How To Secure Your Ubuntu 10.10 Desktop With LinOTP 2
This howto guides you through setting up a standalone LinOTP one-time-password authentication backend on your Linux machine, so that you can add two-factor authentication with one-time passwords to your desktop login.
LinOTP is a modular OTP (one-time password) solution that supports many different OTP tokens. LinOTP is written in Python, based on Pylons, and runs behind Apache. It is open source, licensed under the AGPLv3; additional functionality, maintenance and support can be licensed as an Enterprise Edition.
This howto should run on Ubuntu 10.10 and Debian Squeeze.
Prerequisites
You can either download the necessary packages from the LinOTP website or add the online repository to your package sources and install them with apt-get. This howto uses the second way.
Configure the online repository
First add the GPG key that was used to sign the packages. The key is fetched over plain HTTP, so before trusting it compare the key ID in the file name (0xF86258E5) with what apt-key list shows after the import. Note that apt-key add expects a local file, not a URL:
wget -O linotp-packaging.asc 'http://linotp.org/apt/LSE LinOTP2 Packaging [email protected] (0xF86258E5) pub.asc'
sudo apt-key add linotp-packaging.asc
Then add the repository to your system:
sudo add-apt-repository "deb http://linotp.org/apt/ubuntu lucid linotp2ce"
Installation
Now you can install the LinOTP server, the management client and the PAM module:
sudo apt-get install linotp linotpuseridresolver libpam-linotp linotpadminclientce
When installing the linotp package you are asked several questions:
Do you want to run LinOTP 2 via Apache2? -> Yes
Enter admin password for the new LinOTP admin account. -> choose a strong one
Do you want to create a self-signed certificate? -> Yes
What SQL database do you want to use for the token database? -> MySQL
Database hostname: -> localhost
Name of token database: -> LinOTP2
Database user: -> linotp2
Database user's password: -> choose one
Enter MySQL root password: -> needed so that the database and user can be created
Do you want to create the tables? -> Yes
During the installation the encryption key /etc/linotp2/encKey is created. It protects the token secrets stored in the database, so back it up and keep it readable by the linotp user only. Be sure to also enter the MySQL root password, so that the database is created, too.
You now have two ways to manage the LinOTP server and OTP tokens: the command line client linotpadm.py or the web interface at
https://localhost/manage
Please note: if you get an "internal server error", look at /var/log/apache2/error.log. The access rights of the directory /var/log/linotp may be wrong; the whole directory /etc/linotp2 also needs to be owned by the user linotp.
Configuration of the UserIdResolver
LinOTP reads users through so-called UserIdResolvers. The AGPLv3 version comes with the PasswdUserIdResolver, which reads users from flat files like /etc/passwd. You can also create a new file that contains only the users you want, as long as you stick to the passwd format.
The Enterprise Edition also provides resolvers for users located in LDAP and SQL databases.
You can use the management web UI or the command line client to set up your LinOTP server. You need to configure a UserIdResolver and a default realm. With the command line client, issue the following commands:
linotpadm.py --url=https://localhost --admin=admin --command=setresolver --resolver=defaultPW --rtype=FILE --rf_file=/etc/passwd
This reads the users from /etc/passwd. You will get JSON feedback like this:
{ u'status': True,....}
Now you need to add this resolver to your default realm:
linotpadm.py --url=https://localhost --admin=admin --command=setrealm --realm=defrealm --resolver=useridresolver.PasswdIdResolver.IdResolver.defaultPW
linotpadm.py --url=https://localhost --admin=admin --command=setdefaultrealm --realm=defrealm
You can check the result in the web UI or issue the command:
linotpadm.py --url=https://localhost --admin=admin --command=listuser
You should see the list of your users. Now you are ready to assign tokens to them.
Enroll OTP Token
Now enroll an OTP token. In this example we enroll an mOTP token on a mobile phone (you could also enroll an OATH token or Google Authenticator). Download the app from http://motp.sourceforge.net and install it on your phone. Initialize the token by entering 0000 as PIN on the phone; an init-secret will be displayed.
linotpadm.py --url=https://localhost --admin=admin --command=inittoken --user=cornelius --type=motp --otpkey=860e2e9bf9d50665 --serial=1 --otppin=1234
This generates an mOTP token assigned to the user "cornelius". The otpkey is the init-secret that was displayed on your phone. You may choose the serial (serial number) as you like. The otppin is the PIN you enter on the phone to generate an OTP value.
Optionally you may set an OTP PIN, a fixed password part that you enter in front of the OTP value (its position depends on the parameter PrependPIN):
linotpadm.py --url=https://localhost --admin=admin --command=set --pin=Password --serial=1
Alternatively you can use the management web interface to enroll the token.
Now you are ready to generate your first OTP value. Go to the portal site:
https://localhost/auth/index
and enter your username and, as password, the OTP PIN you set followed by the OTP value generated on your phone. If authentication fails, you may have mistyped the init-secret, or the clock of your phone may be out of sync with the server.
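To make the two failure modes above concrete, here is an added example (not code from the howto or from LinOTP) that computes the mOTP value the phone shows and checks it the way a server does: Mobile-OTP takes the first six hex characters of md5(str(epoch // 10) + init_secret + pin), with the init-secret hashed as the 16-character text the phone displayed. The init-secret and PIN are the ones from the inittoken command above; the server clock, the size of the acceptance window and the replay guard are assumptions of this example, not LinOTP's settings.

```python
"""Added example: mOTP value generation and a windowed server-side check."""
import hashlib
import hmac

# Values from the howto's inittoken command; timestamps below are constructed.
INIT_SECRET = "860e2e9bf9d50665"
PHONE_PIN = "1234"


def motp_for_step(init_secret: str, pin: str, step: int) -> str:
    """mOTP value for one 10-second time step (step = epoch // 10)."""
    data = (str(step) + init_secret + pin).encode("ascii")
    return hashlib.md5(data).hexdigest()[:6]


def motp(init_secret: str, pin: str, epoch: int) -> str:
    """What the phone computes at Unix time `epoch`, i.e. what the user types."""
    return motp_for_step(init_secret, pin, epoch // 10)


class MotpVerifier:
    """Server-side check for one enrolled token.

    The +/- window and the replay guard are design choices of this example
    (assumption); LinOTP has its own configurable settings for these.
    """

    def __init__(self, init_secret: str, pin: str, window_seconds: int = 180):
        self.init_secret = init_secret
        self.pin = pin
        self.window_steps = window_seconds // 10
        self.last_step = -1  # highest time step already consumed

    def check(self, otp: str, now: int) -> bool:
        if len(otp) != 6:
            return False
        server_step = now // 10
        # Try every step in the window. A phone clock off by more than the
        # window, or an init-secret mistyped at enrolment, never matches.
        for delta in range(-self.window_steps, self.window_steps + 1):
            step = server_step + delta
            if step <= self.last_step:
                continue  # this step was already used: refuse the replay
            expected = motp_for_step(self.init_secret, self.pin, step)
            if hmac.compare_digest(expected, otp):
                self.last_step = step
                return True
        return False


def demo() -> dict:
    """Walk through the success and failure cases the howto mentions."""
    server_now = 1_300_000_000  # constructed server clock
    verifier = MotpVerifier(INIT_SECRET, PHONE_PIN)
    results = {}
    # Phone clock 50 s behind the server: inside the window, accepted.
    good = motp(INIT_SECRET, PHONE_PIN, server_now - 50)
    results["in_window"] = verifier.check(good, server_now)
    # The same value typed a second time: rejected as a replay.
    results["replay"] = verifier.check(good, server_now)
    # Phone clock 20 minutes off: outside the window, rejected.
    skewed = motp(INIT_SECRET, PHONE_PIN, server_now + 1200)
    results["clock_skew"] = verifier.check(skewed, server_now)
    # Init-secret mistyped at enrolment (last digit wrong): never lines up.
    typo = motp("860e2e9bf9d50666", PHONE_PIN, server_now)
    results["wrong_secret"] = MotpVerifier(INIT_SECRET, PHONE_PIN).check(typo, server_now)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>12}: {'accepted' if accepted else 'rejected'}")
```

Because the value only depends on the 10-second step, two phones with the same init-secret and PIN produce the same OTP, and a phone whose clock drifts past the server's window produces values the server will never try; that is why the howto's advice to check the phone's time matters.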
Authenticate via PAM
Now we will set up PAM so that you can authenticate to your desktop with OTP. The security module /lib/security/pam_linotp.so was installed on your system. We do it modularly, in a separate PAM fragment:
cp /etc/pam.d/common-auth /etc/pam.d/common-linotp
In /etc/pam.d/common-linotp change the line:
auth [success=1 default=ignore] pam_unix.so nullok_secure
to
auth [success=1 default=ignore] pam_linotp.so debug nosslhostnameverify nosslcertverify url=https://localhost/validate/simplecheck realm=defrealm resConf=defaultPW
Please note that with the "debug" option a lot of information, including the password, is written to auth.log; remove "debug" once the setup works. The nosslhostnameverify and nosslcertverify options switch off TLS certificate checks. That is tolerable here only because the URL points at the self-signed certificate on localhost; if the LinOTP server runs on another host, drop these options and give pam_linotp a certificate it can verify, otherwise the validate endpoint can be spoofed.
You may now use common-linotp instead of common-auth in any PAM configuration you like. For example, change the line in /etc/pam.d/gdm:
@include common-auth
to
@include common-linotp
Now you need to authenticate with OTP to your GNOME desktop. You will no longer be asked for "Password" but for "Your OTP". Note that you also need to change /etc/pam.d/gnome-screensaver if you want to unlock the screen with OTP. Keep a root shell open while you test the PAM changes so that a mistake does not lock you out.
If authentication fails, take a look at /var/log/auth.log.
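As an added example (not part of the howto or of LinOTP), the following script lints the pam_linotp.so line of a PAM fragment such as /etc/pam.d/common-linotp for the settings discussed above: "debug" (the password ends up in auth.log), the two nossl*verify options when the URL does not point at localhost, and a URL that is not https. The option names are the ones used in the howto; the sample fragments are constructed for this example and the host otp.example.org is hypothetical.

```python
"""Added example: lint the pam_linotp.so line of a PAM fragment."""
from urllib.parse import urlparse

# Constructed sample, modelled on the howto's /etc/pam.d/common-linotp.
SAMPLE_COMMON_LINOTP = """\
# /etc/pam.d/common-linotp (constructed sample)
auth [success=1 default=ignore] pam_linotp.so debug nosslhostnameverify nosslcertverify url=https://localhost/validate/simplecheck realm=defrealm resConf=defaultPW
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Same line with "debug" removed: fine for a server on localhost.
HARDENED_LOCALHOST = (
    "auth [success=1 default=ignore] pam_linotp.so nosslhostnameverify nosslcertverify "
    "url=https://localhost/validate/simplecheck realm=defrealm resConf=defaultPW\n"
)

# Hypothetical remote LinOTP server with certificate checks switched off.
REMOTE_NO_VERIFY = (
    "auth [success=1 default=ignore] pam_linotp.so nosslcertverify "
    "url=https://otp.example.org/validate/simplecheck realm=defrealm resConf=defaultPW\n"
)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_pam_lines(text):
    """Yield (type, control, module, options) for each PAM rule line.

    Skips comments, blank lines and @include lines, and understands the
    bracketed control form, e.g. [success=1 default=ignore].
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        tokens = line.split()
        if len(tokens) < 3:
            continue
        ptype = tokens[0]
        if tokens[1].startswith("["):
            i = 1
            while i < len(tokens) and not tokens[i].endswith("]"):
                i += 1
            control = " ".join(tokens[1 : i + 1])
            rest = tokens[i + 1 :]
        else:
            control, rest = tokens[1], tokens[2:]
        if not rest:
            continue
        yield ptype, control, rest[0], rest[1:]


def lint_pam_linotp(text):
    """Return a list of findings for every pam_linotp.so rule in `text`."""
    findings = []
    for _ptype, _control, module, options in parse_pam_lines(text):
        if module != "pam_linotp.so":
            continue
        flags = {o for o in options if "=" not in o}
        kv = dict(o.split("=", 1) for o in options if "=" in o)
        url = urlparse(kv.get("url", ""))
        host = url.hostname or ""
        if "debug" in flags:
            findings.append("debug: the OTP and password are written to auth.log; remove once it works")
        if url.scheme != "https":
            findings.append("url is not https: OTP values travel in clear text")
        if host not in LOCAL_HOSTS and flags & {"nosslcertverify", "nosslhostnameverify"}:
            findings.append("nossl*verify on a remote url: the validate endpoint can be spoofed")
    return findings


if __name__ == "__main__":
    for name, text in [("howto line", SAMPLE_COMMON_LINOTP),
                       ("hardened localhost", HARDENED_LOCALHOST),
                       ("remote, no verify", REMOTE_NO_VERIFY)]:
        print(name + ":", lint_pam_linotp(text) or "ok")
```

Run it against the real fragment with `lint_pam_linotp(open("/etc/pam.d/common-linotp").read())` before you point gdm at it; the hardened localhost line passes, the howto's line is flagged only for "debug", and a remote URL with nosslcertverify is flagged as spoofable.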