PAM module to authenticate users using an HOTP token.

Project description

libpam-hotp is a PAM (Pluggable Authentication Modules) module written in Python to authenticate users using an OTP (One Time Password) generated with the HOTP algorithm.

1. Installation

libpam-hotp depends on libpam-python, which is packaged in all major distributions. The module has been tested with Python 2.6; it may also work with 2.5, and certainly with 2.7.

After installing the dependencies, you can drop pam_hotp.py into the /lib/security directory.

The next step is to set up PAM and create a file with all your token seeds.

2. Configuration of PAM

libpam-hotp uses libpam-python, and the latter is the module that PAM actually calls; your rule line will therefore look like this:

auth [POLICY] pam_python.so pam_hotp.py [OPTIONS]

Available options are:

  • file: path to the file that stores the user login to secret seed mapping (defaults to /etc/hotp).

Example:

auth sufficient pam_python.so pam_hotp.py file=/etc/hotp_ssh

NOTE: This module only provides the AUTH mechanism.

3. Seeds file:

The seed file stores the mapping between a user login and the secret seed code of the user’s token.

Each line of this file is one association, with fields separated by a “:” character. The first three fields are mandatory:

  • User login

  • Secret seed code (encoded in hexadecimal form)

  • The number of seconds for a period (see your token datasheet)

You can add two additional fields:

  • The maximum allowed number of drift periods

  • A hash, used to prompt the user for an additional password.

The hash is stored together with its salt in this format: SALT$HASH. The hash function is SHA1(CONCAT(PASSWORD, SALT)).

Example:

Here is a complete example for the user stallman, with a token period of 30 seconds, a maximum drift of 3 periods, and an additional password “richard”:

stallman:11223344556677889900AABBCCDDEEFF:30:3:6jsd3$1b6a67161e1cca2b1cd014c59b5bc907435cf8e7
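
The seed-file record described above, parsed and checked in Python 3. This is an added example, not the code of pam_hotp.py; the function names are hypothetical, and it assumes the counter is the current time divided by the period, that drift is accepted in both directions, and that codes have 6 digits.

```python
import hashlib
import hmac
import struct
from collections import namedtuple

Entry = namedtuple("Entry", "login seed period max_drift pw_hash")

def parse_seed_line(line):
    """Parse 'login:hexseed:period[:max_drift[:SALT$HASH]]' as the page describes."""
    fields = line.strip().split(":")
    if not 3 <= len(fields) <= 5:
        raise ValueError("expected 3 to 5 ':'-separated fields")
    fields += [""] * (5 - len(fields))
    login, seed_hex, period, drift, pw_hash = fields
    seed = bytes.fromhex(seed_hex)  # ValueError on malformed hex
    period, drift = int(period), int(drift or 0)
    if not login or not seed or period <= 0 or drift < 0:
        raise ValueError("bad login, seed, period or drift")
    if pw_hash and "$" not in pw_hash:
        raise ValueError("password field must be SALT$HASH")
    return Entry(login, seed, period, drift, pw_hash or None)

def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_otp(entry, otp, now):
    """Assumption: counter = now // period, accepted within +/- max_drift periods."""
    current = int(now) // entry.period
    first = max(0, current - entry.max_drift)
    ok = False
    for counter in range(first, current + entry.max_drift + 1):
        # Compare every candidate so timing does not reveal which one matched.
        ok |= hmac.compare_digest(hotp(entry.seed, counter).encode(), otp.encode())
    return ok

def check_password(entry, password):
    """Verify SALT$HASH with HASH = SHA1(CONCAT(PASSWORD, SALT))."""
    if entry.pw_hash is None:
        raise ValueError("no additional password configured for this user")
    salt, _, expected = entry.pw_hash.partition("$")
    digest = hashlib.sha1((password + salt).encode()).hexdigest()
    return hmac.compare_digest(digest.encode(), expected.lower().encode())
```

The file holds token seeds in recoverable form and a single-round SHA1 password hash, so it should be readable by root only (mode 0600).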

This version

0.1

Source Distribution

libpam_hotp-0.1.tar.gz (2.3 kB view details)

Built Distribution

libpam_hotp-0.1-py2.6.egg (2.1 kB view details)
