PAM, OTP and SMS
I have just started writing a PAM module for authentication using One Time Passwords (OTP) sent to the user’s mobile phone via SMS.
The idea is adding a PAM module to the stack for sshd (or other services) with the following functionality:
- First use "normal" authentication with control flag "requisite". That is, if the user does not enter the normal username/password combination correctly, the user is rejected immediately.
- Check if the user originates from an IP address configured as trusted. If yes, approve authentication without further action.
- For non-trusted IP addresses check if the user is configured in the “OTP database” and if yes, generate an OTP and send to the user’s mobile phone.
- The user is prompted for the OTP, and if it is entered correctly authentication is approved. If the OTP is incorrect, the authentication process starts all over again.
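The two decisions in the list above that are easiest to get wrong are the trusted-IP check and the handling of the OTP itself (random generation, expiry, single use, a comparison that does not leak timing). The block below is an added example written for this post, not the module's own code: plain C with no libpam dependency so it can be unit-tested outside the PAM stack. The module name `pam_smsotp.so`, the `trusted=` option syntax, and the functions `is_trusted_ip`, `otp_issue` and `otp_verify` are all assumptions; in the real module `rhost` would come from `pam_get_item(..., PAM_RHOST, ...)` and the entered code from the conversation function.

```c
/* Added example, not the post's own code. Hypothetical /etc/pam.d/sshd stack:
 *   auth requisite pam_unix.so
 *   auth required  pam_smsotp.so trusted=10.0.0.0/8,192.168.1.0/24
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse "a.b.c.d/n" or "a.b.c.d" into network and mask (host byte order). */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask)
{
    char buf[32];
    unsigned prefix = 32;
    struct in_addr addr;

    if (strlen(cidr) >= sizeof buf)
        return 0;
    strcpy(buf, cidr);
    char *slash = strchr(buf, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        prefix = (unsigned)strtoul(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || prefix > 32)
            return 0;                     /* "/", "/abc", "/33" are rejected */
    }
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return 0;
    *mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    *net = ntohl(addr.s_addr) & *mask;
    return 1;
}

/* 1 if rhost lies inside one of the comma-separated trusted networks.
 * Anything that is not an IPv4 literal (NULL, a hostname, IPv6) is treated
 * as untrusted, so the module falls through to the OTP step. */
int is_trusted_ip(const char *rhost, const char *trusted_list)
{
    struct in_addr addr;
    char list[256];

    if (rhost == NULL || inet_pton(AF_INET, rhost, &addr) != 1)
        return 0;
    if (trusted_list == NULL || strlen(trusted_list) >= sizeof list)
        return 0;
    uint32_t ip = ntohl(addr.s_addr);
    strcpy(list, trusted_list);
    for (char *tok = strtok(list, ","); tok; tok = strtok(NULL, ",")) {
        uint32_t net, mask;
        if (parse_cidr(tok, &net, &mask) && (ip & mask) == net)
            return 1;
    }
    return 0;
}

#define OTP_DIGITS 6
#define OTP_TTL_SECONDS 120

struct otp_state {
    char code[OTP_DIGITS + 1];
    time_t issued;
    int used;
};

/* Issue a fresh 6-digit code from the kernel CSPRNG; rejection sampling
 * (bytes >= 250 are discarded) keeps each digit uniformly distributed. */
int otp_issue(struct otp_state *st, time_t now)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return 0;
    for (int i = 0; i < OTP_DIGITS; ) {
        unsigned char b;
        if (fread(&b, 1, 1, f) != 1) { fclose(f); return 0; }
        if (b >= 250)
            continue;
        st->code[i++] = (char)('0' + b % 10);
    }
    fclose(f);
    st->code[OTP_DIGITS] = '\0';
    st->issued = now;
    st->used = 0;
    return 1;
}

/* Constant-time comparison: no early exit on the first mismatching digit. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* A code is accepted once, within its lifetime. Any attempt consumes it,
 * so a wrong entry forces the "start all over again" path from the post. */
int otp_verify(struct otp_state *st, const char *entered, time_t now)
{
    if (st->used)
        return 0;
    st->used = 1;
    if (entered == NULL || strlen(entered) != OTP_DIGITS)
        return 0;
    if (now - st->issued > OTP_TTL_SECONDS)
        return 0;
    return ct_equal(st->code, entered, OTP_DIGITS);
}
```

Treating a missing or non-literal `PAM_RHOST` as untrusted is the safe default: the trusted-IP shortcut only ever weakens authentication, so it should apply only when the address is unambiguous. Burning the code on every attempt, including a malformed one, means a guesser gets exactly one try per SMS.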
The PAM module will send the password using an HTTP POST in the format used by our own SMS Submit service. However, since the URL is configurable, the module can be pointed at any SMS service that accepts the parameters sent.
The first objective is to make it run on Linux, but it would be nice to support other operating systems as well later on.