Intro
I have always liked two-factor authentication systems, such as the one described in an old post about pamusb, and similar ones.
Now I have been looking into the lack of authentication systems on Linux based on hardware one-time password generators (to be clear: the small devices you use to log in to your bank's web portal).
Looking around, MOTP (Mobile One Time Password) seems to be the simplest one, for the following reasons:
- It is fully open source.
- It runs on Linux as well as on Solaris and (I think) all other POSIX systems.
- It has a lot of clients around: for my Android device, for iPhone, web pages and so on.
- It can be integrated either with a RADIUS server or simply through PAM.
I don't know its exact level of security (especially if the random seed is not adequately protected), but at the moment it works and it's fun!
So, let’s try to install it:
Download
First of all you have to download:
- The MOTP script to check the password (useful for checking before applying changes)
- The PAM module (to be compiled)
- The client. I use this, for Android.
Compile the PAM module
The dependency needed to compile the PAM module is libpam0g-dev. You can install it using aptitude.
- Unpack pam_mobile_otp-0.6.1.tgz
- Enter the directory and run the make command
- An executable file called pam_mobile_otp.so, together with another one, motp-manager, should be created. The first is the actual PAM module; motp-manager is a helper for editing the configuration file (but it is better to edit it by hand).
Install the PAM module
WARNING: THIS INFORMATION CAN DAMAGE YOUR AUTHENTICATION SYSTEM. IF SOMETHING GOES WRONG YOU MAY NOT BE ABLE TO LOG IN ANYMORE, SO ALWAYS KEEP A SHELL OPEN (PREFERABLY AS ROOT) ON YOUR COMPUTER UNTIL YOU HAVE TESTED IT EXTENSIVELY.
- Copy the motp.conf file into /etc/security/
- Copy pam_mobile_otp.so into /lib/security/
- Create the /var/cache/motp/ directory
- Edit the /etc/security/motp.conf file, choosing:
  - A username (it must be the username you use to log on to your computer). If you also use the “root” user via ssh, you have to add another line to the file with the first field changed to “root”.
  - A secret key (also called seed). It must be a 20-character hexadecimal password, like 02e5c2f981aa2c893b0b. This must also be entered into your client.
  - A 4-digit PIN.
  - The timezone. “0” means the GMT timezone. For me, for example, it is 2.
- Delete the standard entry (test 1234567890abcdef 1234 0).
- Remember that any user present on the system but not listed in this file will no longer be able to log in via ssh.
- Edit /etc/pam.d/sshd, commenting out
@include common-auth
and adding these lines:
auth sufficient /lib/security/pam_mobile_otp.so not_set_pass
password required /lib/security/pam_mobile_otp.so debug
account required /lib/security/pam_mobile_otp.so
- Restart the ssh server
Install the application on Android
You can install Mobile-OTP.apk by opening it with a file manager such as Astro or similar. You have to enable third-party applications in Settings -> Applications -> Unknown sources.
There you must set the secret key and the PIN.
Final check and test
First we have to check that the time set on the PDA and on the PC are as close as possible. On the Linux box type
date +%s
and compare it with the time shown by the mOTP application on the phone (menu -> Time).
Now we can try to connect via SSH to the Linux box. Remember that the shell you kept open is your safety net in case you cannot get in.
If you can't get in, try setting the timezone field in /etc/security/motp.conf to 0.
Links
Official website: there are a lot of useful options, scripts and examples at http://motp.sourceforge.net/
Two clients for when you don't have your PDA (but you have the key): one and two.
You have to use the first 9 digits of the date +%s output.
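To make the time-drift and timezone checks above concrete, here is a small MOTP token generator and server-side verifier written for this page (it is not the project's own code or the PAM module). It uses the post's example seed and the PIN from the default motp.conf entry as constructed demo values; applying the timezone field as a whole-hour shift, the 180-second acceptance window and the in-memory replay set (standing in for /var/cache/motp/) are assumptions of this example.

```python
import hashlib
import hmac

# Constructed demo values (not a real secret): the post's example seed and
# the PIN from the default motp.conf entry that the post tells you to delete.
SECRET = "02e5c2f981aa2c893b0b"
PIN = "1234"


def motp_token(epoch, secret, pin, tz_hours=0):
    """Mobile-OTP token for one Unix time.

    MOTP keeps only the first 9 digits of the 10-digit epoch (10-second
    slots, the "first 9 digits of date +%s" rule from the post) and returns
    the first 6 hex chars of MD5(epoch9 + secret + pin).  Applying the
    motp.conf timezone field as a whole-hour shift is an assumption here.
    """
    if len(secret) != 20 or set(secret.lower()) - set("0123456789abcdef"):
        raise ValueError("secret must be 20 hex characters")
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("pin must be 4 digits")
    slot = (epoch + tz_hours * 3600) // 10          # == first 9 digits
    digest = hashlib.md5(f"{slot}{secret}{pin}".encode("ascii")).hexdigest()
    return digest[:6]


class MotpVerifier:
    """Server-side check with a clock window and a replay cache: the role
    the PAM module plays (the set stands in for /var/cache/motp/)."""

    def __init__(self, secret, pin, tz_hours=0, window=180):
        self.secret, self.pin, self.tz, self.window = secret, pin, tz_hours, window
        self.used = set()   # tokens already accepted; a second use is refused

    def verify(self, candidate, now):
        candidate = candidate.lower()
        if len(candidate) != 6 or candidate in self.used:
            return False                              # malformed or replayed
        start = (now - self.window) // 10 * 10        # first 10-second slot
        for t in range(start, now + self.window + 1, 10):
            expected = motp_token(t, self.secret, self.pin, self.tz)
            if hmac.compare_digest(expected, candidate):
                self.used.add(candidate)
                return True
        return False                                  # clock drift too large
```

Run the phone-side `motp_token` with the device's epoch and the verifier with the server's epoch: if the two clocks differ by more than the window, or the timezone field is wrong by an hour, the login fails exactly as described in the final check section.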
How can I contact the author?
I am trying to make this work on Fedora. I have put the three lines in /etc/pam.d/sshd above. It refuses bad one-time-passwords with passcode not accepted and writes nothing into /var/log/messages otherwise. Only it does not let me in. What other PAM clauses should I put into /etc/pam.d/sshd if I want my users to log in with motp?
Hi, here is the official website: http://motp.sourceforge.net/
Sorry, I was not clear, I meant the author of this page. Is that you? It is not clear for me what other rules I should give beside the three above in /etc/pam.d/sshd to actually let the user log in.
The rules to pam I’ve mentioned are sufficient, but I’ve tested only in Debian/Ubuntu.
Don’t know about PAM configuration in Fedora, did you try?
Yes, I tried, and debugging it I see that on good passcodes the PAM module is silent, and on any bad code it complains in /var/log/messages.
But it does not let me in, i.e. the connection is refused.
It is not clear what I should comment out or rewrite:
#%PAM-1.0
auth sufficient /lib64/security/pam_mobile_otp.so not_set_pass debug maxdiff=36000
password required /lib64/security/pam_mobile_otp.so debug
account required /lib64/security/pam_mobile_otp.so debug
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Switching to a non-root user in motp.conf made it work. Do you have any idea why there is this limitation and how I can overcome it?