the user is finally let into the shell.
The user encrypts their password with their private key and sends the result.
The server can then look for the public key associated with the user and if it exists decrypts the password. If it matches then all good. Of course the passwords are not stored as plain text either.
We don't want to do encryption manually because any form of encryption through the browser would have to be done through javascript. This is very insecure, since someone performing an MITM attack could intercept the webpage, manipulate the javascript, and send it to the client, who will end up running the bad code which could expose the password to the attacker or something else malicious.
from carrotsh.
Related Issues (1)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from carrotsh.