One time passwords

From MEPIS Documentation Wiki


Warning! The info in this article is categorized as "hack" because it might be dangerous for novice users to try. Use this info at your own risk.

Introduction

How to Use One Time Password Authentication for SSH

One Time Passwords add an extra layer of security on top of your normal account password: each password in the generated list is accepted for a single login only.

This How-To presumes:

  • You are comfortable with the command line
  • openssh-server is installed and working at present (e.g. you can log in the traditional way)
  • You can install a package (and know what you are doing)
  • You have an intermediate understanding of Linux (not strictly necessary, but it helps)

Instructions

1. As root: temporarily add the Lenny (testing) repo (deb ftp://ftp.debian.org/debian/ testing main) to /etc/apt/sources.list. Be careful here of the packages it wants to REMOVE! I was lucky and it only wanted to remove 'linux-kernel-headers' for me. If it wants to REMOVE lots of packages, you should abort this how-to, sorry.

2. Update the package lists
apt-get update

3. Install the One Time Password binaries and the PAM module
apt-get install otpw-bin libpam-otpw

4. Comment out the Lenny (testing) repo added in step 1.

5. su to root

6. Edit the SSH PAM configuration file to include the new authentication method
nano /etc/pam.d/ssh

Add the following lines directly below the line "auth required pam_env.so envfile=/etc/default/locale":
#OTPW Auth Method
auth required pam_otpw.so
session optional pam_otpw.so

7. Configure sshd to use PAM
nano /etc/ssh/sshd_config
Check for the UsePAM line and make sure it reads:
UsePAM yes

8. Restart ssh
/etc/init.d/ssh restart

9. Exit the root shell

10. Change to your regular user account and generate some One Time Passwords
otpw-gen
Choose and type a prefix password (for this example we choose 1234)
Retype your prefix password

11. Copy the output to a safe place and print it out
No instructions given: copy and paste it into a file, then print it, etc.

12. Test that it all works
ssh 127.0.0.1

We get the prompt (note: the number will differ):
Password 227:

Don't forget to type in your prefix password at the start!! My 227 password is: yKVn nO%i
So the complete password I would type is: 1234yKVnnO%i

I then get prompted for my regular *nix account password as well (which I won't disclose :-P) and then we have a session!!


Welcome home cAm
No mail.
cam@xx:~$

Additional notes: If you get prompted with something like: Password 031/027/225:
You have to type in the prefix password plus the 3 additional OTPs, e.g. 1234GNWX=WuwGPc%6CapP9sUZoe:+
This is because there is a lock file in your home directory called '.otpw.lock'. This can happen if you try to connect at the same time as another connection, or if you hit Ctrl-C during an ssh login attempt.
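As an added example (not from the original wiki page or the otpw project), here is a POSIX sh script that performs steps 6 and 7 idempotently and checks the result. It assumes awk and grep -E are available; the file paths are parameters so it can be tried on copies of the two files before touching /etc as root.

```shell
#!/bin/sh
# Added example, not from the original wiki page: applies steps 6 and 7 of the
# how-to to a PAM file and an sshd_config idempotently, then verifies them.
# Real use, as root, for steps 6 to 8:
#   enable_otpw_pam /etc/pam.d/ssh && ensure_usepam /etc/ssh/sshd_config \
#     && /etc/init.d/ssh restart

# Insert the OTPW lines directly below the pam_env line, once.
# Returns 1 and leaves the file untouched if the pam_env anchor line is missing.
enable_otpw_pam() {
    pam_file="$1"
    if grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_otpw\.so' "$pam_file"; then
        return 0    # already configured, nothing to do
    fi
    tmp="$pam_file.tmp.$$"
    awk '
        { print }
        /^auth[ \t]+required[ \t]+pam_env\.so/ && !inserted {
            print "#OTPW Auth Method"
            print "auth required pam_otpw.so"
            print "session optional pam_otpw.so"
            inserted = 1
        }
        END { if (!inserted) exit 2 }
    ' "$pam_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$pam_file"
}

# Make sure sshd_config has an active "UsePAM yes": rewrite an existing
# UsePAM line (even a commented-out one) or append the setting if absent.
ensure_usepam() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*UsePAM[[:space:]]+yes' "$cfg"; then
        return 0
    fi
    tmp="$cfg.tmp.$$"
    awk '
        /^[ \t]*#?[ \t]*UsePAM[ \t]/ { if (!seen) print "UsePAM yes"; seen = 1; next }
        { print }
        END { if (!seen) print "UsePAM yes" }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Check: both pam_otpw lines present and UsePAM enabled (exit status 0 = ok).
otpw_configured() {
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_otpw\.so' "$1" &&
    grep -Eq '^session[[:space:]]+optional[[:space:]]+pam_otpw\.so' "$1" &&
    grep -Eq '^[[:space:]]*UsePAM[[:space:]]+yes' "$2"
}
```

Note that mv replaces the file with the temporary copy, so check ownership and mode afterwards if your system uses anything other than the default for these files.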

Please read the author's web page for more helpful info.

Original author: cAm34 from the MepisLovers Forum
