Linux Token Auth one-time password authentication
1. What is Token?
A token is an identifier used for identity authentication. A token also has an expiration time; that is, it is only valid for a limited period.
2. Why use a token?
Tokens are usually used when temporary or one-time identity authentication is needed.
3. When can I use the token technology?
For example, if you go to a restaurant and get a Wi-Fi password from the front desk, you can enjoy 30 minutes of Internet access. The password will expire after 30 minutes.
Our company has a lot of servers, and managing their passwords is very troublesome. Whenever personnel change, the passwords on all servers need to be changed, and occasionally some are missed. Using a bastion host can manage passwords better, but the cost is very high.
So I thought of token technology, but buying token hardware costs a lot. I know exactly how a token works: both sides use a symmetric algorithm to calculate the same key. We can therefore develop our own token without buying hardware devices, and since we already carry our mobile devices with us, it is best to develop a mobile edition of the token.
4. Where is the Token application in this article?
I use token technology to change the password of a specified Linux user periodically. Based on the time, the mobile phone calculates the same password as the server. I added four interference characters to prevent the password from being compromised.
If you are not confident in the strength of the cryptographic algorithm, you can increase its complexity on your own.
You can also change the password remotely.
5. Who will deploy
First, the administrator deploys the password modification program chpasswd.sh and then adds it to the crontab so that it runs regularly. Because readers have varying levels of experience, I wrote it in shell so that most readers can understand it.
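    # cat chpasswd.sh
    #!/bin/bash
    datetime=`date +%Y-%m-%d" "%H":"%M`
    email="neo.chan@live.com"
    #password=$(cat /dev/urandom | tr -cd [:alnum:] | fold -w30 | head -n 1)
    # UTC timestamp with the four interference characters ($1..$4) interleaved
    string=$(date -u "+%Y$1%m$2%d$3%H$4%M")
    # Derive the password from the timestamp; the phone performs the same calculation
    password=$(echo "$string" | md5sum | cut -c 2-9 | base64 | tr -d "=" | cut -c 1-32)
    # Keep a copy of the password that was just set
    echo "$password" > ~/.lastpasswd
    # Set the new password for the user www
    echo "$password" | passwd www --stdin > /dev/null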
The last password is saved in ~/.lastpasswd.
Crontab settings: change the password every minute.
    # crontab -l
    */1 * * * * /root/chpasswd.sh a b c d
a b c d: the four interference characters. Set them to the same values as on the mobile phone.
The server configuration is now complete.
6. Mobile phone Configuration
Install the token.apk file on your mobile phone:
https://github.com/oscm/Token
6.1. Set the password
Confirm Password
Select Environment
Set interference Codes
6.2. View the server password
6.3. Set the refresh time
The password is refreshed once every minute by default, so it may be updated before you have finished entering it.
If you modify this option, change the crontab settings on the server accordingly.
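The following added example (not part of the original article or the Token app) reproduces the chpasswd.sh derivation for any UTC time, so a value read from the phone can be checked against the server and a mismatch attributed either to the minute boundary or to differing interference characters. The function names token_at and token_diagnose are hypothetical, and GNU date, md5sum and base64 are assumed.

```bash
#!/bin/bash
# Added example: not from the original article or the Token app.
# Requires GNU date, md5sum and base64 (coreutils).

# token_at EPOCH A B C D
# Prints the password chpasswd.sh would set for the UTC minute containing
# EPOCH. A..D are the four interference characters from the crontab line;
# they must not be "%" because they are spliced into the date format.
token_at() {
    local epoch="$1" a="$2" b="$3" c="$4" d="$5" string
    string=$(date -u -d "@${epoch}" "+%Y${a}%m${b}%d${c}%H${d}%M") || return 1
    # 8 hex digits of the MD5 plus echo's newline are 9 bytes, so base64
    # always yields 12 characters and the later tr/cut stages change nothing.
    echo "$string" | md5sum | cut -c 2-9 | base64 | tr -d "=" | cut -c 1-32
}

# token_diagnose CANDIDATE EPOCH A B C D
# Compares the value read from the phone with the server-side value for the
# minute containing EPOCH and its two neighbours. Prints current, previous,
# next or mismatch; returns 1 on mismatch.
token_diagnose() {
    local candidate="$1" epoch="$2"
    shift 2
    if [ "$candidate" = "$(token_at "$epoch" "$@")" ]; then
        echo current
    elif [ "$candidate" = "$(token_at "$((epoch - 60))" "$@")" ]; then
        echo previous    # the value was read before the last cron run
    elif [ "$candidate" = "$(token_at "$((epoch + 60))" "$@")" ]; then
        echo next        # the phone clock is ahead of the server
    else
        echo mismatch    # interference characters differ, or drift > 1 minute
        return 1
    fi
}
```

On the server, `token_diagnose "$(cat ~/.lastpasswd)" "$(date +%s)" a b c d` should print `current` when the crontab arguments are a b c d and the cron job has run for this minute.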
Link: http://my.oschina.net/neochen/blog/297712