LinOTP with oath

Disclaimer: This is not meant to circumvent security policies. Ensure your disk is encrypted to prevent unauthorized access to your key, and always keep your PIN secret: adding your PIN to your key generator completely defeats the purpose of two-factor authentication. Google Authenticator/HOTP/TOTP are all open standards with open-source implementations; this is simply another software-based implementation of those standards. If you have a problem with that, then maybe you should be using a proprietary solution that's not a published standard.

Ok let's begin.

  • Go to your LinOTP dashboard and create a new Google Authenticator token
  • From the popup copy the link URL; it should look something like this:

otpauth://hotp/LSGO1234567890987654?secret=OMGREALLYREALLYLONGBASE32NUMBER&counter=0
  • Here is a quick Python script to convert the base32 secret from the URL into the hex key oathtool expects (oathtool reads the key as hex by default; it can also take the base32 string directly with -b/--base32). Decoding with a real base32 decoder keeps the byte alignment, so no trailing-digit fix-up is needed. Google Authenticator's base32 character set (the RFC 4648 alphabet A-Z, 2-7) is described here: https://github.com/akerl/google-authenticator/blob/master/base32.c

  • Just change the value of KEY_FROM_URL and run it

    #!/usr/bin/env python
    import base64
    import binascii
    
    KEY_FROM_URL = "OMGREALLYREALLYLONGBASE32NUMBER"
    
    def base32_to_hex(secret):
        # The otpauth URL drops the '=' padding; restore it so the standard
        # decoder accepts the string (its length must be a multiple of 8).
        secret = secret.strip().upper()
        secret += "=" * (-len(secret) % 8)
        # A real RFC 4648 decode preserves leading zero bits and byte
        # alignment, which a big-number base conversion does not.
        return binascii.hexlify(base64.b32decode(secret)).decode("ascii")
    
    # Print the hex key to pass to oathtool
    print(base32_to_hex(KEY_FROM_URL))
    
  • From the LinOTP dashboard add a PIN to your new authenticator and then go to the resync token tab

  • The following command generates the two consecutive OTPs the resync form asks for: -c sets the starting counter (1) and -w how many further counter values to print (1), so you get the codes for counters 1 and 2

oathtool -c 1 -w 1 YOUR_HEX_KEY_FROM_THE_EARLIER_STEP

  • If you get a confirmation that it synced then you're good to go
  • Since the "-c" counter must increase every time you use the key (an HOTP counter value must never be reused), I created a quick script that outputs one token and keeps a persistent counter
  • Create the "$HOME/.authcounter" file and just put the number "3" in it (counters 1 and 2 were consumed by the resync). This starts the token counter at 3, and every time you run the script it raises the number by 1
    #!/bin/bash
    # Software HOTP token: print the next OTP and advance the stored counter.
    key=PUT_YOUR_HEX_KEY_HERE
    counter_file="$HOME/.authcounter"
    # Counters 1 and 2 were used by the resync, so default to 3 if the
    # counter file does not exist yet.
    count=3
    if [ -e "$counter_file" ] ; then
      count=$(cat "$counter_file")
    fi
    oathtool -c "$count" "$key"
    # Persist the next counter so the same value is never reused.
    echo $((count + 1)) > "$counter_file"

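As an added example (not from the original page, nor LinOTP's or oath-toolkit's own code), here is the whole procedure in one Python 3 script: it parses the otpauth URL from the LinOTP popup, decodes the base32 secret to the hex key oathtool wants, computes HOTP per RFC 4226, prints the sync pair that "oathtool -c 1 -w 1 KEY" would, and keeps the same persistent counter the bash script above maintains. The sample URL is constructed from the RFC 4226 test secret "12345678901234567890"; the token label, the counter file name and all function names are assumptions.

```python
#!/usr/bin/env python3
"""Software HOTP token: the oathtool steps above, reimplemented in Python."""
import base64
import binascii
import hashlib
import hmac
import os
import struct
import tempfile
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URL in the shape LinOTP shows; the secret is the
# RFC 4226 test key "12345678901234567890" in base32, the label is made up.
SAMPLE_URL = ("otpauth://hotp/LSGO1234567890987654"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0")


def parse_otpauth(url):
    """Return (type, label, secret_bytes, params) for an otpauth:// URL."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URL")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = params["secret"].strip().upper()
    secret += "=" * (-len(secret) % 8)  # restore the '=' padding the URL drops
    label = unquote(parsed.path.lstrip("/"))
    return parsed.netloc, label, base64.b32decode(secret), params


def secret_to_hex(secret_bytes):
    """Hex form of the key, i.e. what oathtool takes without -b."""
    return binascii.hexlify(secret_bytes).decode("ascii")


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def sync_pair(key, start=1, window=1):
    """Same codes as 'oathtool -c START -w WINDOW KEY': counters START..START+WINDOW."""
    return [hotp(key, c) for c in range(start, start + window + 1)]


def next_otp(key, counter_file, initial=3):
    """Persisted counter: read it, emit the OTP, store counter+1 (never reuse one)."""
    try:
        with open(counter_file) as f:
            counter = int(f.read().strip() or initial)
    except FileNotFoundError:
        counter = initial  # counters 1 and 2 went to the resync step
    code = hotp(key, counter)
    # Create the file owner-only; the counter alone is not secret but a
    # readable file invites tampering that would desync the token.
    fd = os.open(counter_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("%d\n" % (counter + 1))
    return code, counter


if __name__ == "__main__":
    kind, label, key, params = parse_otpauth(SAMPLE_URL)
    print("type:", kind, "label:", label, "hex key:", secret_to_hex(key))
    print("sync pair (counters 1, 2):", sync_pair(key))
    path = os.path.join(tempfile.mkdtemp(), ".authcounter")  # stand-in for $HOME/.authcounter
    for _ in range(3):
        code, used = next_otp(key, path)
        print("counter %d -> %s" % (used, code))
```

Running it prints 287082 and 359152 for the sync pair, the RFC 4226 test-table values for counters 1 and 2, so it doubles as a check of your base32-to-hex conversion: feed the printed hex key to oathtool with the same -c/-w values and the numbers must agree before you sync a real token.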
  • RFC 4226 (HOTP): http://tools.ietf.org/html/rfc4226
  • Google Authenticator (Wikipedia): http://en.wikipedia.org/wiki/Google_Authenticator
  • Google Authenticator project: http://code.google.com/p/google-authenticator/
  • OATH Toolkit (oathtool): http://www.nongnu.org/oath-toolkit/