Mon, 31 Jan 2011

OTP Tokens

Recently discovered gooze and their interesting variety of cryptographic products.

I bought one of their OTP C100 one-time-password tokens to play with. They seem to implement the OATH standards, which works nicely with a variety of software.

I decided to try to get this working on debian with PAM as an authentication method.

So far the software I've tried to do this is oath-toolkit, which provides a convenient pam_oath PAM module to use. I've got this working on a home debian machine for testing, requiring a one-time-password from the dongle every time I login.

Rough steps to setup:

  1. Install oath-toolkit as usual. You probably want to install from source or download the supplied debs, the latest version seems to be the thing to get.
  2. Run ldconfig - this is one thing that's not mentioned in the instructions but was needed before my machine would see the new PAM module.
  3. Put this in /etc/pam.d/common-auth:
    # this bit restricts oath checking to the specified user                        
    # you could use a group or whatever if you had more than 1 token                
    auth [default=1 success=ignore] quiet user = useryouwanttoauth
    auth requisite usersfile=/etc/users.oath window=20 digits=6
    You should have created the users.oath file in the normal course of installing oath-toolkit.
  4. sshd_config should have:
    ChallengeResponseAuthentication yes                                             
    PasswordAuthentication yes                                    

After that, things seem to work with at least sshd and su, but I'm still testing. Annoyingly, if there's a ssh authorized_key, it seems to override password authentication totally. Ideally I'd like to combine ssh keys and OTP, but I haven't worked that out yet.

I've also got one of the gooze OTP C200 tokens, which looks very nice, and uses time based passwords, which I'd really rather use, but it's not supported by oath-toolkit yet.

[21:23] | [] | OTP Tokens

< January 2011 >
2 3 4 5 6 7 8

Contact: Michael Stevens <>

RSS: RSS feed

Atom: Atom feed

Valid XHTML 1.0!

Valid CSS!