OATH OTP Password Login

The FireBrick supports OATH one time password authentication for logging in via HTTP or telnet, as per RFC4226. You can purchase OATH/OTP devices to go on a keyring or as an app for mobile devices. The device provides a code number for you to use when you log in, typically 6 digits.

You can either have a time-based device, typically giving a new code every minute or 30 seconds, or a device that gives a new code every time you press a key. A time-based device can be used with many systems. An event-based device can normally only be used with one system. The FireBrick supports both types of device.

Password only

For password only, simply include password="…" in the <user…/> definition. This will expect the password to be entered. The config will show a hash of the password that was entered.

OATH/OTP only

For OATH/OTP only, i.e. logging in using the digital code from your one-time password device, simply include otp="…" in the <user…/> definition quoting the serial number of your OTP device. You then enter the digital code as your password when logging in.

OATH/OTP and password

For full two-factor authentication with an OATH/OTP code and password, enter both password="…" and otp="…" in the <user…/> definition, quoting the serial number of your OTP device. When you log in, the password you enter is the digits from your OATH/OTP device immediately followed by your password.

Setting up OATH/OTP using a mobile phone

The simplest way to set up OTP is to use a mobile phone app. Select the Password/OTP option from the main menu. You are presented with a QR code to scan with your mobile app – scan it, and then enter the code and your password. This will set up your login to use OTP.

It really is as simple as that and we recommend using an OTP app for all logins for added security.

Setting up OATH/OTP devices

You will need to set up the OATH/OTP device on your FireBrick. The device will have been supplied with a key, typically a long string of hex digits. Simply put otp="…" and the key in the config. However, at the same time, you must also put password="…" and your password, as the password is used to encode your OTP key within the config.

What if you lose your OATH/OTP device?

You may want to add a user that has a good password and restricted access from only specific IP addresses as a fallback just in case you lose your token. The allow="…" attribute on the user can be used to lock down access to be from specific IP addresses only.

Using FireBrick to check credentials

Having password and OATH/OTP checking makes the FireBrick a useful tool for remote devices that need to check credentials. Using curl you can check that login details are correct, e.g.

curl http://IP-address/auth --fail --user "username:password"

This will either give an error status if the details are wrong or a zero status and no output if it works.

PCI/DSS two factor authentication for access to devices on your LAN

Many security systems (e.g. PCI/DSS for bank card handling) require two-factor authentication, i.e. a password and a code from a device as well as your user-name. The <ip-group…/> feature of the FireBrick allows firewalling rules to be created that allow specific IP addresses and ports only from the IP from which a specific user or users have logged in. By using OATH/OTP for user authentication you can set up the FireBrick to allow remote access to desktop machines via the firewall with two-factor authentication.

More information?

There is a good Wikipedia article explaining OATH/OTP devices and how they add security. You can download OATH/OTP apps for iPhone and similar devices, typically free of charge. Physical OATH/OTP devices can be purchased online for as little as €9, and by using a time-based device you can have one gadget on your key ring to authenticate to multiple systems and devices.