How can I authenticate to cmgui with a one-time password?
One time password (OTP) authentication overcomes replay attacks. It allows an administrator to login to a cluster without having to worry about the password being captured by an evildoer. This is because the password is, after all, one-time only by design.
OTP authentication can be implemented in BCM with PAM as follows:
1. Download the otpw OTP implementation:
wget -c http://www.cl.cam.ac.uk/~mgk25/download/otpw-1.3.tar.gz
2. unpack the sources
tar -xzvf otpw-1.3.tar.gz
3. compile otpw:
* cd otpw
* edit Makefile and add the "-fPIC" flag to the "CFLAGS" variable to be able to compile the shared library pam_otpw.so which provides authentication and session components. The authentication component asks for and verifies a one-time password, while the session component prints a reminder of how many unused passwords you have left after each successful login
4. Enable one-time-password Authentication in the pam configuration:
* copy pam_otpw.so under /lib64/security/
* add the following pam lines to /etc/pam.d/cmd:
auth required pam_otpw.so
* Generate a list of one-time-passwords using “otpw-gen” and choose a suitable prefix password which you will prepend to the one-time-password:
Generating random seed ...
If your paper password list is stolen, the thief should not gain
access to your account with this information alone. Therefore, you
need to memorize and enter below a prefix password. You will have to
enter that each time directly before entering the one-time password
(on the same line).
When you log in, a 3-digit password number will be displayed. It
identifies the one-time password on your list that you have to append
to the prefix password. If another login to your account is in progress
at the same time, several password numbers may be shown and all
corresponding passwords have to be appended after the prefix
password. Best generate a new password list when you have used up half
of the old one.
Enter new prefix password:
Reenter prefix password:
Generating new one-time passwords ...
OTPW list generated 2013-07-12 18:11 on adel61-centos6-sge
000 C82b S5Jg 056 fSf% xZuR 112 =46u ipfJ 168 sAos cuTL 224 9DFp Tp29
042 gJ3q ez/d 098 3YHS Zehe 154 Bk=V QRwq 210 U8xe Q=Z: 266 Jja/ 7M=Z
055 hS=U HFhc 111 2+KO TU3N 167 MOrm tLv% 223 EohG Ms3a 279 k/NQ 4ezI
!!! REMEMBER: Enter the PREFIX PASSWORD first !!!
* Save the generated list for future reference.
* a file named “.otpw” will be stored under the home directory of the user who issued the otpw-gen command.
* You can copy this file to the home directory of any user to be able to use one-time-password.
* If you copy it to another user's home directory, then remember to change the ownership of the file. Note that the prefix password will be the same.
5. Verify login
* When you attempt to login to cmgui you’ll be asked for a password from the generated list:
* Remember to prepend the prefix password to the password beside column 268 in the generated list and use the resulting string to login to cmgui.