March 19, 2014

Two-Factor Authentication (One time passwords by SMS) for SSH and more

With passwords becoming inherently insecure nowadays, I decided to add an extra layer of security by using the Textlocal One-Time Password API (it's so new I haven't been able to get it documented yet).

One-Time Passwords are unique codes sent to a trusted mobile device; the code the user enters is then checked, and access is allowed or denied based on the response.

This is pretty awesome considering the code cannot be guessed, expires after 24 hours, can only be used once, and is separate from the service that requires the authentication.

As I said, I decided to add One-Time Passwords to my Linux server. To do this, I added the following code to the bottom of my user's .bashrc file (my user only, since no other users have SSH access):

# Request body for otp_send; **EMAIL**, **PASS** and **NUMBER** are filled in as described below.
tlrequest="username=**EMAIL**&password=**PASS**&numbers=**NUMBER**&message=SSH%20OTP%20is&sender=SSH-OTP"
# Ctrl-C disconnects the session instead of dropping into the shell.
trap logout INT
# Send the one-time code to the mobile number.
curl -s -d "$tlrequest" http://api.txtlocal.com/otp_send >/dev/null 2>&1
echo "A One-time password has been sent to your device. Please enter it below followed by [enter]:"
read otp
# Check the entered code. The response body must be captured (it is inspected next), so only stderr is discarded.
check=$(curl -s "http://api.txtlocal.com/otp_challenge/?username=**EMAIL**&password=**PASS**&numbers=**NUMBER**&code=$otp" 2>/dev/null)
if [[ $check == *uccess* ]]
then
    echo "OTP Validated."
else
    echo "OTP Invalid. Disconnecting."
    logout
fi

To make the code work, you will need:

1. A Textlocal account
2. Change **EMAIL** to your email address
3. Change **PASS** to your Textlocal password or hash
4. Change **NUMBER** to your mobile number (e.g. 447000000000)

That's it!
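The same gate as a stand-alone script, as an added example (not the post's own code): it fails closed when the API is unreachable, URL-encodes every field instead of splicing the typed code into a URL, and keeps the credentials out of .bashrc. Assumed: a credentials file at ~/.config/ssh-otp.conf defining TL_USER, TL_PASS and TL_NUMBER (names mine), HTTPS support on the API endpoints, and the same "response contains success" rule the post relies on.

```shell
#!/bin/sh
# Added example, not the post's code. Assumes a mode-0600 file defining
# TL_USER, TL_PASS and TL_NUMBER, and that the API answers over HTTPS. Only
# "success" in the response body is known, so only that is checked (post's rule).
OTP_CONF="${OTP_CONF:-$HOME/.config/ssh-otp.conf}"
OTP_API="${OTP_API:-https://api.txtlocal.com}"   # HTTPS assumed; the post uses http

# otp_response_ok BODY: 0 if the API body reports success, else 1.
# Case-insensitive substring match, like the post's *uccess* glob.
otp_response_ok() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *success*) return 0 ;;
        *)         return 1 ;;
    esac
}

# otp_code_valid CODE: 0 only for a non-empty, purely alphanumeric code.
# Rejects separators and URL metacharacters before an API call is spent.
otp_code_valid() {
    case "$1" in
        '' | *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# otp_gate: send a code, prompt once, verify it; any failure, including an
# unreachable API or Ctrl-C, ends with exit 1 so the caller can disconnect.
otp_gate() {
    . "$OTP_CONF" || { echo "OTP: cannot read $OTP_CONF. Disconnecting."; exit 1; }
    trap 'exit 1' INT TERM HUP          # same intent as the post's trap logout INT
    curl -sS --fail --max-time 15 -o /dev/null \
        --data-urlencode "username=$TL_USER" --data-urlencode "password=$TL_PASS" \
        --data-urlencode "numbers=$TL_NUMBER" --data-urlencode "message=SSH OTP is" \
        --data-urlencode "sender=SSH-OTP" "$OTP_API/otp_send" \
        || { echo "OTP: could not send code. Disconnecting."; exit 1; }
    printf 'A one-time password has been sent to your device. Enter it: '
    read -r otp
    otp_code_valid "$otp" || { echo "OTP: malformed code. Disconnecting."; exit 1; }
    # -G turns the encoded fields into a query string, as the post's GET does.
    resp=$(curl -sS --fail --max-time 15 -G \
        --data-urlencode "username=$TL_USER" --data-urlencode "password=$TL_PASS" \
        --data-urlencode "numbers=$TL_NUMBER" --data-urlencode "code=$otp" \
        "$OTP_API/otp_challenge/") \
        || { echo "OTP: verification request failed. Disconnecting."; exit 1; }
    otp_response_ok "$resp" || { echo "OTP Invalid. Disconnecting."; exit 1; }
    echo "OTP Validated."
}
# Run the gate only when invoked as `ssh-otp.sh --gate`; sourcing the file just
# defines the functions. From .bashrc:  ~/bin/ssh-otp.sh --gate || exit
if [ "${1:-}" = "--gate" ]; then otp_gate; fi
```

Whether this runs at all still depends on the login shell reading .bashrc, so, like the post's version, it gates interactive bash logins only and is not enforced by sshd itself.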