TRI-D Quick Install and Test Guide

Overview

Install and test TRI-D's OTP software; it should take only about 15 minutes.

If you have a Linux distribution that supports RPM, this is all you need to install and test One-Time Passwords with TRI-D's software.

Download

Download otpd from the Community Edition.

Build and Install RPM

Build the RPM (replace the version number as needed):

$ rpmbuild -tb otpd-3.0.0.tar.gz

Install the RPM:

# rpm -ivh otpd-3.0.0-1.i386.rpm

Create the state directory:

# mkdir /etc/otpstate
# chmod 700 /etc/otpstate

Start Up

Start otpd in debug mode:

# otpd -D

Sample Authentication

Create an OTP password file (the shell variable $e is used only to keep the lines readable):

# e=test:trid-hard-eotp-d6:fedcba9876543210fedcba987654321000000000
# echo $e >> /etc/otppasswd
# chmod 600 /etc/otppasswd

  • test is the user name.
  • trid-hard-eotp-d6 configures the user with a Key Token. (Learn about all the tokens supported in the otpd documentation.)
  • fedcba9876543210fedcba987654321000000000 is the secret key on the token.

First, try an authentication that should fail:

# otpauth -u test -s /var/run/otpd/socket -p 123456
3 (authentication error)

Results: Authentication failed, as expected.

In the otpd debug window:

otpd: work_thread(3,5): handling plugin request for [test]
otpd: state_parse: null state data for [test]
otpd: verify: [test], challenge t:0 e:0 0000000000000000, response 201905
otpd: verify: [test], challenge t:0 e:1 0000000000000001, response 537596
otpd: verify: [test], challenge t:0 e:2 0000000000000002, response 584173
...
otpd: verify: [test], challenge t:0 e:25 0000000000000019, response 293346
otpd: verify: user [test] authentication failed

  • Note: The line "null state data" indicates that state did not previously exist for user "test". This is expected, since this is the very first time otpd has ever seen an authentication for that user.

Try the first OTP (the response 201905 shown for e:0 in the debug output above):

# otpauth -u test -s /var/run/otpd/socket -p 201905
6 (next passcode required)

Results: Even though we entered the correct OTP, authentication failed, with otpauth telling us that the next passcode is required.

In the otpd debug window, you can see what happened:

otpd: work_thread(4,6): handling plugin request for [test]
otpd: verify: [test], challenge t:0 e:0 0000000000000000, response 201905
otpd: verify: [test], rwindow candidate at t:0 e:0
otpd: verify: user [test] authentication failed

The rwindow candidate message is the indicator that an OTP was correct, but that the next OTP is required to actually authenticate the user. In this case, two consecutive OTPs are required because it is the first time this user has authenticated, and otpd needs to establish the state of the token with certainty.

Now use the next expected OTP:

# otpauth -u test -s /var/run/otpd/socket -p 537596
0 (ok)

Results: Authentication succeeded.

Let's look at the otpd debug window again:

otpd: work_thread(5,5): handling plugin request for [test]
otpd: verify: [test], challenge t:0 e:0 0000000000000000, response 201905
otpd: verify: [test], challenge t:0 e:1 0000000000000001, response 537596
otpd: verify: softfail override for [test] at window position t:0 e:1
otpd: verify: user [test] authentication succeeded

The softfail override message indicates that this was the second of two consecutive OTPs required to authenticate the user, as opposed to a normal (single OTP) authentication.
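As an added illustration (not otpd's code, and not TRI-D's eotp-d6 token algorithm), the following Python models the verification flow visible in the debug output: a user with null state is searched over a 26-position window, a lone match is only an rwindow candidate, and the next consecutive OTP is needed before state is established and the user authenticates. RFC 4226 HOTP stands in for the token algorithm, so the codes differ from those in the log; the result codes follow otpauth's 0, 3 and 6.

```python
import hmac, hashlib, struct

WINDOW = 26        # positions searched when token state is unknown (e:0..e:25 in the otpd log)
OK, AUTH_ERROR, NEXT_REQUIRED = 0, 3, 6   # otpauth result codes shown in this guide

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Stand-in event-based OTP (RFC 4226 HOTP). Assumption: not TRI-D's eotp-d6 algorithm."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class OtpUser:
    """Per-user verification state, modelled on what otpd keeps in /etc/otpstate."""
    def __init__(self, key_hex: str):
        self.key = bytes.fromhex(key_hex)
        self.counter = None    # None == "null state data": last accepted position unknown
        self.candidate = None  # "rwindow candidate": matched position awaiting confirmation

    def verify(self, response: str) -> int:
        if self.counter is not None:
            # State established: a single OTP at the next position authenticates.
            # Assumption: no resync window once state is known.
            if hmac.compare_digest(hotp(self.key, self.counter + 1), response):
                self.counter += 1
                return OK
            return AUTH_ERROR
        # Null state: search the whole window, as the e:0..e:25 verify lines show.
        for e in range(WINDOW):
            if not hmac.compare_digest(hotp(self.key, e), response):
                continue
            if self.candidate is not None and e == self.candidate + 1:
                # Second consecutive OTP ("softfail override"): token position is now certain.
                self.counter, self.candidate = e, None
                return OK
            # A first match is only a candidate; a lone window hit never authenticates.
            self.candidate = e
            return NEXT_REQUIRED
        self.candidate = None  # Assumption: a wrong response restarts the two-OTP sequence.
        return AUTH_ERROR

if __name__ == "__main__":
    u = OtpUser("fedcba9876543210fedcba987654321000000000")  # key from this guide's otppasswd line
    for resp in ("123456", hotp(u.key, 0), hotp(u.key, 1), hotp(u.key, 2)):
        print(resp, "->", u.verify(resp))  # 3, 6, 0, 0: same sequence of results as the walkthrough
```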

Test this with a Soft Token. Download the demo version of winOTP for Windows PC and see how easy it is to use strong 2-Factor authentication.

Please read the Quickstart Guide for more details about setting up the authentication servers.