# # $Id: QUICKSTART 76 2009-12-26 21:04:01Z maf $ # OpenOTP is an implementation of the HOTP protocol using a ZeitControl Cardsystems ZC3.9 BasicCard and standalone balance reader, standalone Spyrus PAR2 (Personal Access Reader), or PCSC-Lite supported Smart Card reader. Included is a C library implementation of the HOTP protocol and associated user database management, HOTP PAM library, OpenVPN plug-in module, micro RADIUS server with HOTP support, and utilties for managing the Smart Card, Spyrus reader, and host side HOTP user database. The PCSC-Lite API provides reader support for Smart Card management. The card management, firmware loaders, C API, and authentication methods have been developed & tested for FreeBSD and Linux. The PARII HOTP firmware is provided as a pre-compiled binary with source for the HOTP implementation. The Spyrus development toolkit and Hi-Tech/Microchip C compiler are required for modification. Run-time customization of strings is supported via an EEProm loader without need for the development toolkit & PIC16 compiler. A Unix tool is included for downloading firmware to the reader with a Spyrus downloader cable. Source and Binary for the BasicCard firmware is supplied. Modification requires the Windows BasicCard development software available as a free download from ZeitControl. A Unix version of bcload implemented with the PCSC-Lite interface and embedded ACR30S driver is included. The Smart Card based token generator is standards based and may be used with other RFC compliant HOTP implementations. Other HOTP token generators may be used with the Unix side HOTP library and authentication modules. Distribution: otp-control - OTP database manager otp-pam - OTP PAM module otp-sca - Smart Card Admin Utility otp-sct - Smart Card Terminal otp-openvpn - OpenVPN OTP plug-in urd - Micro RADIUS server with HOTP integration htsoft-downloader - PIC bootloader downloader utility for Spyrus firmware bcload - BasicCard firmware loader basiccard - BasicCard (Smart Card) firmware & source code spyrus-par2 - Spyrus PAR2 firmware & source code common - otplib API and other common code doc - Documentation & Man pages in Unix and HTML format. scripts - shell scripts to setup list of users with HOTP Unix and SC databases. Required: o ZC3.9 BasicCard Smart cards. 1 Per user. These run about $3.00 (US) in quantity 10, or about $5.00 in quantity 1. http://www.basiccard.com o Smart Card Reader. Recommend a CCID compatible reader as this driver is well supported under PCSC-Lite. An embedded driver for the ACR30S (which does not work well with PCSC-Lite) is also included but it requires a RS232 Serial port and PC keyboard port for power which is typically not available on newer laptops. The OMNIKEY CardMan 1021 USB works well on Linux and FreeBSD and can be found on ebay for ~ $17.00 (US). o Balance Reader from Zeitcontrol. (Optional). Using a balance reader to generate HOTP tokens limits the SC to one token and no PIN. o Spyrus PAR II reader and download cable (Optional). The PAR II with a ZC3.9 SC will support about 85 keys. These run about $60 in single quantities. One cable for setup, 1 reader per user. http://www.spyrus.com Software is available at http://www.splintered.net/sw/otp # # Quickstart install for ootp on Mac, FreeBSD, and Linux. # # # PART 1 - Unix side (FreeBSD/Linux) # # o Install pcsc-lite & driver packages (optional / recommended). # o Install developer packages openssl and PAM (if not available). # o compile and install ootp. # o create a user with otp-control. # o configure PAM to use pam_otp.so with sshd. # o test above configuration using software generated token. # # PART 2 hardware token generation # # o download OTP firmware to Spyrus PAR II reader with htsoft-downloader # The Spyrus reader is not required. Tokens can be generated with # only the SC and PC connected reader. # o download OTP firmware to BasicCard SC with bcload. # o copy hosts (hostname & key) to SC with otp-sca. # o generate token with otp-sct. # o generate token with Spyrus PAR II. # # PART 3 personalize Spyrus PAR II EEPROM # # o download Spyrus personalization firmware to BasicCard SC with bcload. # o create EEPROM image. # o copy EEPROM image to SC with otp-sca. # o load EEPROM image into Spyrus reader via SC. # # # # otp-sct and otp-sca will use pcsc-lite if it installed. pcsc-lite provides # drivers for many Smart Card readers. A built in driver is included for # ACR30S based Smart Card readers which only requires a serial port. The # PL2303 USB to Serial adapter is known to work. # # # Installing pcsc-lite from source for Linux. If using YUM see below for # the required packages. Your distribution may # have some or all of # these packages previously installed, make sure to check the versions of # installed software. The ACR38 driver is only available in source form. # The CCID driver package for pcsc-lite supports many Smart Card readers # conforming to the Chip/Smart Card Interface Devices USB standard. # wget --no-check-certificate https://alioth.debian.org/frs/download.php/3080/ccid-1.3.11.tar.bz2 wget --no-check-certificate https://alioth.debian.org/frs/download.php/3082/pcsc-lite-1.5.5.tar.bz2 wget 'http://www.acs.com.hk/drivers/eng/ACR38U_driver_Lnx_1710_P.tar.gz' pcsc-lite: tar -xf pcsc-lite-1.5.5.tar.bz2 cd pcsc-lite-1.5.5 ./configure make make install ccid tar -xf ccid-1.3.11.tar.bz2 cd ccid-1.3.11/ ./configure examples/scardcontrol.c: remove FEATURE_IFD_PIN_PROPERTIES code -- did not compile make make install acr38u tar -xf ACR38U_driver_Lnx_1710_P.tar.gz cd ACR38_LINUX_100710_P ./configure make make install mkdir -p /usr/local/pcsc cd /usr/local/pcsc ln -s /usr/lib/pcsc/drivers . # run in the foreground /usr/local/sbin/pcscd -d -f # # Using yum on a vanilla Fedore 11 install # yum install gcc.i586 yum install openssl yum install openssl-devel yum install pcsc-lite yum install pcsc-lite-devel yum install ccid yum install pam-devel # # Mac OSX 10.5 has pcsc-lite and the CCID drivers installed by default. # install ACR38U MacOSX installer from acs.com.hk # ##### installing pcsc-lite from source for FreeBSD # fetch -o libusb-0.1.12.tar.gz 'http://sourceforge.net/projects/libusb/files/libusb-0.1%20%28LEGACY%29/0.1.12/libusb-0.1.12.tar.gz/download' patch < /usr/ports/devel/libusb/files/patch-bsd.c ./configure make > make.out 2>&1 make install > install.out 2>&1 fetch https://alioth.debian.org/frs/download.php/3080/ccid-1.3.11.tar.bz2 fetch https://alioth.debian.org/frs/download.php/3082/pcsc-lite-1.5.5.tar.bz2 *** PCSCD ./configure --enable-libusb --prefix=/usr/local/pcsc LDFLAGS="-lpthread"\ --enable-ipcdir=/var/tmp/ --enable-confdir=/etc\ --enable-usbdropdir=/usr/local/pcsc/lib/drivers/ --disable-libhal make > make.out 2>&1 make install > install.out 2>&1 ldconfig -m /usr/local/pcsc/lib *** CCID ./configure --enable-usbdropdir=/usr/local/pcsc/lib/drivers\ --enable-ccidtwindir=/usr/local/pcsc/lib/drivers/serial\ --enable-udev PCSC_CFLAGS="-I/usr/local/pcsc/include/PCSC"\ PCSC_LIBS="-L/usr/local/pcsc/lib/ -lpcsclite" make > make.out 2>&1 make install > install.out 2>&1 ### start PCSCD in debug mode if not running. # run in the foreground /usr/local/sbin/pcscd -d -f # # The ACR38U drivers must be installed separately. See # http://www.acs.com.hk/drivers/eng/. Linux is works, FreeBSD driver hangs # in libusb. Mac driver works # ##### OTP build # ootp install dir mkdir -p /usr/local/ootp/bin mkdir -p /usr/local/ootp/man/man1 mkdir -p /usr/local/ootp/man/man7 mkdir -p /usr/local/ootp/firmware