I recently discovered gooze and their interesting variety of cryptographic products.
I bought one of their OTP C100 one-time-password tokens to play with. They seem to implement the OATH standards, which work nicely with a variety of software.
I decided to try to get this working on debian with PAM as an authentication method.
So far the software I've tried for this is oath-toolkit, which provides a convenient pam_oath PAM module. I've got this working on a home debian machine for testing, requiring a one-time password from the dongle every time I log in.
Rough steps to setup:
- Install oath-toolkit as usual. You probably want to install from source or download the supplied debs, the latest version seems to be the thing to get.
- Run ldconfig. This is one thing that's not mentioned in the instructions but was needed before my machine would see the new PAM module.
- Put this in /etc/pam.d/common-auth:

    # this bit restricts oath checking to the specified user
    # you could use a group or whatever if you had more than 1 token
    auth [default=1 success=ignore] pam_succeed_if.so quiet user = useryouwanttoauth
    auth requisite pam_oath.so usersfile=/etc/users.oath window=20 digits=6

You should have created the users.oath file in the normal course of installing oath-toolkit. sshd_config should have:

    ChallengeResponseAuthentication yes
    PasswordAuthentication yes
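As an added illustration (not code from this post or from oath-toolkit), here is a small Python model of what pam_oath does with the users.oath secret and the window=20 digits=6 options above: RFC 4226 HOTP plus a counter look-ahead. The users.oath line, the username and the exact look-ahead semantics are assumptions made for the example, with the secret being the RFC 4226 test key.

```python
import hmac
import hashlib
import struct

# Constructed users.oath-style line (basic "type user pin hexsecret" form, no counter yet);
# the secret is the RFC 4226 test key "12345678901234567890" in hex.
SAMPLE_USERS_OATH = "HOTP useryouwanttoauth - 3132333435363738393031323334353637383930"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def parse_users_oath_line(line: str):
    """Split a basic users.oath entry into (type, user, pin, secret bytes)."""
    otp_type, user, pin, hexkey = line.split()[:4]
    return otp_type, user, pin, bytes.fromhex(hexkey)


def verify_hotp(secret: bytes, stored_counter: int, otp: str, window: int = 20, digits: int = 6):
    """Look-ahead check modelled on pam_oath's window= option (assumed semantics): accept the
    OTP if it matches the stored counter or any of the next `window` counters, since the token
    button may have been pressed without a login. Returns the counter to persist (matched + 1)
    or None on failure. Persisting the new counter is what rejects replay of a used code."""
    for step in range(window + 1):
        if hmac.compare_digest(hotp(secret, stored_counter + step, digits), otp):
            return stored_counter + step + 1
    return None


if __name__ == "__main__":
    _, user, _, secret = parse_users_oath_line(SAMPLE_USERS_OATH)
    print(user, hotp(secret, 0))                      # RFC 4226 vector for counter 0: 755224
    print(verify_hotp(secret, 0, hotp(secret, 5)))    # matched at counter 5, persist 6
    print(verify_hotp(secret, 0, hotp(secret, 25)))   # beyond the window of 20: None
```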
After that, things seem to work with at least sshd and su, but I'm still testing. Annoyingly, if there's an ssh authorized_key, it seems to override password authentication totally. Ideally I'd like to combine ssh keys and OTP, but I haven't worked that out yet.
I've also got one of the gooze OTP C200 tokens, which looks very nice and uses time-based passwords, which I'd really rather use, but it's not supported by oath-toolkit yet.