pam_sotp 0.2.0 manual

http://www.cavecanen.org/cs/projects/pam_sotp/
http://www.cavecanen.org/cs/projects/pam_sotp/doc/pam_sotp-0.2.0-doc.shtml

1. Introduction. Features

pam_sotp provides simple one time password support to PAM, the pluggable authentication modules.

1.1 Usage scenario

The user is provided with a list of one time passwords. Each time the user wants to authenticate against an SOTP-enabled service he or she will be asked to enter an specific password of the list. In case of successful authentication that password will become invalid or valid only for a configured period of time (depending on how the service was configured) and the service will ask for a different password next time.

This list of one time passwords (OTP list) is typically stored in print form and stored in the user's wallet or in electronic form in the user's PDA or cell phone.

Optionally passwords can be configured with a 'prefix', which is another password which the user has to memorize and which has to be written as a prefix of the requested one time password. The prefix acts as a security measure in case that the OTP list is lost or stolen from the user.

The system administrator can control if each user has rights to re-generate his/hers OTP list when all the OTPs have been used. pam_sotp can be configured to:

Deny regeneration of the OTP list. When the user runs out of passwords he/she will have to contact the administrator in order to get a new OTP list
Allow regeneration of passwords under parameters (password length, number of passwords, charset, etc...) fixed by the system administrator. The user has to use the 'otppasswd' utility
Allow regeneration of passwords allowing also the user to specify the generation parameters. The 'genotpdb' utility, provided with pam_sotp, handles this

As it has been said, the system administrator can configure a service in such a way that entered passwords are valid for a configured period of time. This feature, which we will call password lifespan, is useful when the application requesting the authentication will have to authenticate several more times in a period of time (for example, a webmail application authenticating against the IMAP server).

2. Configuring pam_sotp

2.1 Auth databases

The first thing you should do is to create the directory /etc/sotp. This is were all the authentication information (i.e.: the passwords) is stored. Under this directory pam_sotp will manage several authentication databases, one for each user you want to enable OTP for. Each database is in fact a binary file with the user's login name as its file name.

Each database holds all the information required to authenticate the user, as well as some other configuration parameters. This means that the passwords are stored there, although by default they are hashed using the MD5 algorithm. Two bytes of 'salt' are used when hashing the password in order to disturb brute force cracking efforts.

Creation of authentication databases is handled by the genotpdb utility (by default installed in /usr/local/sbin). This utility accepts the following options:

-r <yes|no>
Allow the user to re-generate his/hers OTP list. A yes value will mean that the user will be able to regenerate his/hers OTP list with the otppasswd command. The default for this option is 'no'

-s path
If the user is able to re-generate his/hers OTP list (-r yes) the system will need to know where to write the file containing the clear-text passwords. A typical value for this option would be /home/user/otplist This file will be created with 0700 file permissions, although the user is encouraged to print it as soon as possible and then wipe the file. The default for this option is ./secret

-h <plain|md5>
Hash algorithm used for passwords in the authentication database. plain means that the passwords will not be hashed and thus will be stored in plain text, which is security risk (but useful for debugging). The default for this option is md5

-n number
Number of passwords to generate. The default for this option is 20

-p prefix
Prefix for the password list. The default is no prefix.

-l length
Length of the generated passwords. The default is 5

-c charset
Charset used to generate the passwords. The default is 0123456789 (numbers).

genotp also expects a filename were the authentication database will be stored.

Example

You want to generate an authentication database for the user susan, with 50 6-char passwords composed by numbers and some punctuation signs, with the prefix squish, and allow susan to regenerate her password list using the otppasswd command. You will have to issue the following command:

# /usr/local/sbin/genotpdb -r yes -s /home/susan/otplist -n 50 -l 60 -p squish -l 6 -c 0123456789-:. /etc/sotp/susan

The file /home/susan/otplist will contain the OTP list:

[01] 78:88-
[02] .91-9.
[03] -:.:39
[04] 46670.
....

