mirror of
https://github.com/adulau/ootp.git
synced 2024-11-22 10:07:12 +00:00
802 lines
27 KiB
Text
802 lines
27 KiB
Text
#
|
|
# $Id: QUICKSTART 76 2009-12-26 21:04:01Z maf $
|
|
#
|
|
|
|
OpenOTP is an implementation of the HOTP protocol using a ZeitControl
|
|
Cardsystems ZC3.9 BasicCard and standalone balance reader, standalone Spyrus
|
|
PAR2 (Personal Access Reader), or PCSC-Lite supported Smart Card reader.
|
|
|
|
Included is a C library implementation of the HOTP protocol and
|
|
associated user database management, HOTP PAM library, OpenVPN plug-in module,
|
|
micro RADIUS server with HOTP support, and utilties for managing the Smart
|
|
Card, Spyrus reader, and host side HOTP user database. The PCSC-Lite
|
|
API provides reader support for Smart Card management.
|
|
|
|
The card management, firmware loaders, C API, and authentication methods
|
|
have been developed & tested for FreeBSD and Linux.
|
|
|
|
The PARII HOTP firmware is provided as a pre-compiled binary with source
|
|
for the HOTP implementation. The Spyrus development toolkit and
|
|
Hi-Tech/Microchip C compiler are required for modification. Run-time
|
|
customization of strings is supported via an EEProm loader without need
|
|
for the development toolkit & PIC16 compiler. A Unix tool is included for
|
|
downloading firmware to the reader with a Spyrus downloader cable.
|
|
|
|
Source and Binary for the BasicCard firmware is supplied. Modification
|
|
requires the Windows BasicCard development software available as
|
|
a free download from ZeitControl. A Unix version of bcload implemented
|
|
with the PCSC-Lite interface and embedded ACR30S driver is included.
|
|
|
|
The Smart Card based token generator is standards based and may be
|
|
used with other RFC compliant HOTP implementations. Other HOTP
|
|
token generators may be used with the Unix side HOTP library
|
|
and authentication modules.
|
|
|
|
Distribution:
|
|
|
|
otp-control - OTP database manager
|
|
otp-pam - OTP PAM module
|
|
otp-sca - Smart Card Admin Utility
|
|
otp-sct - Smart Card Terminal
|
|
otp-openvpn - OpenVPN OTP plug-in
|
|
urd - Micro RADIUS server with HOTP integration
|
|
htsoft-downloader - PIC bootloader downloader utility for Spyrus firmware
|
|
bcload - BasicCard firmware loader
|
|
basiccard - BasicCard (Smart Card) firmware & source code
|
|
spyrus-par2 - Spyrus PAR2 firmware & source code
|
|
common - otplib API and other common code
|
|
doc - Documentation & Man pages in Unix and HTML format.
|
|
scripts - shell scripts to setup list of users with HOTP
|
|
Unix and SC databases.
|
|
|
|
Required:
|
|
|
|
o ZC3.9 BasicCard Smart cards. 1 Per user. These run about $3.00 (US)
|
|
in quantity 10, or about $5.00 in quantity 1.
|
|
http://www.basiccard.com
|
|
|
|
o Smart Card Reader. Recommend a CCID compatible reader as this
|
|
driver is well supported under PCSC-Lite. An embedded driver
|
|
for the ACR30S (which does not work well with PCSC-Lite) is
|
|
also included but it requires a RS232 Serial port and PC keyboard
|
|
port for power which is typically not available on newer laptops.
|
|
The OMNIKEY CardMan 1021 USB works well on Linux and FreeBSD
|
|
and can be found on ebay for ~ $17.00 (US).
|
|
|
|
o Balance Reader from Zeitcontrol. (Optional). Using a balance reader
|
|
to generate HOTP tokens limits the SC to one token and no PIN.
|
|
|
|
o Spyrus PAR II reader and download cable (Optional). The PAR II
|
|
with a ZC3.9 SC will support about 85 keys. These run about $60
|
|
in single quantities. One cable for setup, 1 reader per user.