mkdir -p /usr/local/ootp/doc mkdir -p /usr/local/ootp/lib chmod -R 755 /usr/local/ootp chown -R root:wheel /usr/local/ootp OOTP="/usr/local/ootp" PATH=$PATH:$OOTP/bin # build Intel Linux, pcsc-lite installed from source cd otp cd common; make clean; make i386-linux; cd .. cd bcload; make clean; make i386-linux; make install cd .. cd htsoft-downloader; make clean; make i386-linux; make install; cd .. cd otp-control; make clean; make i386-linux; make install; cd .. cd otp-pam; make clean; make i386-linux; make install; cd .. cd otp-sca; make clean; make i386-linux; make install; cd .. cd otp-sct; make clean; make i386-linux; make install; cd .. cd otp-openvpn; make clean; make i386-linux; make install; cd .. cd urd; make clean; make i386-linux; make install; cd .. cd basiccard; make install; cd .. cd spyrus-par2; make install; cd .. cd scripts; make install; cd .. cd doc; make install; cd .. # build Intel Linux, pcsc-lite installed with yum cd otp cd common; make clean; make i386-yum-linux; cd .. cd bcload; make clean; make i386-yum-linux; make install; cd .. cd htsoft-downloader; make clean; make i386-linux; make install; cd .. cd otp-control; make clean; make i386-linux; make install; cd .. cd otp-pam; make clean; make i386-linux; make install; cd .. cd otp-sca; make clean; make i386-yum-linux; make install; cd .. cd otp-sct; make clean; make i386-yum-linux; make install; cd .. cd otp-openvpn; make clean; make i386-linux; make install; cd .. cd urd; make clean; make i386-linux; make install; cd .. cd basiccard; make install; cd .. cd spyrus-par2; make install; cd .. cd scripts; make install; cd .. cd doc; make install; cd .. # build Intel FreeBSD cd otp cd common; make clean; make i386-fbsd; cd .. cd bcload; make clean; make i386-fbsd; make install; cd .. cd htsoft-downloader; make clean; make i386-fbsd; make install; cd .. cd otp-control; make clean; make i386-fbsd; make install; cd .. cd otp-pam; make clean; make i386-fbsd; make install; cd .. cd otp-sca; make clean; make i386-fbsd; make install; cd .. cd otp-sct; make clean; make i386-fbsd; make install; cd .. cd otp-openvpn; make clean; make i386-fbsd; make install; cd .. cd urd; make clean; make i386-fbsd; make install; cd .. cd basiccard; make install; cd .. cd spyrus-par2; make install; cd .. cd scripts; make install; cd .. cd doc; make install; cd .. # build Intel MacOSX cd otp cd common; make clean; make i386-macosx; cd .. cd bcload; make clean; make i386-macosx; make install; cd .. cd otp-control; make clean; make i386-macosx; make install; cd .. cd otp-pam; make clean; make i386-macosx; make install; cd .. cd otp-sca; make clean; make i386-macosx; make install; cd .. cd otp-sct; make clean; make i386-macosx; make install; cd .. cd otp-openvpn; make clean; make i386-macosx; make install; cd .. cd urd; make clean; make i386-macosx; make install; cd .. cd htsoft-downloader; make clean; make i386-macosx; make install; cd .. cd basiccard; make install; cd .. cd spyrus-par2; make install; cd .. cd scripts; make install; cd .. cd doc; make install; cd .. # where the OTP database files live by default mkdir /etc/otpdb chown root:wheel /etc/otpdb chmod 700 /etc/otpdb # install the pam_otp module # linux cp $OOTP/lib/pam_otp.so /lib/security chown root:wheel /lib/security/pam_otp.so chmod 755 /lib/security/pam_otp.so # freebsd cp $OOTP/lib/pam_otp.so /usr/lib chown root:wheel /usr/lin/pam_otp.so chmod 755 /usr/lib/pam_otp.so # if running SELinux: # http://docs.fedoraproject.org//selinux-faq-fc5/#faq-div-understanding-selinux # chcon -t textrel_shlib_t /lib/security/pam_otp.so semanage fcontext -a -t textrel_shlib_t /lib/security/pam_otp.so # sshd would also need priviliges to write to /etc/otpdb # # to temporarily disable SELinux for testing use # setenforce 0 # create the OTP database with one inactive user (joe) otp-control -n -u joe -m add otp-control -u joe -m set-status inactive otp-control -u joe -m list >Username.......joe >Key............784F37E95A8410400700DF1E52466AB1704F487B >Count..........0 (0x0) >Count Ceiling..18446744073709551615 (0xFFFFFFFFFFFFFFFF) >Version........1 >Status.........inactive (2) >Format.........hex40 (1) >Type...........HOTP (1) # configure PAM sshd to use new OTP module /etc/pam.d/sshd: # change auth lines: auth requisite pam_unix.so nullok try_first_pass auth required pam_otp.so expose_account display_count allow_inactive debug # expose_account enabled verbose logging via syslog: # OTP username=joe response=0E3F8E7C47 # display_count enables the HOTP count in the challenge prompt # HOTP Challenge (1843): # ^^^^ this is the count # allow_inactive will configure the module to allow a user in the OTP # database set to status inactive to pass authentication without an OTP. /etc/ssh/sshd_config: # PasswordAuthentication must be turned off (default is on) # (note this is not true for all versions of sshd, see example # below. # SSH-2.0-OpenSSH_5.2 - PasswordAuthentication yes # SSH-2.0-OpenSSH_4.5p1 - PasswordAuthentication no PasswordAuthentication no # usePAM to yes (default) UsePAM yes # ChallengeResponseAuthentication is required for the pam OTP module # to interact with sshd ChallengeResponseAuthentication yes # Public Key Authentication must also be turned off RSAAuthentication no PubkeyAuthentication no # restart sshd (linux) /etc/init.d/sshd restart # restart sshd (FreeBSD) /etc/rc.d/sshd restart # example of incorrectly configured system, note after 3 attempts with # PAM, sshd reverts to internal authentication code allowing the OTP PAM # module to be bypassed. # # with later versions of sshd this is no longer true, ie # SSH-2.0-OpenSSH_5.2 is okay. The second password prompt will # also call pam_otp # bastion.eng:~% ssh 10.1.0.25 -l 'joe' Password: Password: Password: joe@10.1.0.25's password: # generate OTP otp-control -u joe -m generate count=5 crsp=48B0D8D8E1 # verify sshd is still working properly bastion.eng:~% ssh 10.1.0.25 Password: Last login: Tue Sep 1 23:21:20 2009 from 10.1.0.26 # activate user otp-control -u joe -m set-status -s active # login with OTP generated earlier bastion.eng:~% ssh 10.1.0.25 Password: HOTP Challenge (5): 48B0D8D8E1 Last login: Wed Sep 2 00:22:03 2009 from 10.1.0.26 [joe@localhost ~]$ #### Downloading firmware to the Spyrus reader The Spyrus PAR II will be programmed with the spyrus1.3.hex application included in the OTP distribution. This will be done once per new reader, or when new application software is required. An proprietary RS232 serial programming cable available from Spyrus is needed. Connect the programming cable to the Spyrus reader and a serial port on the computer with htsoft-downloader compiled. A USB Serial adapter based on the Prolific PL2303 chip has been used during development on Linux and FreeBSD with the htsoft-downloader. YMMV with other adapters. Press Calc/Off to turn on the reader. If it does not power up, remove the paper insulator from the battery or replace the batteries. Press the down arrow until the "DownloadApp" menu item is present. Start the htsoft-downloader utility using serial port at /dev/cuaU0 : # FreeBSD USB Serial Adapter htsoft-downloader -v1 -i -f /dev/cuaU0 < $OOTP/firmware/spyrus1.3.hex # Linux USB Serial Adapter htsoft-downloader -v1 -i -f /dev/ttyS0 < $OOTP/firmware/spyrus1.3.hex Press Enter on the spyrus reader to start the download application: Waiting for bootloader...... DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDwTwF PIC reset sent, ignored last WOK timeout. Increase the verbosity level for more debugging