July 2, 2011, 2:02 p.m.
posted by ifman
Use One Time Passwords
Sometimes even a complex password may not meet your security needs.
If you are on the road and need to access the corporate network from a non-secure computer in a public place, the risk of password leakage increases. Could the person next to you be shoulder surfing, watching as you log into the network? Does the computer you're using have some sort of installed spyware or keystroke logger? Is there a packet sniffer running somewhere on the network? In such a situation, a One Time Password can be a real lifesaver.
1 Configuring OPIE
FreeBSD comes with OPIE, or One-time Passwords In Everything, a type of software OTP system. It is easy to configure and doesn't require any additional hardware or proprietary software running on a server. Ideally, you should configure OPIE before leaving your secure network. For example, if you plan on traveling with your laptop, configure OPIE while connected to the office network. Make sure you are logged in as your regular user account to the particular system you'll need to access while on the road.
Start by adding yourself to the OPIE database, or /etc/opiekeys, using opiepasswd. If you intend to access your workstation while on the road, run this command while physically sitting at your workstation. Include the console switch (-c) to indicate you are at that station's console, so it is safe to enter a passphrase:
% opiepasswd -c
Adding dru:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Secret pass phrases must be between 10 and 127 characters long.
Enter new secret pass phrase:
Again new secret pass phrase:

ID dru OTP key is 499 dh0391
CHUG ROSA HIRE MALT DEBT EBEN
See that warning at the beginning? If you don't have physical access to the system's keyboard—say, you're logging into a server—make sure you use ssh to log into that system before running the opiepasswd -c command. Your only protection from another user using your one-time password is your passphrase, which is basically a long password that can include spaces. If that passphrase is transmitted over the network in clear text, you've defeated the whole purpose of this exercise.
Note that the passphrase isn't used as a password per se; instead, it is used to prove who added the account to the database and is therefore the rightful owner of the resulting response or one-time password. You'll need to issue that passphrase whenever you need to view your responses. Responses are always comprised of six uppercase nonsense words.
% opieinfo
498 dh0391
The opieinfo command displays the count (498) that will be used at the next login. It will also display the seed associated with that count (dh0391). In this example, it is expecting the response associated with 498, but I only know the response for 499. I'll need to use an OTP password calculator to figure out the correct response; that calculator is really just the opiekey command.
You could use the calculator from a separate terminal every time you login, but it is usually more convenient to print a list of responses and regenerate a new list whenever you run out of responses.
2 Generating Responses
In order to use the calculator, you need to know three things:
- Your current counter
- Your seed
- Your secret passphrase
The challenge at the login prompt will display the current counter and seed. However, it is important that only you know your secret passphrase. Otherwise, anyone could calculate the response and log into your account.
To generate a list of responses, use the number switch (-n), followed by the number of desired responses and your current count and seed:
% opiekey -n 5 498 dh0391
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
494: MEAN ADD NEON CAIN LION LAUD
495: LYLE HOLD HIGH HOME ITEM MEL
496: WICK BALI MAY EGO INK TOOK
497: RENT ARM WARN ARC LICE DOME
498: LEAD JAG MUCH MADE NONE WRIT
You can either direct that output to a printer or record those responses by hand. Either way, store those responses in a safe place such as your wallet, as these are your next five one-time passwords. The next time you log in, use the response that matches the count at your login prompt:
login: dru
otp-md5 498 dh0391 ext
Password: (here I pressed Enter)
otp-md5 498 dh0391 ext
Password [echo on]: LEAD JAG MUCH MADE NONE WRIT
Once you configure OPIE on a FreeBSD 5.1 system, you will be required to respond to the OTP challenge whenever you log into that system. If you press Enter at the first Password prompt, you'll turn on echo so you can see the response as you type it.
Echo is usually a bad thing when logging in because anyone can see your password. However, with a one-time password, it doesn't matter if anyone sees that password, as it can't be reused. Also, unlike a reusable password, the response is not case-sensitive, so it doesn't matter if you type it in upper- or lowercase. Do take care, though, that no one sees your list of responses or your passphrase.
When you are running low on responses, reset the counter (and, optionally, pick a new seed with -s) by running opiepasswd again. You prove ownership of the entry by answering the challenge for the old count, then supply a response for the new count and seed:
% opiepasswd -n 499 -s dh1357
Updating dru:
You need the response from an OTP generator.
Old secret pass phrase:
        otp-md5 8 dh0391 ext
        Response: loot omit safe eric jolt dark
New secret pass phrase:
        otp-md5 499 dh1357
        Response: hewn as dot mel mali mann
How long it will take you to cycle through your OTP passwords will depend upon how often you need to log in. You may find it convenient to generate a week's worth of responses at the beginning of each week.
It's also a good idea to consider how often to change your passphrase. You'll be prompted to when you reset your counter. For example, if you plan on changing your passphrase every 100 responses, specify -n 100 when you run opiepasswd. The passphrase itself needs to be memorable. Fortunately, it can contain spaces, so you can input, say, a line from a song or a poem.
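To make concrete why a sniffed response is useless to anyone but you, here is a small Python model of the calculator and of the check the login program performs. It is an added example, not code from the original hack or from FreeBSD's OPIE sources. It follows the otp-md5 construction of RFC 2289 as I understand it (MD5 of seed plus passphrase folded to 64 bits, then hashed and folded once per count) and prints hex rather than the six-word encoding, which would need the RFC's 2048-word dictionary; it has not been checked against the real opiekey binary. The seed dh0391 is taken from the article; the passphrase is a constructed sample, and OpieServer is a stand-in for the per-user record in /etc/opiekeys.

```python
import hashlib

# Constructed sample values (not from the page): the seed mirrors the article's
# opieinfo output, the passphrase is an arbitrary example you would never reuse.
SEED = "dh0391"
PASSPHRASE = "a line from a song I will remember"
INITIAL_COUNT = 499   # what `opiepasswd -c` printed as the starting key count


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the
    two halves, the RFC 2289 'folding' step behind otp-md5."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_response(passphrase: str, seed: str, count: int) -> bytes:
    """Response for sequence number `count` (what `opiekey count seed` computes).
    Step 1: fold(MD5(seed || passphrase)), seed lowercased as RFC 2289 requires.
    Step 2: apply fold(MD5(.)) `count` times. Response N is therefore the
    one-way image of response N-1, which is the whole trick."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        value = fold_md5(value)
    return value


def response_list(passphrase: str, seed: str, count: int, n: int) -> dict:
    """Equivalent of `opiekey -n n count seed`: the n responses ending at `count`."""
    return {c: otp_response(passphrase, seed, c).hex()
            for c in range(count - n + 1, count + 1)}


class OpieServer:
    """Stand-in for the per-user record in /etc/opiekeys: the seed, the sequence
    number of the last accepted response, and that response itself. Note that
    the passphrase never reaches the server, so there is nothing there to steal."""

    def __init__(self, seed: str, count: int, last_response: bytes):
        self.seed, self.count, self.last = seed, count, last_response

    def challenge(self) -> tuple:
        """What `opieinfo` and the login prompt show: next expected count and seed."""
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff hashing the offered response once yields the stored one,
        then step the chain down by one so that response can never be reused."""
        if fold_md5(response) != self.last:
            return False
        self.count -= 1
        self.last = response
        return True


def enroll(passphrase: str, seed: str, count: int) -> OpieServer:
    """`opiepasswd -c`: compute response `count` locally; only it is stored."""
    return OpieServer(seed, count, otp_response(passphrase, seed, count))


def demo() -> dict:
    server = enroll(PASSPHRASE, SEED, INITIAL_COUNT)
    count, seed = server.challenge()                 # 498 dh0391, as in the article
    first_login = server.verify(otp_response(PASSPHRASE, seed, count))
    replay = server.verify(otp_response(PASSPHRASE, seed, count))  # same response again
    # A sniffer that captured response 498 can hash it forward to the already
    # spent 499, but has no way back to 497, which is what the server now wants.
    captured = otp_response(PASSPHRASE, SEED, 498)
    forward_only = fold_md5(captured) == otp_response(PASSPHRASE, SEED, 499)
    attacker_replay = server.verify(captured)
    return {
        "challenge_after_enroll": (count, seed),
        "first_login": first_login,
        "replay_rejected": not replay,
        "captured_hashes_to_spent_499": forward_only,
        "attacker_replay_rejected": not attacker_replay,
        "next_challenge": server.challenge(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model shows why echo at the login prompt is harmless and why the passphrase is the only thing worth guarding: the server holds nothing but the last accepted response, each login moves the chain one step down, and a captured response only lets an observer recompute responses that have already been spent.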
3 Choosing When to Use OTP
Starting with FreeBSD 5.1-RELEASE, users are forced to use OTP once they've added themselves to the OPIE database. It doesn't matter if the user logs into that system using a local keyboard or over the network using ssh. This behavior is controlled by PAM, or, to be more specific, the auth section of /etc/pam.d/login:
% more /etc/pam.d/login
#
# $FreeBSD: src/etc/pam.d/login,v 1.11 2002/05/08 00:33:02 des Exp $
#
# PAM configuration for the "login" service
#

# auth
auth    required    pam_nologin.so      no_warn
auth    sufficient  pam_self.so         no_warn
auth    sufficient  pam_opie.so         no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so   no_warn
#auth   sufficient  pam_kerberosIV.so   no_warn try_first_pass
#auth   sufficient  pam_krb5.so         no_warn try_first_pass
#auth   sufficient  pam_ssh.so          no_warn try_first_pass
auth    required    pam_unix.so         no_warn try_first_pass nullok
<snip>
Perhaps you'd like users to have the option of using their regular password when logging in locally, but force them to use OTP when logging in over the network. To achieve that, add the allow_local option to the opieaccess line so it looks like this:
auth requisite pam_opieaccess.so allow_local no_warn
This option lets the user type either her regular password or her OTP response if she's logging in locally. However, if she's logging in over the network, the login attempt will fail unless she gives the correct OTP response.
4 See Also