On 4/13/25 6:36 PM, Sam Varshavchik wrote:
> ToddAndMargo via users writes:
>
>> On Android and iOS I like Red Hat's FreeOTP.
>
> I was referring to
>
> $ dnf info google-authenticator
> Updating and loading repositories:
> Repositories loaded.
> Available packages
> Name           : google-authenticator
> Epoch          : 0
>
> The fact that it's available in Fedora means that it is free and open source software.
>
> You said that you are "not real comfortable using Google software". If that only means that you are not comfortable using anything that's authored, owned or controlled by Google, or has their name on it, then that's certainly your right to do that.
>
> But if you were concerned about using software that's irrevocably tied with, and requires using Google services, and wouldn't work without them, then I strongly doubt that this is the case here. Even if this is a full-blown TOTP implementation, then Google services will have absolutely no involvement, whatsoever, except when it's used to authenticate a Google account. The way that TOTP works, authenticating involves communications directly between the two involved parties, with no third party involvement.
>
> But that's not even the case here. The Fedora package includes a helpful URL to the github repo, with a README that loudly states that "this project is not about logging in to Google, Facebook, or other TOTP/HOTP second factor systems, even if they recommend using the Google Authenticator apps". It's a PAM plug-in.
>
> I have not browsed the pitiful little amount of source code in that github repo. The compiled code is about a 100 KB runtime, according to dnf, which by modern standards is just a little bit more than random padding. A five minute browse shows it to be just an implementation of a couple of public algorithms, and that's about it. I see hmac.c, sha1.c, and base32.c. I coded my very own version of two of them more than thirty years ago, plus base64 instead of base32. Me, and probably countless other hacker-wanna-bes. That looks like about half the source code. If Google tried to covertly slip in some code in there that uploaded the secret keys to the mothership, the resulting sh1tstorm would …not be worth it.
>
> And when their warez gets used to set up the keys, those keys can be used with any TOTP app, not just Google Authenticator. It's an open standard. Give me a QR code from this thing, I'll scan it with Authy, and use it to generate all the codes I need.
>
> So: if you don't like using anything with a Google name on it, then don't use it. Otherwise, I would try using keywords like "totp pam module" with your favorite search engine and then try your luck to see if any result is also a Fedora package.

Hi Sam,

I feel much more comfortable after your wonderful explanation.

> But if you were concerned about using software that's irrevocably tied
> with, and requires using Google services, and wouldn't work without
> them, then I strongly doubt that this is the case here.

This is why I asked:

Using Authy or Google Authenticator for 2FA with XRDP:

https://github.com/neutrinolabs/xrdp/wiki/Using-Authy-or-Google-Authenticator-for-2FA-with-XRDP

The article is not clear, or I am missing whether I can limit
the 2FA to xRDP only.  If the console gets included, I will be writing
you guys to see if you know of an easy-to-remove tar and feathers.

-T

--
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue