It turns out the issues I was having compiling OATH-Toolkit were due to a slight change to the build process introduced in version 1.8.1. It is something to do with autoreconf, but I wasn't able to properly diagnose the problem. Ergo my workaround was to simply build only the parts that I needed:
tar -xzf oath-toolkit-1.10.2.tar.gz
cd oath-toolkit-1.10.2          # the make -C targets below are relative to the unpacked tree
./configure                     # assumed step: generates the per-directory Makefiles that make -C expects
make -C liboath                 # build only the library ...
make -C pam_oath                # ... and the PAM module, skipping the top-level targets that trigger autoreconf
make -C liboath install         # install as root (sudo) if the prefix is system-wide
make -C pam_oath install
And now I have time-based one-time passwords on my Mac as well. The next thing to do is figure out how to get it to check against hashed passwords so I can get back to using a single prompt...
I have been meaning to beef up the security on my various servers for a while. Everything was configured in a way that was relatively closed, but ultimately I decided that convenience outweighed absolute security. To that end, my passwords are not as good as they could be (i.e. I can remember them easily and type them quickly, although they were designed to be...), SSH continues to serve from the default port, and one could SSH to root just with its (enormous) password.
Walking home from the train yesterday, I decided to finally fix this. My original idea was to set up a pluggable authentication module (PAM) for Steve Gibson's "Perfect Paper Passwords", but I soon discovered the (slightly more official) Initiative for Open Authentication (OATH). OATH provides specifications for two types of one-time passwords (OTPs): event-based (HOTP) and time-based (TOTP).
Event-based OTPs are generated from a counter that increments every time you ask for a password. The server keeps track of the last counter it accepted and will never accept an earlier password again (e.g. if someone watches over your shoulder or there is a key logger). Time-based OTPs do much the same, except that the counter is derived from the current time, so each password is only valid for the current 30-second block.
These sorts of two-factor authentication schemes often rely upon proprietary hardware and expensive service plans, but the openness of OATH allows for free apps for iOS, Android, and many more. Another open source project, OATH Toolkit, provides the server-side code, including a PAM module.