One-time passwords for shell access
If you are an avid Unix shell user, you will like the Excito devices for their openness - openness in the good sense, meaning that the device offers full access to the whole power of Unix.
Actually, by using an SSH client, you may log in to your device from all over the world (sequentially, of course). This poses two challenges:
- You must use a good, strong password, impossible to guess, entirely secret.
- You must keep that password secret. Secret, that is, from prying eyes, like the stranger in your favourite Internet café. Not always is this as easy as it sounds (can you type while blindfolding your fellow man?), but there is an even greater threat: unsafe computers, deeply rotten with viruses, worms, keyloggers, and so on; and computers you deem safe, but that aren't.
One-time passwords (in short, OTP) are a means of addressing these issues. They are not perfect, but, when properly used, add an additional layer of security. As their name implies, they may be used only once. So, even if an eavesdropper watches (or logs) you entering your password, the password will not be of any use for him/her - it cannot be used a second time.
I like to combine my standard Unix password with one-time passwords. I do not consider using (and would not recommend using) one-time passwords as the only means of authentication, because many implementations are not that strong. But as an additional layer of security, even a weaker OTP will make things harder for an intruder.
There are lots of OTP solutions out there. One of the more recent developments is Google Authenticator (you might know that from Google's two-phase authentication). It is extremely easy to use with most Linux flavours like Debian (and the B3 is using Debian), but there is no ready solution for Debian Squeeze. So the easiest thing is to postpone using Google Authenticator until the next major B3 software release...
Fortunately, there is the time-honoured OPIE Authentication System that, though a bit old by still using MD5, is an excellent second layer of security, and it's extremely easy to install.
Very, very important notice: Keep an additional SSH connection to your B3, be sure that this connection will not time out, and be root in this shell. You will need this root shell in case of anything going wrong with setting up your OTP system. Remember, if your OTP system is half-configured, or set up improperly, you may not be able to log in again!
That being said, there are no external risks that can't be controlled. If you do everything properly, more bluntly put: If you don't make any mistake, setting up OPIE is easy.
- Become the root user by executing the su command.
- Install the OPIE PAM package by executing the command
    apt-get install opie-server
- Open your SSH configuration file /etc/ssh/sshd_config, e.g. using the fabulous vi editor, and find the line containing the string ChallengeResponseAuthentication. Change this entry to
    ChallengeResponseAuthentication yes
  and uncomment it by removing the leading "hash" character ("#").
- Restart your SSH daemon by issuing the command
    /etc/init.d/ssh restart
  Don't be afraid - this will not terminate your existing shell sessions.
- Open the file /etc/pam.d/sshd using your favourite editor (I take it for granted that at this stage, vi has taken that role).
- Right at the beginning of this file (or after the heading comment lines, but before any actual statements), add the entry
    auth required pam_opie.so
- Now, you will have to drop root privileges in this session by typing exit.
- Next, issue the command
    opiepasswd -c -f
  It will ask you to set a password. This password should be different from any other passwords you are using.
- Write down the output of this command and store it in a very safe place. The output looks somewhat like
    ID username OTP key is 499 co1234
    FREE TOOR RUIN JOB BRAKE
  You will need the co1234 and/or the FREE TOOR RUIN JOB BRAKE part for requesting one-time passwords.
- Next, do request one-time passwords. That's done with the command
    opiekey -n 20 499 co1234
  Here, 20 is the number of one-time passwords you would like to request (the fewer, the better - but don't request much fewer than five, that's my recommendation). co1234 is part of the output from the opiepasswd command above. The number 499 is the sequence number the password list should end with. You may leave this at 499 for the first run.
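Because a half-configured setup can lock you out, the two file edits above can be checked from the spare root shell before it is closed. The following is an added example, not part of the original page: the function names are hypothetical, the sample file contents are constructed, and it only looks at the global part of sshd_config (it stops at the first Match line).

```python
def first_value(config_text, keyword):
    """First uncommented value of keyword; sshd uses the first value it reads."""
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0].lower() == "match":
            break  # lines after Match are conditional, not global
        if len(fields) >= 2 and fields[0].lower() == keyword.lower():
            return fields[1].lower()
    return None


def audit(sshd_config, pam_sshd):
    """Return a list of problems with the two edits described above."""
    problems = []
    if first_value(sshd_config, "ChallengeResponseAuthentication") != "yes":
        problems.append("sshd_config: ChallengeResponseAuthentication is not 'yes'")
    # Keep only real PAM statements: no blank lines, no comment lines.
    stmts = [l.split() for l in pam_sshd.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    opie = [i for i, s in enumerate(stmts) if s[0] == "auth" and "pam_opie.so" in s]
    if not opie:
        problems.append("pam.d/sshd: no auth entry for pam_opie.so")
    elif opie[0] != 0:
        problems.append("pam.d/sshd: pam_opie.so is not the first statement")
    elif stmts[0][1] != "required":
        problems.append("pam.d/sshd: pam_opie.so is not marked required")
    return problems


# Constructed sample contents, not copied from a real B3.
SSHD_BEFORE = "Port 22\n#ChallengeResponseAuthentication no\nUsePAM yes\n"
SSHD_AFTER = "Port 22\nChallengeResponseAuthentication yes\nUsePAM yes\n"
PAM_MISPLACED = ("# PAM configuration for sshd\n"
                 "@include common-auth\nauth required pam_opie.so\n")
PAM_AFTER = ("# PAM configuration for sshd\n"
             "auth required pam_opie.so\n@include common-auth\n")

if __name__ == "__main__":
    print("half-configured:", audit(SSHD_BEFORE, PAM_MISPLACED))
    print("as described   :", audit(SSHD_AFTER, PAM_AFTER))
```

On the device itself, pass the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd to audit() and only close the spare root shell once a fresh test login has also worked.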
Now, when logging in to your B3, you will be presented with a very cool prompt like
    otp-md5 477 co1234 ext, Response:
This means that you have to take your list of one-time passwords, find the password whose sequence number is 477, and enter it.
Next, your B3 will ask for your usual password. This step is less cool, but still mandatory.
If both credentials you entered are correct, your B3 will let you in. If either is wrong, you have to start the login process all over.
Do not forget to request a new list of one-time passwords before your list is exhausted. If you don't want to re-initialize OPIE for your account, you have to provide an appropriate sequence number. So, if your last key list consisted of the keys 461 to 499, your next key list should start with 460, because that's the key OPIE will ask you for when 461 has been consumed.
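Why a logged one-time password is useless afterwards, and why the sequence numbers count down, can be seen in a small model of the hash chain. This is an added example, not code from the original page or from OPIE: it follows the MD5 variant of the RFC 2289 one-time password scheme that the otp-md5 prompt refers to, works on the raw 64-bit values instead of the six-word form, and uses a constructed passphrase and a hypothetical Verifier class.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """MD5, then XOR the two 8-byte halves into one 64-bit value (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """Password number seq: the initial step, then seq further hash steps."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(seq):
        value = fold_md5(value)
    return value


class Verifier:
    """Server side: keeps the last accepted password and its number only."""

    def __init__(self, seed: str, seq: int, stored: bytes):
        self.seed, self.seq, self.stored = seed, seq, stored

    def challenge(self) -> str:
        return f"otp-md5 {self.seq - 1} {self.seed} ext"

    def verify(self, response: bytes) -> bool:
        # Hashing password N-1 once must reproduce the stored password N.
        if not hmac.compare_digest(fold_md5(response), self.stored):
            return False
        self.stored, self.seq = response, self.seq - 1
        return True


def demo():
    passphrase = "constructed passphrase"  # constructed sample, not a real secret
    server = Verifier("co1234", 478, otp(passphrase, "co1234", 478))
    prompt = server.challenge()                # asks for password 477
    response = otp(passphrase, "co1234", 477)  # what the printed list contains
    accepted = server.verify(response)         # first use succeeds
    replayed = server.verify(response)         # an eavesdropper's replay fails
    return prompt, accepted, replayed, server.challenge()


if __name__ == "__main__":
    print(demo())
```

Someone who captured password 477 can hash forward to 478, 479 and so on, which are already spent, but would have to invert the hash to obtain 476, the one the server asks for next.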