So I’ve finally found the motivation and the time to set up OTP for my ssh logins!
DISCLAIMER: Let me say upfront that there are plenty of articles on using Google’s GAuthenticator which I didn’t want to use. Since the whole PRISM thing was leaked I try to decentralise my data as much as possible and distrust big names more since they are surely be a more attractive target than the small players.
After a bit of searching I found oathtool, a piece of software that seems to be relatively well maintained compared to S/KEY and others. The concept is relatively simple, you can choose between two types of OTPs, event based and time based. Event based OTPs are expired once they’ve been used for an event (e.g. a log in) or time based OTPs which expire every x seconds (default: x = 30 seconds).
I’ve chosen time based OTPs since I use this method to protect other online accounts like github.com and others. I use my Android device and the “FreeOTP” to keep track of my time-based OTPs. With TOTPs you have the following parameters that play a role at creation time.
- The start time from which to count the TOTPs (see below why I’m not using this).
- The number of digits each OTP is made up from.
- A hex (or base32) encoded secret.
# Install oathtool. sudo aptitude install -y oathtool libpam-oath # Generate a secret. export HEX_SECRET=$(head -10 /dev/urandom | md5sum | cut -b 1-30) # Generate the TOTP details, 6 digits long. oathtool --verbose --totp $HEX_SECRET # Enter the base32 secret and the hex secret in your OTP app. # Create and populate the /etc/users.oath file. sudo touch /etc/users.oath sudo chmod 0600 /etc/users.oath sudo /bin/bash -c "echo HOTP/T30 $USER - $HEX_SECRET \ >> /etc/users.oath" # Forget the secret! unset HEX_SECRET # Set up PAM. echo "auth requisite pam_oath.so usersfile=/etc/users.oath $(cat /etc/pam.d/sshd)" # Allow this in sshd and restart. sudo sed -Ei -e 's/(ChallengeResponseAuthentication) no/\1 yes/' \ /etc/ssh/sshd_config sudo service ssh restart # Test. ssh localhost # You should see: # One-time password (OATH) for `ubuntu': # Password: # Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-44-generic x86_64) # ...
As you can see by the example output in the above test, if you’ve followed the instructions correctly you will be asked for a TOTP first, and then for your user password afterwards. \o/
I’d have liked to set a different start-time for my TOTPs, oathtool supports ‘–start-time’ however there is no way to enter that in FreeOTP so it always assumes the default of ‘1970-01-01 00:00:00 UTC’. Took me a while to work that out, I had assumed that the start time was somehow mixed into the base32 secret but that’s not the case.
oathtool! Bloody oath mate ;)