I have always liked two-factor authentication systems, as described in an old post about pamusb, and similar ones.
Now I have tried to understand why Linux lacks authentication systems based on hardware one-time password generators (to be clear: these are the small devices you use to log in to your bank's web portal).
Looking around, it seems that MOTP (Mobile One Time Password) is the simplest one, for the following reasons:
- It is fully open source.
- It runs on Linux as well as on Solaris and (I think) all other POSIX systems.
- It has a lot of clients around: for my Android device, for iPhone, web pages and so on.
- It can be integrated either with a RADIUS server or simply using PAM.
I don't know its exact level of security (especially if the random seed is not adequately protected), but at the moment it works and it's fun!
So, let’s try to install it:
First of all you have to download:
- The MOTP script to check the password (useful to check before applying changes)
- The PAM module (to be compiled)
- The client. I use this one, for Android.
Compile the PAM module
The only dependency needed to compile the PAM module is libpam0g-dev; you can install it using aptitude.
- Unpack the pam_mobile_otp-0.6.1.tgz
- Enter the directory and give the
- A shared object called pam_mobile_otp.so, together with a binary called motp-manager, should be created. The first one is the actual PAM module; motp-manager is a helper to edit the configuration file (but it is best to edit it by hand).
Install the PAM module
WARNING: THIS INFORMATION CAN DAMAGE YOUR AUTHENTICATION SYSTEM. IF SOMETHING GOES WRONG YOU MAY NOT BE ABLE TO LOG IN ANYMORE, SO ALWAYS KEEP A SHELL OPEN (PREFERABLY AS ROOT) ON YOUR COMPUTER UNTIL YOU HAVE TESTED IT EXTENSIVELY.
- Copy the motp.conf file into /etc/security/
- Copy pam_mobile_otp.so into /lib/security/
- Create the /var/cache/motp/ directory
- Edit the /etc/security/motp.conf file, choosing:
- A username (it must be the username you use to log on to your computer). If you also use the "root" user via ssh, you have to add another line to the file, changing the first field to "root".
- A secret key (also called seed). It must be a 20-character hexadecimal string, like 02e5c2f981aa2c893b0b. The same value must also be entered into your client.
- A 4-digit PIN.
- The timezone offset. "0" means the GMT timezone; for me, e.g., it is 2.
- Delete the standard entry (test 1234567890abcdef 1234 0).
- Remember that any user present on the system but not listed in this file will not be able to log in via ssh.
- Edit /etc/pam.d/sshd, commenting out
and adding these lines:
auth sufficient /lib/security/pam_mobile_otp.so not_set_pass
password required /lib/security/pam_mobile_otp.so debug
account required /lib/security/pam_mobile_otp.so
- Restart the ssh server.
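To see what the module is actually checking once those lines are in place, here is an added example (my own code, not part of the pam_mobile_otp project) that parses a motp.conf line in the user/secret/pin/timezone format used above and verifies a token with the published mOTP algorithm: the token is the first 6 hex digits of MD5(epoch seconds divided by 10, as a decimal string, followed by the secret and the PIN), and the server accepts tokens within a window of ±3 minutes. The way the timezone field is applied (as an hour offset added to the server's epoch time) and the use of an in-memory set in place of the module's /var/cache/motp/ directory for replay protection are my assumptions about how the module behaves. The configuration embedded below is the module's own default test entry, not a real secret.

```python
import hashlib
import hmac
import time

# Constructed sample configuration in the motp.conf format
# (fields: user, secret, pin, timezone offset in hours).
# This is the module's default test entry, NOT a real secret.
SAMPLE_CONF = """# user secret pin tz
test 1234567890abcdef 1234 0
"""

# mOTP servers tolerate +/- 3 minutes of clock skew; a step is 10 seconds.
WINDOW_STEPS = 18


def parse_conf(text):
    """Parse motp.conf lines into {user: (secret, pin, tz_hours)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError("malformed motp.conf line: %r" % line)
        user, secret, pin, tz = parts
        entries[user] = (secret.lower(), pin, int(tz))
    return entries


def motp_token(secret, pin, epoch_seconds, tz_hours=0):
    """Published mOTP algorithm: first 6 hex digits of
    MD5(str(epoch // 10) + secret + pin). tz_hours models the
    timezone field of motp.conf (assumption: hours added to epoch time)."""
    step = (int(epoch_seconds) + tz_hours * 3600) // 10
    material = ("%d%s%s" % (step, secret, pin)).encode("ascii")
    return hashlib.md5(material).hexdigest()[:6]


class Verifier:
    """Server-side check: time window plus replay protection."""

    def __init__(self, entries):
        self.entries = entries
        # Stands in for the module's /var/cache/motp/ cache of used tokens.
        self.used = set()

    def verify(self, user, token, now=None):
        if user not in self.entries:
            return False  # users absent from motp.conf cannot log in
        secret, pin, tz = self.entries[user]
        token = token.lower()
        if (user, token) in self.used:
            return False  # an accepted token is never valid twice
        now = time.time() if now is None else now
        # Walk the +/- 3 minute window in 10-second steps.
        for delta in range(-WINDOW_STEPS, WINDOW_STEPS + 1):
            candidate = motp_token(secret, pin, now + delta * 10, tz)
            if hmac.compare_digest(candidate, token):
                self.used.add((user, token))
                return True
        return False


if __name__ == "__main__":
    entries = parse_conf(SAMPLE_CONF)
    v = Verifier(entries)
    now = int(time.time())
    tok = motp_token("1234567890abcdef", "1234", now)
    print("token", tok, "accepted:", v.verify("test", tok, now=now))
    print("replayed token accepted:", v.verify("test", tok, now=now))
```

The window is why the final time check below matters: a phone clock more than three minutes off the server's produces tokens that fall outside the accepted steps, and a wrong timezone field shifts the window by whole hours, which is exactly the "set it to 0" troubleshooting step at the end of the post.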
Install the application on Android
You can install Mobile-OTP.apk by opening it with a file manager such as Astro or similar. You have to enable third-party applications in Settings -> Applications -> Unknown sources.
There you must set the secret key and the PIN.
Final check and test
First we have to check that the time set on the PDA and on the PC is as close as possible. On the Linux box type
and then on the mOTP application on the phone (menu -> Time).
Now we can try to connect via SSH to the Linux box. Remember that the shell you kept open is your safety net in case you cannot get in.
If you can't log in, try setting the timezone field in /etc/security/motp.conf to 0.
Official website: there are a lot of useful options, scripts and examples at http://motp.sourceforge.net/