Friday, June 07, 2013

Using a time-based OATH token (TOTP) on Debian 7

Debian 7 (wheezy) includes packages for oath-toolkit. This means it is easy to use OATH tokens or mobile apps for authentication. This was already described in a post by Mike Boers:

http://mikeboers.com/blog/2011/05/28/one-time-passwords-for-ssh-on-ubuntu-and-os-x

But now, it's become even easier. Let's say you would like to use Google Authenticator to log in to your SSH server. All you need is to install and configure some software from standard Debian packages. Here goes...



ntpdate

As we are using time-based tokens, make sure the clock is synced. Install ntpdate:

# apt-get install -y ntpdate

and sync your clock:

# ntpdate klokslag.surfnet.nl

oathtool

Install:

# apt-get install oathtool

You should now be able to invoke oathtool in HOTP mode. The sample key from RFC 4226 (the 20-byte ASCII string "12345678901234567890", given here hex-encoded) yields 755224 for counter 0:

$ oathtool 3132333435363738393031323334353637383930
755224

For TOTP, use:

$ oathtool --totp 3132333435363738393031323334353637383930
195659

Of course, you will get a different answer because at the time of writing my clock shows 1370636289 and yours will show something different.

SSH

Edit the file /etc/ssh/sshd_config and set ChallengeResponseAuthentication to yes.
Don't forget to restart the SSH daemon:

# invoke-rc.d ssh restart

PAM

Next step is to configure PAM:

# apt-get install libpam-oath

Edit the file /etc/pam.d/sshd and replace the Unix login with the OATH login:

auth    required     pam_oath.so usersfile=/etc/users.oath

Here, we'll use the test key for the user jodi; the type HOTP/T30/6 selects time-based codes with a 30-second step and 6 digits:

# echo "HOTP/T30/6 jodi - 3132333435363738393031323334353637383930" >> /etc/users.oath
# chmod go-rw /etc/users.oath

Using Google Authenticator

To use an OATH token app like Google Authenticator, use verbose mode to show the base32-encoded secret:

$ oathtool -v --totp 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2013-06-07 20:26:56 UTC (1370636816)
Counter: 0x2B92455 (45687893)

152112

Now, manually enter the secret in Authenticator, or scan an enrolment QR code, which you can generate using qrencode. Install using:

# apt-get install qrencode

and generate a QR code from the otpauth enrolment URL (quoted so the shell does not interpret the ? in it):

$ qrencode 'otpauth://totp/Debian7?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' -o enrol.png

The file enrol.png will look like this:

References

OATH Toolkit: http://www.nongnu.org/oath-toolkit/index.html