Linux.com


Two-Factor Authentication (One time passwords by SMS) for SSH and more

With passwords alone no longer a sufficient safeguard, I decided to add an extra layer of security using the Textlocal One-Time Password API (it's so new I haven't been able to get it documented yet).

One-Time Passwords are unique codes sent to a trusted mobile device; the code the user types back is then checked, and access is allowed or denied based on the response.

This is pretty awesome considering the code cannot be guessed, expires after 24 hours, can only be used once, and is separate from the service that requires the authentication.

As I said, I decided to add One-Time Passwords to my Linux server. To do this, I added the following code to the bottom of my user's .bashrc file (my user only, since no other users have SSH access):

# Request body for the send endpoint; **EMAIL**, **PASS** and **NUMBER** are filled in as described below.
tlrequest="username=**EMAIL**&password=**PASS**&numbers=**NUMBER**&message=SSH%20OTP%20is&sender=SSH-OTP"
# Ctrl-C ends the session instead of dropping into a shell without the check.
trap logout INT
# Ask Textlocal to send the one-time code to the trusted phone.
curl -s -d "$tlrequest" http://api.txtlocal.com/otp_send >/dev/null 2>&1
echo "A One-time password has been sent to your device. Please enter it below followed by [enter]:"
read otp
# Submit the code and capture the response body for checking.
check=$(curl -s "http://api.txtlocal.com/otp_challenge/?username=**EMAIL**&password=**PASS**&numbers=**NUMBER**&code=$otp" 2>/dev/null)
if [[ $check == *uccess* ]]
then
    echo "OTP Validated."
else
    echo "OTP Invalid. Disconnecting."
    logout
fi

To make the code work, you will need:

1. A Textlocal account
2. To change **EMAIL** to your email address
3. To change **PASS** to your Textlocal password or hash
4. To change **NUMBER** to your mobile number (e.g. 447000000000)

That's it!
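The two untrusted values in the flow above are the code the user types and the reply the API sends back, and the script passes both straight through: the typed code goes unescaped into a URL, and the reply is accepted if it merely contains "uccess", a glob that also matches a reply saying "Unsuccessful". The following is an added example, not the article's script, showing strict handling of both values with constructed sample replies so it runs offline. It assumes a JSON reply containing "status":"success" on a valid code (the real txtlocal response format is not documented here), and it leaves the HTTPS request to the caller, for which a curl --data-urlencode form is shown in a comment; the credential constants are placeholders.

```shell
#!/bin/sh
# Added example (not the article's code). ASSUMED reply format: a JSON body
# containing "status":"success" on a valid code. Placeholder credentials only.
TL_USER='**EMAIL**'
TL_PASS='**PASS**'
TL_NUMBER='**NUMBER**'

# Accept only 4 to 8 ASCII digits; anything else never reaches a URL.
otp_is_wellformed() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -ge 4 ] && [ "${#1}" -le 8 ]
}

# Match the exact success marker (assumed format, see above) rather than the
# substring "uccess", which also appears in words such as "Unsuccessful".
otp_response_ok() {
    case "$1" in
        *'"status":"success"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide one (typed code, API reply) pair: exit status 0 = allow, 1 = deny.
# The caller obtains the reply over TLS with curl doing the URL-encoding, e.g.
#   reply=$(curl -sf --data-urlencode "username=$TL_USER" \
#                    --data-urlencode "password=$TL_PASS" \
#                    --data-urlencode "numbers=$TL_NUMBER" \
#                    --data-urlencode "code=$otp" \
#                    https://api.txtlocal.com/otp_challenge/)
# With -f, an HTTP error or network failure leaves reply empty, which denies.
otp_decide() {
    otp_is_wellformed "$1" || return 1
    otp_response_ok "$2"
}

# Constructed sample replies (not captured from the real service).
GOOD_REPLY='{"status":"success"}'
BAD_REPLY='{"status":"failure","errors":[{"message":"Unsuccessful: invalid code"}]}'

# Offline walk-through over a few constructed inputs.
for candidate in 123456 '1234-56' 123456789 ''; do
    if otp_decide "$candidate" "$GOOD_REPLY"; then
        printf 'input [%s]: allow\n' "$candidate"
    else
        printf 'input [%s]: deny\n' "$candidate"
    fi
done
if otp_decide 123456 "$BAD_REPLY"; then
    echo 'failure reply: allow'
else
    echo 'failure reply: deny'
fi
```

The point of otp_decide taking the reply as a parameter is that the decision logic can be exercised without a network, and that an empty reply (curl -f failing) is a denial rather than an accidental pass. Note that this tightens only the input and response handling; as the comments below explain, a check that lives in .bashrc is not an authentication boundary at all, since a client can request a shell that never reads that file, and the proper place for a second factor on SSH is PAM.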

Comments

  • asdafa Said:

    Sorry if I might sound rude but this is just an exercise in futility. It is enough to connect to the host using ssh $host -c 'bash --norc --no-profile' to skip the check entirely. Or if on your box /bin/sh is NOT a symlink to bash (like in almost all Debian derivatives) you can just run 'ssh $host -c sh'. If you really want to use 2-factor auth, please understand how the pam security model works and leverage properly written pam modules (like [1] for instance) instead of useless hacks like this one. One should post about security related topics only if he /really/ understands the topic entirely. [1] https://code.google.com/p/openotp-pam-plugin/

  • asdafa Said:

    Oh and silly me, there are other major pitfalls in this... First of all, you make requests to that textlocal thing using plain HTTP. Secondly you trust the input; it would be fairly trivial to inject commands on the user input. Please consider moving to a more appropriate setup (using PAM) but more importantly consider removing this post as it presents a broken design that other people might follow.

  • foo Said:

    I can see at least 5 different vulnerabilities in that code

  • Andy Dixon Said:

    The code is a proof of concept, I agree with the SSL side of things, and indeed a PAM equivalent is in the works, and the input is certainly not checked, etc. Since writing this, it was replaced on my server with a python equivalent which uses SSL and sanitises input. If I had the ability to edit the article it would be updated with the fixes. Oh and @foo - thanks for your contribution. Short, yet pointless. :)

  • asdafa Said:

    Andy, the problem is not the language you use to write this thing. The problem is that its security model is _broken_. And even if you reimplement that in C and speak with the HTTPS endpoint of txtlocal, it will still be broken since it ignores the system-wide authentication mechanism provided by your distro of choice (which will be, most likely, PAM and SSH). The other big issue (bigger than the whole approach imho) is that there is NO MENTION in your article about the fact that it is a proof of concept and it shouldn't be used... The only thing this approach gives you (and whoever reads this article and decides to implement it) is a false sense of security, which is even worse than just having a 1 factor auth scheme. Furthermore, your approach is prone to third party service failures, which are always an option and completely outside of your control. If you really are working on a PAM module to interface it with the txtlocal API, please consider contributing to the Open OTP PAM plugin, instead of reinventing the wheel: https://code.google.com/p/openotp-pam-plugin/

  • Tercio Filho Said:

    Well, I would comment about the several broken parts but asdafa already did it for me. Seriously, DON'T use this. So many security misconceptions. You should alert your users, imagine how many are using this (UN)secure script...
