Localhost Only TOTP

Ello all,
I’d like to set up a localhost-only TOTP setup for local-only accounts on my servers. I don’t want any external connection required. It has to support PAM. Does anybody know of anything that fits the requirements?

I believe the Google Authenticator PAM module would do the job?

https://www.redhat.com/sysadmin/mfa-linux

I believe it’s all local

That’s actually cool but does it phone home at all?

I looked at that. Some of the auth diagrams made me believe it was not all local.

I’m looking for a solution that can work in a degraded network situation, no networking (other than localhost).

I don’t see why it wouldn’t be local? The diagrams may have appeared that way if it was explaining the use of the Authenticator device or a setup only for accessing outside the local network.

It supports both TOTP and HOTP so it seems like an ideal and easy solution.

TOTP has no reason to make any external connections. It’s a secret value in a file on your server, and on your smart phone or a hardware token device.

Here’s a guide for pam_oath:
https://wiki.archlinux.org/index.php/Pam_oath

The FreeOTP app works well on Android phones. TOTP Authenticator works well on iPhone.

Thanks, I’ll take a look at pam_oath. It looks pretty promising.

Unfortunately, pam_oath doesn’t support fall-through if a user isn’t configured. Looks like google_authenticator does. Pam_oath has had an issue opened for this feature for two years but there isn’t any traction on it. Doesn’t look like the feature is going anywhere soon.