smspasswd 0.1

smspasswd software provides two-factor authentication via cell phone short message service (SMS). The reason I wrote this was because of all the pesky SSH brute force attacks, which continue to build in numbers. I didn’t want to waste money and time on using tokens because the few people who have accounts on my machines also have mobile phones.

I’m stoked that I have been using this since v0.1 back in 2005 and so far it’s worked very well with no changes. I’m hoping for feedback to get me motivated to develop this some more. Thanks to my good friend Solomon who has encouraged me to start posting some of my fun projects on the web.
Any feedback is more than welcome to ed -at- e-things.org.

How does this work?

The simple explanation for the average user goes a little like this. You use your normal password followed by a 6 digit number. To get access to a system you need to send an SMS from your pre-registered mobile phone number with a PIN. The systems admin folk will assign you a 4 digit PIN and give you the mobile number to send your login request to. So, when you want to log in, just send a text (SMS) to the phone number provided, with your 4 digit PIN. Shortly after you will receive a 6 digit number in a text (SMS) on your phone. Then log in as normal using your normal password followed by the 6 digit number. You can use this same 6 digit number as many times as you like within a time period set by the systems admin folk. Simple, right? Ok then, perhaps not much more complex than a token?

Now for the spanner-head explanation. smspasswd is a Perl application that runs as a daemon. It uses a MySQL back-end database which stores the usernames, mobile numbers, PINs, passwords, tokens, and the amount of time each user's token (temporary x digit code) is valid for. smspasswd uses the information in the MySQL database to update your LDAP server based on a polling frequency you set in its config file. You can also set lots of other options in the config file and these are covered in the Features section below. smspasswd talks to an SMS gateway to send and receive new token requests. In my case it’s a cheap pre-paid Nokia 7110 connected to COM1 (/dev/ttys0) via gnokii.

The authentication process goes a little like this. The user sends an SMS to your gnokii phone with their PIN. Note the PIN is not really important because it will get saved in the user's SMS outbox, so it could just be “request” or “foobar”. What’s important is that the SMS must come from the correct number for that user, and even if this could be spoofed, the reply will still go to the user's mobile number in the database anyway. Then smspasswd checks the database for the user's mobile phone number and if it finds a match it will send an x digit code to the number registered for that user. At this point the password for this user will be updated in the local LDAP server with their normal password, followed by their new x digit code. Once the user has the SMS with the new code they can log in.
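To make the flow above concrete, here is a small in-memory model of it written for this page; it is not the project's Perl code. A dict stands in for the MySQL user table and another for the LDAP password attribute, the sample user is constructed, and since the text does not say what happens to the LDAP entry once the token times out, the model assumes login is disabled until the next SMS request.

```python
import hmac
import secrets


class SmsPasswdSim:
    """Constructed model of the smspasswd flow: sender number lookup, token issue, timed validity."""

    def __init__(self, users, token_digits=6):
        self.users = users              # {username: {"mobile", "password", "ttl"}}, the MySQL side
        self.token_digits = token_digits
        self.ldap = {}                  # username -> (password + token, expiry), the LDAP side
        self.clock = 0                  # simulated seconds, advanced by tick()

    def tick(self, seconds):
        """Advance the clock and run the daemon's periodic user timeout check."""
        self.clock += seconds
        for name in [n for n, (_, exp) in self.ldap.items() if exp <= self.clock]:
            del self.ldap[name]         # assumption: expired token disables login until re-requested

    def handle_sms(self, sender, body):
        """Incoming SMS. Only the sender number is matched; the body (the PIN) is not checked,
        as the description above says. The reply goes to the number stored in the database."""
        for name, u in self.users.items():
            if u["mobile"] == sender:
                token = "".join(secrets.choice("0123456789") for _ in range(self.token_digits))
                self.ldap[name] = (u["password"] + token, self.clock + u["ttl"])
                return u["mobile"], token
        return None                     # unregistered number: no reply, nothing changes

    def login(self, name, supplied):
        """What the LDAP bind boils down to: compare against password + token while still valid."""
        entry = self.ldap.get(name)
        if entry is None or entry[1] <= self.clock:
            return False
        return hmac.compare_digest(entry[0], supplied)


if __name__ == "__main__":
    # Constructed sample user; a real deployment reads these rows from MySQL.
    sim = SmsPasswdSim({"alice": {"mobile": "+15555550100", "password": "hunter2", "ttl": 300}})
    print(sim.handle_sms("+15555550199", "1234"))   # unregistered sender: None
    to, token = sim.handle_sms("+15555550100", "1234")
    print(sim.login("alice", "hunter2" + token))      # True
    sim.tick(300)
    print(sim.login("alice", "hunter2" + token))      # False
```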

You should set up your systems and applications for LDAP authentication, and if you wish you can configure your FreeRADIUS server to authenticate via OpenLDAP. Or you can use a commercial LDAP or RADIUS system. FreeRADIUS and OpenLDAP work just fine for me.

Confused? Drop me an email and I’ll make a nice diagram with Dia.

Features

Here’s the config file, and check the source.


##################################################
# smspasswd config file
#
##################################################

# minimum password length
#
minPasswordLength 6

# minimum username length
#
minUsernameLength 2

# minimum PIN length
#
minPinLength 4

# database options
#
dbName smspasswd
dbUsername smspasswd
dbPassword [enter the database users password here]
dbHostname localhost
dbPort 3306
dbEncryptionKey [enter a very long and random string here]

# gnokii options
#
gnokii /usr/local/bin/gnokii
gnokiiMailBox IN

# Check interval. This is the amount of time to
# wait between incoming SMS checks in seconds as
# well as user timeout checks
#
checkInterval 15

# LDAP server option
#
ldapServer localhost
ldapBindDn cn=Manager,dc=yourdomain,dc=com
ldapPassword [enter your LDAP users password here]
ldapBiseDn ou=People,dc=yourdomain,dc=com

# Email notification for non pin request SMS messages
# This is very useful if you would like to be emailed
# the ‘your pre-paid account is about to expire’ messages.
# Note: PIN requests will not be emailed.
#
emailNotify yes
emailToAddress root@localhost
emailFromAddress root@localhost
emailSubject SMS notification from smspasswd

last updated on:
July 12th, 2007, 6:05 GMT
price:
FREE!
developed by:
ethings
license type:
GPL (GNU General Public License) 
category:
ROOT \ Security