|
|
http://www.spyrus.com
|
|
|
|
Software is available at http://www.splintered.net/sw/otp
|
|
|
|
#
|
|
# Quickstart install for ootp on Mac, FreeBSD, and Linux.
|
|
#
|
|
#
|
|
# PART 1 - Unix side (FreeBSD/Linux)
|
|
#
|
|
# o Install pcsc-lite & driver packages (optional / recommended).
|
|
# o Install developer packages openssl and PAM (if not available).
|
|
# o compile and install ootp.
|
|
# o create a user with otp-control.
|
|
# o configure PAM to use pam_otp.so with sshd.
|
|
# o test above configuration using software generated token.
|
|
#
|
|
# PART 2 hardware token generation
|
|
#
|
|
# o download OTP firmware to Spyrus PAR II reader with htsoft-downloader
|
|
# The Spyrus reader is not required. Tokens can be generated with
|
|
# only the SC and PC connected reader.
|
|
# o download OTP firmware to BasicCard SC with bcload.
|
|
# o copy hosts (hostname & key) to SC with otp-sca.
|
|
# o generate token with otp-sct.
|
|
# o generate token with Spyrus PAR II.
|
|
#
|
|
# PART 3 personalize Spyrus PAR II EEPROM
|
|
#
|
|
# o download Spyrus personalization firmware to BasicCard SC with bcload.
|
|
# o create EEPROM image.
|
|
# o copy EEPROM image to SC with otp-sca.
|
|
# o load EEPROM image into Spyrus reader via SC.
|
|
#
|
|
#
|
|
#
|
|
# otp-sct and otp-sca will use pcsc-lite if it installed. pcsc-lite provides
|
|
# drivers for many Smart Card readers. A built in driver is included for
|
|
# ACR30S based Smart Card readers which only requires a serial port. The
|
|
# PL2303 USB to Serial adapter is known to work.
|
|
#
|
|
|
|
#
|
|
# Installing pcsc-lite from source for Linux. If using YUM see below for
|
|
# the required packages. Your distribution may # have some or all of
|
|
# these packages previously installed, make sure to check the versions of
|
|
# installed software. The ACR38 driver is only available in source form.
|
|
# The CCID driver package for pcsc-lite supports many Smart Card readers
|
|
# conforming to the Chip/Smart Card Interface Devices USB standard.
|
|
#
|
|
|
|
wget --no-check-certificate https://alioth.debian.org/frs/download.php/3080/ccid-1.3.11.tar.bz2
|
|
wget --no-check-certificate https://alioth.debian.org/frs/download.php/3082/pcsc-lite-1.5.5.tar.bz2
|
|
wget 'http://www.acs.com.hk/drivers/eng/ACR38U_driver_Lnx_1710_P.tar.gz'
|
|
|
|
|
|
pcsc-lite:
|
|
tar -xf pcsc-lite-1.5.5.tar.bz2
|
|
cd pcsc-lite-1.5.5
|
|
./configure
|
|
make
|
|
make install
|
|
|
|
ccid
|
|
tar -xf ccid-1.3.11.tar.bz2
|
|
cd ccid-1.3.11/
|
|
./configure
|
|
examples/scardcontrol.c:
|
|
remove FEATURE_IFD_PIN_PROPERTIES code -- did not compile
|
|
make
|
|
make install
|
|
|
|
acr38u
|
|
tar -xf ACR38U_driver_Lnx_1710_P.tar.gz
|
|
cd ACR38_LINUX_100710_P
|
|
./configure
|
|
make
|
|
make install
|
|
|
|
mkdir -p /usr/local/pcsc
|
|
cd /usr/local/pcsc
|
|
ln -s /usr/lib/pcsc/drivers .
|
|
|
|
# run in the foreground
|
|
/usr/local/sbin/pcscd -d -f
|
|
|
|
#
|
|
# Using yum on a vanilla Fedore 11 install
|
|
#
|
|
yum install gcc.i586
|
|
yum install openssl
|
|
yum install openssl-devel
|
|
yum install pcsc-lite
|
|
yum install pcsc-lite-devel
|
|
yum install ccid
|
|
yum install pam-devel
|
|
|
|
|
|
#
|
|
# Mac OSX 10.5 has pcsc-lite and the CCID drivers installed by default.
|
|
#
|
|
|
|
install ACR38U MacOSX installer from acs.com.hk
|
|
|
|
#
|
|
##### installing pcsc-lite from source for FreeBSD
|
|
#
|
|
|
|
fetch -o libusb-0.1.12.tar.gz 'http://sourceforge.net/projects/libusb/files/libusb-0.1%20%28LEGACY%29/0.1.12/libusb-0.1.12.tar.gz/download'
|
|
|
|
patch < /usr/ports/devel/libusb/files/patch-bsd.c
|
|
|
|
./configure
|
|
make > make.out 2>&1
|
|
make install > install.out 2>&1
|
|
|
|
fetch https://alioth.debian.org/frs/download.php/3080/ccid-1.3.11.tar.bz2
|
|
fetch https://alioth.debian.org/frs/download.php/3082/pcsc-lite-1.5.5.tar.bz2
|
|
|
|
*** PCSCD
|
|
|
|
./configure --enable-libusb --prefix=/usr/local/pcsc LDFLAGS="-lpthread"\
|
|
--enable-ipcdir=/var/tmp/ --enable-confdir=/etc\
|
|
--enable-usbdropdir=/usr/local/pcsc/lib/drivers/ --disable-libhal
|
|
|
|
make > make.out 2>&1
|
|
make install > install.out 2>&1
|
|
ldconfig -m /usr/local/pcsc/lib
|
|
|
|
*** CCID
|
|
|
|
./configure --enable-usbdropdir=/usr/local/pcsc/lib/drivers\
|
|
--enable-ccidtwindir=/usr/local/pcsc/lib/drivers/serial\
|
|
--enable-udev PCSC_CFLAGS="-I/usr/local/pcsc/include/PCSC"\
|
|
PCSC_LIBS="-L/usr/local/pcsc/lib/ -lpcsclite"
