FireBrick FB6000

OATH OTP password login

The FireBrick supports OATH one time password authentication for logging in via http or telnet, as per RFC4226. You can purchase OATH/OTP devices to go on a keyring or as an app for mobile devices. The device provides a code number for you to use when you log in, typically 6 digits.

You can either have a time based device, typically giving a new code every minute or 30 seconds, or a device that gives a new code every time you press a key. A time based device can be used with many systems. An event based device can normally only be used with one system. The FireBrick supports both types of device.

Password only

For password only, simply include password="..." in the <user.../> definition. This will expect the password to be entered. The config will show a hash of the password that was entered.

OATH/OTP only

For OATH/OTP only, i.e. logging in using the digital code from your one time password device, simply include otp="..." in the <user.../> definition quoting the serial number of your OTP device. You then enter the digital code as your password when logging in.

OATH/OTP and password

For full two factor authentication with an OATH/OTP code and password, enter both password="..." and otp="..." in the <user.../> definition quoting the serial number of your OTP device. When you log in you need to enter a password that is the digits from your OATH/OTP device immediately followed by the password.

Setting up OATH/OTP devices

You will need to set up the OATH/OTP device on your FireBrick. This is not part of the normal config, and is set up using a form on the config web page. The device will have been supplied with a key, typically a long string of hex digits, and normally will have a serial number of some sort. You can give devices serial numbers as you wish as long as you are consistent - they are used in the <user.../> config to reference the OTP device.

Enter the serial number and the hex key carefully. You will also need to say whether it is event based or time based, what the interval is, and how many digits are used. The default is time based with a 60 second interval and 6 digits.

You then need to enter a sequence of 3 codes. For time based devices you will have to wait for each code to be shown. The sequence must be exactly correct otherwise the validation will fail. If you make an error then use the back button on the browser to re-enter correct details.

The OATH/OTP set up is not stored with the configuration and the key cannot be extracted from the FireBrick. Once you have entered the details and passed verification you can use the serial number you have specified in your <user.../> config as the otp="..." attribute.

If ever your device gets out of sequence (e.g. pressing the button on an event based device hundreds of times without logging in) you can repeat the process to set up the device again. This process searches the first 20,000 codes on an event based device, and allows a day of drift either way on a time based device in order to resynchronise.
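The following is an added example, not FireBrick code, showing the mechanics the sections above describe: RFC 4226 HOTP code generation (a time based device is the same computation with counter = time / interval), enrolling a device from a run of three consecutive codes by searching the first 20,000 counters (event based) or a day of drift either way (time based), and checking a two-factor login where the OTP digits are immediately followed by the password. The device records, the look-ahead window of 10, the stored-hash format and the sample secret (the RFC 4226 reference key) are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct

# RFC 4226 reference secret (the ASCII string "12345678901234567890"), used
# here only as a constructed sample; a real device ships its own hex key.
RFC4226_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit value, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(unix_time: float, step: int = 60) -> int:
    """A time based device is HOTP with counter = floor(time / interval)."""
    return int(unix_time // step)


def find_run(key: bytes, codes: list, start: int, width: int, digits: int):
    """Return the counter in [start, start+width) at which the run of
    consecutive codes begins; every code in the run must match, or None."""
    for c in range(start, start + width):
        if all(hotp(key, c + i, digits) == codes[i] for i in range(len(codes))):
            return c
    return None


def enrol_event_device(key: bytes, codes: list, digits: int = 6, search: int = 20000) -> dict:
    """Event based set-up: search the first `search` counters (20,000 in the text)."""
    c = find_run(key, codes, 0, search, digits)
    if c is None:
        raise ValueError("code sequence does not match the key")
    return {"kind": "event", "key": key, "digits": digits, "next": c + len(codes)}


def enrol_time_device(key: bytes, codes: list, now: float, step: int = 60,
                      digits: int = 6, drift_seconds: int = 86400) -> dict:
    """Time based set-up: allow a day of drift either way and remember the
    device's clock offset, in whole steps, relative to our own clock."""
    centre = time_counter(now, step)
    span = drift_seconds // step
    c = find_run(key, codes, centre - span, 2 * span + 1, digits)
    if c is None:
        raise ValueError("code sequence does not match the key within the drift window")
    last = c + len(codes) - 1  # the code the device was showing at the end of set-up
    return {"kind": "time", "key": key, "digits": digits, "step": step,
            "drift": last - centre, "last_used": last}


def password_record(password: str) -> dict:
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


def check_password(record: dict, password: str) -> bool:
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    return hmac.compare_digest(h, record["hash"])


def verify_login(device: dict, pw_record: dict, entered: str, now: float = 0.0,
                 lookahead: int = 10) -> bool:
    """Two-factor check: `entered` is the OTP digits immediately followed by the
    password.  Each counter is accepted at most once, so a captured code cannot
    be replayed; `device` is updated in place on success."""
    d = device["digits"]
    code, password = entered[:d], entered[d:]
    if not check_password(pw_record, password):
        return False
    if device["kind"] == "event":
        c = find_run(device["key"], [code], device["next"], lookahead, d)
        if c is None:
            return False
        device["next"] = c + 1
        return True
    expected = time_counter(now, device["step"]) + device["drift"]
    for c in (expected - 1, expected, expected + 1):  # one step of slack either way
        if c > device["last_used"] and hmac.compare_digest(hotp(device["key"], c, d), code):
            device["last_used"] = c
            return True
    return False
```

Splitting on the configured digit count rather than on a separator is what makes "digits immediately followed by the password" unambiguous even when the password itself contains digits; the `next` / `last_used` bookkeeping is the part that prevents a code that was seen once from working a second time.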

You need to take care of the key as this can be used to generate the OTP codes. It is a good idea to set up the OTP codes on a machine directly connected to the FireBrick for maximum security.

What if you lose your OATH/OTP device?

You may want to add a user that has a good password and restricted access from only specific IP addresses as a fall back just in case you lose your token. The allow="..." attribute on the user can be used to lock down access to be from specific IP addresses only.

Using FireBrick to check credentials

Having password and OATH/OTP checking makes the FireBrick a useful tool for remote devices that need to check credentials. Using curl you can check that login details are correct, e.g.

curl http://IP-address/auth --fail --user "username:password"

With --fail, curl will exit with a non-zero status if the details are wrong, or a zero status and no output if they are correct.

PCI/DSS two factor authentication for access to devices on your LAN

Many security systems (e.g. PCI/DSS for bank card handling) require two-factor authentication, i.e. a password and a code from a device as well as your user-name. The <ip-group.../> feature of the FireBrick allows firewalling rules to be created that allow specific IP addresses and ports only from the IP from which a specific user or users have logged in. By using OATH/OTP for user authentication you can set up the FireBrick to allow remote access to desktop machines via the firewall with two-factor authentication.

More information?

There is a good Wikipedia article explaining OATH/OTP devices and how they add security. You can download OATH/OTP apps for iPhone and similar devices, typically free of charge. Physical OATH/OTP devices can be purchased on-line for as little as €9, and by using a time based device you can have one gadget on your key ring to authenticate to multiple systems and devices.