[talk] 2FA on BSD (was Re: Reducing password fatigue on OpenBSD (or any BSD))

Patrick Tracanelli eksffa at freebsdbrasil.com.br
Tue Apr 21 11:18:08 EDT 2015

> On 21/04/2015, at 03:38, N.J. Thomas <njt at ayvali.org> wrote:
> * Isaac (.ike) Levy <ike at blackskyresearch.net> [2015-04-20 23:50:04-0400]:
>> Just started playing with a Yubikey.  Didn't really understand the
>> thing at first.
>> And then it hit me: this is the cheap, easily introspectable, hardware
>> auth token I've been dying for for like a decade...
> On a slightly tangential note, I started playing with Google
> Authenticator recently:
>    https://github.com/google/google-authenticator/
> It's worked very well so far:
>    - there are iPhone/Android apps for it
>    - there is a port on FreeBSD to build a PAM module out of the box
>      (security/pam_google_authenticator)
>    - it only took me a few minutes to get my FreeBSD servers running it
>      (basically building the port and adding a single line to
>      /etc/pam.d/sshd)
>    - in addition to TOTP (time based one time passwords) it also
>      gives you some single use OTPs (is that redundant?) that you print
>      and put in your wallet or wherever to use if your phone is not
>      available
>    - it works with LastPass as well
> The nice thing about Google Authenticator is that apart from the
> smartphone app, there is no physical token to carry around. Whether or
> not that makes it less secure, I'm not entirely sure. The TOTP Wikipedia
> page mentions that printed codes and email resets (which LastPass
> allows) is a weakness which allows for additional exploitable vectors,
> so be aware of that if you are using it.

Well other than Google Authenticator I would also point to the great Archie Cobbs’ mod-authn-otp[1] for Apache and oathtoken[2] app for iPhone. The first one as the name suggest is for protecting web server realms with 2FA other than Digest/Basic/Etc auth mechanisms, and the iPhone app is the companion token. The iPhone app is open source as well and it can be fully integrated with Google Authenticator, (I mean, by manually adding a new config and using a converted base16 secret). I use this app to concentrate all my 2FA credentials, Google, Dropbox, SSH access, Apache Auth and banking token which is also RFC-4226 compliant.

But the cool thing is otptool that comes with the Apache module.

It’s a command line utility one can use to test, generate and verify OTP/HOTP access, probably it was written primarily for automation and debugging but it’s easy enough to integrate it with Radius and OpenVPN as well. I have used it to add 2FA to OpenVPN and to PPPoE authentication based on FreeBSD+MPD authenticating from a FreeRADIUS system. I have tried a Samba setup to replace the reusable password with the OTP value and it works as well. It’s not a 2-FA strategy since the first authentication method is fully replaced by the OTP pass, however it’s a very nice security possibility as well, forcing users to have their token in hand to actually find out what’s the current required time-based credentials to log in their Windows workstations. I found out otptool can also be wrapped around OS X’s dscl and therefore Apple’s OD with a simple shell script, which will also allow for an OTP based auth on OS X based networks authenticating on OD.

So in the end I found out otptool[3] to be more valuable than Google Authenticator’s PAM module or Apache module for the flexibility it adds. You can pretty much integrated 2FA in virtually anything this way, using just extendable auth mechanisms, scripting or by some minor code hacking or wrapping. 

Just for fun, I have also slightly modified the iPhone app and added user-defined passphrase for the AES cryptogragy (oath token already uses it, but it’s not user defined) and added some Geolocation features. The app won’t show the OTP password if user-passphrase is not entered, if the app won’t have GPS/location access or if the device is located a few miles away from the authorized geolocation radius, so adding a simple Geolocation Authorized/Denied test on the app will somehow add a third authentication factor mechanism. It’s a 3FA protection tested before the 2FA code is shown.

It’s a lot of fun to have all those pieces of good open source (BSD licensed) software available.

Patrick Tracanelli

[1] https://code.google.com/p/mod-authn-otp/
[2] https://code.google.com/p/oathtoken/
[3] https://code.google.com/p/mod-authn-otp/wiki/OTPTool

More information about the talk mailing list