|
|
|
|
make > make.out 2>&1
|
|
make install > install.out 2>&1
|
|
|
|
### start PCSCD in debug mode if not running.
|
|
|
|
# run in the foreground
|
|
/usr/local/sbin/pcscd -d -f
|
|
|
|
#
|
|
# The ACR38U drivers must be installed separately. See
|
|
# http://www.acs.com.hk/drivers/eng/. Linux is works, FreeBSD driver hangs
|
|
# in libusb. Mac driver works
|
|
#
|
|
|
|
##### OTP build
|
|
|
|
|
|
# ootp install dir
|
|
mkdir -p /usr/local/ootp/bin
|
|
mkdir -p /usr/local/ootp/man/man1
|
|
mkdir -p /usr/local/ootp/man/man7
|
|
mkdir -p /usr/local/ootp/firmware
|
|
mkdir -p /usr/local/ootp/doc
|
|
mkdir -p /usr/local/ootp/lib
|
|
chmod -R 755 /usr/local/ootp
|
|
chown -R root:wheel /usr/local/ootp
|
|
|
|
OOTP="/usr/local/ootp"
|
|
PATH=$PATH:$OOTP/bin
|
|
|
|
# build Intel Linux, pcsc-lite installed from source
|
|
cd otp
|
|
cd common; make clean; make i386-linux; cd ..
|
|
cd bcload; make clean; make i386-linux; make install cd ..
|
|
cd htsoft-downloader; make clean; make i386-linux; make install; cd ..
|
|
cd otp-control; make clean; make i386-linux; make install; cd ..
|
|
cd otp-pam; make clean; make i386-linux; make install; cd ..
|
|
cd otp-sca; make clean; make i386-linux; make install; cd ..
|
|
cd otp-sct; make clean; make i386-linux; make install; cd ..
|
|
cd otp-openvpn; make clean; make i386-linux; make install; cd ..
|
|
cd urd; make clean; make i386-linux; make install; cd ..
|
|
cd basiccard; make install; cd ..
|
|
cd spyrus-par2; make install; cd ..
|
|
cd scripts; make install; cd ..
|
|
cd doc; make install; cd ..
|
|
|
|
# build Intel Linux, pcsc-lite installed with yum
|
|
cd otp
|
|
cd common; make clean; make i386-yum-linux; cd ..
|
|
cd bcload; make clean; make i386-yum-linux; make install; cd ..
|
|
cd htsoft-downloader; make clean; make i386-linux; make install; cd ..
|
|
cd otp-control; make clean; make i386-linux; make install; cd ..
|
|
cd otp-pam; make clean; make i386-linux; make install; cd ..
|
|
cd otp-sca; make clean; make i386-yum-linux; make install; cd ..
|
|
cd otp-sct; make clean; make i386-yum-linux; make install; cd ..
|
|
cd otp-openvpn; make clean; make i386-linux; make install; cd ..
|
|
cd urd; make clean; make i386-linux; make install; cd ..
|
|
cd basiccard; make install; cd ..
|
|
cd spyrus-par2; make install; cd ..
|
|
cd scripts; make install; cd ..
|
|
cd doc; make install; cd ..
|
|
|
|
# build Intel FreeBSD
|
|
cd otp
|
|
cd common; make clean; make i386-fbsd; cd ..
|
|
cd bcload; make clean; make i386-fbsd; make install; cd ..
|
|
cd htsoft-downloader; make clean; make i386-fbsd; make install; cd ..
|
|
cd otp-control; make clean; make i386-fbsd; make install; cd ..
|
|
cd otp-pam; make clean; make i386-fbsd; make install; cd ..
|
|
cd otp-sca; make clean; make i386-fbsd; make install; cd ..
|
|
cd otp-sct; make clean; make i386-fbsd; make install; cd ..
|
|
cd otp-openvpn; make clean; make i386-fbsd; make install; cd ..
|
|
cd urd; make clean; make i386-fbsd; make install; cd ..
|
|
cd basiccard; make install; cd ..
|
|
cd spyrus-par2; make install; cd ..
|
|
cd scripts; make install; cd ..
|
|
cd doc; make install; cd ..
|
|
|
|
# build Intel MacOSX
|
|
cd otp
|
|
cd common; make clean; make i386-macosx; cd ..