2.2 PAM configuration

The last thing to configure in order to enable SOTP is PAM. The pam_sotp.so PAM module provides the auth and password features. Here is the list of the options accepted by the pam_sotp pam module:

Global options

auth_dir=<string>
Path to the SOTP authentication directory

fail_delay=<number>
Plan a delay of at least number seconds after a failed authentication. The actual number of seconds of waiting depends on PAM and the module stack.

Options related to the auth module

prompt_number=<yes|no>
Include the password number in the prompt

pw_lifespan=<number>
Enable password lifespan for this service. All correct passwords authenticated inside this service will remain valid for number seconds after its initial use. New passwords will still be valid.

Options related to the password module

This options apply when generating a new password set with the otppasswd utility

gen_length=<number>
Length of the passwords generated

gen_chars=<string>
Charset used when generating passwords

gen_prefix=<string>
Prefix used when generating passwords

gen_hash_type=<plain|md5>
Algorithm used to hash the passwords

gen_count=<number>
Number of passwords to generate

Example

We want to configure the login service with SOTP support. We also want to let in other non-SOTP users. SOTP users must also be able to log-in with their regular password.

The file /etc/pam.d/login will look something like this:

auth sufficient pam_sotp.so prompt_number=yes authdir=/etc/sotp
account required        pam_unix.so

SOTP users (the ones with an auth database in /etc/sotp) will be asked for an OTP. If the OTP is wrong they will be asked for their regular password:

	odiel:~# telnet localhost
	Trying 127.0.0.1...
	Connected to localhost.localdomain.
	Escape character is '^]'.
	Debian GNU/Linux 3.1 odiel
	odiel login: susan

	One time password [01]:
	Password:

Non-SOTP users won't notice difference:

	odiel:~# telnet localhost
	Trying 127.0.0.1...

	Connected to localhost.localdomain.
	Escape character is '^]'.
	Debian GNU/Linux 3.1 odiel
	odiel login: pdiaz
	Password:

You can also configure the password service in PAM, so SOTP users can regenerate (if allowed) their OTP list. This can be done with the following configuration in /etc/pam.d/otppasswd

# Example PAM configuration file for the otppasswd utility
password required pam_sotp.so gen_length=4 gen_count=20

otppasswd will authenticate the user asking for a one time password. This means that users with no valid (unused or non-expired) one time passwords in their database won't be able to regenerate their OTP list.

2.3 Other issues

Full-featured password generation

If you want to enable full featured password generation to an user (i.e: he/she can specify all the password generation parameters seen above) just chown his/hers auth database to this user. The user will then be able to use the genotpdb utility to generate the password list.

Password lifespan

With the option pw_lifespan=<number> you can configure pam_sotp to authenticate a service with limited time passwords. This basically means that pam_sotp will handle authentication in the same way as before but with the following additional feature: an used password will remain valid for number of seconds after its first use. Of course, the current new password (the one who is prompted) will be also valid.

This is useful for using pam_sotp with software that requires several authentications against a service in a short period of time, such as some webmail systems (Squirrelmail has this behaviour).

Example

Configuration of the IMAP service with OTP support (as well as the usual unix authentication) and a password lifespan of 5 minutes. The file /etc/pam.d/imap will look something like this:

auth sufficient pam_sotp.so pw_lifespan=300
auth            required       pam_unix.so      nullok
account         required       pam_unix.so
password        required       pam_unix.so
session         required       pam_unix.so

3. Disclaimer, contact information, etc...

pam_sotp is not yet ready for production use. This is alpha-quality code, it may be full of remote holes (I hope not ;-). Having said that, I've been using pam_sotp for accessing my webmail for some time and I didn't found any problems.

This is my first PAM module. I've done my best to comply with the standards recommended by the PAM Module Writers' Manual. If you have experience writing PAM modules and you have any suggestions about the code, please contact me!

Suggestions, patches and code contributions can be directed to sotp [_AT_] cavecanen [_DOT_] org. They will be very welcome.