Committer: Daniel Manrique
Date: 2019-02-22 15:35:45 UTC
Revision ID: roadmr@ubuntu.com-20190222153545-1ybat72ya0ajfyte
Do not store/use an OATH TOTP client's calculated "absolute drift".

Per LP bug #1817075, the "stored absolute drift" functionality of python-oath
is broken and allows a client to reuse a token that is just expired (due to
allowing relative drift of +/-30 seconds), and keep reusing it just past the
end of the previously-calculated absolute drift to keep it "alive"
indefinitely.

A side-effect of this is that we will require OATH TOTP devices to have
*accurate* clocks, which is deemed acceptable since the vast majority of clients
are either phones or computers. "Accurate" is quite lenient though, because
a device can be +/- 45 seconds off and still generate valid codes.
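As an added illustration of the failure mode the commit message describes (this is example code, not part of this commit and not python-oath's own implementation), the following Python puts a simplified model of a verifier that stores and re-centres on the client's calculated drift next to a hardened verifier that uses a fixed window around the server clock and records the last accepted counter. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 (the secret is the RFC test-vector key); the two verifier classes, the replay simulation and the constants are constructed for the example and only approximate how python-oath behaves.

```python
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds
DIGITS = 6   # code length

# RFC 4226 / RFC 6238 test-vector secret, used here only as sample input
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)


class DriftStoringVerifier:
    """Model of the broken behaviour (assumed, simplified): after each success the
    verifier remembers how far the client was found to be from the server clock and
    centres the next +/-1 step window on that drift, so the window follows the token."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.drift = 0  # stored "absolute drift" in time steps

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP + self.drift
        for candidate in range(base - self.window, base + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.drift = candidate - now // STEP  # drift chases the matched step
                return True
        return False


class StrictVerifier:
    """Hardened verifier: fixed +/-1 step window around the server clock, no stored
    drift, and the counter of the last accepted token is recorded so the same token
    is never accepted twice (RFC 6238 section 5.2)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP
        for candidate in range(base - self.window, base + self.window + 1):
            if candidate <= self.last_counter:
                continue  # already used, or older than a used token
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


def replay_count(verifier_cls, secret: bytes = SECRET, attempts: int = 10) -> int:
    """Generate one token at t0 and present the same token again every 30 seconds;
    return how many of the presentations the verifier accepts."""
    t0 = 1_000_000  # constructed timestamp
    token = totp(secret, t0)
    verifier = verifier_cls(secret)
    return sum(1 for i in range(attempts) if verifier.verify(token, t0 + i * STEP))


def fresh_count(verifier_cls, secret: bytes = SECRET, attempts: int = 10) -> int:
    """Present a freshly generated token every 30 seconds (a well-behaved client);
    both verifiers should accept every one."""
    t0 = 1_000_000
    verifier = verifier_cls(secret)
    return sum(1 for i in range(attempts)
               if verifier.verify(totp(secret, t0 + i * STEP), t0 + i * STEP))


if __name__ == "__main__":
    print("drift-storing verifier, replayed token accepted:",
          replay_count(DriftStoringVerifier), "of 10")
    print("strict verifier, replayed token accepted:",
          replay_count(StrictVerifier), "of 10")
    print("fresh tokens accepted:", fresh_count(DriftStoringVerifier),
          fresh_count(StrictVerifier))
```

The drift-storing model accepts the single expired token on every presentation, because each success shifts the stored drift by one more step and keeps the stale counter inside the window. The strict verifier accepts it exactly once: dropping the stored drift means the window no longer moves with the token, and the last-counter check closes the one remaining replay within the fixed window. Both still accept every fresh token from a client whose clock is within one step of the server.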