https://chatgpt.com/share/66fe3483-ce0c-800e-9943-d8b360914b98
To send the OTP generated by libpam-oath via email using mailutils (a simple mail-sending utility), you'll need to combine the OTP generation process with the email-sending process using a shell script. Below is a step-by-step guide to configure libpam-oath and send OTP via mailutils.
Step 1: Install libpam-oath and mailutils
Install libpam-oath: On Ubuntu/Debian:
    sudo apt-get install libpam-oath
Install mailutils: On Ubuntu/Debian:
    sudo apt-get install mailutils
Step 2: Configure libpam-oath
Create an OATH users file: Edit /etc/security/oath/users.oath and add your users with their secret keys. Example of a TOTP configuration:
    TOTP user1 - base32secret3232
Ensure the permissions are secure:
    sudo chmod 600 /etc/security/oath/users.oath
Configure PAM for libpam-oath: Edit the PAM file for the service you want to protect, such as SSH (/etc/pam.d/sshd), and add the following line:
    auth required pam_oath.so usersfile=/etc/security/oath/users.oath window=30 digits=6
Step 3: Create a Script to Generate OTP and Send via mailutils
You can use a shell script to generate the OTP code and send it via email using mailutils.
Generate OTP Using oathtool: Use the oathtool command to generate the OTP for a user. For example:
    oathtool --totp -b base32secret3232
Create a Shell Script: Here's an example of a shell script that generates an OTP and sends it via mailutils:
    #!/bin/bash
    # User's OATH secret key (from /etc/security/oath/users.oath)
    SECRET_KEY="base32secret3232"
    RECIPIENT_EMAIL="user@example.com"
    # Generate the OTP using oathtool (-b: the secret is base32-encoded)
    OTP_CODE=$(oathtool --totp -b "$SECRET_KEY")
    # Subject and body of the email
    SUBJECT="Your One-Time Password"
    BODY="Your OTP code is: $OTP_CODE"
    # Send the OTP code via email using mailutils
    echo "$BODY" | mail -s "$SUBJECT" "$RECIPIENT_EMAIL"
Save the Script: Save this script as send_otp.sh and make it executable:
    chmod +x /path/to/send_otp.sh
Step 4: Integrate the Script with PAM
To send the OTP code via email when the user tries to log in, integrate the script with PAM using the pam_exec.so module.
Edit PAM Configuration: Edit /etc/pam.d/sshd or any other PAM configuration file where you want to apply the OTP email sending. Add the following line to execute the script during the authentication process:
    auth required pam_exec.so /path/to/send_otp.sh
Test the Configuration: When you attempt to log in to the service (e.g., SSH), the OTP will be generated and sent to the user's email using mailutils.
Step 5: Testing and Securing the Setup
Testing:
- Attempt to log in using SSH or any service configured with PAM.
- You should receive an email with the OTP code.
- Enter the OTP in the authentication prompt.
Security Considerations:
- Permissions: Ensure that the script (send_otp.sh) and the users.oath file are properly secured to prevent unauthorized access.
- Email Security: Make sure the email server is set up to use encryption (TLS) to protect the contents of the emails.
Summary
You can use libpam-oath to generate an OTP code and send it via email using mailutils with a custom shell script. By configuring PAM to execute the script during the authentication process, the user will receive the OTP in their email. Let me know if you need further assistance with any part of the setup!
