This is only a summary of installing OTPasswd from the source package. For detailed and up-to-date instructions, please see the INSTALL file. Things that need to be done in order to get OTPasswd running:
- Install it into the system (from source or a binary package)
- Decide whether to use DB=global or DB=user (user doesn't require SUID but doesn't offer policy enforcement)
- For the global option, create an 'otpasswd' system user, set the permissions on /etc/otpasswd correctly and give SUID to otp_agent
- Configure SSH (or another application), if required, to do Challenge-Response authentication
- Configure PAM so that SSH uses pam_otpasswd during authentication
- Create a sequence key
If you run into problems, the utility doesn't work and you don't know why, execute agent_otp --check-config as root. It will examine the installation and report any problems it finds. Details follow.
Example building OTPasswd from source:
- Ensure you've got the PAM -dev package, cmake and the gettext utilities. Debian: apt-get install cmake libpam0g-dev build-essential gettext
- $ wget http://download.savannah.gnu.org/releases/otpasswd/otpasswd_0.8.tar.xz
You can verify the signature:
$ wget http://otpasswd.thera.be/download/bla.gpg
$ gpg --import bla.gpg
$ wget http://download.savannah.gnu.org/releases/otpasswd/otpasswd_0.8.tar.xz.sig
$ gpg --verify otpasswd_0.8.tar.xz.sig otpasswd_0.8.tar.xz
DON'T USE THIS SOFTWARE IF VERIFICATION FAILS. Contact me.
- $ tar -Jxvf otpasswd_0.8.tar.xz && cd otpasswd-0.8
- $ cmake . && make
- $ sudo make install
The following commands configure OTPasswd and might be required even when installing from a binary package:
- cp /etc/otpasswd/otpasswd.conf.dist /etc/otpasswd/otpasswd.conf
- vim /etc/otpasswd/otpasswd.conf # Set DB option.
- If DB is set to user, everything should work. For "global", continue:
- touch /etc/otpasswd/otshadow
- useradd --system otpasswd
- chown otpasswd /etc/otpasswd /etc/otpasswd/otshadow
Last required changes: configure SSH to use OTPasswd via PAM
Turn on ChallengeResponseAuthentication and UsePAM
You will probably want to comment out all 'auth' entries and include the otpasswd-login file instead, which should be located in /etc/pam.d. Be warned that this may differ from distribution to distribution! Be careful not to cut yourself off from SSH logins. It is much better to use PAM profiles. One is distributed with OTPasswd. On Debian, profiles can be enabled and disabled using the pam-auth-update tool.
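A pre-flight check for the SSH and PAM changes described above, to run before restarting sshd so a missed setting does not lock you out. This is an added example, not part of OTPasswd. The function names and the sample files are constructed for illustration, and requiring an explicit "yes" for both options is an assumption of this script.

```shell
#!/bin/sh
# Added example: check the sshd and PAM settings before restarting sshd.

# Print the global value (lower-cased) of an sshd_config keyword.
# sshd keywords are case-insensitive and the first occurrence wins.
# Simplification: stops at the first Match block, does not follow Include.
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/[=]/, " ") }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Succeed if an active (uncommented) line pulls in pam_otpasswd, either
# directly or through the otpasswd-login file.
pam_uses_otpasswd() {  # $1 = PAM service file
    grep -Eq '^[[:space:]]*(@include|auth)[[:space:]].*(pam_otpasswd|otpasswd-login)' "$1"
}

preflight() {  # $1 = sshd_config path, $2 = PAM service file
    rc=0
    for key in ChallengeResponseAuthentication UsePAM; do
        val=$(sshd_value "$1" "$key")
        # Assumption: require an explicit "yes" rather than trusting defaults.
        if [ "$val" != "yes" ]; then
            echo "FAIL: $key is '${val:-unset}' in $1" >&2
            rc=1
        fi
    done
    if ! pam_uses_otpasswd "$2"; then
        echo "FAIL: $2 has no active pam_otpasswd / otpasswd-login line" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample input, so the check can be tried without touching /etc.
demo=$(mktemp -d)
printf '%s\n' '#UsePAM no' 'usepam yes' 'ChallengeResponseAuthentication yes' \
    > "$demo/sshd_config"
printf '%s\n' '#@include common-auth' '@include otpasswd-login' \
    'account required pam_unix.so' > "$demo/pam_sshd"
preflight "$demo/sshd_config" "$demo/pam_sshd" && echo "OK: sshd and PAM reference OTPasswd"
rm -rf "$demo"
```

On a live host, call preflight with the real sshd_config and PAM service file, and run sshd -t to validate the configuration syntax. Keep an existing root session open until the first OTP login has succeeded.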