
OTP input is echoed in the clear #10

Open
throw1008a opened this issue Apr 20, 2020 · 3 comments

Comments

@throw1008a

Currently, after entering the SSH password (which is not displayed on the screen), the OTP Token Code prompt is output, and then as one types in the six digits they are printed on the display.

I know that theoretically this should not matter, because that's the entire point of 2FA, but sometimes auditors do not care about "theory".

I would like an option added to the PAM module to control echoing; the default can remain the same if that's easier. So the proposal is to add an "echo" option that takes one of the following parameters:

  • echo=yes : same as now; leave as default?
  • =no : disables any output, like OpenSSH password prompt
  • =hide : displays an asterisk ('*') for each digit
@cron2

cron2 commented Apr 20, 2020

What you are looking for is called "hide_otp_input" (option to pam_linotp.so in the pam config). If set, it will instruct OpenSSH to not echo password prompts.

(The echoing is not done by the PAM module itself but by OpenSSH, depending on PAM flags passed "up the stack")
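
The flag-driven behaviour described above, as an added C example that is not pam_linotp's own code: the module picks PAM_PROMPT_ECHO_OFF or PAM_PROMPT_ECHO_ON from its config-line options, and the application's conversation function (the part sshd provides) decides from that style alone whether the typed digits appear. The option parsing, the prompt text and the constructed input are assumptions for illustration; the fallback definitions mirror Linux-PAM's public header so the file builds without libpam-dev installed.

```c
/* Added example, not pam_linotp's own code: a module-side option check that picks the
 * prompt style, and an application-side conversation function that honours it. The
 * fallback block repeats Linux-PAM's public definitions for builds without the headers. */
#define _POSIX_C_SOURCE 200809L /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__has_include) && __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* same values and layouts as Linux-PAM's <security/_pam_types.h> */
#define PAM_SUCCESS 0
#define PAM_CONV_ERR 19
#define PAM_PROMPT_ECHO_OFF 1 /* application must not echo the reply */
#define PAM_PROMPT_ECHO_ON 2  /* application may echo the reply */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **, struct pam_response **, void *); void *appdata_ptr; };
#endif

/* Module side: argc/argv are the options from the pam.d line, as passed to pam_sm_authenticate.
 * The option name is the one cited in the comment above; pam_linotp's own parsing is not shown. */
int otp_prompt_style(int argc, const char **argv) {
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "hide_otp_input") == 0) return PAM_PROMPT_ECHO_OFF;
    return PAM_PROMPT_ECHO_ON; /* the current default: digits are shown as typed */
}

/* Module side: request the OTP through the application's conversation callback. */
int ask_otp(const struct pam_conv *conv, int style, char **otp_out) {
    struct pam_message msg = { style, "OTP Token Code: " }; /* prompt text assumed */
    const struct pam_message *msgs[1] = { &msg };
    struct pam_response *resp = NULL;
    int rc = conv->conv(1, msgs, &resp, conv->appdata_ptr);
    if (rc != PAM_SUCCESS || !resp || !resp[0].resp) { free(resp); return PAM_CONV_ERR; }
    *otp_out = resp[0].resp; /* caller frees the string */
    free(resp);
    return PAM_SUCCESS;
}

/* Application side, sshd's role: the "keystrokes" are a constructed string in appdata_ptr. */
static int demo_conv(int n, const struct pam_message **m, struct pam_response **r, void *data) {
    const char *typed = data;
    if (!(*r = calloc(n, sizeof **r))) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) { /* ECHO_ON shows the digits, ECHO_OFF shows nothing */
        printf("%s%s\n", m[i]->msg, m[i]->msg_style == PAM_PROMPT_ECHO_ON ? typed : "");
        (*r)[i].resp = strdup(typed);
    }
    return PAM_SUCCESS;
}
```

With `hide_otp_input` on the pam.d line the prompt goes out as PAM_PROMPT_ECHO_OFF and the conversation function prints only the prompt; without it the same six digits are echoed back.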

@throw1008a (Author)

Thanks.

This option is "documented" in the comments of src/pam_linotp.c: perhaps mentioning it in the README or something would be more helpful.

@cron2

cron2 commented Apr 20, 2020

I agree. Having the PAM options documented in a more easy-to-find way would be good.

(I am not one of the authors and do not have write access to the repo... I just contributed before, and have been waiting for PR#6 to be merged for about two years. Seems this project is fairly dead... someone should fork and revive it)
