One-Time-Passwords using oathtool on Ubuntu 14.04(+)

So I’ve finally found the motivation and the time to set up OTP for my ssh logins!

DISCLAIMER: Let me say upfront that there are plenty of articles on using Google’s GAuthenticator which I didn’t want to use. Since the whole PRISM thing was leaked I try to decentralise my data as much as possible and distrust big names more since they are surely a more attractive target than the small players.

After a bit of searching I found oathtool, a piece of software that seems to be relatively well maintained compared to S/KEY and others. The concept is simple, you can choose between two types of OTPs, event based and time based. Event based OTPs are expired once they’ve been used for an event (e.g. a log in) or time based OTPs which expire every x seconds (default: x = 30 seconds).

I’ve chosen time based OTPs since I use this method to protect other online accounts like and others. I use my Android device and the “FreeOTP” to keep track of my time-based OTPs. With TOTPs you have the following parameters that play a role at creation time.

  • The start time from which to count the TOTPs (see below why I’m not using this).
  • The number of digits each OTP is made up from.
  • A hex (or base32) encoded secret.

Using introducing the oath toolkit, the README on github, and this doco on I managed to get the following going:

# Install oathtool.
sudo aptitude install -y oathtool libpam-oath

# Generate a secret.
export HEX_SECRET=$(head -10 /dev/urandom | md5sum | cut -b 1-30)

# Generate the TOTP details, 6 digits long.
oathtool --verbose --totp $HEX_SECRET
# Enter the base32 secret and the hex secret in your OTP app.

# Create and populate the /etc/users.oath file.
sudo touch /etc/users.oath
sudo chmod 0600 /etc/users.oath
sudo /bin/bash -c "echo HOTP/T30 $USER - $HEX_SECRET \
>> /etc/users.oath"

# Forget the secret!

# Set up PAM.
echo "auth requisite usersfile=/etc/users.oath
$(cat /etc/pam.d/sshd)" > /etc/pam.d/sshd

# Allow this in sshd and restart.
sudo sed -Ei -e 's/(ChallengeResponseAuthentication) no/\1 yes/' \
sudo service ssh restart

# Test.
ssh localhost
# You should see:
# One-time password (OATH) for `ubuntu':
# Password:
# Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-44-generic x86_64)
# ...

As you can see by the example output in the above test, if you’ve followed the instructions correctly you will be asked for a TOTP first, and then for your user password afterwards. \o/

I’d have liked to set a different start-time for my TOTPs, oathtool supports ‘–start-time’ however there is no way to enter that in FreeOTP so it always assumes the default of ‘1970-01-01 00:00:00 UTC’. Took me a while to work that out, I had assumed that the start time was somehow mixed into the base32 secret but that’s not the case.

oathtool! Bloody oath mate 😉


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s