information if necessary. The -i option is required for the bootloader provided with the Spyrus reader. A Windows PIC downloader which will work with the Spyrus reader is available at http://www.ehl.cz/pic/pic_e.htm. It will also note an error when trying to reset the PIC. Press Card/On. The LCD should display: OARnet PIN: Press Calc/Off to preserve the battery. ##### Downloading firmware to the ZC3.9 BasicCard The HOTP BasicCard firmware is programmed into the blank ZC3.9 card. This is typically done only once, the keys and other user information are configured using otp-sct. bcload -v -f $OOTP/firmware/HOTPC.IMG Card/State: ZC3.9 test EEChunkSize=2000 BCSetState: load SC: Reset EEStart=8020,EELen=1fa0 imgAddr=8020,imgLen=1fa0 Clear: addr=8020,len=1fa0 BCClearEEProm: success SC: Reset EEWRITE: nWrites=121,addr=8020,len=1e EEWRITE: nWrites=120,addr=8038,len=10 EEWRITE: nWrites=119,addr=8170,len=38 EEWRITE: nWrites=118,addr=81a0,len=48 ... EEWRITE: nWrites=1,addr=9f40,len=48 EEWRITE: nWrites=0,addr=9f80,len=48 EECRC: nWrites=1,addr=8020,len=1fa0,imgCRC=7a3f EECRC: SCCRC=7a3f EECRC: nWrites=0,addr=8020,len=00,imgCRC=00 EECRC: SCCRC=0 BCSetState: test SC: Reset ##### Downloading firmware to the ZC3.9 BasicCard (Windows Alternative) Install the Windows BasicCard development toolkit from http://www.basiccard.com/. This toolkit is a free download and required for modifying the BasicCard HOTP implementation. Tools / Download to Real Card (card debugger starts) Card / Download to Real Card Select the COM port - anything other than the reader included with the development kit will require installing the vendor PC/SC Smart Card driver first. Select the HOTPC.IMG file included in OTP distribution. Click Download to start the card download. #### Managing the Smart Card with otp-sca Working from the otp-control example above, user joe has been setup on host bastion. The Smart Card must have the firmware loaded on it with the above procedure before otp-sca can be used with it. List available SC readers. Examples will assume the default compiled in reader is PCSC: which will select the first available PCSC reader. The default reader is a compile time option and may be set to the embedded acr30s driver if PCSC support is not enabled. When using the acr30s driver the serial port can be configured by appending it to the reader name with a :, ie embedded:acr30s:/dev/cuaU0 otp-sca -l embedded:acr30s PCSC:OmniKey CardMan 1021 00 00 First change the admin key from the default. The admin key is used to enable administrator mode on the Smart Card to access the GetHost and SetHost functions. When in admin mode a PIN is not required. Admin mode should be disabled after initial setup. Enable admin mode with default key: echo "3030303030303030303030303030303030303030" > default.key otp-sca -m admin-enable -a default.key Create a new admin key with openssl and set the Smart Card to use it: openssl rand 160 | openssl sha1 > secret.key otp-sca -a secret.key -m adminkey-set Dump user joe in an otp-sca friendly format with index 00. Store record in SC. otp-control -u joe -m list-sc -Hcrypto | tail -1 | otp-sca -m host-set Dump the Smart Card to verify programming: otp-sca -m host-get #index:count:hostname:key 00:00000000:63727970746F000000000000:784F37E95A8410400700DF1E52466AB1704F487B The hostname is encoded in HEX. The key matches the one programmed above into the otpdb used with PAM. Initial count is set to 0. Dump the available hosts in a friendlier format. The card is still in admin mode so the PIN does not matter: otp-sca -m hostname-get Enter PIN: 99999 00,crypto Disable admin mode: otp-sca -m admin-disable -a secret.key Set PIN for card. The default 28165 PIN can not be used to generate a HOTP: otp-sca -m pin-set Enter PIN: 