pam_ocra
========
[![Build Status](https://travis-ci.org/sg2342/pam_ocra.svg?branch=master)](https://travis-ci.org/sg2342/pam_ocra)


[RFC6287](http://tools.ietf.org/html/rfc6287) (OCRA) PAM module

Limitations
-----------

 - intended target platforms are FreeBSD and Linux
 - the Session DataInput parameter is not supported

Installation FreeBSD
--------------------

Use the FreeBSD port security/pam_ocra

Build/Installation Linux
------------------------

pam_ocra depends on libcrypto (from OpenSSL or LibreSSL), Berkeley DB 5.3
and Linux PAM


- debuild (Debian, Ubuntu, ...)

```
$ wget https://github.com/sg2342/pam_ocra/archive/1.5/pam_ocra-1.5.tar.gz
$ tar zxf pam_ocra-1.5.tar.gz
$ cd pam_ocra-1.5
$ debuild -i -us -uc -b
$ sudo dpkg -i ../libpam-ocra_1.5_$(dpkg --print-architecture)*.deb
```

- rpm (RHEL7, CentOS7, Fedora, ...)

```
$ wget https://github.com/sg2342/pam_ocra/archive/1.5/pam_ocra-1.5.tar.gz
$ rpmbuild -ta pam_ocra-1.5.tar.gz
$ sudo rpm -i ~/rpmbuild/RPMS/$(uname -m)/pam_ocra-1.5-1.*.$(uname -m).rpm
```

- other

```
$ wget https://github.com/sg2342/pam_ocra/archive/1.5/pam_ocra-1.5.tar.gz
$ tar zxf pam_ocra-1.5.tar.gz
$ make -C pam_ocra-1.5
$ sudo make -C pam_ocra-1.5 install
```

Basic Use
---------

    $ man pam_ocra
    $ man ocra_tool
    $ ocra_tool init -f ~foobar/.ocra \
                     -s OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 \
                     -k 00112233445566778899aabbccddeeff00112233 \
                     -c 0 -w 50 -p 1234

will create the OCRA db file ".ocra" in the home directory of user "foobar"
and set the OCRA suite, key, counter, counter_window and pin.

If, for example, /etc/pam.d/sshd has the line

    auth required pam_ocra.so

and sshd is configured to use PAM and ChallengeResponseAuthentication, "foobar"
can log in using an OCRA token.
Changelog
---------
- 1.5:

  * change credential file look-up:
    if the pam module option dir= is set, ~/.ocra files will NOT be used

  * new formatting directive for cmsg/rmsg: %Nc (split challenge string
    to increase readability; default cmsg is now "OCRA Challenge: %4c",
    i.e. the challenge string is split into groups of 4 characters)

  * fix counter handling in ocra_tool sync

  * Linux support (Linux PAM, OpenSSL old and new API, rpm and deb packaging)

- 1.4:

  * add ocra_tool sync: synchronize counter with OTP device

  * introduce kill pin: if this pin is used, the authentication fails and all
    future authentications also fail

    idea, interface, documentation and some code taken from

    https://github.com/nilsrasmuszen/pam_ocra

- 1.3:

  * fix pam_ocra "dir=" option

  * introduce pam_ocra "rmsg=", "cmsg=" and "nodata=" options

    contributed by Richard Nichols <rdn757@gmail.com>

- 1.2:

  * constify two local variables to avoid -Wcast-qual warnings:
    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198113

- 1.1:

  * change ocra_tool(8) command line interface:
    - 'help' command removed
    - 'init' -P pinhash option added
    - 'init' -c option now also accepts hex counters
    - 'info' output format changed

  * fix ocra_tool counter input:
    the -c counter option did not work for the whole value range of the counter
    parameter.

  * fix gcc builds:
    which were broken due to (cast-qual, format, sign-compare, ...) warnings.

  * fix timestamp_offset verification:
    broken termination condition in the timestamp_offset verify loop did not
    account for timestamp_offset==0. The result was that verification would
    succeed for any timestamp.

  * fix counter_window and timestamp_offset verification:
    broken termination condition in the counter_window verify loop did not
    account for counter_window==0. The result was that the verification
    would execute MAX_INT times before failing.

  * fix i386 builds:
    incorrect sign-compare and 64bit specific format string triggered warnings
    which broke the build for i386 targets.

- 1.0: first release