Setup oathtoolkit and libpam-oath on Debian Linux
The OATH Toolkit contains a shared library, command line tool and a PAM module that makes it possible to build one-time password authentication systems. Supported technologies include the event-based HOTP algorithm and the time-based TOTP algorithm. OATH is the Open AuTHentication organization which specifies the algorithms.
The components included in the package are:
- liboath: A shared and static C library for OATH handling.
- oathtool: A command line tool for generating and validating OTPs.
- pam_oath: A PAM module for pluggable login authentication for OATH.
Compatible (and tested) apps and hardware tokens on the client side
As you can see, the OATH Toolkit includes support for Google Authenticator. So if you want to build an OTP system you should use the OATH Toolkit. The only additional option Google Authenticator has is the ability to add scratch codes. If you build a PAM-based system, e.g. with FreeRADIUS, you can combine google-authenticator (for scratch codes) and the OATH Toolkit (for all kinds of OTPs) by adding them both as "auth optional" in /etc/pam.d/radiusd.
This document is based on:
Distributor ID: Debian
Description: Debian GNU/Linux 6.0.5 (squeeze)
Release: 6.0.5
Codename: squeeze
Depending on your system you need some packages on your machine before we begin. Since I wrote this documentation after I had installed everything, it is possible that I missed a dependency. If so, find out what is missing and install it. As far as I can remember I did:
apt-get install libqrencode3 datefudge
Get and install the OATH Toolkit for Debian
OATH Toolkit is not included in the stable version of Debian. I just downloaded it from the current testing version (wheezy). You can get it here:
Download the following packages for your architecture:
- liboath0 - OATH Toolkit liboath library
- libpam-oath - OATH Toolkit libpam_oath PAM module
- oathtool - OATH Toolkit oathtool command line tool
and install them from the command line with
dpkg -i liboath0_1.12.3-1_i386.deb
dpkg -i libpam-oath_1.12.3-1_i386.deb
dpkg -i oathtool_1.12.3-1_i386.deb
The file names may differ slightly on your side.
You have now installed the OATH Toolkit including PAM support.
Try to use oathtool now:
oathtool -v dd23c3db653ba29ac533
The result should look exactly like this:
Hex secret: dd23c3db653ba29ac533
Base32 secret: 3UR4HW3FHORJVRJT
Digits: 6
Window size: 0
Start counter: 0x0 (0)

684379
If you get the same output, you know your installation of the OATH Toolkit worked. Please also verify that the PAM module has been placed in the correct location:
ls -l /lib/security/pam_oath.so
should result in
This means the PAM module is in the right place.
I would prefer counter-based codes over time-based codes for software tokens. With counter-based codes you reduce the possibility of duplicating the account on multiple devices, since the counter increasing on every good or bad login gives "some kind" of protection against cloning.
For hardware tokens I would recommend time-based tokens like the c200 from Gooze (HOTP/T60/6). This reduces the administrative work of synchronising tokens.
Also take a look at this entry: http://code.google.com/p/google-authenticator/issues/detail?id=170
I would generally say:
For cloneable tokens (Software Tokens) use event-based (HOTP/E).
For hardware tokens use time-based (HOTP/T).
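To see what oathtool computed in the verification step above, and how a server advances the counter that makes HOTP the better fit for cloneable software tokens, here is an added RFC 4226 implementation in plain Python (example code written for this page, not part of the OATH Toolkit). It uses the hex secret from the oathtool run; verify_hotp and its window parameter are my own names, modelled on the "Window size" oathtool prints, and the second secret is the RFC 4226 Appendix D test key.

```python
# Added example: RFC 4226 HOTP in plain Python, to reproduce what oathtool
# computed above and to show the counter handling that makes HOTP the
# better fit for cloneable software tokens. Not OATH Toolkit code.
import base64
import hashlib
import hmac
import struct

# Hex secret from the oathtool run on this page.
PAGE_SECRET = bytes.fromhex("dd23c3db653ba29ac533")
# Test secret from RFC 4226 Appendix D (counter 0 -> 755224).
RFC4226_SECRET = b"12345678901234567890"


def base32_secret(secret):
    """The 'Base32 secret' line oathtool prints: base32 without '=' padding,
    which is the form Google Authenticator expects when you enter a key."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def hotp(secret, counter, digits=6):
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret, stored_counter, otp, window=0):
    """Server-side check (hypothetical helper, modelled on the look-ahead
    window of pam_oath): accept otp if it matches any counter in
    stored_counter .. stored_counter + window. Returns the counter to store
    next (one past the match) or None on failure. Persisting the new counter
    is what rejects replays and desynchronises a cloned token."""
    for c in range(stored_counter, stored_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), otp):
            return c + 1
    return None


if __name__ == "__main__":
    print("Base32 secret:", base32_secret(PAGE_SECRET))
    print("Counter 0 OTP:", hotp(PAGE_SECRET, 0))
```

Run as a script it prints the base32 secret and the counter-0 code for the page's secret, which you can compare against the oathtool output shown earlier.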
Use Google Authenticator to login to a Linux PC - thanks for this good tutorial!