ToddAndMargo via users writes:
On Android and IOs I like Red Hat's Free OP. I was referring to $ dnf info google-authenticator Updating and loading repositories: Repositories loaded. Available packages Name : google-authenticator Epoch : 0
The fact that it's available in Fedora means that it is free and open source software.
You said that you "not real conformable using Google software". If that only means that you are not comfortable using anything that's authored, owned or controlled by Google, or has their name on it, then that's certainly your right to do that.
But if you were concerned about using software that's irrevocably tied with, and requires using Google services, and wouldn't work without them, then I strongly doubt that this is the case here. Even if this is a full-blown TOTP implementation, then Google services will have absolutely no involvement, whatsoever, except when it's used to authenticate a Google account. The way that TOTP works, authenticating involves communications directly between the two involved parties, with no third party involvement.
But that's not even the case here. The Fedora package includes a helpful URL to the github repo, with a loud READMEs that "this project is not about logging in to Google, Facebook, or other TOTP/HOTP second factor systems, even if they recommend using the Google Authenticator apps". It's a PAM plug- in.
I have not browsed the pitiful little amount of source code in that github repo. The compiled code is about a 100kb runtime, according to dnf. Which by modern standards is just a little bit more than random padding. A five minute browse shows it to be just an implementation of a couple of public algorithms, and that's about it. I see hmac.c, sha1.c, and base32.c. I coded my very own version of two of them more than thirty years ago, plus base64 instead of base32. Me, and probably a countless other hacker-wanna-bes. That looks like about half the source code. If Google tried to covertly slip in some code in there, that uploaded the secret keys to the mothership, the resulting sh1tstorm would …not be worth it.
And their warez gets used to set up the keys, those keys can be used with any TOTP app, not just Google Authenticator. It's an open standard. Give me a QR code from this thing, I'll scan it with Authy, and use it to generate all the codes I need.
So: if you don't like using anything with a Google name on it, then don't use it. Otherwise, I would try using keywords like "totp pam module" with your favorite search engine and then trying one's luck to see if any result is also a Fedora package.
Attachment:
pgpzwtaZmfSAC.pgp
Description: PGP signature
-- _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
