Dynamic password authentication

1

I would like to know how I can (and whether it is possible to) create dynamic authentication for a user on Linux.

The server would change the user's password periodically, and the user would use a program (like a token) to retrieve and enter the correct password.

    
by Renato Augusto 18.06.2014 / 15:47

1 answer

3

Not exactly what you are looking for, but I have seen OTPW used for these scenarios. It is a complete package that integrates with a Linux system via PAM modules.

excerpt

The OTPW package consists of the one-time-password generator otpw-gen plus two verification routines otpw_prepare() and otpw_verify() that can easily be added to programs such as login or ftpd on POSIX systems. For platforms that support the Pluggable Authentication Method (PAM) interface, a suitable wrapper is included as well. Login software extended this way will allow reasonably secure user authentication over insecure network lines. The user carries a password list on paper. The scheme is designed to be robust against theft of the paper list and race-for-the-last-letter attacks. Cryptographic hash values of the one-time passwords are stored for verification in the user’s home directory.

In your case, you will want to follow the instructions on that page detailing the PAM installation.

excerpt

If your system supports Pluggable Authentication Modules [Mor01,XSSO], then simply compile the shared library pam_otpw.so and copy it to the directory in which other PAM modules reside (under Linux usually /lib/security/). Then edit the PAM configuration file for the application in which you want to use OTPW, as described in your PAM System Administrators’ Guide. The pam_otpw.so provides both an authentication and a session component. The authentication component asks for and verifies a one-time password, the session component prints after each successful login a reminder on how many unused passwords you have left.

To use both components when login into your system via Secure Shell, you might have to add in /etc/pam.d/sshd the lines

 auth            required        pam_otpw.so
 session         optional        pam_otpw.so

With OpenSSH 3.4 for example, you need to make sure that your version has PAM support compiled in, and you will have to add in /etc/ssh/sshd_config the lines

 UsePrivilegeSeparation          no
 PAMAuthenticationViaKbdInt      yes

To force OpenSSH to use PAM authentication (instead of its own hostbased or publickey methods, which it normally tries first), use “ssh -o PreferredAuthentications=keyboard-interactive”.

    
by 18.06.2014 / 16:05
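
An added example, not part of the answer above or of the OTPW package: a small audit of a PAM service file such as /etc/pam.d/sshd that checks the two pam_otpw.so lines from the excerpt are present and that no earlier auth entry lets a login finish before the one-time password is requested. The function name audit_pam_otpw and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample of /etc/pam.d/sshd, not taken from a real host.
SAMPLE_SSHD_PAM = """\
# PAM stack for sshd
auth     sufficient  pam_unix.so nullok
auth     required    pam_otpw.so
account  required    pam_unix.so
session  optional    pam_otpw.so
"""

# type, control (plain word or [bracketed] form), module path
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def audit_pam_otpw(text):
    """Return findings for a PAM service file that is meant to enforce OTPW."""
    findings, auth_seen, session_seen = [], False, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY.match(line)
        pulls_auth = m and m.group(1) == "auth" and m.group(2) in ("include", "substack")
        if line.startswith("@include") or pulls_auth:
            if not auth_seen:
                findings.append(f"line {n}: included stack runs before pam_otpw.so, review it")
            continue
        if not m:
            findings.append(f"line {n}: could not parse entry")
            continue
        kind, control, module = m.groups()
        is_otpw = module.endswith("pam_otpw.so")
        if kind == "auth" and is_otpw:
            auth_seen = True
            if control not in ("required", "requisite"):
                findings.append(f"line {n}: pam_otpw.so auth control is '{control}', not required")
        elif kind == "auth" and control == "sufficient" and not auth_seen:
            # A successful 'sufficient' module ends the auth stack early.
            findings.append(f"line {n}: sufficient {module} can succeed before pam_otpw.so runs")
        elif kind == "session" and is_otpw:
            session_seen = True
    if not auth_seen:
        findings.append("no auth entry for pam_otpw.so")
    if not session_seen:
        findings.append("no session entry for pam_otpw.so")
    return findings

if __name__ == "__main__":
    for finding in audit_pam_otpw(SAMPLE_SSHD_PAM):
        print(finding)
```
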