Friday, June 07, 2013

Using a time-based OATH token (TOTP) on Debian 7

Debian 7 (wheezy) includes packages for oath-toolkit. This means it is easy to use OATH tokens or mobile apps for authentication. This was already described in a post by Mike Boers:

http://mikeboers.com/blog/2011/05/28/one-time-passwords-for-ssh-on-ubuntu-and-os-x

But now it's become even easier. Let's say you would like to use Google Authenticator to log in to your SSH server. All you need is to install and configure some software from standard Debian packages. Here goes...
ntpdate

As we are using time-based tokens, make sure the clock is synced. Install ntpdate:

# apt-get install -y ntpdate

and sync your clock:

# ntpdate klokslag.surfnet.nl

oathtool

Install:

# apt-get install oathtool

You should now be able to invoke oathtool. In HOTP mode (the default, counter 0), the sample key from RFC 4226 yields 755224:

$ oathtool 3132333435363738393031323334353637383930
755224

For TOTP, use:

$ oathtool --totp 3132333435363738393031323334353637383930
195659

Of course, you will get a different answer because at the time of writing my clock shows 1370636289 and yours will show something different.

SSH

Edit the file /etc/ssh/sshd_config and set ChallengeResponseAuthentication to yes.
Don't forget to restart the SSH daemon:

# invoke-rc.d ssh restart

PAM

Next step is to configure PAM:

# apt-get install libpam-oath

Edit the file /etc/pam.d/sshd and replace the Unix login line with the OATH login line:

auth    required     pam_oath.so usersfile=/etc/users.oath

Here, we'll use the test key (in the usersfile, HOTP/T30/6 means a time-based token with a 30-second step and 6 digits):

# echo "HOTP/T30/6 jodi - 3132333435363738393031323334353637383930" >> /etc/users.oath
# chmod go-rw /etc/users.oath

Using Google Authenticator

To use an OATH token app like Google Authenticator, use verbose mode to show the base32-encoded secret:

$ oathtool -v --totp 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2013-06-07 20:26:56 UTC (1370636816)
Counter: 0x2B92455 (45687893)

152112
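To make the numbers above concrete, here is an added Python example (my own code, not part of the original post and not oath-toolkit's code) that implements HOTP as specified in RFC 4226, builds TOTP on top of it with the same 30-second step and Unix epoch start that oathtool reported, derives the base32 form of the secret that Google Authenticator takes, and verifies a submitted code against a configurable window of time steps. The only secret used is the RFC 4226 test key shown on this page; the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 test secret "12345678901234567890", the key used throughout this page.
TEST_SECRET_HEX = "3132333435363738393031323334353637383930"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, then reduce
    modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(unix_time: int, step: int = 30, t0: int = 0) -> int:
    """Time-step counter per RFC 6238; oathtool -v prints this as 'Counter'."""
    return (unix_time - t0) // step


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the time-step counter in place of an event counter."""
    return hotp(secret, totp_counter(unix_time, step), digits)


def base32_secret(secret: bytes) -> str:
    """The form Google Authenticator expects when the secret is typed in by
    hand (padding removed; a 20-byte key encodes to 32 characters exactly)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 0, step: int = 30) -> bool:
    """Accept a code if it matches the current step or any step within
    +/- window steps. window=0 is what oathtool reported above and is the
    strictest setting; a window of 1 tolerates 30 seconds of clock drift
    at the cost of accepting three codes instead of one per check.
    compare_digest keeps the comparison constant-time."""
    counter = totp_counter(unix_time, step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return True
    return False


if __name__ == "__main__":
    key = bytes.fromhex(TEST_SECRET_HEX)
    print("HOTP counter 0:", hotp(key, 0))          # 755224, the RFC 4226 vector
    print("Base32 secret: ", base32_secret(key))
    print("TOTP now:      ", totp(key, int(time.time())))
```

The window parameter is the knob that trades clock tolerance for acceptance surface: with window 0, a server that has drifted more than half a step from the phone rejects every code, which is why the ntpdate step above matters. Because only 10^6 codes exist, any verifier built on this also needs rate limiting on the number of attempts per user.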

Now, manually enter the secret in Authenticator, or scan an enrolment QR code, which you can generate using qrencode. Install using:

# apt-get install qrencode

and generate the QR code URL:

$ qrencode 'otpauth://totp/Debian7?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' -o enrol.png

The file enrol.png will look like this:

References

oath toolkit:
http://www.nongnu.org/oath-toolkit/index.html

Wednesday, January 02, 2008

Monitor hard drive temperature

I installed a laptop hard drive into my Soekris SBC, which runs some server processes on FreeBSD. Although not designed for 24x7 use, this drive works perfectly, and has been spinning flawlessly for over three years now. It does generate a lot of heat though. I've been monitoring its temperature using smartmontools, which is in the FreeBSD ports collection (/usr/ports/sysutils/smartmontools).

To get info about your drive:

# smartctl -i /dev/ad0
smartctl version 5.36 [i386-portbld-freebsd6.1] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF INFORMATION SECTION ===
Model Family: Fujitsu MHTxxxxAH family
Device Model: FUJITSU MHT2060AH
Serial Number: NP05T4325FMN
Firmware Version: 006C
User Capacity: 60,011,642,880 bytes
Device is: In smartctl database [for details use: -P show]
ATA Version is: 6
ATA Standard is: ATA/ATAPI-6 T13 1410D revision 3a
Local Time is: Wed Jan 2 11:03:14 2008 CET
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

To display attributes:

# smartctl -A /dev/ad0
smartctl version 5.36 [i386-portbld-freebsd6.1] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x000f 100 100 046 Pre-fail Always - 165117
2 Throughput_Performance 0x0005 100 100 030 Pre-fail Offline - 19464192
3 Spin_Up_Time 0x0003 100 100 025 Pre-fail Always - 1
4 Start_Stop_Count 0x0032 100 100 000 Old_age Always - 60
5 Reallocated_Sector_Ct 0x0033 100 100 024 Pre-fail Always - 8589934592000
7 Seek_Error_Rate 0x000f 100 100 047 Pre-fail Always - 2146
8 Seek_Time_Performance 0x0005 100 100 019 Pre-fail Offline - 0
9 Power_On_Seconds 0x0032 037 037 000 Old_age Always - 31899h+28m+39s
10 Spin_Retry_Count 0x0013 100 100 020 Pre-fail Always - 0
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 60
192 Power-Off_Retract_Count 0x0032 100 100 000 Old_age Always - 20
193 Load_Cycle_Count 0x0032 024 024 000 Old_age Always - 763252
194 Temperature_Celsius 0x0022 100 065 000 Old_age Always - 38 (Lifetime Min/Max 18/67)
195 Hardware_ECC_Recovered 0x001a 100 100 000 Old_age Always - 45616
196 Reallocated_Event_Count 0x0032 100 100 000 Old_age Always - 277282816
197 Current_Pending_Sector 0x0012 100 100 000 Old_age Always - 0
198 Offline_Uncorrectable 0x0010 100 100 000 Old_age Offline - 0
199 UDMA_CRC_Error_Count 0x003e 200 200 000 Old_age Always - 0
200 Multi_Zone_Error_Rate 0x000f 100 100 060 Pre-fail Always - 29279
203 Run_Out_Cancel 0x0002 100 100 000 Old_age Always - 433780686965

I use something like

# smartctl -A /dev/ad0 | grep ^194 | awk '{print $10}'

in a cron job to store the drive's temperature into an rrd database, which in turn can generate nice pictures. Field 10 is the RAW_VALUE column, which holds the actual temperature (38 in the output above); field 5 would print the normalised WORST value instead.
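The grep/awk one-liner is fragile if a column shifts or another attribute is wanted. As an added example (my own code, not from the original post or from smartmontools), the Python below parses the attribute table of smartctl -A into a dictionary keyed by attribute ID, pulls the temperature and its lifetime min/max out of attribute 194, builds the value argument for an rrdtool update, and lists attributes that deserve an alert: any Pre-fail attribute whose normalised VALUE has reached THRESH, or any attribute with WHEN_FAILED set. The first sample input is constructed from the smartctl output shown above; the second is a constructed degraded drive that I made up to exercise the alerting path.

```python
import re

# Sample input, constructed from the smartctl -A output shown above
# (Fujitsu MHT2060AH on FreeBSD 6.1; a subset of the attribute lines).
SAMPLE_SMARTCTL_A = """\
smartctl version 5.36 [i386-portbld-freebsd6.1] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
5 Reallocated_Sector_Ct 0x0033 100 100 024 Pre-fail Always - 8589934592000
9 Power_On_Seconds 0x0032 037 037 000 Old_age Always - 31899h+28m+39s
194 Temperature_Celsius 0x0022 100 065 000 Old_age Always - 38 (Lifetime Min/Max 18/67)
197 Current_Pending_Sector 0x0012 100 100 000 Old_age Always - 0
"""

# Constructed (invented) sample of a failing drive: the Pre-fail attribute 5
# has VALUE 020 at or below THRESH 024 and smartctl has marked it FAILING_NOW.
DEGRADED_SMARTCTL_A = """\
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
5 Reallocated_Sector_Ct 0x0033 020 020 024 Pre-fail Always FAILING_NOW 1536
194 Temperature_Celsius 0x0022 100 065 000 Old_age Always - 71 (Lifetime Min/Max 18/71)
"""


def parse_attributes(text: str) -> dict:
    """Parse the attribute table into {id: {...}}. Header, banner and blank
    lines are skipped because their first token is not a number. RAW_VALUE
    may contain spaces ("38 (Lifetime Min/Max 18/67)"), so it is rejoined."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].isdigit():
            continue
        attrs[int(fields[0])] = {
            "name": fields[1],
            "value": int(fields[3]),
            "worst": int(fields[4]),
            "thresh": int(fields[5]),
            "type": fields[6],
            "when_failed": fields[8],
            "raw": " ".join(fields[9:]),
        }
    return attrs


def temperature_celsius(attrs: dict) -> int:
    """Current temperature: the leading integer of attribute 194's RAW_VALUE."""
    return int(re.match(r"(\d+)", attrs[194]["raw"]).group(1))


def lifetime_min_max(attrs: dict):
    """(min, max) from the 'Lifetime Min/Max a/b' suffix, or None if absent."""
    m = re.search(r"Min/Max (\d+)/(\d+)", attrs[194]["raw"])
    return (int(m.group(1)), int(m.group(2))) if m else None


def rrd_update_arg(attrs: dict) -> str:
    """Value argument for 'rrdtool update <file> N:<temp>' (N = now)."""
    return f"N:{temperature_celsius(attrs)}"


def failing_attributes(attrs: dict) -> list:
    """IDs that should raise an alert: WHEN_FAILED set, or a Pre-fail
    attribute whose normalised VALUE has dropped to its THRESH (a THRESH
    of 0 means the vendor set no threshold, so it is ignored)."""
    return sorted(
        i for i, a in attrs.items()
        if a["when_failed"] != "-"
        or (a["type"] == "Pre-fail" and a["thresh"] > 0 and a["value"] <= a["thresh"])
    )


if __name__ == "__main__":
    # Drop-in replacement for the grep/awk pipeline when run as a script:
    # feed it the output of 'smartctl -A /dev/ad0' on stdin.
    import sys
    parsed = parse_attributes(sys.stdin.read())
    print(rrd_update_arg(parsed))
    for i in failing_attributes(parsed):
        print(f"ALERT: attribute {i} ({parsed[i]['name']})", file=sys.stderr)
```

Keying on the attribute ID rather than a grep of the line start avoids matching an unrelated line that happens to begin with 194, and reading RAW_VALUE rather than VALUE gives degrees Celsius for this drive; some vendors encode the temperature in the normalised column instead, so the parser should be checked against a sample from each drive model before it is trusted in a cron job.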