Please note, I am having issues with localhost authentication. See below
MOTP-AS is a simple installable two-factor authentication system using the mOTP algorythm for generating one-time passwords. MOTP-AS integrates with FreeRadius to provide the same authentication to log in to managed servers in a consistent manner.
I’ve recently installed this on my Ubuntu 11.10 laptop and on my Ubuntu 12.04 Beta server, and the installation instructions worked on both, so I thought I’d share them with you.
Installing appropriate packages
sudo apt-get install libpam-radius-auth freeradius mysql-server phpmyadmin
Alternatively, use tasksel to install the LAMP server task, then
sudo apt-get install libpam-radius-auth freeradius
Download the latest version of motp-as from http://motp-as.network-cube.de/index.php/download/current-version
Unpack it.
tar xfz ~/Downloads/motp-as*
Setting up the database
Go into the Setup/MySQL directory of the MOTP-AS directory. Edit motp_schema.sql at the line “CREATE USER”. Change the password from motp to something more secure.
mysql -u root -p < motp_schema.sql
Now update Setup/config.php with the new password you just created.
Setting up the web site
Copy the HTML directory to /var/www/motp (or somewhere else in your web root). You may need to do this either as root, or as a user with permissions to write to /var/www
cp -Rf ~/MOTP-AS_*/HTML /var/www/motp
Note this must be done after you’ve made your changes to Setup/config.php
Setting up FreeRadius
Stop the FreeRadius service
sudo /etc/init.d/freeradius stop
Users
Backup the users file
sudo mv /etc/freeradius/users /etc/freeradius/users.dist
Edit the users file you’re about to copy in
nano ~/MOTP-AS_*/Setup/Freeradius/users
Find the part where it says “/var/www/htdocs/radius-auth.php” and change that to “/var/www/motp/radius-auth.php”
Copy in the new users file
sudo cp ~/MOTP-AS_*/Setup/Freeradius/users /etc/freeradius/users
Dynamic Clients
Backup the dynamic-clients file
sudo mv /etc/freeradius/sites-available/dynamic-clients /etc/freeradius/sites-available/dynamic-clients.dist
Edit the new dynamic-clients file
nano ~/MOTP-AS_*/Setup/Freeradius/dynamic-clients
Find the three lines saying “/var/www/htdocs” and replace that string with “/var/www/motp” (I use Ctrl+W, Ctrl+R in nano to do a replace-all.)
Copy in the new dynamic-clients file
sudo cp ~/MOTP-AS_*/Setup/Freeradius/dynamic-clients /etc/freeradius/sites-available/dynamic-clients
Then make that function available
sudo ln -s /etc/freeradius/sites-available/dynamic-clients /etc/freeradius/sites-enabled/dynamic-clients
Accounting
Amend the default script to enable accounting
sudo cp /etc/freeradius/sites-available/default /etc/freeradius/sites-available/default.dist
Then edit it to use the MOTP accounting functions
sudo nano /etc/freeradius/sites-available/default
Search for the line “accounting {” then comment that whole block out with the hash/pound sign “#“. Fortunately in the distribution supplied default file, this only means commenting out a few lines, which are “detail“, “unix“, “radutmp“, “exec“, “attr_filter.accounting_response“, and then the closing “}” for that block.
If you’re using nano, press the insert key (or Ctrl+R if you can’t find that easily) and enter /home/MyUserName/MOTP-AS_v0.7.2/Setup/Freeradius/accounting (amend the path as appropriate). Replace the section “/var/www/htdocs” with “/var/www/motp“.
Save and exit
Finishing off FreeRadius
sudo /etc/init.d/freeradius start
Install your client
Personally, I have an Android device, and I chose to install the Mobile-OTP app from the Android Marketplace. I also, through work, have a Nokia 6303i Classic, on which I installed the MOTP application from the MOTP site.
I’ve heard good things about iOTP for iPhone, although I personally don’t have one.
Configuring MOTP
Go to http://localhost/motp (or https://yourdomain.com/motp)
Login with the username admin and password of motp.