28165 New PIN: 12345 New PIN (again): 12345 SetPIN Good. Generate a HOTP for user. The initial count is 0. The count above is 5 (want 6 next). To set the count on the Smart Card dump it to ASCII, change the count then load it from ASCII. Alternately use the form of GetHOTP which passes the count in. Note the other GetHOTP commands may be conditionally compiled out, by default only GetHOTPHostCount32 is enabled which also returns the hostname. otp-sca -m hotp-gen -Mch -c5 Enter PIN: 12345 HOTP: 48B0D8D8E1 -- crypto The HOTP generated here matches the one above for count 5. The count on the Smart Card will automatically be incremented by one which can be verified by dumping the card contents: otp-sca -m admin-enable -a secret.key AdminMode: enabled. otp-sca -m host-get #index:count:hostname:key 00:00000006:63727970746F000000000000:784F37E95A8410400700DF1E52466AB1704F487B otp-sca -m admin-disable -a secret.key AdminMode: disabled. As a precaution admin mode is automatically disabled when a GetHOTP* command is received. #### Using a Smart Card with otp-sct otp-sct duplicates the functionality of the Spyrus PAR II reader with a Smart Card reader connected to the computer. This significantly reduces the security of using one time passwords if the computer with the Smart Card inserted is compromised and the attacker has the SC PIN. The 5 digit PIN is protected from brute force attacks by the Smart Card disabling the card when more than 10 incorrect PIN's are tried in succession. A middle ground may be available with newer readers which allow the PIN to be input on the reader. If your local security policy requires the use of the Spyrus reader, the reader will provide a 40 bit key to the SC which otp-sct will not. Host entries on the SC can set the READERKEY flag to prevent HOTP generation without this shared key between the Spyrus reader and SC. otp-sct Enter PIN: 12345 HOTP: crypto 6C960E4B21 #### Using a Smart Card with Spyrus Reader Insert the SC into the Spyrus Reader. Press Card/ON. Enter PIN. Default PIN is 28165 Press * to change PIN. The default PIN can not be used to generate a token. Enter to generate a HOTP for the first system (index 00). Down arrow to enter the menu. The menu will allow viewing of all hostnames programmed in the Smart Card with the up/down arrows. Press Enter once the host is selected. Enter 2 digit index to bypass the menu. # before generating a HOTP will prompt for a Count input. This can be used to synch a card or for Challenge/Response mode with shared keys. #### Spyrus PAR II Personalization Strings in the PAR II such as the text "OARnet" or the reader key are loaded from the onboard PIC16F877 256KByte EEPROM at runtime. The EEPROM can can be reprogrammed with a SC loaded with SPYRUSP.IMG. First create a Smart Card with the SPYRUSP.IMG firmware. This will need to be a different SC from the HOTPC.IMG loaded earlier. bcload -v -f $OOTP/firmware/SPYRUSP.IMG Card/State: ZC3.9 test EEChunkSize=2000 BCSetState: load SC: Reset EEStart=8020,EELen=1fa0 imgAddr=8020,imgLen=1fa0 Clear: addr=8020,len=1fa0 BCClearEEProm: success SC: Reset EEWRITE: nWrites=10,addr=8020,len=1e EEWRITE: nWrites=9,addr=8038,len=10 EEWRITE: nWrites=8,addr=8170,len=38 EEWRITE: nWrites=7,addr=81a0,len=48 EEWRITE: nWrites=6,addr=81e0,len=48 EEWRITE: nWrites=5,addr=8220,len=48 EEWRITE: nWrites=4,addr=8260,len=48 EEWRITE: nWrites=3,addr=82a0,len=48 EEWRITE: nWrites=2,addr=82e0,len=48 EEWRITE: nWrites=1,addr=8320,len=11 EEWRITE: nWrites=0,addr=9fbd,len=a EECRC: nWrites=1,addr=8020,len=1fa0,imgCRC=6ef1 EECRC: SCCRC=6ef1 EECRC: nWrites=0,addr=8020,len=00,imgCRC=00 EECRC: SCCRC=0 BCSetState: test SC: Reset # create a copy of the default (OARnet) EEPROM ASCII string file cd $OOTP/firmware cp oar.str my.str vi my.str