|
|
cd bcload; make clean; make i386-macosx; make install; cd ..
|
|
cd otp-control; make clean; make i386-macosx; make install; cd ..
|
|
cd otp-pam; make clean; make i386-macosx; make install; cd ..
|
|
cd otp-sca; make clean; make i386-macosx; make install; cd ..
|
|
cd otp-sct; make clean; make i386-macosx; make install; cd ..
|
|
cd otp-openvpn; make clean; make i386-macosx; make install; cd ..
|
|
cd urd; make clean; make i386-macosx; make install; cd ..
|
|
cd htsoft-downloader; make clean; make i386-macosx; make install; cd ..
|
|
cd basiccard; make install; cd ..
|
|
cd spyrus-par2; make install; cd ..
|
|
cd scripts; make install; cd ..
|
|
cd doc; make install; cd ..
|
|
|
|
# where the OTP database files live by default
|
|
mkdir /etc/otpdb
|
|
chown root:wheel /etc/otpdb
|
|
chmod 700 /etc/otpdb
|
|
|
|
# install the pam_otp module
|
|
# linux
|
|
cp $OOTP/lib/pam_otp.so /lib/security
|
|
chown root:wheel /lib/security/pam_otp.so
|
|
chmod 755 /lib/security/pam_otp.so
|
|
# freebsd
|
|
cp $OOTP/lib/pam_otp.so /usr/lib
|
|
chown root:wheel /usr/lin/pam_otp.so
|
|
chmod 755 /usr/lib/pam_otp.so
|
|
|
|
# if running SELinux:
|
|
# http://docs.fedoraproject.org//selinux-faq-fc5/#faq-div-understanding-selinux
|
|
#
|
|
chcon -t textrel_shlib_t /lib/security/pam_otp.so
|
|
semanage fcontext -a -t textrel_shlib_t /lib/security/pam_otp.so
|
|
# sshd would also need priviliges to write to /etc/otpdb
|
|
#
|
|
# to temporarily disable SELinux for testing use
|
|
# setenforce 0
|
|
|
|
# create the OTP database with one inactive user (joe)
|
|
otp-control -n -u joe -m add
|
|
otp-control -u joe -m set-status inactive
|
|
otp-control -u joe -m list
|
|
|
|
>Username.......joe
|
|
>Key............784F37E95A8410400700DF1E52466AB1704F487B
|
|
>Count..........0 (0x0)
|
|
>Count Ceiling..18446744073709551615 (0xFFFFFFFFFFFFFFFF)
|
|
>Version........1
|
|
>Status.........inactive (2)
|
|
>Format.........hex40 (1)
|
|
>Type...........HOTP (1)
|
|
|
|
# configure PAM sshd to use new OTP module
|
|
/etc/pam.d/sshd:
|
|
# change auth lines:
|
|
auth requisite pam_unix.so nullok try_first_pass
|
|
auth required pam_otp.so expose_account display_count allow_inactive debug
|
|
# expose_account enabled verbose logging via syslog:
|
|
# OTP username=joe response=0E3F8E7C47
|
|
# display_count enables the HOTP count in the challenge prompt
|
|
# HOTP Challenge (1843):
|
|
# ^^^^ this is the count
|
|
# allow_inactive will configure the module to allow a user in the OTP
|
|
# database set to status inactive to pass authentication without an OTP.
|
|
|
|
/etc/ssh/sshd_config:
