One Time Passwords on Linux
From FreeAuth Wiki
Notes about FreeAuth for OTP
One time passwords are great, since in most cases you don't need anything more than a Java-enabled phone.
This page gives you a quick rundown of how to secure your computers with them.
I had two goals when I was originally playing with this. Firstly, to secure my laptop: the way I ended up setting up PAM lets me use FreeAuth for everything from GDM login to authenticating against the screen saver.
Secondly, it lets me use one time passwords instead of root passwords; having dealt extensively with colocated servers, I can give remote hands a one time password instead of the root password.
So far I've included instructions for people using Debian/Ubuntu, since that's what I use, but I've also included details for CentOS. Please update the page with any distro-specific notes you encounter, especially differences in PAM configurations.
Installing the FreeAuth MIDlet on your phone
Please see our wiki page on the FreeAuth MIDlet; it has details on where and how to get it, how to install it, and how to use it, complete with screen shots.
Server Installations
pam_freeauth is based on pam_mobile_otp, written by Sebastian Korff, but has been extended to implement the FreeAuth protocol.
Installing FreeAuth on your Debian based computer
To compile pam_freeauth, you will need to install the pam headers. To get these you can simply do:
apt-get install libpam0g-dev
Other distros may have these headers already installed, so you might be able to skip this step.
Build the pam_freeauth module (see below).
Finally you need to edit /etc/pam.d/common-auth, and change:
auth required pam_unix.so nullok_secure
to:
auth sufficient pam_unix.so nullok_secure
auth required pam_freeauth.so use_first_pass
And you also need to edit /etc/pam.d/common-password, and change:
password required pam_unix.so nullok obscure min=4 max=8 md5
to:
password sufficient pam_unix.so nullok obscure min=4 max=8 md5
password required pam_freeauth.so use_first_pass
There are a number of ways to configure pam_freeauth other than use_first_pass (see the README for details). I chose this method because it prompts the user for the password and passcode only once, rather than prompting for a system password and then for a passcode.
Alternatively, you can simply remove the pam_unix.so line if you no longer wish to allow users to authenticate against the shadow password file.
Installing FreeAuth on your CentOS based computer
You will need to install the pam headers as well, under CentOS you can simply do:
yum install libpam-devel
Other distros may have these headers already installed, so you might be able to skip this step.
Build the pam_freeauth module (see below).
Finally you only need to edit /etc/pam.d/system-auth, and change:
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
and:
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5
to:
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_freeauth.so use_first_pass
and:
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password sufficient /lib/security/pam_freeauth.so use_first_pass
There are a number of ways to configure pam_freeauth other than use_first_pass (see the README for details). I chose this method because it prompts the user for the password and passcode only once, rather than prompting for a system password and then for a passcode.
Alternatively, you can simply remove the pam_unix.so line if you no longer wish to allow users to authenticate against the shadow password file.
Building the module
Next you will need to grab the PAM FreeAuth module; you can get it as a tarball or from our SVN repository:
wget http://www.freeauth.org/images/pam_freeauth.tgz
tar xzvf pam_freeauth.tgz
Next jump into the pam_freeauth directory, then compile and install.
cd pam_freeauth
make clean
make install
Compile options
Some versions of GCC need -fno-stack-protector added to the compile line; I only have one system that needs this, and it is running a bleeding edge version of gcc. Note that this flag turns off GCC's stack-smashing protection for the module, so only add it on the systems that actually fail to build without it.
Configuring
From here it can be a little tricky, because you need to match the timezone on your computer to the timezone on your phone, and the time on both needs to be pretty close as well. By default the module allows +/- 3 minutes for you to enter the passcode into the computer after generating it.
Firstly, copy freeauth.conf into /etc/security and update the permissions:
cp -a freeauth.conf /etc/security
chmod 600 /etc/security/freeauth.conf
Next, edit /etc/security/freeauth.conf, remove the example line and replace it with the username and shared secret for each account you want to access. You can even use the same shared secret for multiple accounts, but ideally you should use a different shared secret for each purpose; otherwise, if one secret is compromised, every account that shares it is compromised too.
For example:
root 71ee089e623af879
root 623af87971ee089e
root 623af87971ee089e
user 623af87971ee089e
You will also need to make a cache directory for FreeAuth and copy the PAM module into /lib/security.
mkdir -p /var/cache/freeauth/
chmod 700 /var/cache/freeauth/
Debugging Time Zones
On the timezone configuration page of the FreeAuth MIDlet you can view the generated time stamp that the phone thinks is valid. You can print out the corresponding time stamp on the server with the following command:
echo "`date +%s` / 60" | bc
You should never need to set the offset in the freeauth.conf file; it should only be set on phones where it's actually needed.
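To make the moving parts of the Configuring and Debugging Time Zones sections concrete (the one-minute time step, the +/- 3 minute window, the "user secret" lines in freeauth.conf and the replay cache), here is an added Python illustration. It is not FreeAuth's code: the passcode function is an HMAC-SHA1 stand-in with RFC 4226-style truncation, not the MIDlet's actual algorithm, which this page does not specify; the sample freeauth.conf and its comment syntax are constructed, the per-phone offset is not modelled, and the in-memory set of used steps only approximates whatever the module keeps under /var/cache/freeauth/.

```python
import hashlib
import hmac
import struct
import time

# Constructed stand-in for /etc/security/freeauth.conf in the "user secret" form
# the page shows. The hex secrets are made-up sample values, not real credentials.
SAMPLE_CONF = """# comment and blank lines are skipped (an assumption; the page does not say)
root 71ee089e623af879
root 623af87971ee089e
user 623af87971ee089e
"""

WINDOW_STEPS = 3  # the page's default: +/- 3 minutes around the server's clock


def parse_freeauth_conf(text):
    """Return {username: [secret_bytes, ...]} from 'user hexsecret' lines.

    One user may appear on several lines with different secrets, as in the
    page's example; identical repeated lines are collapsed. The optional
    per-phone offset the page mentions is not modelled here."""
    store = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("malformed freeauth.conf line: %r" % raw)
        user, hexsecret = parts
        secret = bytes.fromhex(hexsecret)
        secrets = store.setdefault(user, [])
        if secret not in secrets:
            secrets.append(secret)
    return store


def time_step(unix_seconds):
    """One step per minute: the same floor(now / 60) the page computes on the
    server (equivalent to: echo "$(date +%s) / 60" | bc)."""
    return int(unix_seconds) // 60


def passcode(secret, step, digits=6):
    """Illustrative passcode derivation: HMAC-SHA1 over the 64-bit step number
    with RFC 4226 dynamic truncation. It has the same shape as a phone-generated
    OTP (shared secret + time step -> short code) but is NOT the FreeAuth
    MIDlet's real algorithm, which the page does not describe."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % (10 ** digits))


def verify(store, user, code, now, used, window=WINDOW_STEPS):
    """Accept `code` for `user` if it matches one of the user's secrets at some
    step within +/- `window` of the server's current step, and that step has
    not already been consumed. `used` is a set of (user, step) pairs playing
    the role of the page's /var/cache/freeauth/ replay cache (whose on-disk
    format the page does not describe)."""
    step_now = time_step(now)
    for secret in store.get(user, []):
        for step in range(step_now - window, step_now + window + 1):
            if hmac.compare_digest(passcode(secret, step), code):
                if (user, step) in used:
                    return False  # replay of an already accepted passcode
                used.add((user, step))
                return True
    return False


def skew_steps(phone_step, now):
    """Difference between the step shown on the MIDlet's timezone page and the
    server's step. Anything outside +/- WINDOW_STEPS cannot authenticate; a
    difference close to a multiple of 60 points at a timezone mismatch rather
    than a slightly wrong clock."""
    return phone_step - time_step(now)


if __name__ == "__main__":
    store = parse_freeauth_conf(SAMPLE_CONF)
    now = time.time()
    used = set()
    code = passcode(store["user"][0], time_step(now))
    print("server step:", time_step(now), "passcode for 'user':", code)
    print("first use accepted:", verify(store, "user", code, now, used))
    print("replay accepted:", verify(store, "user", code, now, used))
    print("phone one hour ahead, skew in steps:", skew_steps(time_step(now) + 60, now))
```

Running the file prints the server's current step and shows the same passcode being accepted once and refused on replay. The skew helper mirrors the page's advice to compare the phone's time stamp with the server's: a difference of about 60 steps means a one-hour timezone mismatch rather than clock drift, and no amount of retyping the passcode will get it inside the +/- 3 step window.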

