Google doesn't seem to provide a whole lot of information on how to use existing OATH OTP hardware tokens with libpam-google-authenticator, so I dug in on my own.
- Acquire a hardware token. I saw some information online that the Gooze C200 token might be a good candidate, so I purchased one from
Note: You need to get the C200 time-based token.
- While you are waiting for your package, install libpam-google-authenticator, then configure and test it using the software token.
- The first hurdle you will encounter is that the C200 seed is in hex (Gooze will provide the seed in a variety of ways, including printed on paper with the token), while libpam-google-authenticator requires a seed in Base32. So you need to convert it: either whip out your calculator or head over to:
- Edit the ~/.google_authenticator file and input your Base32 seed as the first line, removing the existing seed.
- At this point, rejoice, you will have locked yourself out of your account. After much digging, you may find out that the C200 hardware token has a step size of 60 seconds instead of the 30 seconds used by the software token. A patch has been supplied to Google Code that makes the step size configurable; it is available at:
- How you apply, compile, and install the modified libpam-google-authenticator will vary depending on distribution; the following should work on Debian-based systems.
- Get the source using 'apt-get source libpam-google-authenticator'
- Get the build-deps using 'apt-get build-dep libpam-google-authenticator'
- Copy the patch from above into the build tree at debian/patches, remove the first 24 lines up to
diff --git a/libpam/pam_google_authenticator.c
- Modify debian/patches/series to apply the patch.
- Build the package with 'dpkg-buildpackage'
- Install the newly built package with 'dpkg -i'.
- Add a configuration option with the other options:
" TIME_STEP_SIZE 60