Sunday, 7 April 2013

Tip: using oath-toolkit for HOTP/TOTP authentication

I packaged oath-toolkit for Fedora and it is currently submitted for the merge review. The toolkit provides oathtool, which can be used as an HOTP/TOTP generator (e.g. to authenticate against LinOTP). Usage is very simple; for HOTP:
$ oathtool -c COUNTER SEED
And for TOTP:
$ oathtool --totp SEED
The package also provides the library and header files, so more complex applications and GUIs can easily be built on it. A PAM module is also included that lets you use your HOTP/TOTP hardware or software token to authenticate against your machines (e.g. sshd). To enable it for sshd, add the following line to the top of your /etc/pam.d/sshd:
auth sufficient pam_oath.so usersfile=/etc/users.oath window=20 digits=6
This sets up SSH for 6-digit HOTP/TOTP and checks a window of 20 values (the tolerance). Then create the /etc/users.oath file and list the allowed users there together with their prefix passwords (PINs) and seeds, e.g.:
HOTP/T30 root pw 00
HOTP user1 - 01
In the example above, the user root is configured for 30-second TOTP with the prefix password (PIN) pw and seed 00, while user1 has no prefix password and uses the seed 01. Because the file contains seeds and plain-text PINs, do not forget to chown it to root:root and chmod it to 600. For correct operation, "UsePAM yes" and "PasswordAuthentication yes" also need to be set in your /etc/ssh/sshd_config. Currently it may not work correctly with SELinux (for details see the merge review).
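To make the mechanics behind oathtool and the users.oath file concrete, here is an added Python illustration (not code from oath-toolkit or pam_oath) that computes HOTP/TOTP per RFC 4226/6238, parses users.oath lines of the shape shown above, and checks a submitted "PIN+OTP" against a window. The window semantics are my assumption (HOTP: counters ahead of the last one used; TOTP: steps either side of now), and the sample file uses the RFC 4226 test key as the hex seed instead of the toy seeds 00/01.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample users.oath; the seed is the RFC 4226 test key in hex.
RFC_SEED = "3132333435363738393031323334353637383930"
SAMPLE_USERS_OATH = f"HOTP/T30 root pw {RFC_SEED}\nHOTP user1 - {RFC_SEED}\n"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is Unix time divided by the step."""
    return hotp(key, now // step, digits)


def parse_users_oath(text: str) -> dict:
    """Parse lines of the form: TYPE[/Tstep] user PIN-or-dash hexseed."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, user, pin, seed = line.split()
        step = None                                  # None -> event-based HOTP
        if "/T" in kind:                             # "HOTP/T30" -> 30-second TOTP
            step = int(kind.split("/T", 1)[1])
        users[user] = {"step": step, "pin": "" if pin == "-" else pin,
                       "key": bytes.fromhex(seed)}
    return users


def verify(entry: dict, submitted: str, window: int = 20, digits: int = 6,
           now=None, last_counter: int = 0):
    """Check 'PIN+OTP' against one users.oath entry; return the matched counter or None.
    Window semantics are an assumption, not pam_oath's exact algorithm."""
    pin = entry["pin"]
    if not hmac.compare_digest(submitted[:len(pin)], pin):  # constant-time PIN check
        return None
    otp = submitted[len(pin):]
    if entry["step"]:
        base = (int(time.time()) if now is None else now) // entry["step"]
        candidates = range(max(0, base - window), base + window + 1)
    else:
        candidates = range(last_counter, last_counter + window + 1)
    for c in candidates:
        if hmac.compare_digest(hotp(entry["key"], c, digits), otp):
            return c
    return None
```

A real deployment must also persist the last accepted HOTP counter so a code cannot be replayed; that bookkeeping is omitted here.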