Perhaps you occasionally find it necessary to access your email or log in to a remote server from a computer that is not your own. The problem, of course, is that it is often unwise to type your password into computers that are not under your control. Terminals at libraries, internet cafes, or maybe even your less-careful friends' houses could be running keystroke loggers.
There are existing solutions for this, of course. The two obvious choices are a One Time Password system (like S/Key or OTPW) or a Two Factor Authentication system (like RSA SecureID or CryptoCard). We don't like the OTP option because it requires that you carry a list of passwords around with you, there can be logistical problems if you get to the end of your list while you're still traveling, and you have to type your constant "prefix" for each OTP into untrusted computers. So we prefer two factor authentication because there is the security of two factors (something you have and something you know) and it solves the keystroke logging problem in a more convenient way (no lists, no out of date information, no typing of anything but a temporary access code into untrusted computers).
Ironically, then, the problem with systems like SecureID or CryptoCard is that they're often not convenient. They cost money to license, the hardware costs money, and they're difficult to maintain. You have to set up a dedicated Solaris machine with RADIUS support just to deploy SecureID, which isn't really great for someone with a small setup.
And that's why we wrote this. Barada turns your phone into a two factor authentication device. It's an implementation of the HOTP protocol in the form of a PAM module (the server) and an Android application (the client).
Basically, in addition to a normal password, users are also assigned a PIN number and a 128 bit key. Every time you'd like to login using two-factor authentication, you open up the Android application, type in your PIN number, and get back a six-character one time password that you can then use to authenticate remotely. The PIN number is not stored on the phone, and the OTP can only be used exactly once. Thus, the loss of the phone does not result in leaked passwords, and the capture of an OTP does not result in remote access.
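The two properties described above (a six-digit code derived from a shared key, and an OTP that is accepted exactly once) come from the HOTP algorithm (RFC 4226) plus a server-side counter. The following is an added illustration, not Barada's own code: a minimal RFC 4226 HOTP generator and a server-side verifier that keeps a per-user counter and a look-ahead window, so a replayed code is rejected and a client that has generated a few codes without submitting them can still resynchronize. How Barada mixes the PIN into the computation is not described on this page, so the example leaves the PIN out; the `HotpServer` class, the `window` size and the 128-bit demo key are assumptions made for the example.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class HotpServer:
    """Server-side state for one user (assumed structure, not Barada's):
    the shared key and the next counter value the server expects."""

    def __init__(self, key: bytes, window: int = 10):
        self.key = key
        self.counter = 0        # next counter value we are willing to accept
        self.window = window    # how far ahead the client may have drifted

    def verify(self, candidate: str) -> bool:
        # Try the expected counter and a bounded number of values after it.
        for i in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, i), candidate):
                # Advance past the accepted value: this code, and any earlier
                # one, can never be accepted again, which gives single use.
                self.counter = i + 1
                return True
        return False


def single_use_demo():
    """Walk through one login, a replay attempt, and a resync after drift."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed 128-bit key
    server = HotpServer(key)
    client_counter = 0

    otp = hotp(key, client_counter)
    client_counter += 1
    first = server.verify(otp)      # fresh code: accepted
    replay = server.verify(otp)     # same code again: rejected

    client_counter += 2             # client generated two codes it never submitted
    otp2 = hotp(key, client_counter)
    client_counter += 1
    drift = server.verify(otp2)     # still inside the look-ahead window: accepted

    return first, replay, drift, server.counter


if __name__ == "__main__":
    print(single_use_demo())
```

Calling `single_use_demo()` returns `(True, False, True, 4)`: the first code is accepted, its replay is refused, and after the client skipped two counter values the server catches up and its counter moves past the accepted value. The `hotp` function reproduces the RFC 4226 test vectors (key `12345678901234567890`, counter 0 gives `755224`).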
This module can be installed above the normal authentication module in the PAM stack, so at any moment you can either use your normal password or Barada's two-factor authentication interchangeably. Sitting at a trusted computer, you might choose to quickly type in a password, while you might choose to use two-factor authentication when using a non-trusted or public computer.
First download and unpack the PAM module:
- Download barada-pam
- tar zxvf barada-pam-0.5.tar.gz
- cd barada-pam-0.5
- sudo make install
You then need to configure your PAM stack to use the Barada module for authorization. In the /etc/pam.d/ directory you will find a list of programs which use PAM. If, for instance, you would like to use this in conjunction with SSH, you'd edit the file /etc/pam.d/sshd -- which should already exist. Just above the line:
...you would add the line:
auth sufficient pam_barada.so
This means that when sshd calls out to the PAM stack for authorization, the barada module will be used before the standard password-based authorization module. Here we have listed it as "sufficient," which means that should the authorization succeed it will be considered successful, but if it fails it will continue on with the rest of the PAM stack to try and find a success. This means that at any time you can use an OTP credential or your password.
Once you have PAM configured, you need to set up the Barada credentials for the users you would like to make it available for. The program "barada-add" should have been installed into /usr/local/bin/ and should be run as such:
- sudo barada-add <username> <pin>
$ sudo barada-add someUser 1234
Added someUser with key:
The key printed here needs to be installed on the user's device (available for free via Android Market). The best way to do it is to read it off the screen here and type it in directly when the Android-based client software prompts you for it. This is the only time that you'll have to enter the key. After that, you'll just need to enter the PIN each time you want an OTP.
At this point, you should be ready to go.
- Added licensing exception for OpenSSL.
- Added some syslog output.
- Moved credentials directory from /etc/hotp.d/ to /etc/barada.d/ — if upgrading from 0.3, you'll need to run "sudo mv /etc/hotp.d /etc/barada.d"
- Fixed bug in barada-add tool that failed to create barada user credentials with old version of the Boost library.
- Fixed key formatting bug that occasionally wrote incorrect hex values to barada user credentials.
- Renamed PAM module to pam_barada.
- Renamed barada credentials tool to barada-add