Howto authenticate to a Linux box using the eTokenNG OTP
- date: 08.07.2005
author: CorneliusKoelbel
<cornelius.koelbel AT lsexperts DOT de>
introduction
Hit me, beat me. But, I am sorry, this example is about using a Windows backend, because this example is rather old. If you want to run a Linux backend, please take a look at LinOTP. Of course the client configuration (pam_radius) stays the same.
installing the windows server
- install the Aladdin Token Management System (TMS)
- install the TMS OTP-Connector
- load the OTP-Connector in the TMS
- load licenses in the TMS
- install Microsoft Internet Authentication Service (IAS)
- install the Aladdin IAS plugin
- now run the Aladdin OTP Auth Manager and configure it
- generate a security key
- now add a GPO for the user in the Active Directory that contains the OTP-Connector
rollout eTokenNG
Having done all the steps above, you are now able to roll out an eTokenNG OTP using the Aladdin eToken Wizard.
configure IAS
- You have to add a new RADIUS client with the IP of your Linux box. Choose "RADIUS Standard" and enter a preshared secret. Do _not_ check "Message Authenticator": pam_radius_auth 1.3.16 does not send the Message-Authenticator attribute, so a policy that requires it would reject every request from the Linux box. That leaves the shared secret and the client IP restriction as the only things protecting the RADIUS exchange, so pick a long random secret and register only the Linux box's address.
- Add a new remote access policy (RAS-Richtlinie) with:
- NAS-Port-Type Ethernet OR Virtual
- Windows-Groups is Domain-Users
- Authentication-Type is PAP (pam_radius_auth sends the OTP as a PAP User-Password); enabling CHAP etc. as well does no harm, but is not used here.
configure pam_radius_auth
Again you need a new PAM module. Download pam_radius_auth from ftp://ftp.freeradius.org/pub/radius/
We create a new file /etc/pam.d/system-auth-radius, that can be used in all PAM configs. Note that pam_unix is not in the auth stack: for every service that includes this file, authentication is decided by RADIUS alone, so keep a root shell open (or leave a service that still uses system-auth) while you test. Drop the debug option once it works.
--snip--
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /root/pam_radius-1.3.16/pam_radius_auth.so conf=/root/pam_radius-1.3.16/pam_radius_auth.conf debug
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/$ISA/pam_unix.so
password   required     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/$ISA/pam_deny.so
session    required     /lib/security/$ISA/pam_limits.so
session    required     /lib/security/$ISA/pam_unix.so
--snip--
The module and its config are loaded straight from the build directory under /root here; for a permanent setup copy pam_radius_auth.so to /lib/security and adjust the paths.
Now we have to edit the file pam_radius_auth.conf:
--snip--
# server[:port]   shared_secret   timeout (s)
#127.0.0.1        secret          1
#other-server     other-secret    3
172.16.200.201    123456          6
--snip--
This is very simple. Just enter the IP of your Windows machine, the preshared secret you entered in IAS and the timeout in seconds (6 here, after which the module gives up on the server). The secret 123456 is only a placeholder for this howto; use something long and random. Since the file holds the shared secret, it must be owned by root and readable only by root (mode 0600).
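Before wiring pam_radius_auth into the PAM stack it is useful to talk to IAS by hand, so that a rejected login can be blamed on the policy or the OTP rather than on a wrong secret. The script below is an added example for this howto, not pam_radius_auth code and not part of the original page; it implements the RFC 2865 exchange that pam_radius_auth performs: PAP User-Password hiding keyed by the shared secret, the Response Authenticator check on the reply, and, for comparison, the Message-Authenticator attribute that the IAS checkbox above would require. The secret 123456 and the 6-second timeout are taken from the pam_radius_auth.conf above; the server address in the main block, the user name, the OTP value and the default NAS-IP-Address are assumptions.

```python
"""Minimal RADIUS (RFC 2865) PAP client, to test the IAS + OTP backend by hand.

Added example for this howto; not pam_radius_auth code and not from the original
page. Standard library only. User name, OTP and nas_ip default are assumptions;
the secret 123456 and the 6 s timeout come from the pam_radius_auth.conf above.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 2, 4, 61, 80
NAS_PORT_TYPE_VIRTUAL = 5  # one of the two port types the IAS policy above accepts


def attr(atype, value):
    """Type-Length-Value; Length counts the two header octets too."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Walk a TLV list into {type: value}; reject lengths that overrun the buffer."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[pos + 2:pos + length]
        pos += length
    return attrs


def pap_encrypt(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16 octets, XOR each block with MD5(secret + previous
    block), chained from the Request Authenticator. Obfuscation keyed by the shared
    secret, not real encryption: whoever knows the secret recovers the OTP."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(hidden, secret, request_auth):
    """Inverse of pap_encrypt (the server side). Trailing NULs are padding by definition."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, request_auth,
                         nas_ip="127.0.0.1", message_authenticator=False):
    """Access-Request. message_authenticator=True adds the HMAC-MD5 attribute (RFC 2869
    5.14) behind the IAS "Message Authenticator" checkbox; the howto leaves it off."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    if message_authenticator:
        attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while hashing
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    if message_authenticator:  # placeholder is the last 16 octets: overwrite in place
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def verify_message_authenticator(pkt, secret):
    """Recompute HMAC-MD5 over the packet with the attribute value zeroed and compare."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(),
                                       pkt[pos + 2:pos + 18])
        pos += max(length, 2)
    return False


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    Used here only to simulate IAS offline."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def parse_reply(reply, request_auth, secret, expected_id):
    """Check identifier and Response Authenticator before trusting the code: a failed
    check means wrong shared secret or a forged/corrupt reply, not a Reject."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if not 20 <= length <= len(reply):
        raise ValueError("bad length")
    reply = reply[:length]
    if ident != expected_id:
        raise ValueError("identifier mismatch")
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret or forged reply)")
    return code, parse_attrs(reply[20:])


def radius_auth(server, secret, user, password, timeout=6.0):
    """Live check against the IAS host on UDP 1812; True only on a verified Access-Accept."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(ident, user, password, secret, request_auth), (server, 1812))
        data, _ = sock.recvfrom(4096)
    code, _ = parse_reply(data, request_auth, secret, ident)
    return code == ACCESS_ACCEPT


if __name__ == "__main__":  # assumed values: the IAS host from the conf, a made-up user and OTP
    print("accept" if radius_auth("172.16.200.201", b"123456", "ckoelbel", "12345678") else "reject")
```

Run it with the user name you enrolled in TMS and the OTP currently shown on the eTokenNG. A "Response Authenticator mismatch" means the secret in pam_radius_auth.conf differs from the one in the IAS client entry; a clean reject means the request reached IAS but the policy (NAS-Port-Type, group, PAP) or the OTP did not match; a timeout means the packet never made it, or the Linux box is not registered as a RADIUS client. The same PAP hiding is why the secret matters: anyone holding it can turn a captured User-Password back into the OTP, as pap_decrypt does.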
finally
Now you only need to make sure that your Linux box has a local account with the same user name as the Windows user for whom you enrolled the eTokenNG: pam_radius_auth sends the name the user logs in with as User-Name, and IAS looks that name up in the domain.