|
|
# PasswordAuthentication must be turned off (default is on)
|
|
# (note this is not true for all versions of sshd, see example
|
|
# below.
|
|
# SSH-2.0-OpenSSH_5.2 - PasswordAuthentication yes
|
|
# SSH-2.0-OpenSSH_4.5p1 - PasswordAuthentication no
|
|
PasswordAuthentication no
|
|
# usePAM to yes (default)
|
|
UsePAM yes
|
|
# ChallengeResponseAuthentication is required for the pam OTP module
|
|
# to interact with sshd
|
|
ChallengeResponseAuthentication yes
|
|
# Public Key Authentication must also be turned off
|
|
RSAAuthentication no
|
|
PubkeyAuthentication no
|
|
|
|
# restart sshd (linux)
|
|
/etc/init.d/sshd restart
|
|
# restart sshd (FreeBSD)
|
|
/etc/rc.d/sshd restart
|
|
|
|
|
|
# example of incorrectly configured system, note after 3 attempts with
|
|
# PAM, sshd reverts to internal authentication code allowing the OTP PAM
|
|
# module to be bypassed.
|
|
#
|
|
# with later versions of sshd this is no longer true, ie
|
|
# SSH-2.0-OpenSSH_5.2 is okay. The second password prompt will
|
|
# also call pam_otp
|
|
#
|
|
bastion.eng:~% ssh 10.1.0.25 -l 'joe'
|
|
Password:
|
|
Password:
|
|
Password:
|
|
joe@10.1.0.25's password:
|
|
|
|
# generate OTP
|
|
otp-control -u joe -m generate
|
|
count=5 crsp=48B0D8D8E1
|
|
|
|
# verify sshd is still working properly
|
|
bastion.eng:~% ssh 10.1.0.25
|
|
Password:
|
|
Last login: Tue Sep 1 23:21:20 2009 from 10.1.0.26
|
|
|
|
# activate user
|
|
otp-control -u joe -m set-status -s active
|
|
|
|
# login with OTP generated earlier
|
|
bastion.eng:~% ssh 10.1.0.25
|
|
Password:
|
|
HOTP Challenge (5): 48B0D8D8E1
|
|
Last login: Wed Sep 2 00:22:03 2009 from 10.1.0.26
|
|
[joe@localhost ~]$
|
|
|
|
#### Downloading firmware to the Spyrus reader
|
|
|
|
The Spyrus PAR II will be programmed with the spyrus1.3.hex application
|
|
included in the OTP distribution. This will be done once per new reader,
|
|
or when new application software is required. An proprietary RS232 serial
|
|
programming cable available from Spyrus is needed.
|
|
|
|
Connect the programming cable to the Spyrus reader and a serial port on the
|
|
computer with htsoft-downloader compiled. A USB Serial adapter based on the
|
|
Prolific PL2303 chip has been used during development on Linux and FreeBSD
|
|
with the htsoft-downloader. YMMV with other adapters.
|
|
|
|
Press Calc/Off to turn on the reader. If it does not power up, remove the
|
|
paper insulator from the battery or replace the batteries. Press the down
|
|
arrow until the "DownloadApp" menu item is present.
|
|
|
|
Start the htsoft-downloader utility using serial port at /dev/cuaU0 :
|
|
|
|
# FreeBSD USB Serial Adapter
|
|
htsoft-downloader -v1 -i -f /dev/cuaU0 < $OOTP/firmware/spyrus1.3.hex
|
|
|
|
# Linux USB Serial Adapter
|
|
htsoft-downloader -v1 -i -f /dev/ttyS0 < $OOTP/firmware/spyrus1.3.hex
|
|
|
|
Press Enter on the spyrus reader to start the download application:
|
|
|
|
Waiting for bootloader......
|
|
|
|
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDwTwF
|
|
PIC reset sent, ignored last WOK timeout.
|
|
|
|
Increase the verbosity level for more debugging information if necessary.
|
|
The -i option is required for the bootloader provided with the Spyrus reader.
|
|
|
|
A Windows PIC downloader which will work with the Spyrus reader is available
|
|
at http://www.ehl.cz/pic/pic_e.htm. It will also note an error when trying
|
|
to reset the PIC.
|
|
|
|
Press Card/On. The LCD should display:
|
|
|
|
OARnet
|
|
PIN:
|
|
|
|
Press Calc/Off to preserve the battery.
|
|
|
|
##### Downloading firmware to the ZC3.9 BasicCard
|
|
|
|
The HOTP BasicCard firmware is programmed into the blank ZC3.9 card.
|
|
This is typically done only once, the keys and other user information
|
|
are configured using otp-sct.
|
|
|
|
bcload -v -f $OOTP/firmware/HOTPC.IMG
|
|
Card/State: ZC3.9 test
|
|
EEChunkSize=2000
|
|
BCSetState: load
|
|
SC: Reset
|
|
EEStart=8020,EELen=1fa0
|
|
imgAddr=8020,imgLen=1fa0
|
|
Clear: addr=8020,len=1fa0
|
|
BCClearEEProm: success
|
|
SC: Reset
|
|
EEWRITE: nWrites=121,addr=8020,len=1e
|
|
EEWRITE: nWrites=120,addr=8038,len=10
|
|
EEWRITE: nWrites=119,addr=8170,len=38
|
|
EEWRITE: nWrites=118,addr=81a0,len=48
|
|
...
|
|
EEWRITE: nWrites=1,addr=9f40,len=48
|
|
EEWRITE: nWrites=0,addr=9f80,len=48
|
|
EECRC: nWrites=1,addr=8020,len=1fa0,imgCRC=7a3f
|
|
EECRC: SCCRC=7a3f
|
|
EECRC: nWrites=0,addr=8020,len=00,imgCRC=00
|
|
EECRC: SCCRC=0
|
|
BCSetState: test
|
|
SC: Reset
|
|
|
|
|
|
##### Downloading firmware to the ZC3.9 BasicCard (Windows Alternative)
|
|
|
|
Install the Windows BasicCard development toolkit from
|
|
http://www.basiccard.com/. This toolkit is a free download and required
|
|
for modifying the BasicCard HOTP implementation.
