OTP on Linux, client side.

Many online services (Google, Facebook, etc.), as well as company VPN configurations, require a one-time password (OTP) for improved security. The one-time password consists of a static PIN, known only to you, combined with a code produced by a software or hardware token.  For more information on the various implementations of two-factor authentication, see https://fedorahosted.org/freeotp/ or https://github.com/google/google-authenticator/wiki .

Before I go any further and detail how you can generate an OTP on a Linux box, let me state very clearly: doing the following is NOT RECOMMENDED if you are concerned with SECURITY.  I do this as a matter of convenience, and also because I am comfortable with the additional security measures I take on my personal laptop.

Why is it not recommended, you ask?  I’m glad you asked, so let me explain.  If your laptop or desktop is somehow compromised and someone can intercept your activity, and you use that same laptop both to generate your one-time password and to enter it when connecting to remote resources, the attacker will have not only the static PIN associated with your OTP but also the generated token, since the generator also resides on your laptop in software.  As such, your token generator should typically NOT reside on your laptop.  Some people also use the YubiKey hardware token generator, which they leave plugged into their laptop all the time, and just press the hardware button to enter the OTP into whichever application has focus.  In my opinion, the convenience of using the YubiKey this way reduces security in much the same way as running the soft token on a laptop or desktop, since physical access to your system now means an attacker simply needs to brute-force a set of static passwords.

With the above in mind, the following method is used on a Fedora 22 laptop with the OATH Toolkit.

First, install the oathtool RPM using:

yum install -y oathtool

Next, generate your token.  I won’t detail how this is done here, as it depends on the service provider.  Typically you’ll see a QR code that can be scanned into one of a number of available clients for mobile platforms.  However, the QR code is really just a representation of the token secret.  There may also be a URL that can be used with various clients to initialize the token generator.  This URL will look something like:

otpauth://hotp/SomeTokenName?secret=base32-encoded-secret&counter=0
or
otpauth://totp/SomeTokenName?secret=base32-encoded-secret

Next, take the “base32-encoded-secret” (note that this will look like a random string of characters) and store it in a GPG-encrypted file.  I use the file $HOME/.google_token.gpg as an example.

If you’re using the counter- or event-based (HOTP) mode, you will also want to store the current counter.  For this I use the $HOME/.google_counter file.

Finally, use the following Bash script to generate your OTP:

#!/bin/bash

# Read the last counter used, and advance it for this code.
counter=$(cat ~/.google_counter)
counter=$((counter+1))
# Decrypt the base32 token secret from the GPG-encrypted file.
secret=$(gpg --quiet --decrypt < ~/.google_token.gpg)
# Generate the HOTP code for this counter (-b: secret is base32 encoded).
oathtool -c "$counter" -b "$secret"
# Persist the counter so the next run does not reuse it.
echo "$counter" > ~/.google_counter
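As an added example (not the post's own code, and not part of the OATH Toolkit), here is what `oathtool -c N -b SECRET` computes, implemented from RFC 4226, together with an otpauth URI parser and a counter file that is saved atomically before the code is handed out. The sample URI uses the RFC 4226 test key in base32 rather than a real token, and the counter path is a hypothetical stand-in for ~/.google_counter.

```python
import base64
import hashlib
import hmac
import os
import struct
import tempfile
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the secret is the RFC 4226 test key in base32, not a real token.
SAMPLE_URI = "otpauth://hotp/SomeTokenName?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0"
# Hypothetical counter file standing in for the post's ~/.google_counter.
STATE_PATH = os.path.join(tempfile.gettempdir(), "hotp_counter_example")

def parse_otpauth(uri):
    """Split an otpauth:// URI into (type, label, raw secret bytes, params)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("hotp", "totp"):
        raise ValueError("not an otpauth hotp/totp URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # tolerate the usual missing base32 padding
    return u.netloc, unquote(u.path.lstrip("/")), base64.b32decode(b32), params

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def next_hotp(secret, state_path, initial=0, digits=6):
    """Generate the next code and persist counter+1 atomically *before* returning it.
    The file holds the next counter to use (seed it from the URI's counter= value); a crash
    between generating and saving would otherwise leave the client a step behind the server."""
    try:
        with open(state_path) as f:
            counter = int(f.read().strip() or initial)
    except FileNotFoundError:
        counter = initial
    code = hotp(secret, counter, digits)
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        f.write("%d\n" % (counter + 1))
    os.replace(tmp, state_path)  # atomic rename, so the file is never half-written
    return code

def reset_state(state_path):
    """Forget the persisted counter, e.g. before re-seeding from a fresh URI."""
    if os.path.exists(state_path):
        os.remove(state_path)
```

The first three codes for the sample key are 755224, 287082 and 359152, the values listed in RFC 4226, so the output can be compared directly against `oathtool -c 0 -b GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`.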

IMPORTANT: In order to protect your laptop and the contents therein, use disk encryption, so that if your laptop or desktop is ever stolen your files will not be readable by anyone who does not have the decryption key.  The combination of disk-level encryption and the use of GPG to further encrypt the secret associated with my token is why I am comfortable with the above approach.  However, you will need to consult your local security policies to ensure that you are within the guidelines provided by your company or institutional Information Security group.

One thought on “OTP on Linux, client side.”

  1. Hey Kambiz,

    Thanks for the quick article on OTP from your local machine. I extended the Bash script with xclip to copy the token directly into my clipboard. I noticed it looks like you missed one newline in the script on the last line after $secret.

