Use One Time Passwords

Use One Time Passwords

figs/moderate.gif figs/hack33.gif

Sometimes even a complex password may not meet your security needs.

If you are on the road and need to access the corporate network from a non-secure computer in a public place, the risk of password leakage increases. Could the person next to you be shoulder surfing, watching as you log into the network? Does the computer you're using have some sort of installed spyware or keystroke logger? Is there a packet sniffer running somewhere on the network? In such a situation, a One Time Password can be a real lifesaver.

1 Configuring OPIE

FreeBSD comes with OPIE, or One-time Passwords In Everything, a type of software OTP system. It is easy to configure and doesn't require any additional hardware or proprietary software running on a server. Ideally, you should configure OPIE before leaving your secure network. For example, if you plan on traveling with your laptop, configure OPIE while connected to the office network. Make sure you are logged in as your regular user account to the particular system you'll need to access while on the road.

Start by adding yourself to the OPIE database, or /etc/opiekeys, using opiepasswd. If you intend to access your workstation while on the road, run this command while physically sitting at your workstation. Include the console switch (-c) to indicate you are at that station's console, so it is safe to enter a passphrase:

% opiepasswd -c

Adding dru:

Only use this method from the console; NEVER from remote. If you are using

telnet, xterm, or a dial-in, type ^C now or exit with no password.

Then run opiepasswd without the -c parameter.

Using MD5 to compute responses.

Enter new secret pass phrase: 

Secret pass phrases must be between 10 and 127 characters long.

Enter new secret pass phrase: 

Again new secret pass phrase: 

ID dru OTP key is 499 dh0391


See that warning at the beginning? If you don't have physical access to the system's keyboard—say, you're logging into a server—make sure you use ssh to log into that system before running the opiepasswd -c command. Your only protection from another user using your one-time password is your passphrase, which is basically a long password that can include spaces. If that passphrase is transmitted over the network in clear text, you've defeated the whole purpose of this exercise.

Note that the passphrase isn't used as a password per se; instead, it is used to prove who added the account to the database and is therefore the rightful owner of the resulting response or one-time password. You'll need to issue that passphrase whenever you need to view your responses. Responses are always comprised of six uppercase nonsense words.

Next, verify that you are indeed in the OPIE database:

% opieinfo

498 dh0391

The opieinfo command displays the count (498) that will be used at the next login. It will also display the seed associated with that count (dh0391). In this example, it is expecting the response associated with 498, but I only know the response for 499. I'll need to use an OTP password calculator to figure out the correct response; that calculator is really just the opiekey command.

You could use the calculator from a separate terminal every time you login, but it is usually more convenient to print a list of responses and regenerate a new list whenever you run out of responses.

2 Generating Responses

In order to use the calculator, you need to know three things:

  • Your current counter

  • Your seed

  • Your secret passphrase

The challenge at the login prompt will display the current counter and seed. However, it is important that only you know your secret passphrase. Otherwise, anyone could calculate the response and log into your account.

To generate a list of responses, use the number switch (-n), followed by the number of desired responses and your current count and seed:

% opiekey -n 5 498 dh0391

Using the MD5 algorithm to compute response.

Reminder: Don't use opiekey from telnet or dial-in sessions.

Enter secret pass phrase: 






You can either direct that output to a printer or record those responses by hand. Either way, store those responses in a safe place such as your wallet, as these are your next five one-time passwords. The next time you log in, use the response that matches the count at your login prompt:

login: dru 

otp-md5 498 dh0391 ext

Password:  (here I pressed Enter)

otp-md5 498 dh0391 ext

Password [echo on]: LEAD JAG MUCH MADE NONE WRIT 

Once you configure OPIE on a 5.1 FreeBSD system, you will be required to respond to the OTP challenge whenever you log into that system. If you press Enter, you'll turn on echo so you can see the response as you type it.

Echo is usually a bad thing when logging in because anyone can see your password. However, with a one-time password, it doesn't matter if anyone sees that password, as it can't be reused. Also, unlike a reusable password, the response is not case-sensitive, so it doesn't matter if you type it in upper- or lowercase. Do take care, though, that no one sees your list of responses or your passphrase.

If your counter gets low—say, 10 or less—reset it before it hits 0. Use opiepasswd again, but this time specify a new count and a new seed. Here I'll use a count of 499 and a new seed of dh1357:

% opiepasswd -n 499 -s dh1357

Updating dru:

You need the response from an OTP generator.

Old secret pass phrase:

        otp-md5 8 dh0391 ext

        Response: loot omit safe eric jolt dark

New secret pass phrase:

        otp-md5 499 dh1357

        Response: hewn as dot mel mali mann

How long it will take you to cycle through your OTP passwords will depend upon how often you need to log in. You may find it convenient to generate a week's worth of responses at the beginning of each week.

It's also a good idea to consider how often to change your passphrase. You'll be prompted to when you reset your counter. For example, if you plan on changing your passphrase every 100 responses, specify -n 100 when you run opiepasswd. The passphrase itself needs to be memorable. Fortunately, it can contain spaces, so you can input, say, a line from a song or a poem.

3 Choosing When to Use OTP

Starting with FreeBSD 5.1-RELEASE, users are forced to use OTP once they've added themselves to the OPIE database. It doesn't matter if the user logs into that system using a local keyboard or over the network using ssh. This behavior is controlled by PAM, or, to be more specific, the auth section of /etc/pam.d/login:

% more /etc/pam.d/login


# $FreeBSD: src/etc/pam.d/login,v 1.11 2002/05/08 00:33:02 des Exp $


# PAM configuration for the "login" service


# auth

auth    required      no_warn

auth    sufficient         no_warn

auth    sufficient         no_warn no_fake_prompts

auth    requisite   no_warn

#auth   sufficient   no_warn try_first_pass

#auth   sufficient         no_warn try_first_pass

#auth   sufficient          no_warn try_first_pass

auth    required         no_warn try_first_pass nullok


Perhaps you'd like users to have the option of using their regular password when logging in locally, but force them to use OTP when logging in over the network. To achieve that, add the allow_local option to the opieaccess line so it looks like this:

auth    requisite    allow_local no_warn

This option lets the user type either her regular password or her OTP response if she's logging in locally. However, if she's logging in over the network, the login attempt will fail unless she gives the correct OTP response.

4 See Also

  • man opiepasswd

  • man opieinfo

  • man opiekey

  • man pam_opie

  • /usr/share/doc/en_US.ISO8859-1/articles/pam/article.html (FreeBSD PAM documentation)

     Python   SQL   Java   php   Perl 
     game development   web development   internet   *nix   graphics   hardware 
     telecommunications   C++ 
     Flash   Active Directory   Windows