Wednesday, 02 October 2024

OTP-ssh email

https://chatgpt.com/share/66fe3483-ce0c-800e-9943-d8b360914b98 

To send the OTP generated by libpam-oath via email using mailutils (a simple mail-sending utility), you'll need to combine the OTP generation process with the email-sending process using a shell script. Below is a step-by-step guide to configure libpam-oath and send OTP via mailutils.

Step 1: Install libpam-oath and mailutils

  1. Install libpam-oath: On Ubuntu/Debian:

    bash
    sudo apt-get install libpam-oath
  2. Install mailutils: On Ubuntu/Debian:

    bash
    sudo apt-get install mailutils

Step 2: Configure libpam-oath

  1. Create an OATH users file: Edit /etc/security/oath/users.oath and add your users with their secret keys.

    Example of a TOTP configuration:

    TOTP user1 - base32secret3232

    Ensure the permissions are secure:

    bash
    sudo chmod 600 /etc/security/oath/users.oath
  2. Configure PAM for libpam-oath: Edit the PAM file for the service you want to protect, such as SSH (/etc/pam.d/sshd), and add the following line:

    bash
    auth required pam_oath.so usersfile=/etc/security/oath/users.oath window=30 digits=6

Step 3: Create a Script to Generate OTP and Send via mailutils

You can use a shell script to generate the OTP code and send it via email using mailutils.

  1. Generate OTP Using oathtool: Use the oathtool command to generate the OTP for a user. For example:

    bash
    oathtool --totp -b base32secret3232
  2. Create a Shell Script:

    Here’s an example of a shell script that generates an OTP and sends it via mailutils:

    bash
    #!/bin/bash
    # User's OATH secret key (from /etc/security/oath/users.oath)
    SECRET_KEY="base32secret3232"
    RECIPIENT_EMAIL="user@example.com"

    # Generate the OTP using oathtool
    OTP_CODE=$(oathtool --totp -b "$SECRET_KEY")

    # Subject and body of the email
    SUBJECT="Your One-Time Password"
    BODY="Your OTP code is: $OTP_CODE"

    # Send the OTP code via email using mailutils
    echo "$BODY" | mail -s "$SUBJECT" "$RECIPIENT_EMAIL"
  3. Save the Script: Save this script as send_otp.sh and make it executable:

    bash
    chmod +x /path/to/send_otp.sh

Step 4: Integrate the Script with PAM

To send the OTP code via email when the user tries to log in, integrate the script with PAM using the pam_exec.so module.

  1. Edit PAM Configuration:

    Edit /etc/pam.d/sshd or any other PAM configuration file where you want to apply the OTP email sending. Add the following line to execute the script during the authentication process:

    bash
    auth required pam_exec.so /path/to/send_otp.sh
  2. Test the Configuration: When you attempt to log in to the service (e.g., SSH), the OTP will be generated and sent to the user's email using mailutils.
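The script in Step 3 hard-codes one secret for every login, and users.oath stores the secret as hex rather than base32 (setupOath.sh below writes a hex seed there and has oathtool convert it to Base32 only for the otpauth:// QR code). As an added example that is not from the original post or from either project, this Python helper does what a pam_exec hook should do: look up PAM_USER's own entry in users.oath and derive its code with the RFC 4226/6238 algorithm instead of calling oathtool; USERS_OATH and the user names are constructed, and the secret is the RFC test key so the codes match the published vectors.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample users.oath (not a real deployment). libpam-oath stores the
# secret as HEX, not base32; this one is the RFC 4226/6238 test key
# "12345678901234567890", so the codes can be checked against the RFC vectors.
USERS_OATH = """\
# type       user   pin  secret (hex)
HOTP         alice  -    3132333435363738393031323334353637383930
HOTP/T30/6   bob    -    3132333435363738393031323334353637383930
"""

def lookup_user(users_oath, user):
    """Return (otp_type, hex_secret) for `user`, or None if not listed."""
    for line in users_oath.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0][0] != "#" and fields[1] == user:
            return fields[0], fields[3]
    return None

def hotp(hex_secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(bytes.fromhex(hex_secret), counter.to_bytes(8, "big"),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(hex_secret, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if unix_time is None else unix_time
    return hotp(hex_secret, int(now) // step, digits)

def otp_for_user(users_oath, user, unix_time=None):
    """OTP for the secret belonging to `user` (PAM_USER inside a pam_exec helper)."""
    entry = lookup_user(users_oath, user)
    if entry is None:
        raise KeyError(f"{user} is not in users.oath")
    otp_type, secret = entry
    if "/T" in otp_type.upper() or otp_type.upper().startswith("TOTP"):
        return totp(secret, unix_time)
    return hotp(secret, counter=0)  # event-based: a real helper must track the counter

def provisioning_secret(hex_secret):
    """Base32 form of the hex secret, as otpauth:// URIs and `oathtool -b` expect."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode().rstrip("=")
```

Run from pam_exec it would use os.environ["PAM_USER"], read /etc/security/oath/users.oath as root, and hand the result to mail as in Step 3.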

Step 5: Testing and Securing the Setup

  1. Testing:

    • Attempt to log in using SSH or any service configured with PAM.
    • You should receive an email with the OTP code.
    • Enter the OTP in the authentication prompt.
  2. Security Considerations:

    • Permissions: Ensure that the script (send_otp.sh) and the users.oath file are properly secured to prevent unauthorized access.
    • Email Security: Make sure the email server is set up to use encryption (TLS) to protect the contents of the emails.

Summary

You can use libpam-oath to generate an OTP code and send it via email using mailutils with a custom shell script. By configuring PAM to execute the script during the authentication process, the user will receive the OTP in their email. Let me know if you need further assistance with any part of the setup!

=================================================================

https://github.com/reekol/oath-installer-debian-ubuntu/blob/master/setupOath.sh


#!/bin/bash
# setupOath.sh: single-user libpam-oath installer for SSH (HOTP by default).

version='0.0.4'
me=$(whoami)
host=$(hostname)
seed=$(head -10 /dev/urandom | sha512sum | cut -b 1-30)   # 30 hex chars: the form users.oath expects
authType="required" # required || sufficient || requisite
type="HOTP"
window="30"
pinLen="6"
cnf="/etc/users.oath"
sshdConfig="/etc/ssh/sshd_config"
sshdPam="/etc/pam.d/sshd"
typeLower=$(echo $type | tr '[:upper:]' '[:lower:]')

pause(){ read -p $'\e[33mEnter to continue\e[0m' -n 1 -r; }

version() { echo $version 1>&2; exit 0; }

### START MENU SECTION ####

# 'h' was missing from the short option string, so -h fell through to "Wrong arguments!"
TEMP=$(getopt -o u:s:w:l:vh --long user:,seed:,window:,length:,version,help -n "$0" -- "$@")
eval set -- "$TEMP"

usage() {   echo -e "Usage: \n\
        -u --user       User.\n\
        -s --seed       Seed.\n\
        -w --window     Algorithm window size.\n\
        -l --length     Length of the pin.\n\
        -h --help       Usage: Prints this help.\n\
        -v --version    Prints version.\n\
" 1>&2; exit 1; }

while true ; do
    case "$1" in
        -u|--user)           me=$2;     shift 2;;
        -s|--seed)           seed=$2;   shift 2;;
        -w|--window)         window=$2; shift 2;;
        -l|--length)         pinLen=$2; shift 2;;
        -v|--version)        version;   shift 2;;
        -h|--help)           usage;     shift  ;;
        --)                             break  ;;
        *) echo "Wrong arguments!" ;    exit 1 ;;
    esac
done

echo -e  "\e[33mCurrent configuration: \n\
        -u --user       $me\n\
        -s --seed       $seed\n\
        -w --window     $window\n\
        -l --length     $pinLen\n\
        -v --version    $version\n\
          \e[0m"

### END MENU SECTION ####

pause

installDep(){
    if [ $(dpkg -l | grep libpam-oath | wc -l ) -eq "0" ]; then apt-get install libpam-oath; fi
    if [ $(dpkg -l | grep oathtool    | wc -l ) -eq "0" ]; then apt-get install oathtool   ; fi
    if [ $(dpkg -l | grep -v libqrencode | grep qrencode    | wc -l ) -eq "0" ]; then apt-get install qrencode   ; fi
}

setSeed(){
    # Overwrites $cnf, so any previously enrolled user is dropped.
#    echo -e "\n$type/T$window/$pinLen $1  -   $2" > $cnf
    echo -e "$type $1  -   $2\n" > $cnf
    chmod 600 $cnf && chown root $cnf
    echo -e "\e[32m" && cat $cnf && echo -e "\e[0m"
}

setSshdConfig(){
    local now=$(date +%Y-%m-%d-%H-%M-%S)
    read -p $'\e[33mReconfigure '${sshdConfig}$' [Y/N]?\e[0m' -n 1 -r REPLY
    echo
    if [[  $REPLY =~ ^[Yy]$ ]]
    then
        cp --verbose $sshdConfig $sshdConfig.$now.bak
        sed -i "s/^UsePAM\ .*/UsePAM\ yes/g" $sshdConfig
        # OpenSSH 8.7+ calls this option KbdInteractiveAuthentication; the old name is still accepted.
        sed -i "s/^ChallengeResponseAuthentication\ .*/ChallengeResponseAuthentication\ yes/g" $sshdConfig
        echo -e "\e[32m"
        cat $sshdConfig | grep 'UsePAM\|ChallengeResponseAuthentication'
        echo -e "\e[0m"
        service sshd restart
    fi
}

setSshdAuth(){
    pamExists=$(cat $sshdPam | grep "pam_oath.so" | wc -l)
    local now=$(date +%Y-%m-%d-%H-%M-%S)
    cp --verbose $sshdPam $sshdPam.$now.bak
    if [ "$pamExists" -gt "0" ]
    then
        local cnfEscaped=$(echo $cnf | sed 's/\//\\\//g' )
        echo -e "\e[31mpam_oath found in $sshdPam\n Replacing\e[0m"
        sed -i "s/.*pam_oath.*/auth\ $authType\ pam_oath\.so\ usersfile\=$cnfEscaped\ window\=$window\ digits\=$pinLen/g"  $sshdPam
    else
        read -p $'\e[33mAdd pam_oath to '${sshdPam}$' [Y/N]?\e[0m' -n 1 -r REPLY
        echo
        if [[  $REPLY =~ ^[Yy]$ ]]
        then
            echo -e "auth $authType pam_oath.so usersfile=$cnf window=$window digits=$pinLen\n\n$(cat $sshdPam)" > $sshdPam
        fi
    fi
    echo -e "------------- $sshdPam (3) ------------------\e[32m" && cat $sshdPam | grep pam_oath && echo -e '\e[0m-----------------------------------------------'
}

generateQr(){
    echo -e "\e[107m"
    # oathtool -v prints the hex seed's Base32 form, which the otpauth:// URI requires
    secret=$(oathtool --$typeLower -v $3 | grep Base32 | cut -d ' ' -f3)
    qrencode -t ASCII "otpauth://$typeLower/$1@$2?secret=$secret" | sed $'s/#/\e[42m \e[0m\e[107m/g'
    echo -e "\e[0m"
    echo -e "Navigate to your Favorite Mobile OS's store and download FreeOTP app to scan qr code and start using OneTime authentication"
    echo -e "Or use this tool [NOT RECOMMENDED- Seed provided]: oathtool --$typeLower -v $3 "
}

getOtp(){
    local pin=$(oathtool -s$window --$typeLower -d$pinLen $seed)
    echo -e "[ Current pin: \e[32m$pin\e[0m ]% oathtool -v -s$window --$typeLower -d$pinLen $seed" && echo ""
}

installDep
setSeed $me $seed && pause
setSshdConfig && pause
setSshdAuth && pause
generateQr $me $host $seed && getOtp $seed
