Monday, December 10, 2012

Using libpam-google-authenticator with a Hardware token (C200).

We have started using libpam-google-authenticator to implement two-factor authentication for our Linux servers accessed via SSH.  We have a number of users who are resistant to using a software token such as the Google Authenticator app available for smartphones.

Google doesn't seem to provide a whole lot of information on how to use existing OATH OTP hardware tokens with libpam-google-authenticator, so I dug in on my own.

  1. Acquire a hardware token.  I saw some information online that the Gooze C200 token might be a good candidate, so I purchased one from
    http://www.gooze.eu/otp-c200-token-time-based-h3-casing-1-unit
    Note: You need to get the C200 time-based token.
  2. While you are waiting for your package, install libpam-google-authenticator, configure and test it using the software token.  
  3. The first hurdle you will encounter is that the C200 seed (Gooze will provide the seed in a variety of ways, including printed on paper with the token) is in hex, while libpam-google-authenticator requires the seed in Base32.  So you need to convert it: either whip out your calculator or head over to:
    http://tomeko.net/online_tools/hex_to_base32.php?lang=en
  4. Edit the ~/.google_authenticator file and input your base32 seed as the first line, removing the existing seed.
  5. At this point, rejoice, you will have locked yourself out of your account.  After much digging, you may find out that the C200 hardware token has a step size of 60 seconds instead of the 30 seconds used by the software token.  A patch that makes the step size configurable has been submitted to Google Code; it is available at:
    http://code.google.com/p/google-authenticator/issues/detail?id=202
  6. How you apply, compile, and install the modified libpam-google-authenticator will vary by distribution; the following should work on Debian-based systems.
  7. Get the source using 'apt-get source libpam-google-authenticator'
  8. Get the build-deps using 'apt-get build-dep libpam-google-authenticator'
  9. Copy the patch from above into the build tree at debian/patches, remove the first 24 lines up to
    diff --git a/libpam/pam_google_authenticator.c
  10. Modify debian/patches/series to apply the patch.  
  11. Build package with 'dpkg-buildpackage'
  12. Install the newly built package with 'dpkg -i'.
  13. Add a configuration option line to ~/.google_authenticator alongside the other options:
    " TIME_STEP_SIZE 60
  14. Test.
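The two problems above, the hex-to-Base32 conversion in step 3 and the 60-second step size in step 5, both come down to how the token and the PAM module derive a code from the shared seed. The following is an added example (not code from the original post or from libpam-google-authenticator) that does the Base32 conversion locally, so the seed, which is the entire secret behind the second factor, never has to be pasted into a third-party website, and then computes RFC 6238 TOTP codes with a configurable step to show why a verifier assuming 30 seconds rejects a token ticking at 60. The demo seed is the RFC 4226/6238 test key "12345678901234567890", a constructed value and not a real token seed; the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time


def _seed_bytes(hex_seed: str) -> bytes:
    # Vendors often print the seed with spaces between byte pairs.
    return bytes.fromhex(hex_seed.replace(" ", ""))


def hex_seed_to_base32(hex_seed: str) -> str:
    """Convert a hex-encoded OATH seed (as printed by the token vendor) to
    the Base32 string libpam-google-authenticator expects on the first line
    of ~/.google_authenticator. Runs locally; the secret never leaves the host."""
    # RFC 4648 Base32 with padding stripped (a 20-byte seed needs none anyway).
    return base64.b32encode(_seed_bytes(hex_seed)).decode("ascii").rstrip("=")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time.
    `step` is the token's time step: 30 s for the Google Authenticator app,
    60 s for the C200 (what TIME_STEP_SIZE sets in the patched module)."""
    return hotp(secret, unix_time // step, digits)


def codes_for_both_steps(hex_seed: str, unix_time: int) -> dict:
    """Same seed, same instant, two step sizes: the counters differ, so the
    codes normally differ, which is exactly the lockout described in step 5."""
    secret = _seed_bytes(hex_seed)
    return {
        "base32_seed": hex_seed_to_base32(hex_seed),
        "code_step30": totp(secret, unix_time, step=30),
        "code_step60": totp(secret, unix_time, step=60),
    }


if __name__ == "__main__":
    # Constructed demo seed: the RFC test key "12345678901234567890" in hex.
    demo_hex = b"12345678901234567890".hex()
    print(codes_for_both_steps(demo_hex, int(time.time())))
```

Run it against the seed printed with your token (replacing `demo_hex`) and compare `code_step60` with what the C200 displays; once the patched module is installed with `" TIME_STEP_SIZE 60`, that is the code it will accept, whereas an unpatched module is computing `code_step30`.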
