Organizing SSH access with one-time passwords

    In any serious company it sometimes becomes necessary for an employee who has gone on vacation to urgently perform his duties. Consider a situation where a company needs a specific employee, for example a system administrator, who at the moment is lying on a beach a thousand kilometres from the stuffy office. Suppose even that this employee agrees to do the work that has suddenly landed on his head, and that the resort has an Internet cafe. But here is the problem: the cafe is located in a dark lane, its computers run a popular OS complete with trojans, keyloggers and other hacktools, so typing the root password of the company's main server on such machines is quite unreasonable.

    There are several solutions to this problem. For example, you can use one-time passwords, namely the s/key system, which uses the md4 and md5 algorithms to generate passwords. This system is described below.

    S/key works on a client-server principle as follows: the user sets a secret key, which is then hashed several hundred times (for example, 500). On the server side (the computer the user connects to) the last (500th) hash of the secret phrase is stored. For authorization, the user will need to enter the previous (499th) hash of the secret key, which is generated by the client application. The server hashes the value entered by the user and, if it matches the previously stored data, authorizes the user and remembers the just-entered (499th) hash, so that next time the hash preceding the current one (the 498th) will be asked for.

    Read more about s/key on Wikipedia and in RFC 1760.

    Let's move on to practice. We will use PAM (a set of APIs for user authentication) and OPIE (a PAM module for working with one-time passwords). It is assumed that SSH is already installed.

    Install OPIE:
    $ apt-get install opie-client opie-server

    Then you need to edit the configuration files:

    In the file /etc/pam.d/sshd you need to comment out the line "@include common-auth":
    #@include common-auth
    and add the following after it:
    auth sufficient pam_unix.so
    auth sufficient pam_opie.so
    auth required pam_deny.so
    The first line leaves the possibility of authorization with the account password. If this is not required, it can be removed. You can read more about PAM configuration here and here.

    Next, edit /etc/ssh/sshd_config: in the line "ChallengeResponseAuthentication no" change no to yes. Now restart SSH:
    $ service ssh restart

    OPIE data is stored in the /etc/opiekeys file, which has the following format:
    Field     Description
    name      User login.
    sequence  The hash sequence number.
    seed      The seed, an unclassified (non-secret) random sequence.
    key       Last used hash.
    date      The date of the last change.
    time      The time of the last change.

    This file is initially empty. To set the initial data (generating that same 500th hash), you need to run the opiepasswd command:
    $ opiepasswd
    Adding username:
    You need the response from an OTP generator.
    New secret pass phrase:
    otp-md5 499 no8327
    Response:

    To get the requested response (Response), open a second console and run the otp-md5 499 no8327 command:
    $ otp-md5 499 no8327
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase:

    We make up a secret pass phrase and enter it. In response, we see something like WATS NIP DUD BRAD LIME DRUM.

    Pleasant moment: sometimes one-time passwords consist of short English words, which are quite easy to remember. We return to the previous console, to the opiepasswd application, and enter the sequence given to us (WATS NIP DUD BRAD LIME DRUM), in capital letters and with spaces. According to experts, it can also be entered in lowercase letters, but the author did not check this.

    $ opiepasswd
    Adding username:
    You need the response from an OTP generator.
    New secret pass phrase: *********
    otp-md5 499 no8327
    Response: WATS NIP DUD BRAD LIME DRUM

    ID username OTP key is 499 no8327
    WATS NIP DUD BRAD LIME DRUM
    $

    If you now open the file /etc/opiekeys, you will see a line similar to
    username 0499 no8327 f825803faf1afaee Jul 10,2010 20:12:12

    Going on vacation, you can take with you a list of pre-generated one-time passwords. You can get this list by running opiekey -n 100 499 no8327. We will be asked for the secret phrase, and in return we will get a list of 100 (the number is specified with the -n 100 key) one-time passwords of the form
    480: SLUR ROVE TONE ADAM MUST IRK
    481: FULL NAY LYLE BROW MARY COD
    482: WERE LOB DOME LIT GIN CHAD
    ...

    The password sheet can be hidden deep in a suitcase or copied to the phone as a plain text file. At the end of this article we will consider a more convenient and secure way to obtain and store one-time passwords.

    Let's return to our SSH access:
    $ ssh username@host
    Password:

    To authorize using a one-time password, at the prompt for the account password enter the password "opiepasswd", after which we will be asked for a one-time password:
    $ ssh username@host
    Password: opiepasswd
    otp-md5 498 no8327 ext, Response:

    As the response, enter the sequence that can be obtained by running
    $ otp-md5 498 no8327
    or
    $ opiekey 498 no8327

    In fact, you can generate the answer on any computer using any s/key generator instead of otp-md5 or opiekey.

    If everything is done correctly, we get ssh access.
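    As an added example (not from the article or the OPIE project), here is the hash chain described above together with the check the server makes against an /etc/opiekeys record, in Python: the client computes the 499th and 498th hashes the way otp-md5 does, in hexadecimal rather than six-word form, and the server accepts a response only if hashing it once reproduces the stored key, then advances the record. The seed no8327 and the record layout come from the article; the pass phrase and the sample record are constructed for the example.

```python
import hashlib

# Added example, not code from the article or from OPIE: RFC 2289 OTP-MD5 hash
# chain (client side) and the verify-and-advance step a server performs on an
# /etc/opiekeys record. Hex form only; the six-word form needs the RFC dictionary.

def fold(digest: bytes) -> bytes:
    """Fold a 128-bit MD5 digest to 64 bits by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5(seed: str, passphrase: str, sequence: int) -> bytes:
    """Return the 'sequence'-th one-time password (8 bytes) for seed + pass phrase.

    Step 0 hashes the lower-cased seed concatenated with the pass phrase; every
    further step hashes the previous 8-byte result, so password N-1 is one hash
    'before' password N and cannot be derived from N.
    """
    x = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(sequence):
        x = fold(hashlib.md5(x).digest())
    return x

def parse_opiekeys(line: str) -> dict:
    """Parse one /etc/opiekeys record: name sequence seed key date time."""
    name, sequence, seed, key, *_ = line.split()
    return {"name": name, "sequence": int(sequence), "seed": seed, "key": bytes.fromhex(key)}

def verify_and_advance(record: dict, response: str) -> bool:
    """Server side of a login: accept the response only if hashing it once yields
    the stored key, then store the response as the new key and decrement the
    sequence. A replayed or out-of-order response fails because the key moved on."""
    candidate = bytes.fromhex(response.replace(" ", ""))
    if fold(hashlib.md5(candidate).digest()) != record["key"]:
        return False
    record["sequence"] -= 1
    record["key"] = candidate
    return True

def demo() -> tuple:
    """Constructed walk-through mirroring the article: seed no8327, sequence 499.
    The pass phrase 'correct horse' is made up for this example."""
    seed, secret = "no8327", "correct horse"
    # opiepasswd stores the 499th hash (the value otp-md5 499 no8327 prints)
    record = parse_opiekeys(f"username 0499 {seed} {otp_md5(seed, secret, 499).hex()} Jul 10,2010 20:12:12")
    # ssh login: server challenges 'otp-md5 498 no8327', client answers with the 498th hash
    first = verify_and_advance(record, otp_md5(seed, secret, 498).hex())
    replay = verify_and_advance(record, otp_md5(seed, secret, 498).hex())  # same password again
    return first, replay, record["sequence"]
```

    The RFC 2289 test vector (pass phrase "This is a test.", seed TeSt, sequence 0) can be used to check otp_md5 against a real generator.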

    Back to our vacation legend. There are few Internet cafes where you can find an ssh client. One solution to this problem is an ssh client in the form of a Java applet. Unfortunately, not all ssh clients support s/key equally well. The author of this article found only one applet that works as it should: JCTerm from JCraft, Inc. Source code is available on the developer's site. The applet can be tested here.

    To conclude this article, it is worth mentioning the OneTimePassword open source J2ME application, available at sourceforge.net/projects/otp-j2me. By downloading it to your mobile phone, you can safely go on vacation without worrying about the safety of the now unnecessary one-time password sheet: OneTimePassword will easily generate them.

    Have a nice vacation!

    When writing the article, materials from the following sites were used:

    - ru.wikipedia.org/wiki/S/Key
    - tools.ietf.org/html/rfc1760
    - www.delta-xi.net/index.php?/archives/16-OTPs-Using-sKey-with-SSH-via-OPIE.html
    - blog.bogosity.se/2008/05/31/debian-ubuntu-skey-and-opie
    - www.opennet.ru/cgi-bin/opennet/man.cgi?topic=opiekeys&category=5
    - alexustes.dev.juga.ru/pam/article.html
    - www.ibm.com/developerworks/en/library/l-pam/index.html
    - sourceforge.net/projects/otp-j2me
    - www.jcraft.com/jcterm
    - wiredx.net/jcterm
