Start VirtualBox and run Debian Virtual Machine
Login to virtual as root/password
Enter:
$ apt-get update
$ apt-get install mc
Locate a line in the file starting with ChallengeResponseAuthentication and change the value to yes:
$ mcedit /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
Restart SSH:
$ /etc/init.d/ssh restart
Add new user, setup password and define your email:
$ useradd -m emailuser
$ passwd emailuser
$ usermod -c vas@tuke.mail emailuser
Install required package:
$ apt-get install python-pam libpam-python
Download pam module source
$ wget http://zeus.fei.tuke.sk/bps3r/pam.py
$ mv pam.py /lib/security/pam.py
Modify python pam module, and change ephasised variables:
$ mcedit /lib/security/pam.py
import random, string,hashlib
import pwd, syslog import smtplib
#change properly following emphasized lines... fromaddr = 'your tuke email address'
toaddrs = 'your tuke email address'
username = 'your mais login'
password = 'your mais password'
def mail(to,pin):
msg = 'Subject: Ssh access verification\n\nEnter your PIN:'+ pin
server = smtplib.SMTP_SSL('smtp.tuke.sk',465)
#server.set_debuglevel(1)
server.login(username, password)
server.sendmail(fromaddr, to, msg)
server.quit()
def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
return ''.join(random.choice(chars) for x in range(size))
def get_user_mail(user):
try:
comments = pwd.getpwnam(user).pw_gecos
except KeyError: # Bad user name
auth_log("No local user (%s) found." % user)
return -1
return comments
def pam_sm_authenticate(pamh, flags, argv):
try:
user = pamh.get_user()
user_mail = get_user_mail(user)
except pamh.exception, e:
return e.pam_result
if user is None or user_mail == -1:
msg = pamh.Message(pamh.PAM_ERROR_MSG, "Not such user")
pamh.conversation(msg)
return pamh.PAM_ABORT
#pin=nahodna hodnota
#poslanie mailu s pinom na adresu uzivatela
pin=id_generator()
mail(user_mail,pin)
for attempt in range(0,3): # 3 attempts to enter the one time PIN
msg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Enter one time mail PIN:")
resp = pamh.conversation(msg)
if resp.resp == pin:
return pamh.PAM_SUCCESS
else:
continue
return pamh.PAM_AUTH_ERR
def pam_sm_setcred(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_acct_mgmt(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_open_session(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_close_session(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_chauthtok(pamh, flags, argv):
return pamh.PAM_SUCCESS
Check your code for errors:
$ python /lib/security/pam.py
Configure pam to use the new pam module.
$ mcedit /etc/pam.d/sshd
# Standard Un*xauthentication.
@include common-auth
auth requisite pam_python.so pam.py
Open web browser and login to your tuke email account
http://posta.tuke.sk
Try to login as google user with SSH protocol, enter PIN from email (it's case sensitive)
$ ssh emailuser@localhost
Check your mailbox for new email and try to finish ssh login