Plaintext storage of TOTP secret key about carrotsh HOT 2 OPEN

@minasrc I'm not sure of a way to derive the TOTP pin from just the secret key's hash. If there isn't, It would require the user to send the key when connecting, which essentially just makes it another password.

from carrotsh.

@minasrc At the moment, the password is sent over plaintext. This is by design, which is why enabling encryption with self-signed certificates is highly recommended. The password is then hashed on the server side, and the hash is compared with the one stored on the server. If it matches, then the server moves the connection to the next security level (OTP) if it's enabled. The OTP type used is TOTP (Time-Based One Time Password), which mixes a base32 key with the current time to generate a 6 digit pin that lasts a short duration. The user will have the base32 key already registered in their authenticator app, which will display the currently valid OTP. If the sent OTP matches with the one generated by the server (Presumably with the same key), then the user is finally let into the shell.

The user encrypts their password with their private key and sends the result.
The server can then look for the public key associated with the user and if it exists decrypts the password. If it matches then all good. Of course the passwords are not stored as plain text either.

We don't want to do encryption manually because any form of encryption through the browser would have to be done through javascript. This is very insecure, since someone performing an MITM attack could intercept the webpage, manipulate the javascript, and send it to the client, who will end up running the bad code which could expose the password to the attacker or something else malicious.

from carrotsh.