Marcus Pedersén committed
# add-totp

add-totp - Add an additional TOTP prompt at login

This is a binary crate whose aim is to present an extra prompt for a TOTP code.
The main problem it solves is that when you log in with ssh using a public key,
sshd does not go through the PAM stack that is configured with the oath tool, so
you are never prompted for the TOTP password. add-totp fills that gap: if the user
logged in with a public key, the user is prompted for the TOTP password, and if
the code is not valid the user is logged out. add-totp can be used for other login
types as well; change `login_type` in the config file and you will be prompted
whenever that way of logging in is used.

## config file

For an example config file, see: add-totp.conf.template

The default values and an explanation of each setting:
```
# add-totp.conf
# This config file uses the toml format.
# More information on toml can be found at: https://toml.io

# All values below are the default values
# Remove the comment and change the value if needed for your config

# Static file path to the login log that
# logs all logins on the system
# Usually:
# /var/log/auth.log
# or
# /var/log/secure
#
auth_path = "/var/log/auth.log"

# Static file path to the oath file
# that contains all users and oath codes
#
oauth_user_path = "/etc/security/users.oath"

# Static file path to the access file
# File that contains IP numbers of allowed networks
# Networks that do not need the oath login prompt
# This file is also used with pam_oath.so to
# control when to show the prompt for the password
#
access_path = "/etc/security/access-local.conf"

# Login type where this extra
# login should be used
# Valid values are: Password, PublicKey, KeyboardInteractive, Local, Unknown
#
login_type = "PublicKey"

# Static file path to log file
#
log_path = "/var/log/add-totp.log"

# Hash function that this program
# should use to calculate the TOTP code
# Valid values are: Sha1, Sha256, Sha512
#
hash = "Sha1"
```
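The decision described above (prompt only when the current session arrived via the configured `login_type`, and skip the prompt for addresses in a trusted network) depends on reading the login method and source address back out of `auth_path`. The following is an added, self-contained example written for this README, not code from the add-totp crate: it parses constructed sshd `Accepted ...` lines in the usual `/var/log/auth.log` layout, maps the sshd method word onto the `login_type` values listed in the config, and checks the source IPv4 address against CIDR networks. The `Accepted <method> for <user> from <ip>` line layout is sshd's; the names `last_ssh_login`, `in_network` and `should_prompt`, the treatment of a missing ssh record as a `Local` login, and the log lines themselves are assumptions made for the example.

```rust
use std::net::Ipv4Addr;

/// Login types mirroring the valid values of `login_type` in add-totp.conf.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum LoginType {
    Password,
    PublicKey,
    KeyboardInteractive,
    Local,
    Unknown,
}

/// Constructed sample of sshd lines as they appear in /var/log/auth.log (not a real log).
pub const SAMPLE_LOG: &str = "\
Jan 10 12:00:01 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
Jan 10 12:00:05 host sshd[1235]: Accepted password for bob from 198.51.100.7 port 51235 ssh2
Jan 10 12:00:09 host sshd[1236]: Accepted keyboard-interactive/pam for carol from 203.0.113.4 port 51236 ssh2
Jan 10 12:00:12 host sshd[1237]: Failed password for alice from 198.51.100.9 port 51237 ssh2
";

/// Map the method word of an sshd "Accepted <method> for <user> ..." line
/// onto the config's login_type values.
pub fn classify_method(method: &str) -> LoginType {
    match method {
        "password" => LoginType::Password,
        "publickey" => LoginType::PublicKey,
        m if m.starts_with("keyboard-interactive") => LoginType::KeyboardInteractive,
        _ => LoginType::Unknown,
    }
}

/// Find the most recent successful sshd login of `user` in the log text and
/// return how they authenticated plus the source address. Only "Accepted"
/// lines count; "Failed" lines are ignored.
pub fn last_ssh_login(log: &str, user: &str) -> Option<(LoginType, Ipv4Addr)> {
    log.lines()
        .rev()
        .filter(|l| l.contains("sshd[") && l.contains("Accepted "))
        .find_map(|line| {
            let rest = line.split("Accepted ").nth(1)?;
            let mut w = rest.split_whitespace();
            let method = w.next()?;
            if w.next()? != "for" || w.next()? != user || w.next()? != "from" {
                return None;
            }
            let ip: Ipv4Addr = w.next()?.parse().ok()?;
            Some((classify_method(method), ip))
        })
}

/// True when `ip` lies inside the CIDR network `cidr` (e.g. "192.0.2.0/24");
/// None when the CIDR string is malformed, so a bad entry never silently matches.
pub fn in_network(ip: Ipv4Addr, cidr: &str) -> Option<bool> {
    let (net, bits) = cidr.split_once('/')?;
    let net: Ipv4Addr = net.parse().ok()?;
    let bits: u32 = bits.parse().ok()?;
    if bits > 32 {
        return None;
    }
    let mask = if bits == 0 { 0 } else { u32::MAX << (32 - bits) };
    Some(u32::from(ip) & mask == u32::from(net) & mask)
}

/// Decide whether the extra TOTP prompt applies to this session: the login
/// must match the configured login_type and the source must not be in a
/// trusted network. A user with no sshd record is treated as a Local login
/// (assumption for this example).
pub fn should_prompt(log: &str, user: &str, configured: LoginType, trusted: &[&str]) -> bool {
    match last_ssh_login(log, user) {
        Some((kind, ip)) => {
            kind == configured && !trusted.iter().any(|c| in_network(ip, c) == Some(true))
        }
        None => configured == LoginType::Local,
    }
}

fn main() {
    for user in ["alice", "bob", "carol", "dave"] {
        let prompt = should_prompt(SAMPLE_LOG, user, LoginType::PublicKey, &["10.0.0.0/8"]);
        println!("{user}: {:?} -> prompt for TOTP: {prompt}", last_ssh_login(SAMPLE_LOG, user));
    }
}
```

Note that the trusted-network check matches the real binary's intent only if `access_path` lists networks in a form this parser understands; pam_access-style lines carry extra fields, so a production reader must parse that file's actual syntax rather than bare CIDR strings as done here.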

## Installation
### Compilation
To compile it yourself, make sure that you have rust and cargo installed and then run:
```
git clone https://projects.interbull.org/marcus/add-totp.git
cd add-totp
cargo build --release
# After compilation has finished, find binary: ./target/release/add-totp
```

To view the source code documentation:
```
cargo doc --open --bin add-totp
# Doc can be found in ./target/doc/add-totp/index.html
```

### Binary arch Linux x86_64
Find the latest release at:  
```
https://projects.interbull.org/marcus/add-totp.git
```
* Download the binary: add-totp-x.x.x-linux-x86_64
* Rename binary to add-totp
* Move binary to: /usr/sbin/add-totp
* Change owner to root: chown root:root /usr/sbin/add-totp
* Change permissions to: chmod 4111 /usr/sbin/add-totp
* Download man pages: add-totp-x.x.x-man.1.gz and add-totp.conf-x.x.x-man.5.gz
* Rename files to: add-totp.1.gz and add-totp.conf.5.gz
* Move files to /usr/share/man/man1/add-totp.1.gz and /usr/share/man/man5/add-totp.conf.5.gz
* Edit config file /etc/add-totp.conf if needed
* Config logrotate, see man add-totp(1)
* Add /usr/sbin/add-totp to /etc/profile  
  **WARNING!** Make sure that you have tested thoroughly before you add it to profile, otherwise you can lock yourself out of the system.

### Debian package installation amd64
Find the latest release at:  
```
https://projects.interbull.org/marcus/add-totp.git
```
* Download the debian package: add-totp_x.x.x-x_amd64.deb
* Install with: apt install /path/to/deb/package/add-totp_x.x.x-x_amd64.deb
* Add /usr/sbin/add-totp to /etc/profile  
  **WARNING!** Make sure that you have tested thoroughly before you add it to profile, otherwise you can lock yourself out of the system.