|
|
|
|
Tools / Download to Real Card
|
|
(card debugger starts)
|
|
Card / Download to Real Card
|
|
Select the COM port - anything other than the reader included with the
|
|
development kit will require installing the vendor PC/SC Smart Card
|
|
driver first.
|
|
Select the HOTPC.IMG file included in OTP distribution.
|
|
Click Download to start the card download.
|
|
|
|
|
|
#### Managing the Smart Card with otp-sca
|
|
|
|
Working from the otp-control example above, user joe has been setup on host
|
|
bastion. The Smart Card must have the firmware loaded on it with the above
|
|
procedure before otp-sca can be used with it.
|
|
|
|
List available SC readers. Examples will assume the default compiled in
|
|
reader is PCSC: which will select the first available PCSC reader. The default
|
|
reader is a compile time option and may be set to the embedded acr30s driver
|
|
if PCSC support is not enabled. When using the acr30s driver the serial port
|
|
can be configured by appending it to the reader name with a :, ie
|
|
embedded:acr30s:/dev/cuaU0
|
|
|
|
otp-sca -l
|
|
embedded:acr30s
|
|
PCSC:OmniKey CardMan 1021 00 00
|
|
|
|
First change the admin key from the default. The admin key is used to enable
|
|
administrator mode on the Smart Card to access the GetHost and SetHost
|
|
functions. When in admin mode a PIN is not required. Admin mode should be
|
|
disabled after initial setup.
|
|
|
|
Enable admin mode with default key:
|
|
|
|
echo "3030303030303030303030303030303030303030" > default.key
|
|
otp-sca -m admin-enable -a default.key
|
|
|
|
Create a new admin key with openssl and set the Smart Card to use it:
|
|
|
|
openssl rand 160 | openssl sha1 > secret.key
|
|
otp-sca -a secret.key -m adminkey-set
|
|
|
|
Dump user joe in an otp-sca friendly format with index 00. Store record
|
|
in SC.
|
|
|
|
otp-control -u joe -m list-sc -Hcrypto | tail -1 | otp-sca -m host-set
|
|
|
|
Dump the Smart Card to verify programming:
|
|
|
|
otp-sca -m host-get
|
|
|
|
#index:count:hostname:key
|
|
00:00000000:63727970746F000000000000:784F37E95A8410400700DF1E52466AB1704F487B
|
|
|
|
The hostname is encoded in HEX. The key matches the one programmed above
|
|
into the otpdb used with PAM. Initial count is set to 0.
|
|
|
|
Dump the available hosts in a friendlier format. The card is still in admin
|
|
mode so the PIN does not matter:
|
|
|
|
otp-sca -m hostname-get
|
|
Enter PIN: 99999
|
|
00,crypto
|
|
|
|
Disable admin mode:
|
|
|
|
otp-sca -m admin-disable -a secret.key
|
|
|
|
Set PIN for card. The default 28165 PIN can not be used to generate a HOTP:
|
|
|
|
otp-sca -m pin-set
|
|
Enter PIN: 28165
|
|
New PIN: 12345
|
|
New PIN (again): 12345
|
|
SetPIN Good.
|
|
|
|
Generate a HOTP for user. The initial count is 0. The count above
|
|
is 5 (want 6 next). To set the count on the Smart Card dump it to ASCII,
|
|
change the count then load it from ASCII. Alternately use the form of GetHOTP
|
|
which passes the count in. Note the other GetHOTP commands may be
|
|
conditionally compiled out, by default only GetHOTPHostCount32 is enabled
|
|
which also returns the hostname.
|
|
|
|
otp-sca -m hotp-gen -Mch -c5
|
|
Enter PIN: 12345
|
|
HOTP: 48B0D8D8E1 -- crypto
|
|
|
|
The HOTP generated here matches the one above for count 5. The count
|
|
on the Smart Card will automatically be incremented by one which can be
|
|
verified by dumping the card contents:
|
|
|
|
otp-sca -m admin-enable -a secret.key
|
|
AdminMode: enabled.
|
|
|
|
otp-sca -m host-get
|
|
#index:count:hostname:key
|
|
00:00000006:63727970746F000000000000:784F37E95A8410400700DF1E52466AB1704F487B
|
|
|
|
otp-sca -m admin-disable -a secret.key
|
|
AdminMode: disabled.
|
|
|
|
As a precaution admin mode is automatically disabled when a GetHOTP* command is
|
|
received.
|
|
|
|
#### Using a Smart Card with otp-sct
|
|
|
|
otp-sct duplicates the functionality of the Spyrus PAR II reader with a Smart
|
|
Card reader connected to the computer. This significantly reduces the security
|
|
of using one time passwords if the computer with the Smart Card inserted is
|
|
compromised and the attacker has the SC PIN. The 5 digit PIN is protected
|
|
from brute force attacks by the Smart Card disabling the card when more than
|
|
10 incorrect PIN's are tried in succession. A middle ground may be available
|
|
with newer readers which allow the PIN to be input on the reader.
