1. 48
  2. 7

    Frankly, this is really cool

    1. 1

      Agreed, the reasoning behind it is awesome too!

    2. 6

      Sorry to be that guy but isn’t the article talking about a TOTP suffix on the IPv6 address?

      1. 8

        TOTP suffixes, but it’s abusing the AWS IPv6 prefixes feature.

        1. 2

          yeah, open an issue on the repo, I’d say

        2. 2

          If it’s stupid, but it works … it’s not stupid.

          Well, maybe sometimes it’s a little bit dumb. I’ll take dumb but solves a problem over not solving the problem though.

          1. 1

            It does expose your TOTP code to the network.

            1. 1

              It is a fun hack, nothing anyone should use.

              1. 2

                I feel like maybe we should discuss that…

                Is it exposing your TOTP code to the network? Isn’t the whole point of TOTPs that anyone knowing the TOTP would not expose the underlying algorithm?

                Is it even possible to guess a TOTP given knowledge of n previous TOTPs? I do know it’s fairly easy to brute-force a TOTP when there is no rate limiting in place, and I think this would definitely be one of those cases.

                1. 2

                  Since it’s time-based, and nothing that I see (from my quick skim) is keeping track of which codes have been used, a network observer who sees what IP addresses you’re talking to should be able to bypass your TOTP protection as long as they connect to the same IP address within that 30-second window or whatever.

                  1. 2

                    I checked a few TOTP implementations out there and not all of them invalidate codes after use. Github for example happily accepts the same code multiple times within the same time period.

                    I agree that blacklisting codes after use is good practice, but it’s just one more safety measure. Only checking the TOTP without blacklisting is not the same as not checking a TOTP.

                    1. 1

                      Github for example happily accepts the same code multiple times within the same time period.

                      That’s against the specs and a pretty serious bug. It’s called “one time” for a reason.

                    2. 1

                      If they can guess the IP then they have already broken your TOTP anyway…

                      1. 4

                        Somebody who can watch your IP traffic (watch, not decrypt!) does not need to guess the IP.

                        1. 3

                          Sure, but they still would need the SSH key to access the machine.

                          1. 1

                            TOTP is supposed to be the second factor that protects you when someone has stolen your first factor. If your security is only as good as the first factor, then you don’t have 2FA.

                          2. 2

                            Oh, sure, so they have a handful of seconds to try cracking your password before it rotates.

                            1. 1

                              Yes, so at least it would provide that much protection – reducing the window of exposure.

                              1. 0

                                Absolutely; that’s why a solution like fail2ban is probably the better idea and more comfortable to use.

                    3. 1

                      How? All the IP addresses exist, it just changes the firewall rules. You would have to brute-force the code in the time to find it, no?

                      1. 2

                        No TLS for the TOTP “code”, it’s plain in the connection IP.