One-time passwords for shell access

From BubbaWiki
Jump to navigation Jump to search

If you are an avid Unix shell user, you will like the Excito devices for their openness - openness in the good sense, meaning that the device offers full access to the whole power of Unix.

Actually, by using an SSH client, you may login to your device from all over the world (sequentially, of course). This poses two challenges:

  1. You must use a good, strong password, impossible to guess, entirely secret.
  2. You must keep that password secret. Secret, that is, from prying eyes, like the stranger in your favourite Internet café. Not always is this as easy as it sounds (can you type while blindfolding your fellow man?), but there is even a greater threat: unsafe computers, deeply rotten with viruses, worms, keyloggers, and so on; and computers you deem safe, but that aren't.

passwords (in short, OTP) are a means of addressing these issues. They are not perfect, but, when properly used, add an additional layer of security. As their name implies, they may be used only once. So, even if an eavesdropper watches (or logs) you entering your password, the password will not be of any use for him - it cannot be used for a second time.

I like to combine my standard Unix password with one-time passwords.

There are lots of OTP solutions out there. One of the more recent developments is Google Authenticator (you might know that from Google's two-phase authentication). It is extremely easy to use with most Linux flavours like Debian (and the B3 is using Debian), but there is no ready solution for Debian Squeeze. So the easiest thing is to postpone using Google Authenticator until the next major B3 software release...

Fortunately, there is the time-honoured Authentication System that, though a bit old by still using MD5, is an excellent second layer of security, and it's extremely easy to install.

Very, very important notice: Keep an additional SSH connection to your B3, be sure that this connection will not time out, and be root in this shell. You will need this root shell in case of anything going wrong with setting up your OTP system. Remember, if your OTP system is half-configured, or set up improperly, you may not be able to login again!

That being said, there are no external risks that can't be controlled. If you do everyting properly, more bluntly put: If you don't make any mistake, setting up OPIE is easy.

  1. Become the root user by executing the su command.
  2. Install the OPIE PAM package by executing the command apt-get install opie-server
  3. Open your SSH configuration file /etc/ssh/sshd_config, e.g. using the fabulous vi editor, and find the line containing the string ChallengeResponseAuthentication. Change this entry to ChallengeResponseAuthentication yes, and uncomment it by removing the leading "hash" character ("#").
  4. Restart your SSH daemon by issuing the command /etc/init.d/ssh restart. Don't be afraid - this will not terminate your existing shell sessions.
  5. Open the file /etc/pam.d/sshd using your favourite editor (I take it for granted that at this stage, vi has taken that role.)
  6. Right at the beginning of this file (or after the heading comment lines, but before any actual statements), add the entry auth required pam_opie.so
  7. Now, you will have to drop root privileges in this session by typing exit.
  8. Next, issue the command opiepasswd -c -f. It will ask you to set a password. This password should be different from any other passwords you are using.
  9. Write down the output of this command and store it in a very safe place. (The output looks somewhat like ID username OTP key is 499 co1234 and FREE TOOR RUIN JOB BRAKE). You will need the co1234 and/or the FREE TOOR RUIN JOB BRAKE part for requesting one-time passwords.
  10. Next, do request one-time passwords. That's done with the command opiekey -n 20 499 co1234 Here, 20 is the number of one-time passwords you would like to request (the less, the better - but don't request much less than five, that's my recommendation). co1234 is part of the output from the opiepasswd command above. The number 499 is the sequence number the password list shoud end with. You may leave this at 499, though some prefer to alter it for each run.