One-Time-Passwords using oathtool on Ubuntu 14.04(+)

So I’ve finally found the motivation and the time to set up OTP for my ssh logins!

DISCLAIMER: Let me say upfront that there are plenty of articles on using Google Authenticator, which I didn’t want to use. Since the whole PRISM thing was leaked I try to decentralise my data as much as possible and distrust the big names more, since they are surely a more attractive target than the small players.

After a bit of searching I found oathtool, a piece of software that seems to be relatively well maintained compared to S/KEY and others. The concept is relatively simple: you can choose between two types of OTPs, event based and time based. Event-based OTPs expire once they have been used for an event (e.g. a login); time-based OTPs expire every x seconds (default: x = 30 seconds).

I’ve chosen time based OTPs since I use this method to protect other online accounts like github.com and others. I use my Android device and the “FreeOTP” app to keep track of my time-based OTPs. With TOTPs, the following parameters play a role at creation time:

  • The start time from which to count the TOTPs (see below why I’m not using this).
  • The number of digits each OTP is made up from.
  • A hex (or base32) encoded secret.

Using the “introducing the oath toolkit” article, the README on github, and this doco on code.google.com I managed to get the following going:

# Install oathtool and the PAM module.
sudo aptitude install -y oathtool libpam-oath

# Generate a secret (30 hex characters = 15 bytes = 120 bits).
export HEX_SECRET=$(head -10 /dev/urandom | md5sum | cut -b 1-30)

# Generate the TOTP details, 6 digits long. --verbose also prints the
# base32 form of the secret, the step size and the start time.
oathtool --verbose --totp $HEX_SECRET
# Enter the base32 secret (or the hex secret, if your app accepts it)
# in your OTP app.

# Create and populate the /etc/users.oath file (root-only, mode 0600).
# Line format: <type>/<step> <user> <pin, "-" for none> <hex secret>
# (the secret is briefly visible in the process list while this runs).
sudo touch /etc/users.oath
sudo chmod 0600 /etc/users.oath
sudo /bin/bash -c "echo HOTP/T30 $USER - $HEX_SECRET \
>> /etc/users.oath"

# Forget the secret!
unset HEX_SECRET

# Set up PAM: prepend pam_oath to the sshd stack so the OTP is asked for
# before the password. "requisite" fails the login immediately if the
# OTP is wrong.
sudo sed -i '1i auth requisite pam_oath.so usersfile=/etc/users.oath' \
/etc/pam.d/sshd

# Allow this in sshd and restart. Keep your current session open and
# test from a second terminal, so a PAM mistake cannot lock you out.
sudo sed -Ei -e 's/(ChallengeResponseAuthentication) no/\1 yes/' \
/etc/ssh/sshd_config
sudo service ssh restart

# Test.
ssh localhost
# You should see:
# One-time password (OATH) for `ubuntu':
# Password:
# Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-44-generic x86_64)
# ...

As the example output of the test above shows, if you’ve followed the instructions correctly you will be asked for a TOTP first and then for your user password afterwards. \o/

I’d have liked to set a different start-time for my TOTPs; oathtool supports `--start-time`, however there is no way to enter that in FreeOTP, so it always assumes the default of ‘1970-01-01 00:00:00 UTC’. Took me a while to work that out, I had assumed that the start time was somehow mixed into the base32 secret but that’s not the case.
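To make the parameters listed above concrete, and to show why the start time is not part of the secret, here is an added example that is not from the original post or from the oath-toolkit project: a minimal RFC 4226 HOTP / RFC 6238 TOTP in Python, the algorithm behind `oathtool --totp` and the HOTP/T30 entry in /etc/users.oath, checked against the RFC’s published test vector. The function names and the verify() helper are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example (not from the post or from oath-toolkit): the HOTP/TOTP
# algorithm behind `oathtool --totp` and a HOTP/T30 users.oath entry.
# Function names and verify() are my own.

def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation (RFC 4226 section 5.3) down to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(hex_secret, now=None, digits=6, step=30, start_time=0):
    """TOTP is HOTP with counter = (now - start_time) // step. start_time
    defaults to the Unix epoch (1970-01-01 00:00:00 UTC), the only value
    FreeOTP can use; oathtool exposes it as --start-time."""
    if now is None:
        now = int(time.time())
    return hotp(bytes.fromhex(hex_secret), (now - start_time) // step, digits)

def hex_to_base32(hex_secret):
    """The same secret in the base32 form that FreeOTP takes when adding a
    token: only the key bytes are encoded, the start time is not."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode().rstrip("=")

def verify(hex_secret, candidate, now, window=1, step=30):
    """Verifier side: accept the code for the current step or `window`
    steps either side (clock drift), comparing in constant time so the
    timing does not leak how many digits matched."""
    return any(hmac.compare_digest(totp(hex_secret, now + k * step), candidate)
               for k in range(-window, window + 1))

if __name__ == "__main__":
    # RFC 6238 test vector: the secret is the ASCII bytes of "12345678901234567890".
    rfc = "3132333435363738393031323334353637383930"
    print("base32:", hex_to_base32(rfc))
    print("t=59, T0=1970:", totp(rfc, now=59))                 # 287082
    print("t=59, T0=+30s:", totp(rfc, now=59, start_time=30))  # 755224: a different code
    print("accepted 30s late:", verify(rfc, "287082", now=89))  # True
```

Shifting the start time by one step changes the counter and therefore the code, even though the hex and base32 secrets are unchanged, which is exactly why the phone app must agree on the default epoch.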

oathtool! Bloody oath mate ;)

dot files

Remember the days when people put up their .rc files on their blogs? I used to do that too but these days, I *would* like to link people to my puppet manifest on github. (EDIT: Despite being secure, i.e. not containing any passwords, there was some information leakage and my employer encouraged me to make the repository private. I use bitbucket for that.) If you don’t know what Puppet is, you should definitely check out puppetlabs.com.

The only reason this page still exists is that back in the day I worked for this lady who got angry when I changed global settings on the server to sensible defaults. Like “alias grep=’grep –color'” got me into trouble o.O So I created my own little environment that stayed persistent even when I sudo’d. This was mainly done via the following lines:

# Always open vim with my settings.
alias vim='vim -u ~sk/.vimrc'
# Create my own 'bash' wrapper so root can run screen with my settings.
echo '/bin/bash --rcfile ~sk/.bashrc' > ~sk/bash
chmod 755 ~sk/bash
# Set my bash shell to that wrapper.
export SHELL=~sk/bash
# Always run screen with my settings.
alias screen='screen -c ~sk/.screenrc'

I even had .sync files kept on a web server so I could easily update once I made changes to the environment :)

# If we have updates, we want an easy way of synchronisation.
alias sksync='cd ~sk;
wget --timeout=2 --tries=1 http://www.host.tpl/.bashrc.sync && mv .bashrc.sync ~sk/.bashrc;
wget --timeout=2 --tries=1 http://www.host.tpl/.vimrc.sync && mv .vimrc.sync ~sk/.vimrc;
wget --timeout=2 --tries=1 http://www.host.tpl/.screenrc.sync && mv .screenrc.sync ~sk/.screenrc'

My firefox add-ons

Below is a list of add-ons I use in my current Firefox profile and that I’d recommend you use too! :)

  • Adblock Plus – An advertisement blocker that can import filters from others
  • BetterPrivacy – Allows you to view and DELETE nasty LSO files
  • Brief – An RSS reader
  • Disable Ctrl-Q shortcut – ever tried to press “Ctrl+a” but hit “Ctrl+q” by accident? :(
  • DownloadHelper – store a local copy of a video on youtube and other sites
  • FireGestures – Control firefox with mouse gestures
  • It’s all Text! – Every textfield can be edited via your favourite text editor
  • Lazarus – re-populates data in forms if the browser crashes or similar
  • TabMix Plus – An Add-on to help manage a lot of Tabs

And good ones for development:

  • Firebug – “Web Development Evolved”
  • Tamper Data – lets you manipulate headers before you get redirected
  • Web Developer – lets you do all sorts of things to HTML forms and the like

You should have a master password set for Firefox anyway; however, if you have more than one device, do yourself a favour and set up Firefox Sync (with a master password).