Edit the my.str file with a text editor. The character strings in the second column can be changed. Do not change the number of characters between the : delimiters or ordering of the symbols as the memory map is fixed in the Spyrus firmware. EE_L1MAIN : OARnet : EE_L2MAIN : Verified : can be changed to EE_L1MAIN :Company Name: EE_L2MAIN : Verified : but not (extended length of string) EE_L1MAIN :My Company Name: EE_L2MAIN : Verified : or (truncated length of string) EE_L1MAIN :Company: EE_L2MAIN : Verified : Convert the str file to something otp-sca will parse with the str2ee utility. The format is index:<16 hex bytes>. The high bit of the index can be set to indicate the last block. The Spyrus reader will stop after reading an index with the high bit set. str2ee < my.str > my.ee # my.hex will look something like: 00:6D616630303030304F41526E65743A32 01:303039202020204F41526E6574202020 02:50494E3A20202020202020202020204F 03:41526E65742020202020566572696669 04:656420204368616C6C656E67653A2020 05:3130204661696C757265732043617264 06:204C6F636B6564202020204163636573 07:7320202020202044656E696564202020 08:20204E6F20486F737473202053657420 09:4E65772050494E204E657750494E3A20 0A:20202020416761696E3A202020202020 0B:50494E204368616E676564204E6F2043 0C:61726420202020205472792048617264 8D:65722020000000000000000000000000 # use otp-sca to program the SC with the above hex file otp-sca -m spyrus-ee-set < my.ee SetSpyrusEEBlock (0): Done SetSpyrusEEBlock (1): Done SetSpyrusEEBlock (2): Done SetSpyrusEEBlock (3): Done SetSpyrusEEBlock (4): Done SetSpyrusEEBlock (5): Done SetSpyrusEEBlock (6): Done SetSpyrusEEBlock (7): Done SetSpyrusEEBlock (8): Done SetSpyrusEEBlock (9): Done SetSpyrusEEBlock (10): Done SetSpyrusEEBlock (11): Done SetSpyrusEEBlock (12): Done SetSpyrusEEBlock (13): Done # insert the SC into the Spyrus reader. Use the magic PIN sequence 3# # to reprogram the EEPROM. # # READERKEY # The Spyrus PAR II reader will send a 40 bit key to the SC when executing the GetHOTP* functions. This key defaults to "00000". Use the otp-sca reader-key-set command to change it in a SC. The key is stored on the Spyrus PAR II EEPROM and can be changed using the personalization steps above. This check is off by default in the SC. To enable it, set the high bit of the 2nd character in the hostname. See also: This site http://www.splintered.net/sw/otp HOTP ID http://www.ietf.org/internet-drafts/draft-mraihi-oath-hmac-otp-02.txt IETF slides http://www3.ietf.org/proceedings/05mar/slides/saag-2/sld1.htm SHA-1 http://www.itl.nist.gov/fipspubs/fip180-1.htm HMAC http://www.faqs.org/rfcs/rfc2104.html BasicCard http://www.basiccard.com/ Linux PAM http://www.kernel.org/pub/linux/libs/pam/ PAM S-Key http://kreator.esa.fer.hr/projects/tarballs/pam_skey-1.1.3.tar.gz (used as a reference PAM module) Spyrus http://www.spyrus.com PCSC-LITE http://pcsclite.alioth.debian.org/ Smart Cards http://www.smartcardfocus.com/ BalanceReader http://www.basiccard.com/chip/balanceR.pdf # # The HOTP database is not encrypted. For added security use an encrypted # disk partition to store the HOTP database and SC files # # # FreeBSD encrypted USB drive install # USB drive is on da0 # create a key file used as part of the key to unlock the disk dd if=/dev/random of=/root/OarEng1.key bs=64 count=1 # create a eli context for da0, passphrase is the rest of the key geli init -s 4096 -K /root/OarEng1.key /dev/da0 # attach providing a plaintext device da0.eli geli attach -k /root/OarEng1.key /dev/da0 # erase what was there dd if=/dev/zero of=/dev/da0.eli bs=4k # add a disk label bsdlabel -w /dev/da0.eli # make a partition whole disk disklabel -e /dev/da0.eli # create filesystem newfs /dev/da0.elia # create mountpoint mkdir /priv # mount it mount /dev/da0.elia /priv