One time passwords
From MEPIS Documentation Wiki
Warning! The info in this article is categorized as "hack" because it might be dangerous for novice users to try. Use this info at your own risk.
How to Use One Time Password Authentication for SSH
One-time passwords add an extra layer on top of your normal account password: each password on the printed list can be used for a single login only.
This How-To presumes:
- You are comfortable with the command line
- openssh-server is installed and working at present (e.g. you can log in with your normal password)
- You can install a package (and know what you are doing)
- You have an intermediate understanding of Linux (not strictly necessary, but it helps)
1. As root: temporarily add the Lenny (testing) repo (deb ftp://ftp.debian.org/debian/ testing main) to /etc/apt/sources.list. Be careful here of the packages it wants to REMOVE! I was lucky and it only wanted to remove 'linux-kernel-headers' for me; if it wants to REMOVE lots of packages you should abort this how-to, sorry.
2. Run apt-get update
3. Install the One Time Password binaries and PAM module:
apt-get install otpw-bin libpam-otpw
4. Comment out the Lenny (testing) repo line added in step 1.
5. su to root
6. Edit the SSH PAM file (/etc/pam.d/ssh on Debian) to include our new authentication method.
Add the following lines below the line "auth required pam_env.so envfile=/etc/default/locale":
#OTPW Auth Method
auth required pam_otpw.so
session optional pam_otpw.so
7. Configure sshd to use PAM modules
In /etc/ssh/sshd_config, check for the UsePAM line and make sure it reads:
UsePAM yes
8. Restart ssh (/etc/init.d/ssh restart)
9. exit root shell
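Steps 6 and 7 are the two edits that are easy to get subtly wrong (a duplicated "UsePAM no" further down, the OTPW lines pasted in the wrong place). The following is an added example, not code from the original article or from the otpw project: it applies both edits to file contents idempotently, verifies the result, and only touches the real files when run as root with --apply. It assumes a Debian-style /etc/pam.d/ssh that contains the pam_env line quoted above; the sample contents used for the dry run are constructed.

```python
import os
import re
import shutil
import sys

# Anchor line quoted in step 6 and the three lines to add beneath it.
PAM_ENV_LINE = "auth required pam_env.so envfile=/etc/default/locale"
OTPW_BLOCK = [
    "#OTPW Auth Method",
    "auth required pam_otpw.so",
    "session optional pam_otpw.so",
]
# Matches an active or commented-out UsePAM directive (sshd keywords are case-insensitive).
USEPAM_RE = re.compile(r"^\s*#?\s*UsePAM\b.*$", re.IGNORECASE)


def add_otpw_to_pam(text: str) -> str:
    """Insert the OTPW lines directly below the pam_env line (step 6).
    Idempotent: if an active pam_otpw.so line already exists the text is returned untouched.
    Refuses to guess a position when the anchor line is missing, because PAM order matters."""
    lines = text.splitlines()
    if any("pam_otpw.so" in line and not line.lstrip().startswith("#") for line in lines):
        return text
    for i, line in enumerate(lines):
        if line.split() == PAM_ENV_LINE.split():   # tolerate tabs / extra spaces
            lines[i + 1:i + 1] = OTPW_BLOCK
            return "\n".join(lines) + "\n"
    raise ValueError("pam_env anchor line not found; edit the PAM file by hand")


def set_usepam_yes(text: str) -> str:
    """Make sshd_config carry exactly one active 'UsePAM yes' (step 7).
    sshd honours the first occurrence of a keyword, so the first UsePAM line (active or
    commented out) is rewritten and any later ones are dropped to avoid a misleading 'no'."""
    out, done = [], False
    for line in text.splitlines():
        if USEPAM_RE.match(line):
            if not done:
                out.append("UsePAM yes")
                done = True
            continue
        out.append(line)
    if not done:
        out.append("UsePAM yes")
    return "\n".join(out) + "\n"


def verify(pam_text: str, sshd_text: str) -> dict:
    """Report whether both files now carry what steps 6 and 7 require."""
    pam = [line.split() for line in pam_text.splitlines()]
    usepam = None
    for line in sshd_text.splitlines():
        fields = line.strip().split()
        if fields and fields[0].lower() == "usepam":
            usepam = fields[1].lower() if len(fields) > 1 else None
            break   # first occurrence wins, as in sshd
    return {
        "pam_auth": ["auth", "required", "pam_otpw.so"] in pam,
        "pam_session": ["session", "optional", "pam_otpw.so"] in pam,
        "usepam_yes": usepam == "yes",
    }


def rewrite_file(path: str, transform) -> None:
    """Apply a text transform to a file, keeping a .bak copy and renaming atomically."""
    with open(path) as fh:
        original = fh.read()
    updated = transform(original)
    if updated == original:
        return
    shutil.copy2(path, path + ".bak")
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(updated)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Constructed sample contents for the dry run; --apply edits the real files (run as root).
    sample_pam = "auth required pam_env.so envfile=/etc/default/locale\n@include common-auth\n"
    sample_sshd = "Port 22\n#UsePAM no\nUsePAM no\n"
    if "--apply" in sys.argv:
        rewrite_file("/etc/pam.d/ssh", add_otpw_to_pam)
        rewrite_file("/etc/ssh/sshd_config", set_usepam_yes)
        with open("/etc/pam.d/ssh") as p, open("/etc/ssh/sshd_config") as s:
            print(verify(p.read(), s.read()))
    else:
        print(verify(add_otpw_to_pam(sample_pam), set_usepam_yes(sample_sshd)))
```

Keep a second SSH session open while you restart sshd in step 8, so a mistake in either file does not lock you out; the .bak copies let you roll back.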
10. Switch to your regular user account and generate some one-time passwords with otpw-gen
Choose/type a prefix password (For this example we choose 1234)
Retype your prefix password
11. Copy the output to a safe place and print it out
No instructions given: copy and paste to a file, then print, etc.
12. Test that it all works
We get a prompt asking for a numbered password (note: the number will differ)
Don't forget to type in your prefix password at the start!!
My 227 password is: yKVn nO%i
So the complete password I would type is: 1234yKVnnO%i
I then get prompted for my regular *nix account password also (which I won't disclose :-P) and then we have a session!!
Welcome home cAm
Additional notes: If you get prompted with something like: Password 031/027/225:
you have to type in the prefix password plus the 3 additional OTPs, e.g. 1234GNWX=WuwGPc%6CapP9sUZoe:+
This is because you have a 'lock' file in your home directory called '.otpw.lock'. This can happen if you try to connect at the same time as another connection or if you hit Ctrl-C during an SSH login attempt.
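The mapping from the prompt to what you actually type (step 12 and the lock-file case above) is the part people trip over: spaces on the printed sheet are only for readability, each numbered password is used once, and a prompt with three numbers wants all three OTPs after the single prefix. The following is an added example, not code from the article or from the otpw project, that models the client side of that. The sheet format and every entry except 227 (taken from the article) are constructed; otpw-gen's real printout is laid out differently, so adapt from_text before feeding it real output.

```python
import re
from dataclasses import dataclass, field

# "Password 227:" or, while ~/.otpw.lock exists, "Password 031/027/225:"
PROMPT_RE = re.compile(r"Password\s+(\d+(?:/\d+)*):")

# Constructed sample sheet: index and one-time password per line. Entry 227 is the value
# quoted in the article; the other three are made up for this example.
SAMPLE_SHEET = """\
027 Ab3d Ef%g
031 Hj7k Lm9n
225 Pq2r St4u
227 yKVn nO%i
"""


def parse_prompt(prompt: str) -> list:
    """Return the password indices the server is asking for, in the order shown."""
    m = PROMPT_RE.search(prompt)
    if not m:
        raise ValueError("not an OTPW prompt: %r" % prompt)
    return [int(x) for x in m.group(1).split("/")]


@dataclass
class PasswordSheet:
    """The printed list, with single-use bookkeeping so a reused index is caught locally."""
    entries: dict = field(default_factory=dict)
    used: set = field(default_factory=set)

    @classmethod
    def from_text(cls, text: str) -> "PasswordSheet":
        sheet = cls()
        for line in text.splitlines():
            if not line.strip():
                continue
            idx, otp = line.split(maxsplit=1)
            sheet.entries[int(idx)] = otp.strip()
        return sheet

    def take(self, idx: int) -> str:
        """Hand out an OTP exactly once; the server will also refuse a reused one."""
        if idx not in self.entries or idx in self.used:
            raise KeyError("password %03d already used or not on this sheet" % idx)
        self.used.add(idx)
        return self.entries[idx]

    def remaining(self) -> list:
        return sorted(i for i in self.entries if i not in self.used)


def assemble_response(prompt: str, prefix: str, sheet: PasswordSheet) -> str:
    """Build the string to type: prefix, then each requested OTP with its spaces removed."""
    parts = [prefix]
    for idx in parse_prompt(prompt):
        parts.append(sheet.take(idx).replace(" ", ""))
    return "".join(parts)


if __name__ == "__main__":
    sheet = PasswordSheet.from_text(SAMPLE_SHEET)
    print(assemble_response("Password 227:", "1234", sheet))           # single-OTP prompt
    print(assemble_response("Password 031/027/225:", "1234", sheet))   # lock-file prompt
    print("unused entries left:", sheet.remaining())
```

Strike used entries off the paper copy as you go; the sheet object above only tracks what this process handed out, and the server's own record in your home directory is what actually decides.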
Please read the author's web page for more helpful info.
Original author: cAm34 from the MepisLovers Forum