=================================================================
https://github.com/reekol/oath-installer-debian-ubuntu/blob/master/setupOath.sh
#!/bin/bash
version='0.0.4'
me=$(whoami)
host=$(hostname)
seed=$(head -10 /dev/urandom | sha512sum | cut -b 1-30)
authType="required" # required || sufficient || requisite
type="HOTP"
window="30"
pinLen="6"
cnf="/etc/users.oath"
sshdConfig="/etc/ssh/sshd_config"
sshdPam="/etc/pam.d/sshd"
typeLower=$(echo $type | tr '[:upper:]' '[:lower:]')
pause(){ read -p $'\e[33mEnter to continue\e[0m' -n 1 -r; }
version() { echo $version 1>&2; exit 0; }
### START MENU SECTION ####
# -h is listed in usage() below, so it must also be a valid short option
TEMP=$(getopt -o u:s:w:l:vh --long user:,seed:,window:,length:,version,help -n "$0" -- "$@") || usage
eval set -- "$TEMP"
usage() { echo -e "Usage: \n\
-u --user User.\n\
-s --seed Seed.\n\
-w --window Algorithm window size.\n\
-l --length Length of the pin.\n\
-h --help Usage: Prints this help.\n\
-v --version Prints version.\n\
" 1>&2; exit 1; }
while true ; do
case "$1" in
-u|--user) me=$2; shift 2;;
-s|--seed) seed=$2; shift 2;;
-w|--window) window=$2; shift 2;;
-l|--length) pinLen=$2; shift 2;;
-v|--version) version; shift 2;;
-h|--help) usage; shift ;;
--) break ;;
*) echo "Wrong arguments!" ; exit 1 ;;
esac
done
echo -e "\e[33mCurrent configuration: \n\
-u --user $me\n\
-s --seed $seed\n\
-w --window $window\n\
-l --length $pinLen\n\
-v --version $version\n\
\e[0m"
### END MENU SECTION ####
pause
installDep(){
if [ $(dpkg -l | grep libpam-oath | wc -l ) -eq "0" ]; then apt-get install libpam-oath; fi
if [ $(dpkg -l | grep oathtool | wc -l ) -eq "0" ]; then apt-get install oathtool ; fi
if [ $(dpkg -l | grep -v libqrencode | grep qrencode | wc -l ) -eq "0" ]; then apt-get install qrencode ; fi
}
setSeed(){
# echo -e "\n$type/T$window/$pinLen $1 - $2" > $cnf
echo -e "$type $1 - $2\n" > $cnf
chmod 600 $cnf && chown root $cnf
echo -e "\e[32m" && cat $cnf && echo -e "\e[32m"
}
setSshdConfig(){
local now=$(date +%Y-%m-%d-%H-%M-%S)
read -p $'\e[33mReconfigure '${sshdConfig}$' [Y/N]?\e[0m' -n 1 -r REPLY
echo
if [[ $REPLY =~ ^[Yy]$ ]]
then
cp --verbose $sshdConfig $sshdConfig.$now.bak
sed -i "s/^UsePAM\ .*/UsePAM\ yes/g" $sshdConfig
sed -i "s/^ChallengeResponseAuthentication\ .*/ChallengeResponseAuthentication\ yes/g" $sshdConfig
echo -e "\e[32m"
cat $sshdConfig | grep 'UsePAM\|ChallengeResponseAuthentication'
echo -e "\e[0m"
service sshd restart
fi
}
setSshdAuth(){
pamExists=$(cat $sshdPam | grep "pam_oath.so" | wc -l)
local now=$(date +%Y-%m-%d-%H-%M-%S)
cp --verbose $sshdPam $sshdPam.$now.bak
if [ "$pamExists" -gt "0" ]
then
local cnfEscaped=$(echo $cnf | sed 's/\//\\\//g' )
echo -e "\e[31mpam_oath found in $sshdPam\n Replacing\e[0m"
sed -i "s/.*pam_oath.*/auth\ $authType\ pam_oath\.so\ usersfile\=$cnfEscaped\ window\=$window\ digits\=$pinLen/g" $sshdPam
else
read -p $'\e[33mAdd pam_oath to '${sshdPam}$' [Y/N]?\e[0m' -n 1 -r REPLY
echo
if [[ $REPLY =~ ^[Yy]$ ]]
then
echo -e "auth $authType pam_oath.so usersfile=$cnf window=$window digits=$pinLen\n\n$(cat $sshdPam)" > $sshdPam
fi
fi
echo -e "------------- $sshdPam (3) ------------------\e[32m" && cat $sshdPam | grep pam_oath && echo -e '\e[0m-----------------------------------------------'
}
generateQr(){
echo -e "\e[107m"
secret=$(oathtool --$typeLower -v $3 | grep Base32 | cut -d ' ' -f3)
qrencode -t ASCII "otpauth://$typeLower/$1@$2?secret=$secret" | sed $'s/#/\e[42m \e[0m\e[107m/g'
echo -e "\e[0m"
echo -e "Navigate to your Favorite Mobile OS's store and download FreeOTP app to scan qr code and start using OneTime authentication"
echo -e "Or use this tool [NOT RECOMMENDED- Seed provided]: oathtool --totp -v $3 "
}
getOtp(){
# digit count must match digits=$pinLen in the pam_oath line
local pin=$(oathtool -s$window --$typeLower -d$pinLen $seed)
echo -e "[ Current pin: \e[32m$pin\e[0m ]% oathtool -v -s$window --$typeLower -d$pinLen $seed" && echo ""
}
installDep
setSeed $me $seed && pause
setSshdConfig && pause
setSshdAuth && pause
generateQr $me $host $seed && getOtp $seed