Provided by: pwdsphinx_1.0.18-3_all 
NAME
oracle - server for the SPHINX password manager
SYNOPSIS
oracle
DESCRIPTION
The SPHINX protocol only makes sense if the server (called oracle) is somewhere else than
where you type your password, pwdsphinx comes with a server implemented in python3 which
you can host off-site from your usual desktop/smartphone.
The server can be started simply by running oracle it does not take any parameters.
CONFIGURATION
The server can be configured by any of the following files:
• /etc/sphinx/config
• ~/.sphinxrc
• ~/.config/sphinx/config
• ./sphinx.cfg
Files are parsed in this order, this means global settings can be overridden by per-user
and per-directory settings.
The server can be configured by changing the variables in the [server] section of the
config file.
The address is the IP address on which the server is listening, default is localhost - you
might want to change that.
The port where the server is listening is by default 2355. Another recommended values is
to use port 433 which is allowed by most firewalls while 2355 is not.
ssl_key and ssl_cert must be specified, they point at a traditional TLS certificate and
secret key file. It is recommended to not use self-signed certs, but to use certs that
signed by CAs that are recognised widely by browsers and other TLS clients.
datadir specifies the data directory where all the device “secrets” are stored, this
defaults to “data/” in the current directory. You might want to back up this directory
from time to time to an encrypted medium.
verbose enables logging to standard output.
timeout sets the timeout for any connection the server keeps open.
max_kids sets the number maximum requests handled in parallel. The timeout config
variable makes sure that all handlers are recycled in predictable time.
rl_decay specifies the number of seconds after which a ratelimit level decays to an easier
difficulty.
rl_threshold increase the difficulty of ratelimit puzzles if not decaying.
rl_gracetime gracetime in seconds added to the expcted time to solve a rate-limiting
puzzle.
SECURITY CONSIDERATIONS
The configuration values max_kids and timeout can be used to tune how many requests are
served in parallel and how long each request is allowed to take before it gets killed. An
attacker might be able to run a denial-of-service attack against your server, by keeping
all max_kids connections “occupied”.
Since the server does only know about failed authorizations for management operations, but
not about correctness of master passwords for get requests, there is no way to mitigate
master password bruteforce attempts aside from ratelimiting. By tuning the configuration
variables starting with rl_ it is possible to configure this. If you have clients that
have less than 1G RAM, it might be possible to increase the difficulty to the maximum
level where those devices will not be able to solve the ratelimting puzzles. Rate-
limiting in general should not be noticable, only if dozens of get requests are served to
the same record. At the highest level the solution should take about 20-40 seconds
(depending on your cpu).
REPORTING BUGS
https://github.com/stef/pwdsphinx/issues/
AUTHOR
Written by Stefan Marsiske.
COPYRIGHT
Copyright © 2023 Stefan Marsiske. License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html>. This is free software: you are free to change and
redistribute it. There is NO WARRANTY, to the extent permitted by law.
SEE ALSO
sphinx(1), getpwd(1)
oracle(1)