Tuesday, September 3, 2013

One-time passwords with phone-token

Going on vacation? Maybe you don't want to enter your password on a shared computer in a rough hostel? Enter OATH!

Server side, as root:

Pre-requisite:
Open a root shell and keep it open (if you break PAM by any chance, it's really hard to log in again).
Make sure that your clock is correct! (install ntp; time-based OTPs only work if the server's and the phone's clocks agree)

Time to edit PAM:
vi /etc/pam.d/ssh

Comment out the:
# Standard Un*x authentication.
#@include common-auth

Instead, put this in there:
auth    sufficient     pam_unix.so nullok_secure
# OATH OTP
auth    required     pam_oath.so usersfile=/etc/users.oath

The reason we comment out the @include common-auth is that it would prompt for the regular password before the OTP, which we don't want. Or leave it in if you want two-factor auth.

Edit OpenSSH config file:
vi /etc/ssh/sshd_config

Change ChallengeResponseAuthentication from no to yes:
ChallengeResponseAuthentication yes

Restart sshd:
/etc/init.d/sshd restart

Now, let's add users to /etc/users.oath:
echo "HOTP/T30/6 user - $(head -c 1024 /dev/urandom | openssl sha1 |awk '{print $2}')" >>/etc/users.oath

Change "user" above to the username that should be able to use OATH. The output should look like this:
HOTP/T30/6 jolt - XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Change the permissions on the file so that only root can read it:
chmod 0600 /etc/users.oath

Now the server side is complete.

Token:
Time to install OATH Token on your phone (or some other compatible OATH token software). Enter the hex secret from the config file under "Token Secret Key", and set OATH Token to be time-based.


As soon as you open OATH Token it will generate a new number that is valid for 30 seconds. Login and enjoy!

"Lock down token" makes sure that the secret is never displayed again, which is a really nice touch.
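To see what pam_oath and the phone app are actually agreeing on, here is an added example (not code from this post or from the oath-toolkit, which implements pam_oath in C) that reimplements the HOTP/T30/6 scheme in Python: it parses a line in the /etc/users.oath format shown above, derives the 6-digit code from the hex secret and the current 30-second time step, and checks a submitted code with a one-step tolerance window the way a server would. It assumes, as oath-toolkit does, that the hex string in the file is the raw HMAC-SHA1 key and that "-" in the third field means no PIN; the entry it builds for demonstration uses the RFC 4226 test secret, not a real one.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(time / step).
    'HOTP/T30/6' in users.oath is exactly this with step=30, digits=6."""
    return hotp(secret, unix_time // step, digits)


def parse_users_oath_line(line: str) -> dict:
    """Parse one 'HOTP/T30/6 user - hexsecret' entry.
    Scheme fields: 'HOTP', then optionally 'T<seconds>' (time-based) or 'E'
    (event-based), then the number of digits. Assumes the oath-toolkit layout."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError("expected: scheme user pin secret")
    scheme, user, pin, hexsecret = fields
    parts = scheme.split("/")
    if parts[0] != "HOTP":
        raise ValueError("unsupported scheme: %s" % scheme)
    step, digits = None, 6
    for part in parts[1:]:
        if part.startswith("T"):
            step = int(part[1:])
        elif part == "E":
            step = None
        elif part.isdigit():
            digits = int(part)
        else:
            raise ValueError("bad scheme field: %s" % part)
    return {
        "user": user,
        "pin": None if pin == "-" else pin,
        "step": step,
        "digits": digits,
        "secret": bytes.fromhex(hexsecret),
    }


def verify_totp(entry: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept `code` if it matches the current step or any step within
    +/- `window` steps (clock drift tolerance). Uses a constant-time compare."""
    if entry["step"] is None:
        raise ValueError("entry is event-based, not time-based")
    base = unix_time // entry["step"]
    for delta in range(-window, window + 1):
        expected = hotp(entry["secret"], base + delta, entry["digits"])
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed entry: same format as the post's echo line, but the secret is the
# RFC 4226 test key "12345678901234567890" in hex, not a secret anyone should use.
SAMPLE_LINE = "HOTP/T30/6 jolt - 3132333435363738393031323334353637383930"


def current_code_for(line: str = SAMPLE_LINE) -> str:
    """What the phone app would display right now for this users.oath entry."""
    entry = parse_users_oath_line(line)
    return totp(entry["secret"], int(time.time()), entry["step"], entry["digits"])


if __name__ == "__main__":
    entry = parse_users_oath_line(SAMPLE_LINE)
    print("user=%s step=%s digits=%d" % (entry["user"], entry["step"], entry["digits"]))
    print("code now:", current_code_for())
```

The tolerance window is the part worth noticing: without it, a phone that is a few seconds behind the server produces codes the server has already moved past, which is why the clock warning above matters.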