Securing the admin account
Click on the red text in “First time configuration”
Click on “Change password of User ‘admin’”
Enter a new password. Do not set the time or uses section of this page. Click “Set“. Ignore the warning.
Click on “Home”
Setting up your first user
Click on “Quick Add” (under “Wizards”)
Enter a username. It should be the username for your Ubuntu 11.10 device.
On the client, create a profile for the device. Most of them create a profile by asking for a seed, rather than a secret, so those will likely be more than 16 characters long – maybe even 20 (Mobile-OTP for Android) or 25 (MOTP Java app).
Once you’ve got your secret (on Mobile-OTP, by pushing-and-holding on the profile name and selecting “Show Secret“, on MOTP Java app, once you’ve put 0000 as the PIN for the first time to initialize it, you get a string “Init-Secret:“), put that into the “Secret” field, and then ask the user to set their pin here – I suggest 1234 initially, as the user can change it to something they want after.
Click OK, then click “Logout” and test authentication. If it all goes OK, they should be presented with “Welcome to the Mobile OTP Authentication Server“.
Under “Settings” they can change their own PIN.
Testing radius authentication works OK
Run the radius testing program, like this, as a user:
radtest username passcode localhost 0 testing123
(This assumes the default localhost password hasn’t changed)
If you get anything like “rad_recv: Access-Reject packet from host“, then you’ve failed to configure something properly, or you’ve entered the PIN or code wrong.
Restart FreeRadius in debugging mode by doing the following:
/etc/init.d/freeradius stop
/usr/sbin/freeradius -X
This will produce a large quantity of logs on-screen, so I’d suggest running the test itself from a separate window. Run the radtest command (listed above) again. Look for your error messages. In my case, I forgot to update the line in users, so I saw this error message: Could not open input file: /var/www/htdocs/radius-auth.php
To find where this fault was, I did (as root, in /etc/freeradius)
find -R 'htdocs' /etc/freeradius
And got back:Â users: Exec-Program-Wait = “/usr/bin/php /var/www/htdocs/radius-auth.php %{User-Name} %{User-Password} %{Client-Shortname}”
That told me the fault was in the users file.
Fix the issue, check it again, and when you get this message “rad_recv: Access-Accept packet from host” press Ctrl+C to cancel the test mode of FreeRadius, and then run:
sudo /etc/init.d/freeradius start
Configuring pam_radius_auth.conf
Edit /etc/pam_radius_auth.conf
sudo nano /etc/pam_radius_auth.conf
Find the line which says “127.0.0.1” and replace the shared secret with something you want your server to use. You will also need to amend /etc/freeradius/clients.conf and replace the “secret” in the localhost client there (by default, it’s “testing123” in freeradius).
If you want to use your OTP for all authentication credentials, edit /etc/pam.d/common-auth, or if you just want to use it with specific access protocols, edit the relevant file in /etc/pam.d for the authentication systems you want to use OTP for.
You need to add the following line – either on the line before “@include common-auth” (for non common-auth files) or after the primary comment block for common-auth.
auth sufficient pam_radius_auth.so
Open a separate terminal session to your box (especially! if you’re remote) and ensure you can still login with your regular credentials.
Then try a connection with your radius credentials. It should just work! If not, stop the freeradius server and re-run it using /usr/sbin/freeradius -X and see whether you’re getting a different error message.
** UPDATE **
I have noticed that I’m getting locked out when using my non-radius credentials. This is probably due to the placement of the line in the /etc/pam.d/common-auth – it should probably come after the pam_unix.so line, but I’ve not tested that yet. I’m also going to try to suggest that there be an optional time-out period on locked accounts to the developers of MOTP-AS.
The second issue I’m struggling with is that I’m getting errors when using the LightDM. I’m getting the following error message in /var/log/auth.log:
pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "spriggsj"
I don’t know if this is because I’m using ecryptfs as well, or because there’s something wonky going on with the common-auth structure I’m using.