These instructions are for Debian. If users of other distros send me
instructions I'll make a note of theirs. Also, if anyone knows of
Opie calculators (and links to them) for other devices, that would be
nifty: Palms, iPAQs, phones or anything else.
This page on one-time passwords (OTP) for SSH covers the following:
* Why
* How to install
* How to configure
* How users use it
* How users maintain it
Why
I'm installing Opie to solve two specific problems:
1. Logging in from untrusted public machines.
2. To protect users who might not have secure passwords.
How to install
Server:
Debian:
apt-get install libpam-opie opie-server opie-client
Client:
Debian:
apt-get install opie-client
How to configure
I configured Opie to prompt for the normal password and then for the
OTP, and to log the user in only when both are entered correctly.
With the password module marked required, PAM still asks for the OTP
after a wrong password, so a failed password isn't signalled to the
client before the OTP is entered. This setup avoids losing all your
OTPs to ssh scanners and also avoids a weakness in Opie regarding
non-existent or unconfigured accounts (see the skeyflaws link in the
credits). The challenge reaches the client through PAM's conversation,
so sshd_config needs UsePAM yes and ChallengeResponseAuthentication yes
(called KbdInteractiveAuthentication in newer OpenSSH); with Debian's
default of ChallengeResponseAuthentication no, sshd never shows the OTP
prompt. Note also that if ssh authenticates with ssh keys (with
~/.ssh/authorized_keys on the server), neither the password nor the
OTP is required.
This means that once you set this up you'll need both your password
and your OTP. To avoid locking yourself out, do this first:
root@server# opiepasswd -c root
root@server# opiepasswd -c YOUR_LOGIN
Those commands will prompt you for a passphrase. You'll use that
passphrase plus the OTP challenge to generate each OTP. Note that
you'll need to rerun opiepasswd at some point, since the sequence
starts at 499 and counts down by one per login.
Now to enable OTP. Comment out this line in /etc/pam.d/ssh:
#@include common-auth
Put these lines in their place:
auth required pam_unix.so nullok_secure
auth sufficient pam_opie.so
auth required pam_deny.so
There are other ways to set up OTP. Having to enter both passwords is
a pain, so you can instead configure ssh to accept either a password
or an OTP. The drawbacks are that you let attackers find out which
accounts are valid, and you risk an attacker exhausting a user's OTPs.
For the latter issue, consider using a tool to block IP addresses with
too many failed logins or some other way to limit connections. To
configure OTP for this setup, make pam_unix sufficient rather than
required in that last step, so a correct password alone succeeds and
the OTP is only asked for when the password fails:
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_opie.so
auth required pam_deny.so
How users use it
When users are first given their accounts, they should be given
their password and their OTP passphrase. You create this initial
OTP passphrase by doing this (for user me):
root@server# opiepasswd -c me
In general this should be done on the console or a secure terminal:
with -c the passphrase itself is typed on the server, so anyone who
can watch that session gets it. If you've connected via ssh you're
not really on a secure terminal, and opiepasswd refuses to continue.
Since this is the real world and the server might be in a machine
room hundreds of miles away, the following will force opiepasswd
to continue:
root@server# opiepasswd -f -c me
When logging in, users will see the following:
untrusted% ssh me@server
Password: ---> regular password <---
otp-md5 456 se9910 ext, Response:
The challenge names the hash (otp-md5), the sequence number (456)
and the seed (se9910). The user feeds those two values to an Opie
calculator on a trusted device:
trusted% opiekey 456 se9910
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: ---> otp passphrase <---
ONES AWE DISH KILL WOOL LISA
Those uppercase words are the one-time password, the response the
server is asking for. The user types them in (including the spaces)
and is logged in like so:
untrusted% ssh me@server
Password: ---> regular password <---
otp-md5 456 se9910 ext, Response: ONES AWE DISH KILL WOOL LISA
me@server%
How users maintain it
Users can see their current Opie status with opieinfo:
me@server% opieinfo
455 se9910
The above shows the next challenge, sequence number 455 with seed
se9910, which means the user has 455 OTPs left.
Users can generate several OTPs in advance to save for later (useful
when they won't have a trusted device handy to generate responses).
The sequence number to give opiekey is the one opieinfo shows; with
-n it prints that many responses counting down from it:
me@server% opiekey -n 10 455 se9910
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: ---> otp passphrase <---
446: WOOD DOLE MAST AIDE DINE BOY
447: GEL TENT VERY BANE OWLY BIRD
448: WIRE EYED ELY BRED LACE WERT
449: SARA LYE ABET VIE RUSE BONN
450: THAN CRUD FAIR SAN REB NAME
451: MEMO BONN KNIT PUN SIS BAD
452: DENT JEFF RACE MIT TELL KEG
453: WASH POE GAM ARM VEIL BIB
454: RUNS FOE GURU IOTA MAID TEE
455: MUTT IQ LED ED NOAH RUNS
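To make concrete what opiekey computes from a challenge, and what the server checks it against, here is an added example of the RFC 2289 otp-md5 scheme that Opie implements. This is illustrative code written for this page, not OPIE's own source. It prints responses in the hexadecimal form (what opiekey -x prints; the six words are the same 64 bits encoded with the 2048-word RFC 2289 dictionary, which is not reproduced here) and it models the server side: the server stores only the seed, the sequence number and the last accepted response, never the passphrase, and checks a login by hashing the submitted response once. That is why a batch printed with -n, like the one above, is safe to carry around: each response works exactly once and reveals neither the passphrase nor the responses still to come. The passphrase and seed in the self-check are the RFC 2289 test vector, not the ones on this page; the OtpRecord class and the enroll() helper are this example's own names.

```python
"""RFC 2289 otp-md5 (what opiekey computes) and the server-side check.

Added example for this page; illustrative code, not OPIE's own source.
Responses are shown in hex (the form `opiekey -x` prints) rather than as
six words, because the six-word form needs the RFC 2289 word dictionary.
"""
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One step of the chain: MD5 the input and fold the 16-byte digest to
    8 bytes by XORing its two halves (RFC 2289, section 5)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, seq: int) -> bytes:
    """Response for sequence number `seq`.

    The seed is lower-cased and concatenated with the passphrase, hashed and
    folded once, then hashed and folded `seq` more times.  Going from the
    response at seq to the one at seq+1 is one hash; going back is a
    preimage search, which is why a used response is worthless to an
    eavesdropper.
    """
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    key = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(seq):
        key = fold_md5(key)
    return key


def otp_hex(passphrase: str, seed: str, seq: int) -> str:
    """Hex form of the response: 16 lowercase hex digits."""
    return otp_md5(passphrase, seed, seq).hex()


def otp_batch(passphrase: str, seed: str, seq: int, count: int) -> dict:
    """Like `opiekey -n count seq seed`: responses for seq-count+1 .. seq."""
    return {n: otp_hex(passphrase, seed, n)
            for n in range(seq - count + 1, seq + 1)}


class OtpRecord:
    """What the server keeps for one user (the equivalent of an /etc/opiekeys
    entry): the seed, the sequence number of the last accepted response, and
    that response.  The passphrase is never stored.  Hypothetical class name."""

    def __init__(self, seed: str, seq: int, last_response: bytes):
        self.seed = seed
        self.seq = seq
        self.last = last_response

    def challenge(self) -> str:
        """The prompt sshd shows: it asks for the response one step below."""
        return f"otp-md5 {self.seq - 1} {self.seed} ext"

    def verify(self, response_hex: str) -> bool:
        """Accept a response for seq-1 iff hashing it once gives the stored
        response.  On success the record moves down one step, so the same
        response is rejected if it is replayed."""
        if self.seq < 1:
            return False  # sequence exhausted: the user must rerun opiepasswd
        try:
            resp = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(resp) != 8 or fold_md5(resp) != self.last:
            return False
        self.seq -= 1
        self.last = resp
        return True


def enroll(passphrase: str, seed: str, seq: int = 499) -> OtpRecord:
    """What opiepasswd does: the trusted device computes the response at
    `seq` from the passphrase, and the server stores only that.  Hypothetical
    helper name."""
    return OtpRecord(seed, seq, otp_md5(passphrase, seed, seq))


if __name__ == "__main__":
    # Constructed input: the passphrase and seed of the RFC 2289 test vector.
    rec = enroll("This is a test.", "TeSt", 99)
    print(otp_hex("This is a test.", "TeSt", 0))               # 9e876134d90499dd
    print(rec.challenge())                                      # otp-md5 98 TeSt ext
    print(rec.verify(otp_hex("This is a test.", "TeSt", 98)))  # True
    print(rec.verify(otp_hex("This is a test.", "TeSt", 98)))  # False (replay)
```

The verify() step is the whole security argument of the scheme: the server can check a response without being able to produce the next one, and an attacker who captures a response on the untrusted machine gets a value the server will never accept again.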
Once the sequence number gets very low, users must use opiepasswd to
start a new sequence. Generally this should be done when it reaches
around 20 or 30. Unlike the initial opiepasswd call, this can be done
on an insecure terminal, because only responses are typed in; the old
and new passphrases never leave the trusted device:
me@server% opiepasswd
Updating me:
You need the response from an OTP generator.
Old secret pass phrase:
otp-md5 455 se9910 ext
Response: MUTT IQ LED ED NOAH RUNS [0]
New secret pass phrase:
otp-md5 499 se2340
Response: MEN LACE ARTY NEIL ED ACT [1]
ID me OTP key is 499 se2340
MEN LACE ARTY NEIL ED ACT
[0] Generated by running opiekey 455 se9910 with the old OTP
passphrase on a trusted device.
[1] Generated by running opiekey 499 se2340 with the new OTP
passphrase on a trusted device.
Credits
http://www.lonsteins.com/archives/2005/01/09/set-up-otp-on-debian-in-minutes/
http://www.unix.geek.org.uk/~arny/junk/skeyflaws.html