|
|
|
|
If your local security policy requires the use of the Spyrus reader, the
|
|
reader will provide a 40 bit key to the SC which otp-sct will not. Host
|
|
entries on the SC can set the READERKEY flag to prevent HOTP generation
|
|
without this shared key between the Spyrus reader and SC.
|
|
|
|
otp-sct
|
|
Enter PIN: 12345
|
|
HOTP: crypto 6C960E4B21
|
|
|
|
#### Using a Smart Card with Spyrus Reader
|
|
|
|
Insert the SC into the Spyrus Reader.
|
|
|
|
Press Card/ON. Enter PIN. Default PIN is 28165
|
|
|
|
Press * to change PIN. The default PIN can not be used to generate a token.
|
|
|
|
Enter to generate a HOTP for the first system (index 00).
|
|
|
|
Down arrow to enter the menu. The menu will allow viewing of all hostnames
|
|
programmed in the Smart Card with the up/down arrows. Press Enter once the
|
|
host is selected.
|
|
|
|
Enter 2 digit index to bypass the menu.
|
|
|
|
# before generating a HOTP will prompt for a Count input. This can be used to
|
|
synch a card or for Challenge/Response mode with shared keys.
|
|
|
|
|
|
#### Spyrus PAR II Personalization
|
|
|
|
Strings in the PAR II such as the text "OARnet" or the reader key are
|
|
loaded from the onboard PIC16F877 256KByte EEPROM at runtime. The EEPROM
|
|
can can be reprogrammed with a SC loaded with SPYRUSP.IMG.
|
|
|
|
First create a Smart Card with the SPYRUSP.IMG firmware. This will need
|
|
to be a different SC from the HOTPC.IMG loaded earlier.
|
|
|
|
bcload -v -f $OOTP/firmware/SPYRUSP.IMG
|
|
|
|
Card/State: ZC3.9 test
|
|
EEChunkSize=2000
|
|
BCSetState: load
|
|
SC: Reset
|
|
EEStart=8020,EELen=1fa0
|
|
imgAddr=8020,imgLen=1fa0
|
|
Clear: addr=8020,len=1fa0
|
|
BCClearEEProm: success
|
|
SC: Reset
|
|
EEWRITE: nWrites=10,addr=8020,len=1e
|
|
EEWRITE: nWrites=9,addr=8038,len=10
|
|
EEWRITE: nWrites=8,addr=8170,len=38
|
|
EEWRITE: nWrites=7,addr=81a0,len=48
|
|
EEWRITE: nWrites=6,addr=81e0,len=48
|
|
EEWRITE: nWrites=5,addr=8220,len=48
|
|
EEWRITE: nWrites=4,addr=8260,len=48
|
|
EEWRITE: nWrites=3,addr=82a0,len=48
|
|
EEWRITE: nWrites=2,addr=82e0,len=48
|
|
EEWRITE: nWrites=1,addr=8320,len=11
|
|
EEWRITE: nWrites=0,addr=9fbd,len=a
|
|
EECRC: nWrites=1,addr=8020,len=1fa0,imgCRC=6ef1
|
|
EECRC: SCCRC=6ef1
|
|
EECRC: nWrites=0,addr=8020,len=00,imgCRC=00
|
|
EECRC: SCCRC=0
|
|
BCSetState: test
|
|
SC: Reset
|
|
|
|
# create a copy of the default (OARnet) EEPROM ASCII string file
|
|
cd $OOTP/firmware
|
|
cp oar.str my.str
|
|
vi my.str
|
|
|
|
Edit the my.str file with a text editor. The character strings
|
|
in the second column can be changed. Do not change the number of
|
|
characters between the : delimiters or ordering of the symbols as the
|
|
memory map is fixed in the Spyrus firmware.
|
|
|
|
EE_L1MAIN : OARnet :
|
|
EE_L2MAIN : Verified :
|
|
can be changed to
|
|
EE_L1MAIN :Company Name:
|
|
EE_L2MAIN : Verified :
|
|
but not (extended length of string)
|
|
EE_L1MAIN :My Company Name:
|
|
EE_L2MAIN : Verified :
|
|
or (truncated length of string)
|
|
EE_L1MAIN :Company:
|
|
EE_L2MAIN : Verified :
|
|
|
|
Convert the str file to something otp-sca will parse with the str2ee
|
|
utility. The format is index:<16 hex bytes>. The high bit of the index
|
|
can be set to indicate the last block. The Spyrus reader will stop
|
|
after reading an index with the high bit set.
|
|
|
|
str2ee < my.str > my.ee
|
|
|
|
# my.hex will look something like:
|
|
|
|
00:6D616630303030304F41526E65743A32
|
|
01:303039202020204F41526E6574202020
|
|
02:50494E3A20202020202020202020204F
|
|
03:41526E65742020202020566572696669
|
|
04:656420204368616C6C656E67653A2020
|
|
05:3130204661696C757265732043617264
|
|
06:204C6F636B6564202020204163636573
|
|
07:7320202020202044656E696564202020
|
|
08:20204E6F20486F737473202053657420
|
|
09:4E65772050494E204E657750494E3A20
|
|
0A:20202020416761696E3A202020202020
|
|
0B:50494E204368616E676564204E6F2043
|
|
0C:61726420202020205472792048617264
|
|
8D:65722020000000000000000000000000
|
|
|
|
# use otp-sca to program the SC with the above hex file
|
|
|
|
otp-sca -m spyrus-ee-set < my.ee
|
|
|
|
SetSpyrusEEBlock (0): Done
|
|
SetSpyrusEEBlock (1): Done
|
|
SetSpyrusEEBlock (2): Done
|
|
SetSpyrusEEBlock (3): Done
|
|
SetSpyrusEEBlock (4): Done
|
|
SetSpyrusEEBlock (5): Done
|
|
SetSpyrusEEBlock (6): Done
|
|
SetSpyrusEEBlock (7): Done
|
|
SetSpyrusEEBlock (8): Done
|
|
SetSpyrusEEBlock (9): Done
|
|
SetSpyrusEEBlock (10): Done
|
|
SetSpyrusEEBlock (11): Done
|
|
SetSpyrusEEBlock (12): Done
|
|
SetSpyrusEEBlock (13): Done
|
|
|
|
# insert the SC into the Spyrus reader. Use the magic PIN sequence 3#
|
|
# to reprogram the EEPROM.
|
|
|
|
#
|
|
# READERKEY
|
|
#
|
|
|
|
The Spyrus PAR II reader will send a 40 bit key to the SC when executing
|
|
the GetHOTP* functions. This key defaults to "00000". Use the otp-sca
|
|
reader-key-set command to change it in a SC. The key is stored on the
|
|
Spyrus PAR II EEPROM and can be changed using the personalization
|
|
steps above. This check is off by default in the SC. To enable it, set
|
|
the high bit of the 2nd character in the hostname.
|
|
|
|
|
|
See also:
|
|
This site http://www.splintered.net/sw/otp
|
|
HOTP ID http://www.ietf.org/internet-drafts/draft-mraihi-oath-hmac-otp-02.txt
|
|
IETF slides http://www3.ietf.org/proceedings/05mar/slides/saag-2/sld1.htm
|
|
SHA-1 http://www.itl.nist.gov/fipspubs/fip180-1.htm
|
|
HMAC http://www.faqs.org/rfcs/rfc2104.html
|
|
BasicCard http://www.basiccard.com/
|
|
Linux PAM http://www.kernel.org/pub/linux/libs/pam/
|
|
PAM S-Key http://kreator.esa.fer.hr/projects/tarballs/pam_skey-1.1.3.tar.gz
|
|
(used as a reference PAM module)
|
|
Spyrus http://www.spyrus.com
|
|
PCSC-LITE http://pcsclite.alioth.debian.org/
|
|
Smart Cards http://www.smartcardfocus.com/
|
|
BalanceReader http://www.basiccard.com/chip/balanceR.pdf
|
|
|
|
#
|
|
# The HOTP database is not encrypted. For added security use an encrypted
|
|
# disk partition to store the HOTP database and SC files
|
|
#
|
|
|
|
#
|
|
# FreeBSD encrypted USB drive install
|
|
#
|
|
|
|
USB drive is on da0
|
|
|
|
# create a key file used as part of the key to unlock the disk
|
|
dd if=/dev/random of=/root/OarEng1.key bs=64 count=1
|
|
# create a eli context for da0, passphrase is the rest of the key
|
|
geli init -s 4096 -K /root/OarEng1.key /dev/da0
|
|
<passph1rase>
|
|
# attach providing a plaintext device da0.eli
|
|
geli attach -k /root/OarEng1.key /dev/da0
|
|
# erase what was there
|
|
dd if=/dev/zero of=/dev/da0.eli bs=4k
|
|
|
|
# add a disk label
|
|
bsdlabel -w /dev/da0.eli
|
|
|
|
# make a partition whole disk
|
|
disklabel -e /dev/da0.eli
|
|
|
|
# create filesystem
|
|
newfs /dev/da0.elia
|
|
|
|
# create mountpoint
|
|
mkdir /priv
|
|
|
|
# mount it
|
|
mount /dev/da0.elia /priv
|
|
|