RFC6287 (OCRA) pam module
- intended target platforms are FreeBSD and Linux
- Session DataInput parameter is not supported
- FreeBSD: use the port security/pam_ocra
- Linux: pam_ocra depends on libcrypto (from OpenSSL or LibreSSL), Berkeley DB 5.3 and Linux PAM; build and install it with one of the following:
- debuild (Debian, Ubuntu, ...)
$ wget https://github.com/sg2342/pam_ocra/archive/1.6/pam_ocra-1.6.tar.gz
$ tar zxf pam_ocra-1.6.tar.gz
$ cd pam_ocra-1.6
$ debuild -i -us -uc -b
$ sudo dpkg -i ../libpam-ocra_1.6_$(dpkg --print-architecture)*.deb
- rpm (RHEL7, CentOS7, Fedora, ...)
$ wget https://github.com/sg2342/pam_ocra/archive/1.6/pam_ocra-1.6.tar.gz
$ rpmbuild -ta pam_ocra-1.6.tar.gz
$ sudo rpm -i ~/rpmbuild/RPMS/$(uname -m)/pam_ocra-1.6-1.*.$(uname -m).rpm
- other
$ wget https://github.com/sg2342/pam_ocra/archive/1.6/pam_ocra-1.6.tar.gz
$ tar zxf pam_ocra-1.6.tar.gz
$ cd pam_ocra-1.6
$ make
$ sudo make install
$ man pam_ocra
$ man ocra_tool
$ ocra_tool init -f ~foobar/.ocra \
-s OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 \
-k 00112233445566778899aabbccddeeff00112233 \
-c 0 -w 50 -p 1234
creates the OCRA db file ".ocra" in the home directory of user "foobar" and sets the OCRA suite, key, counter, counter_window and pin.
If, for example, /etc/pam.d/sshd contains the line
auth required pam_ocra.so
and sshd is configured to use PAM and ChallengeResponseAuthentication, "foobar" can log in using an OCRA token.
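The suite from the ocra_tool init example above, worked through as an added example (this is not pam_ocra's own code): it computes RFC 6287 responses for the C, Q, P and T DataInput parts (not S, which the module does not support) and models the counter/counter_window (-c/-w) check that lets a response from a token whose counter has run ahead still verify. The exact window semantics are an assumption; only the standard library (hmac, hashlib, re) is used.

```python
import hashlib
import hmac
import re


def ocra_response(suite, key, challenge, counter=None, pin=None, timestamp=None):
    """RFC 6287 response for one DataInput set (the S/session part is not handled)."""
    _, crypto, data_in = suite.split(":")
    m = re.fullmatch(r"HOTP-(SHA1|SHA256|SHA512)-(\d+)", crypto)
    if not m or not 4 <= int(m.group(2)) <= 10:
        raise ValueError("unsupported CryptoFunction: " + crypto)
    hash_name, digits = m.group(1).lower(), int(m.group(2))
    # DataInput = OCRASuite || 0x00 || C || Q || P || S || T  (RFC 6287 section 5.1)
    msg = suite.encode("ascii") + b"\x00"
    for part in data_in.split("-"):
        if part == "C":                      # 8-byte big-endian counter
            msg += counter.to_bytes(8, "big")
        elif part[0] == "Q":                 # challenge, padded to 128 bytes
            if part[1] == "N":               # numeric: decimal -> hex, right-padded with '0'
                msg += bytes.fromhex(format(int(challenge), "x").ljust(256, "0"))
            elif part[1] == "H":             # hex challenge, right-padded with '0'
                msg += bytes.fromhex(challenge.ljust(256, "0"))
            else:                            # alphanumeric, zero-padded
                msg += challenge.encode("ascii").ljust(128, b"\x00")
        elif part[0] == "P":                 # hashed PIN, e.g. PSHA1 -> 20 bytes
            msg += hashlib.new(part[1:].lower(), pin.encode("ascii")).digest()
        elif part[0] == "S":
            raise ValueError("session DataInput is not supported")
        elif part[0] == "T":                 # 8-byte big-endian time-step count
            msg += timestamp.to_bytes(8, "big")
    mac = hmac.new(key, msg, hash_name).digest()
    off = mac[-1] & 0x0F                     # HOTP dynamic truncation (RFC 4226)
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_in_window(suite, key, challenge, response, counter, window, pin=None):
    """Assumed model of the -c/-w check: accept a response matching any counter in
    [counter, counter + window] and return that counter so the stored value can be
    advanced past it; None means the login is rejected."""
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(ocra_response(suite, key, challenge, c, pin), response):
            return c
    return None
```

With the key, suite and PIN from the init example, `verify_in_window(suite, key, challenge, response, 0, 50, pin="1234")` reproduces the window the module is configured with (-c 0 -w 50).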
1.6:
- support OpenSSL 3.0

1.5:
- change credential file look-up: if the pam module option dir= is set, ~/.ocra files will NOT be used
- new formatting directive for cmsg/rmsg: %Nc (splits the challenge string to increase readability; the default cmsg is now "OCRA Challenge: %4c", i.e. the challenge string is split into groups of 4 characters)
- fix counter handling in ocra_tool sync
- Linux support (Linux PAM, OpenSSL old and new API, rpm and deb packaging)

1.4:
- add ocra_tool sync: synchronize counter with OTP device
- introduce kill pin: if this pin is used, the authentication fails, and all future authentications also fail
  idea, interface, documentation and some code taken from

1.3:
- fix pam_ocra "dir=" option
- introduce pam_ocra "rmsg=", "cmsg=" and "nodata=" options
  contributed by Richard Nichols rdn757@gmail.com

1.2:
- constify two local variables to avoid -Wcast-qual warnings: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198113

1.1:
- change ocra_tool(8) command line interface:
  - 'help' command removed
  - 'init' -P pinhash option added
  - 'init' -c option now also accepts hex counters
  - 'info' output format changed
- fix ocra_tool counter input: the -c counter option did not work for the whole value range of the counter parameter.
- fix gcc builds, which were broken due to (cast-qual, format, sign-compare, ...) warnings.
- fix timestamp_offset verification: a broken termination condition in the timestamp_offset verify loop did not account for timestamp_offset==0. The result was that verification would succeed for any timestamp.
- fix counter_window and timestamp_offset verification: a broken termination condition in the counter_window verify loop did not account for counter_window==0. The result was that the verification would execute MAX_INT times before failing.
- fix i386 builds: an incorrect sign-compare and a 64bit-specific format string triggered warnings which broke the build for i386 targets.

1.0: first release