Setting up OTP authentication on CentOS 7 with OATH Toolkit

First install the EPEL repository

# yum install epel-release

Then install the following packages

# yum install liboath gen-oath-safe pam_oath oathtool

Edit the sshd configuration file under pam.d

# vi /etc/pam.d/sshd
auth required pam_sepermit.so
auth substack password-auth
auth required pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth include postlogin

Then use the gen-oath-safe command to generate the OTP configuration; remember to replace USERID with the user account you want

# gen-oath-safe USERID totp

At this point you can use your phone to add the generated QR code to the Google Authenticator app (links: Android, iOS)

Then copy the final lines of that command's output into /etc/liboath/users.oath

users.oath / otp.users configuration:
HOTP/T30 USERID - 6877585cec3e13ac4e9bb6aad013451f4e9bae1d

Confirm that sshd_config contains the following settings

# vi /etc/ssh/sshd_config
UsePAM yes
ChallengeResponseAuthentication yes

Then add the following settings at the end of sshd_config to enable keyboard-interactive authentication

Match User USERID
AuthenticationMethods publickey,keyboard-interactive

Restart the sshd service

# systemctl restart sshd

Now you can test whether the OTP has been set up successfully

$ ssh lalala
Password:
One-time password (OATH) for `USERID':
Last login: Thu Jun 27 10:17:46 2019 from yoyoyo
[USERID@lalala ~]

Postscript: the oathtool utility can display the TOTP code and also show the Base32 form of the secret

$ oathtool --totp -v 6877585cec3e13ac4e9bb6aad013451f4e9bae1d
Hex secret: 6877585cec3e13ac4e9bb6aad013451f4e9bae1d
Base32 secret: NB3VQXHMHYJ2YTU3W2VNAE2FD5HJXLQ5
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: XXXX-XX-XX XX:XX:XX UTC (XXXXXXXXXX)
Counter: 0x31XXXXX (XXXX)
361170

It can also convert the Base32 form back into the hex secret

$ oathtool --totp -b NB3VQXHMHYJ2YTU3W2VNAE2FD5HJXLQ5 -v
Hex secret: 6877585cec3e13ac4e9bb6aad013451f4e9bae1d
Base32 secret: NB3VQXHMHYJ2YTU3W2VNAE2FD5HJXLQ5
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: XXXX-XX-XX XX:XX:XX UTC (XXXXXXXXXX)
Counter: 0x31XXXXX (XXXX)
361170