Simple OTP implementation for Debian and Android/iOS
I usually spend my spare time resolving an issue I have not yet solved, and this time was no different: how to add an OTP prompt to the Debian machine I use to reach my network from the outside world. Today it took me an hour to figure out, and this is the recipe I used.
First of all, install the OATH toolkit and its PAM module with:

```bash
# Install the OATH PAM module, the command-line tool and the QR encoder
apt install libpam-oath oathtool qrencode
```
then generate and save a pre-shared key for my user:

```bash
# Generate a random 160-bit key (40 hex digits) and store it for pippobau.
# Line format: "HOTP/T30/6 user - hexkey" = TOTP with a 30 s step and 6 digits.
KEY=$(head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n')
echo "HOTP/T30/6 pippobau - ${KEY}" > /etc/security/users.oath
chmod 600 /etc/security/users.oath
```
and exclude the local network from the OTP prompt: the origins on the lines starting with "+" can keep connecting to the server without an OTP, everything else is denied by the final "-" line and therefore falls through to the OTP check:

```bash
# Allow access without OTP from the local network
cat <<\EOF | tee -a /etc/security/access-local.conf
+ : ALL : 192.168.0.0/24
+ : ALL : 127.0.0.1
+ : ALL : LOCAL
- : ALL : ALL
EOF
```
Configure PAM to request the OTP for every SSH connection that comes from an untrusted network:

```bash
# Configure PAM for SSH: when pam_access grants the origin, skip the next
# line (pam_oath); otherwise the OTP is required
cat <<\EOF | tee -a /etc/pam.d/sshd
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_oath.so usersfile=/etc/security/users.oath window=30 digits=6
EOF
```
and enable challenge-response authentication for SSHD:

```bash
# Enable challenge-response authentication for SSHD.
# sshd uses the first value it finds for a keyword, so an existing
# "ChallengeResponseAuthentication no" has to be changed in place;
# appending "yes" below it would be ignored.
sed -i 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
grep -q '^ChallengeResponseAuthentication yes' /etc/ssh/sshd_config \
  || echo "ChallengeResponseAuthentication yes" >> /etc/ssh/sshd_config
# Note: public-key logins do not go through the PAM auth stack, so the OTP
# prompt applies to password/keyboard-interactive logins unless
# "AuthenticationMethods publickey,keyboard-interactive" is also set.
service sshd restart
```
Finally, generate the QR code to configure a compatible mobile client:

```bash
# The otpauth:// URI needs the secret in base32, while users.oath stores it
# as hex, so convert it with oathtool instead of pasting the hex value
HEXKEY=$(awk '$2 == "pippobau" {print $4}' /etc/security/users.oath)
SECRET=$(oathtool --totp -v "$HEXKEY" | awk '/^Base32 secret:/ {print $3}')
qrencode -o user.png "otpauth://totp/pippobau@myserver.tld?secret=${SECRET}"
```
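To check the server side offline, here is an added Python example (not part of the original post) that parses a constructed users.oath line in the format used above, derives the base32 secret that the otpauth:// URI needs, and computes and verifies TOTP codes with the same step, digits and window tolerance that pam_oath applies. The key is the RFC 6238 test value, not a real secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the /etc/security/users.oath format:
# "<type>/T<step>/<digits> <user> - <hex key>"; the key is the RFC 6238
# test key "12345678901234567890" in hex, not a real secret.
SAMPLE_USERS_OATH = "HOTP/T30/6 pippobau - 3132333435363738393031323334353637383930\n"


def parse_users_oath(text):
    """Return {user: (step_seconds, digits, key_bytes)} from users.oath content."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        spec, user, _pin, hexkey = line.split()[:4]
        _kind, step, digits = spec.split("/")
        entries[user] = (int(step[1:]), int(digits), bytes.fromhex(hexkey))
    return entries


def otpauth_secret(key_bytes):
    """Base32 form of the key, which is what otpauth:// URIs and FreeOTP expect
    (the hex string stored in users.oath is not valid base32)."""
    return base64.b32encode(key_bytes).decode().rstrip("=")


def totp(key_bytes, digits, step, at_time):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing at_time."""
    counter = int(at_time) // step
    mac = hmac.new(key_bytes, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(code, key_bytes, digits, step, window, now=None):
    """Accept the code if it matches any of the time steps within `window`
    steps of now, the clock-drift tolerance pam_oath's window= option gives."""
    now = time.time() if now is None else now
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(key_bytes, digits, step, now + k * step), code):
            return True
    return False
```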
Scan it and configure FreeOTP for iOS and Linux, and the result is: