One-time passwords on Linux

While reading my RSS feeds I came across one-time password logins over SSH, in a post on Philip's Blog. It looked interesting, so I tried it on a virtual machine. It was not quite as simple as Philip's post makes it sound, but it was still fairly simple. To help out anyone trying to configure and use it, here are my findings:

As this is a rather long post I'm going to use a break for this one (sorry RSS feed readers! I forgot, but I noticed my feed carries entire blog posts, not just the part before the break. Good!).

First, I installed opie-server, this is as simple as:

# apt-get install opie-server

Then, to make sure the pam_opie module is used when you log in through SSH, I edited /etc/pam.d/sshd as follows (on Debian the PAM module itself comes from the separate libpam-opie package):

[...]

# Standard Un*x authentication.
#@include common-auth
auth    sufficient      pam_opie.so
auth    sufficient      pam_unix.so nullok_secure
auth    required        pam_deny.so

[...]

If you do it this way you will still be able to log in with your normal password when the OTP (One Time Password) login fails. This may be handy when you have no way of calculating the appropriate response to the OTP challenge. Keep in mind, though, that as long as pam_unix stays in the stack the static password alone is still enough to get in, so the OTP adds convenience here, not protection against a guessed or stolen password. If you do not want that and you want you or your users to be able to authenticate with OTP only, comment out the pam_unix.so line:

[...]

#auth    sufficient      pam_unix.so nullok_secure

[...]

Note that once pam_unix.so is disabled, any user who has not yet run opiepasswd can no longer log in with a password at all (public-key logins are not affected, see below). After this it still was not working, so I looked into /etc/ssh/sshd_config and found one option that has to be enabled so the SSH server knows you will be using challenge-response (keyboard-interactive) authentication, which is how sshd passes the OTP prompt through PAM. Two things to watch: sshd uses the first value it finds for a keyword, so change the existing line (the stock Debian file already has it set to no) rather than appending a new one at the bottom, and UsePAM yes must be set as well. On OpenSSH 8.7 and later the keyword is called KbdInteractiveAuthentication, with ChallengeResponseAuthentication kept as a deprecated alias. Edit /etc/ssh/sshd_config:

[...]

ChallengeResponseAuthentication yes

[...]

As a final step, restart your SSH server:

/etc/init.d/ssh restart
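Before restarting, it is worth checking that the two edited files actually say what you think they say. The following is an added example, not code from the original post or from OpenSSH or OPIE: it parses an sshd_config the way sshd does (keywords are case-insensitive and the first occurrence of a keyword wins) and the auth lines of /etc/pam.d/sshd, and reports anything that would keep the OTP prompt from working. Both sample files are constructed: the sshd_config one has a `yes` appended below the stock `no`, the PAM one is the stack from this post with the pam_unix fallback still enabled.

```python
"""Check sshd_config and pam.d/sshd for the OTP setup described in this post.

Added example (not from the post, OpenSSH or OPIE). Sample inputs are constructed.
"""
import re
import sys
from typing import Dict, List

# Constructed: looks like a stock file with the new line appended at the end.
SAMPLE_SSHD_CONFIG = """\
Port 22
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed: the auth stack from this post, password fallback still active.
SAMPLE_PAM_SSHD = """\
# Standard Un*x authentication.
#@include common-auth
auth    sufficient      pam_opie.so
auth    sufficient      pam_unix.so nullok_secure
auth    required        pam_deny.so
@include common-account
"""

# ChallengeResponseAuthentication became an alias of this keyword in OpenSSH 8.7.
_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
_PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}


def sshd_effective_options(text: str) -> Dict[str, str]:
    """keyword -> value as sshd applies it: first value wins, later repeats are ignored."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        if len(parts) == 2:
            key = _ALIASES.get(parts[0].lower(), parts[0].lower())
            opts.setdefault(key, parts[1].strip())        # first occurrence wins
    return opts


def check_sshd_config(text: str) -> List[str]:
    """Findings that would stop sshd from ever handing the OTP prompt to PAM."""
    opts = sshd_effective_options(text)
    findings = []
    kbd = opts.get("kbdinteractiveauthentication")
    if kbd != "yes":
        findings.append(f"keyboard-interactive/challenge-response auth is not enabled (effective value {kbd!r}); "
                        "sshd applies the first occurrence of a keyword, so a 'yes' appended below an earlier 'no' is ignored")
    if opts.get("usepam", "no") != "yes":   # sshd's own default for UsePAM is no
        findings.append("UsePAM is not yes, so /etc/pam.d/sshd is never consulted for authentication")
    return findings


def pam_auth_stack(text: str) -> List[Dict[str, str]]:
    """Active 'auth' lines as control/module/args; handles '[success=1 default=ignore]' controls."""
    pat = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", re.IGNORECASE)
    stack = []
    for raw in text.splitlines():
        m = pat.match(raw.strip())          # commented lines start with '#', so they never match
        if m:
            stack.append({"control": m.group(1).lower(), "module": m.group(2), "args": m.group(3)})
    return stack


def check_pam_sshd(text: str) -> List[str]:
    """Findings about the auth stack: typos in control flags, module order, fallback."""
    stack = pam_auth_stack(text)
    modules = [e["module"] for e in stack]
    findings = []
    for e in stack:
        if e["control"] not in _PAM_CONTROLS and not e["control"].startswith("["):
            findings.append(f"unknown control flag {e['control']!r} on {e['module']} (did you mean 'required'?)")
    if "pam_opie.so" not in modules:
        findings.append("pam_opie.so is not in the auth stack; no OTP challenge will be issued")
    elif "pam_unix.so" in modules:
        if modules.index("pam_unix.so") < modules.index("pam_opie.so"):
            findings.append("pam_unix.so comes before pam_opie.so: the static password is asked first, the OTP only after it fails")
        findings.append("password fallback: pam_unix.so is still active, so the static password alone grants access "
                        "(comment it out for OTP-only logins)")
    if not any(e["module"] == "pam_deny.so" and e["control"] == "required" for e in stack):
        findings.append("no 'auth required pam_deny.so' closing the stack")
    return findings


def main(argv: List[str]) -> None:
    # With two paths (sshd_config, pam.d/sshd) the real files are checked, otherwise the samples.
    if len(argv) == 3:
        sshd_text, pam_text = open(argv[1]).read(), open(argv[2]).read()
    else:
        sshd_text, pam_text = SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD
    for name, findings in (("sshd_config", check_sshd_config(sshd_text)),
                           ("pam.d/sshd", check_pam_sshd(pam_text))):
        print(f"{name}: {'ok' if not findings else ''}")
        for f in findings:
            print("  -", f)


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the constructed samples, or as `python3 checkotp.py /etc/ssh/sshd_config /etc/pam.d/sshd` (file name is just a suggestion) against the real files. Either way, run `sshd -t` before restarting and keep a second SSH session open while you test a PAM change, so a typo like `require` instead of `required` cannot lock you out of the box.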

From here we can follow the simple steps Philip gave in his blog post:

$ opiepasswd -c
Adding bert:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:

ID bert OTP key is 499 mi7400
RIDE LUSH VIE YE BARD LOSE

When issuing opiepasswd -c you will be asked to enter a secret pass phrase. You will have to remember it, and it should be genuinely secret (not your birthday or something like that): anyone who learns the pass phrase can compute every remaining password in the sequence.

When we look at the following output:

ID bert OTP key is 499 mi7400
RIDE LUSH VIE YE BARD LOSE

  • 'bert' is your Unix username, and also your OTP ID
  • '499' is the sequence number; it counts down by one every time a password has been used.
    A used password is discarded and cannot be used again, hence OTP (One Time Password) :-)
  • 'mi7400' is the seed; together with the sequence number it makes up the challenge the server presents at login
  • 'RIDE LUSH VIE YE BARD LOSE' is the one-time password for this sequence (499), spaces included. The server keeps this one as its reference value, so the first login challenge will ask for 498.

Now, when you ssh to the system without a private key (public-key logins still work and never see the OTP prompt, because sshd only runs the PAM auth stack for keyboard-interactive and password logins; if you want key holders to need the OTP too, newer OpenSSH can require both with AuthenticationMethods publickey,keyboard-interactive) you will be prompted as follows:

$ ssh bert@minerva
otp-md5 498 mi7400 ext, Response:

On a system where opie-client is installed you can calculate the appropriate response (the warning below is there because the pass phrase is typed on this machine, so anyone who can see it can generate all of your remaining passwords):

$ opiekey 498 mi7400
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Sorry, but you don't seem to be on the console or a secure terminal.
Warning: Continuing could disclose your secret pass phrase to an attacker!
Enter secret pass phrase:
WACK WAIT ALMA HERO WAR KIN

And use this password 'WACK WAIT ALMA HERO WAR KIN' to log in.
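To make clear what the sequence number, the seed and the "one-time" property in the list above actually mean, and what happens on each side of the exchange just shown, here is an added example that is not code from the original post or from OPIE. It models the otp-md5 scheme of RFC 2289: hash the seed concatenated with the pass phrase, fold the 16-byte MD5 digest to 8 bytes, and apply that one-way step N times to get the password for sequence number N. The server only stores the password for sequence N and checks a login for N-1 by hashing the response once more, then moves its record one step down, which is why a replayed password fails. The pass phrase used is constructed (the post's is not known), the user name and seed are the post's, and the six-word encoding opiekey prints is left out because it needs the RFC's 2048-word dictionary; passwords are shown as hex instead.

```python
"""Toy model of opiepasswd (enrolment), pam_opie (verification) and opiekey (response).

Added example following RFC 2289 otp-md5; not code from the post or from OPIE.
"""
import hashlib
from typing import Dict


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XOR-ing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def next_otp(otp: bytes) -> bytes:
    """One application of the one-way function: otp(n+1) = fold(MD5(otp(n)))."""
    return _fold(hashlib.md5(otp).digest())


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """What opiekey computes for 'otp-md5 <sequence> <seed>' (the seed is case-insensitive)."""
    otp = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())  # sequence 0
    for _ in range(sequence):
        otp = next_otp(otp)
    return otp


class OpieServer:
    """The server's view of one user: its /etc/opiekeys record and the pam_opie check."""

    def __init__(self, user: str, seed: str, sequence: int, stored: bytes) -> None:
        self.user, self.seed, self.sequence, self.stored = user, seed, sequence, stored

    def challenge(self) -> str:
        # The stored value is otp(sequence); the login has to supply otp(sequence - 1).
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def login(self, response: bytes) -> bool:
        if self.sequence < 1:
            return False  # nothing left below sequence 0 in this model: run opiepasswd again
        if next_otp(response) != self.stored:
            return False  # wrong pass phrase, wrong sequence, or a replayed password
        # Accept and move the record one step down the chain, so this response is now spent.
        self.stored, self.sequence = response, self.sequence - 1
        return True


def enroll(user: str, passphrase: str, seed: str, sequence: int = 499) -> OpieServer:
    """What 'opiepasswd -c' does: derive otp(sequence) from the pass phrase and store only that."""
    return OpieServer(user, seed, sequence, otp_md5(passphrase, seed, sequence))


def run_demo() -> Dict[str, object]:
    """Walk through the login exchange from the post with a constructed pass phrase."""
    passphrase = "correct horse battery staple"  # constructed; the post's pass phrase is not known
    seed = "mi7400"
    server = enroll("bert", passphrase, seed)
    out: Dict[str, object] = {"challenge": server.challenge()}   # "otp-md5 498 mi7400"
    # The client (opiekey) gets sequence and seed from the challenge; the pass phrase never leaves it.
    seq = int(str(out["challenge"]).split()[1])
    good = otp_md5(passphrase, seed, seq)
    out["first_login"] = server.login(good)
    out["replay"] = server.login(good)                                   # same password again
    out["wrong_passphrase"] = server.login(otp_md5("guess", seed, seq - 1))
    out["second_login"] = server.login(otp_md5(passphrase, seed, seq - 1))
    out["sequence_after"] = server.sequence
    out["stored_hex"] = server.stored.hex().upper()                      # what the server keeps now
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note what the server never holds: the pass phrase, and any password with a lower sequence number than the one it stores. An attacker who copies /etc/opiekeys or sniffs a response gets values that are only useful for the step that has already been spent.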

Of course, the thing is that when you have your favourite machine with you (e.g. your laptop) you also have your private keys, so there is no need for OTP. And when you do need it (e.g. on a public computer) you are seldom allowed to install an opie-client to calculate your response. There are online calculators, but do you trust them with your pass phrase?

Luckily there is a nice solution for this problem:

http://code.google.com/p/j2me-otp/

Thanks to "Marcin Gryszkalis" who posted this comment on Philip's blog post.

This is a Java (J2ME) application, so it should work on almost any modern cellphone. I tried it on my Nokia E61i and it works like a charm. (And of course, you always have your cellphone with you!)

A screenshot of the calculator in action:

The only thing I could say about this application is that they chose to call the pass phrase "Password", which might be a bit confusing.

So, if you are a bit paranoid, or you just require a very secure authentication mechanism, this works like a charm, is not too difficult to set up and provides you with a handy mobile solution!
