Thanks for reporting back so fast. I live in the Netherlands, so we might have a bit of a time difference.
Reviewed edits have already been made on the following pages:

http://askubuntu.com/questions/159727/how-can-i-use-a-passcode-generator-for-authentication-for-remote-logins
http://askubuntu.com/questions/193248/google-authenticator-for-desktop-lightdm-or-gdm-plugin

But I do agree with your view that modifying PAM configurations automatically and without user interaction is extremely dangerous, because it goes against user expectations and might indeed make matters worse. The package itself does not install any configuration in any pam.d modules like sshd or lightdm/gdm, and I do not intend to change that either, for the same reasons.

Removing google-authenticator from the Ubuntu and/or Debian repository also effectively changes the security configuration. So there are a few options left:

* warning users interactively at an update when they have google-authenticator installed
* ring some bells at security authorities and tech media to alert people about this
* Think, think, think.

Hope you can help me with this.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1491597

Title:
  brute force attack on password possible on many existing google-authenticator setups

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs