Back when I was setting this up on skynet, I wrote a patch for pam-opie to
only ask for the otp if the user has enabled it for themselves.
It's available at
http://www.skynet.ie/~ikelly/libpam-opie-0.22-onlyaskifuserenabled.tgz
if ye're interested in that sort of thing.
Regards
Ivan
On Mon, Aug 22, 2005 at 02:26:28AM +0100, kevin lyda wrote:
> These instructions are for Debian. If other distro users send me
> instructions I'll make a note for theirs. In addition if anyone knows
> of Opie calculators (and links to them) for other devices that would be
> nifty. Devices like Palms, Ipaqs, phones or other things would be nice.
>
> One time passwords (OTP) for SSH will cover the following things:
>
> * Why
> * How to install
> * How to configure
> * How users use it
> * How users maintain it
>
> Why
>
> I'm installing Opie to solve two specific problems:
>
> 1. Logging in from untrusted public machines.
> 2. To protect users who might not have secure passwords.
>
> How to install
>
> Server:
> Debian:
> apt-get install libpam-opie opie-server opie-client
>
> Client:
> Debian:
> apt-get install opie-client
>
> How to configure
>
> I configured Opie to first prompt for a normal password and if that
> was successful, prompt for the OTP. Once both are entered correctly
> the user is logged in. This setup avoids losing all your OTP's to ssh
> scanners and also avoids a weakness in Opie regarding non-existent or
> unconfigured accounts. Note that if ssh authenticates with ssh keys
> (with ~/.ssh/authorized_keys on the server), neither the password
> nor the OTP is required.
>
> This means that once you set this up you'll need both your password
> and your OTP. To avoid locking yourself out, do this first:
>
> root@server# opiepasswd -c root
> root@server# opiepasswd -c YOUR_LOGIN
>
> Those commands will prompt you for a passphrase. You'll use that
> passphrase plus the OTP challenge to generate the OTP. Note that
> you'll need to rerun opiepasswd at some point since just under 500
> OTP's are created.
>
> Now to enable OTP. Comment out this line in /etc/pam.d/ssh:
>
> #@include common-auth
>
> Put these lines in their place:
>
> auth required pam_unix.so nullok_secure
> auth sufficient pam_opie.so
> auth required pam_deny.so
>
> There are other ways to set up OTP. Having to enter both passwords
> is a pain so you can configure ssh to accept either a password or an
> OTP. The drawbacks are that you let attackers know what are valid
> accounts and you risk exhausting OTP's for a user. For the latter
> issue, consider using a tool to block out IP addresses with too many
> failed logins or some other way to limit connections. To configure
> OTP for this setup, do that last step like so:
>
> auth required pam_unix.so nullok_secure
> auth sufficient pam_opie.so
> auth required pam_deny.so
>
> How users use it
>
> When users are first given their accounts, they should be given
> their password and their OTP passphrase. You create this initial
> OTP passphrase by doing this (for user me):
>
> root@server# opiepasswd -c me
>
> In general this should be done on the console or a secure terminal.
> If you've connected via ssh you're not really on a secure terminal.
> Since this is the real world and the server might be in a machine
> room hundreds of miles away, the following will force opiepasswd
> to continue:
>
> root@server# opiepasswd -f -c me
>
> When logging in, users will see the following:
>
> untrusted% ssh me@server
> Password: ---> regular password <---
> otp-md5 456 se9910 ext, Response:
>
> The user will then use an opie calculator:
>
> trusted% opiekey 456 se9910
> Using the MD5 algorithm to compute response.
> Reminder: Don't use opiekey from telnet or dial-in sessions.
> Enter secret pass phrase: ---> otp passphrase <---
> ONES AWE DISH KILL WOOL LISA
>
> Those uppercase words are the user's password. Those words are the
> response being requested. The user types those in (including the
> spaces) and they will be logged in like so:
>
> untrusted% ssh me@server
> Password: ---> regular password <---
> otp-md5 456 se9910 ext, Response: ONES AWE DISH KILL WOOL LISA
> me@server%
>
> How users maintain it
>
> Users can see their current opie status with opieinfo:
>
> me@server% opieinfo
> 455 se9910
>
> The above example shows that the user has 455 OTP's left.
>
> Users can generate several OTP's to save for later (useful in case
> they won't have a trusted device handy to generate responses):
>
> me@server% opiekey -n 10 456 se9910
> Using the MD5 algorithm to compute response.
> Reminder: Don't use opiekey from telnet or dial-in sessions.
> Enter secret pass phrase: ---> otp passphrase <---
> 446: WOOD DOLE MAST AIDE DINE BOY
> 447: GEL TENT VERY BANE OWLY BIRD
> 448: WIRE EYED ELY BRED LACE WERT
> 449: SARA LYE ABET VIE RUSE BONN
> 450: THAN CRUD FAIR SAN REB NAME
> 451: MEMO BONN KNIT PUN SIS BAD
> 452: DENT JEFF RACE MIT TELL KEG
> 453: WASH POE GAM ARM VEIL BIB
> 454: RUNS FOE GURU IOTA MAID TEE
> 455: MUTT IQ LED ED NOAH RUNS
>
> Once the sequence number gets very low users must use opiepasswd to
> generate more OTP's. Generally this should be done when it reaches
> around 20 or 30. Unlike the initial opiepasswd call, this can be
> done on an insecure terminal.
>
> me@server% opiepasswd
> Updating me:
> You need the response from an OTP generator.
> Old secret pass phrase:
> otp-md5 455 se9910 ext
> Response: MUTT IQ LED ED NOAH RUNS [0]
> New secret pass phrase:
> otp-md5 499 se2340
> Response: MEN LACE ARTY NEIL ED ACT [1]
> ID bjl OTP key is 499 se2340
> MEN LACE ARTY NEIL ED ACT
>
> [0] Generated by calling opiekey 455 se9910 with your old
> OTP passphrase on a trusted device.
> [1] Generated by calling opiekey 499 se2340 with your new
> OTP passphrase on a trusted device.
>
> Credits
>
> http://www.lonsteins.com/archives/2005/01/09/set-up-otp-on-debian-in-minutes/
> http://www.unix.geek.org.uk/~arny/junk/skeyflaws.html
>
> --
> Irish Linux Users' Group
> http://www.linux.ie/mailman/listinfo/ilug/
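As an added illustration (not code from the post or from Linux-PAM) of how the `required` and `sufficient` lines in the quoted /etc/pam.d/ssh stack are evaluated: the post's both-factors stack is modelled beside an assumed either-or stack in which pam_unix.so is also marked `sufficient`, since the post repeats the first stack verbatim for that variant. Module outcomes are constructed inputs standing in for a real password or OTP check.

```python
# Control flags, modelled after Linux-PAM's documented semantics for the
# two flags the post uses (this is an added model, not PAM's own code):
#   required   : a failure is remembered but the stack keeps running, so the
#                client cannot tell which module rejected it; success continues.
#   sufficient : success ends the stack with overall success, unless an
#                earlier required module has already failed; failure is ignored.
# pam_deny.so always fails, so a trailing `required pam_deny.so` makes denial
# the outcome whenever nothing above returned success.


def run_auth_stack(stack, outcomes):
    """Evaluate an auth stack of (control, module) pairs.
    `outcomes` maps a module name to whether its check passed (constructed
    inputs standing in for a real password or OTP check).
    Returns (authenticated, modules_that_ran)."""
    failed_required = False
    ran = []
    for control, module in stack:
        ok = False if module == "pam_deny.so" else outcomes.get(module, False)
        ran.append(module)
        if control == "required":
            failed_required = failed_required or not ok
        elif control == "sufficient":
            if ok and not failed_required:
                return True, ran
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return False, ran


# The post's stack: the password is checked first and both factors must pass.
BOTH_REQUIRED = [
    ("required", "pam_unix.so"),      # nullok_secure omitted; no effect here
    ("sufficient", "pam_opie.so"),
    ("required", "pam_deny.so"),
]

# The "either a password or an OTP" variant the post mentions. The post
# repeats the first stack for it; making pam_unix.so sufficient as well is
# the assumed way to get either-or behaviour.
EITHER_ONE = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_opie.so"),
    ("required", "pam_deny.so"),
]
```

Note that in the both-factors stack a wrong password does not stop evaluation: pam_opie.so still runs, so the client sees the same OTP prompt either way.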
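To show what opiekey and the server are computing in the login and opiepasswd exchanges quoted above, here is an added model (not code from the post or from OPIE) of the RFC 2289 otp-md5 chain: the client derives the response from passphrase, seed and sequence number, while the server stores only the last accepted response and checks the next one by hashing it once more. It uses the hex response form rather than the six-word encoding, the OpieRecord constructor stands in for opiepasswd, and the passphrase and seed in the test are constructed sample values.

```python
import hashlib


def fold_md5(digest: bytes) -> bytes:
    """RFC 2289 folding for MD5: XOR the two 8-byte halves into 8 bytes."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def next_in_chain(response: bytes) -> bytes:
    """One step up the chain: the response for sequence N+1 is
    fold(MD5(response for sequence N))."""
    return fold_md5(hashlib.md5(response).digest())


def otp_md5(passphrase: str, seed: str, seq: int) -> bytes:
    """What `opiekey SEQ SEED` computes from the secret passphrase.
    The seed is case-insensitive and is lowercased before hashing."""
    s = fold_md5(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(seq):
        s = next_in_chain(s)
    return s


class OpieRecord:
    """Server-side state for one user, as opiepasswd would create it: seed,
    current sequence number and the response for that number. The passphrase
    is never stored, so this record does not reveal lower-numbered responses."""

    def __init__(self, passphrase: str, seed: str, seq: int = 499):
        self.seed, self.seq = seed, seq
        self.last = otp_md5(passphrase, seed, seq)

    def challenge(self) -> str:
        """The login prompt the user sees, e.g. 'otp-md5 456 se9910 ext'."""
        return f"otp-md5 {self.seq - 1} {self.seed} ext"

    def verify(self, response_hex: str) -> bool:
        """Accept a response only if hashing it once more yields the stored
        value, then advance so the same response cannot be replayed."""
        if self.seq < 1:  # chain exhausted: opiepasswd must be rerun
            return False
        try:
            resp = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(resp) != 8 or next_in_chain(resp) != self.last:
            return False
        self.seq -= 1
        self.last = resp
        return True
```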