PAM_OBC: out-of-band challenge-response authentication module
paul
pgsery at swcp.com
Fri Oct 24 04:25:06 UTC 2008
The pam_obc module transmits a random challenge to the user via an
out-of-band channel. The user authenticates by correctly answering the
challenge.
pam_obc looks to pam_obc.conf for users and their associated actions.
When called, pam_obc tries to find the user in the configuration file.
If the user is found, pam_obc generates a one-time password (a random
string), pipes it to the action's standard input and then executes the
action. The action transmits the password to the user.
For instance, put pam_obc.so in the SSH stack and add the following line
to pam_obc.conf:
someone:/bin/mail -s 'Out-of-band challenge' someone at someplace.com
In this case, when Someone tries to authenticate via SSH, pam_obc
generates a random string and pipes it to /bin/mail's standard input.
The challenge is then emailed to Someone, who authenticates by proving
knowledge of the challenge.
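The flow just described, written out as an added C illustration (this is not the pam_obc source; function names and the sample conf text are assumptions): look the user up in pam_obc.conf-style "user:action" lines, draw a random challenge from /dev/urandom, pipe it to the action's standard input, and then check the user's answer against it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find the "user:action" line for user in conf text (assumed pam_obc.conf layout).
 * Copies the action into out and returns 1; returns 0 if the user is not listed,
 * which is the case where the module would decline to challenge. */
int obc_lookup_action(const char *conf, const char *user, char *out, size_t outlen) {
    size_t ulen = strlen(user);
    const char *p = conf;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        /* exact user match: name must be followed by ':' so "al" never matches "alice" */
        if (linelen > ulen && strncmp(p, user, ulen) == 0 && p[ulen] == ':') {
            size_t alen = linelen - ulen - 1;
            if (alen >= outlen) return 0;        /* action would not fit: treat as not found */
            memcpy(out, p + ulen + 1, alen);
            out[alen] = '\0';
            return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* Fill buf with `chars` hex digits drawn from /dev/urandom (one-time challenge).
 * buf must hold chars + 1 bytes. Returns 0 on success, -1 on failure. */
int obc_gen_challenge(char *buf, size_t chars) {
    static const char hex[] = "0123456789abcdef";
    FILE *ur = fopen("/dev/urandom", "rb");
    if (!ur) return -1;
    for (size_t i = 0; i < chars; i++) {
        int b = fgetc(ur);
        if (b == EOF) { fclose(ur); return -1; }
        buf[i] = hex[b & 0x0f];
    }
    buf[chars] = '\0';
    fclose(ur);
    return 0;
}

/* Run the configured action with the challenge on its stdin, as pam_obc does.
 * Returns the action's exit status, or -1 if it could not be started. */
int obc_send_challenge(const char *action, const char *challenge) {
    FILE *f = popen(action, "w");
    if (!f) return -1;
    fprintf(f, "%s\n", challenge);
    return pclose(f);
}

/* Compare the answer to the issued challenge without early exit on mismatch,
 * so response time does not reveal how many leading characters were right. */
int obc_verify(const char *expected, const char *answer) {
    size_t n = strlen(expected);
    if (strlen(answer) != n) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(expected[i] ^ answer[i]);
    return diff == 0;
}
```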
A more secure pam_obc configuration would email the challenge to
Someone's cell phone or pager. Using a cell phone, for instance,
achieves a channel physically separate from the SSH channel. That cell
phone or pager channel is also inexpensive and ubiquitous.
I've used pam_obc to give visitors easily managed and secure user
accounts on my servers. I'm also working on making PAM work with the
OpenSSH "required methods" found at:
https://bugzilla.mindrot.org/show_bug.cgi?id=983. When that works,
pam_obc will give OpenSSH a true, two-factor authentication mechanism
when coupled with two required authentication methods.
You can find pam_obc at http://sourceforge.net/projects/pamobc.
I hope this is an appropriate way to release this module. Please give me
feedback.