Simple OTP implementation for Debian and Android/iOS

October 30, 2017 technews

Usually the spare time is used to resolve an issue that I haven’t and this time is the same; how to implement the OTP request on my Debian machine, used to access from the outside world to my network? Today I spent one hour to figure out how to do it and this is the recipe that I used.

First of all install the support for OAUTH toolkit with:

# Install LibPAM OAUTH
apt install libpam-oath oathtool qrencode

generate and save a preshared key for my user:

# Configure the OTP key for pippobau
echo "HOTP/T30/6 pippobau - ${KEY}" > /etc/security/users.oath
chmod 600 /etc/security/users.oath

and exclude the local network from the request, so you can continue to connect to the server without OTP from the network that starts with “+”:

# Allow access without OTP from local network
cat <<\EOF | tee -a /etc/security/access-local.conf
+ : ALL :
+ : ALL :
- : ALL : ALL

Configure PAM to request the OTP password for all SSH connection that comes from untrusted networks:

# Configure PAM for SSH and the exclusion for local access
cat <<\EOF | tee -a /etc/pam.d/sshd
auth [success=1 default=ignore] accessfile=/etc/security/access-local.conf
auth required usersfile=/etc/security/users.oath window=30 digits=6

and enable challenge response for SSHD:

# Enable Challenge Response auth request for SSHD
cat <<\EOF | tee -a /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
service sshd restart

Finally generate the qr code to configure a compatible mobile client:

qrencode -o user.png "otpauth://totp/pippobau@myserver.tld?secret=$(cat /etc/security/users.oath | grep pippobau | awk '{print $4}')"

Scan and configure FreeOTP for iOS and Linux and the result is: