Implementing cost effective dual factor authentication

Posted by MaxLock on Tue 20 Mar 2007 at 03:32

A great way to improve the security of your system's public services is to add a second factor to your authentication scheme. Here we'll show what that means and how it works.

An extra factor means that in addition to something you know, such as a password, you also have to prove possession of something you have: a physical object.

The physical object can take a number of forms, from a printed grid of passcodes (often, if loosely, called a 'one time pad'; it is not the Vernam cipher of that name, just a list of codes each used once) to a dedicated electronic token, sometimes a key fob with an ever-changing code on an LCD screen.

With a printed pad, the user is given a passcode reference (such as a grid coordinate) and must respond with the matching passcode from the pad. Electronic tokens typically compute a keyed hash of the current time using a secret shared with the server; the server, which knows the same secret and the same time, simply prompts for the resulting code and recomputes it.

Each form of physical item has its advantages and disadvantages: cost, in the case of electronic tokens, or convenience, in the case of a printed pad.

Open source implementations of these schemes exist, such as OTPW for printed pads, but the electronic token schemes obviously still incur a hardware cost. However, thanks to the increasing capabilities of the ubiquitous cellphone, it's possible to implement an electronic token as a Java MIDlet, avoiding expenditure on specialised hardware.

FreeAuth implements an electronic token system using a mobile phone. It comprises two parts: a PAM module and a Java MIDlet. First grab a copy of both the FreeAuth PAM module source and the Java MIDlet; I'd recommend version 2.3.10 or later of the MIDlet.

To compile pam_freeauth you will need the PAM development headers. On Debian you can simply run (as root):

apt-get install libpam0g-dev

Next unpack the pam_freeauth archive you downloaded earlier, then build and install it (the install step needs root):

cd pam_freeauth
make clean
make install

This places the FreeAuth PAM module in /lib/security. Next copy the file freeauth.conf into /etc/security and restrict its permissions, since it will hold the shared secrets:

cp -a freeauth.conf /etc/security
chmod 600 /etc/security/freeauth.conf

Let's now set up PAM to use FreeAuth for SSH. In the /etc/pam.d directory, edit the file ssh with your favourite editor: comment out the "@include common-auth" directive and add the following line above it:

auth required pam_freeauth.so

Two things to check before relying on this. First, with common-auth commented out the server no longer asks for the account password; sshd then verifies only the phone-generated passcode (the PIN protects the secret on the phone but is never seen by the server). If you want the server itself to require both the password and the passcode, leave the "@include common-auth" line in place and put the pam_freeauth line above it, so both modules must succeed. Second, sshd only runs this PAM stack when sshd_config has "UsePAM yes" and "ChallengeResponseAuthentication yes" (the passcode prompt is delivered through keyboard-interactive authentication); public-key logins bypass the PAM auth stack entirely, so a user with an authorized key is never asked for a passcode.

Now restart the ssh service:

/etc/init.d/ssh restart

Finally, make sure the clocks on both your phone and your system are accurate, since each passcode is derived from the current time and a skewed clock produces codes the server will reject. I'd recommend installing NTP to keep the system clock accurate:

apt-get install ntp-simple

Now you need to install the Java MIDlet on your cellphone to generate passcodes that FreeAuth will accept. This process varies wildly between manufacturers and phones, and is beyond the scope of this article. On my Motorola SLVR, the process involved connecting a USB cable and uploading the MIDlet using the moto4lin package.

The first time you run the Java MIDlet you're prompted for a PIN, which you must remember, and then for 20 random keypresses, which seed a new shared secret. Next you enter an alias for the secret, such as a domain name. Finally the MIDlet displays the secret it has generated; this secret must be added to your /etc/security/freeauth.conf file, replacing any example entries that may be there:

# user          secret
username        0123456789abcdef

You're now ready to test. Restart the Java MIDlet and enter your PIN; the MIDlet will display a passcode and a countdown to the next one. There is also a time zone button, which sets the time zone and displays the phone's current epoch time. This must be close to the system's epoch time or the codes will not match. You can display the system epoch time, in minutes, with this command:

echo "`date +%s` / 60" | bc
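As an added illustration, not FreeAuth's own code (the MIDlet's exact derivation is not documented on this page), the following Python models the class of scheme described earlier, where the phone derives a code from a shared secret and the current time and the server recomputes it. It also shows what the epoch check above is guarding: the server tolerates one time step of skew either side, refuses anything larger, and refuses a code it has already accepted. The secret, the 60-second step (taken from the `/ 60` in the command above), the six-digit code length and the HMAC-SHA1 construction are all assumptions of this example.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample secret in the hex form freeauth.conf uses on this page; it
# is NOT a real key. FreeAuth's own derivation is not documented here, so this
# block uses the generic "keyed hash of the time step" construction (RFC 6238
# style HMAC-SHA1 with dynamic truncation). Step, digits and window are assumptions.
SHARED_SECRET_HEX = "0123456789abcdef"
STEP_SECONDS = 60      # one code per minute, matching the `/ 60` in the epoch check
DIGITS = 6
DRIFT_WINDOW = 1       # accept the code for one step either side of server time


def epoch_minutes(epoch_seconds: int) -> int:
    """Same figure as `echo "\`date +%s\` / 60" | bc` on the server."""
    return epoch_seconds // STEP_SECONDS


def passcode(secret_hex: str, step: int, digits: int = DIGITS) -> str:
    """Derive the passcode for one time step: HMAC-SHA1(secret, step), truncated."""
    key = bytes.fromhex(secret_hex)
    msg = struct.pack(">Q", step)                  # 8-byte big-endian step counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset (0..15)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_hex: str, supplied: str, now_seconds: int,
           last_accepted_step=None, window: int = DRIFT_WINDOW):
    """Server-side check. Returns the matched step, or None if rejected.

    The window absorbs small clock skew between phone and server; anything
    larger fails, which is why the clocks must agree. Steps at or before
    last_accepted_step are refused so an observed code cannot be replayed
    within the window. The digit comparison is constant-time.
    """
    step = epoch_minutes(now_seconds)
    for delta in range(-window, window + 1):
        candidate = step + delta
        if last_accepted_step is not None and candidate <= last_accepted_step:
            continue
        if hmac.compare_digest(passcode(secret_hex, candidate), supplied):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    step = epoch_minutes(now)
    code = passcode(SHARED_SECRET_HEX, step)
    print("server epoch minutes :", step)
    print("current passcode     :", code)
    print("accepted, clocks agree:", verify(SHARED_SECRET_HEX, code, now))
    # Server five minutes ahead of the phone: five steps exceed the window.
    print("accepted, 5 min skew :", verify(SHARED_SECRET_HEX, code, now + 300))
    # Same code presented again after it was accepted: replay refused.
    print("accepted, replayed   :", verify(SHARED_SECRET_HEX, code, now,
                                           last_accepted_step=step))
```

A real module would persist the last accepted step per user (alongside the secret) rather than keeping it in memory, and would rate-limit failures, since a six-digit code within a three-step window gives an online guesser roughly a 3-in-a-million chance per attempt.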

Finally, ssh to your system; when prompted for a passcode, enter the one displayed on the phone and you'll be authenticated. I've used this system for the past few weeks now, and it's proven reliable and very cost effective compared to commercial offerings.


This article can be found online at the Debian Administration website at the following bookmarkable URL:

This article is copyright 2007 MaxLock - please ask for permission to republish or translate.