Jan. 7, 2011, 2:11 p.m.
posted by unixgeek
Use Single-Use Passwords for Authentication
Use one-time passwords to access servers from possibly untrustworthy computers and to limit access to accounts.
Generally, it's best not to use untrusted computers to access a server. The pitfalls are plentiful. However, you can mitigate part of the risk by using one-time passwords (OTPs) for authentication: a password captured by a keylogger or sniffer is worthless once it has been used, so the attacker gets no replayable credential. (A compromised client can still abuse the live session, so OTPs limit the damage rather than remove it.) An even more interesting use for them, though, is to limit access to accounts used for file transfer.
That is, if you want to provide a file to someone or allow someone to upload a file only once, you can set up an account to use OTPs. Once the person you've given the password to has done her thing (and disconnected), she no longer has access to the account. This works well with rssh [Hack #18], since it prevents the user from accessing the system outside of a specified directory and from generating additional OTPs.
OPIE Under FreeBSD
Setting up an account to use OPIE under FreeBSD is fairly simple. First, run opiepasswd to create an entry in /etc/opiepasswd and to seed the OTP generator:
$ opiepasswd -c
Adding andrew:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:
ID andrew OTP key is 499 fr8266
HOVE TEE LANG FOAM ALEC THE
The 499 in the output is the current OTP sequence number, and fr8266 is the seed that goes with it when generating OTPs. The six words on the last line are the one-time password for sequence 499; the system stores that value and uses it to check the password for sequence 498, and each successful login decrements the sequence by one. Once the sequence reaches 0, you'll need to run opiepasswd again to reseed the system.
The -c option tells opiepasswd to run in console mode, accepting your secret pass phrase directly instead of a response computed with opiekey. Needless to say, you shouldn't be typing that pass phrase over an insecure channel; if you do, you'll defeat the purpose of OTP. Run this from the local console or over an SSH connection only!
Then, try logging into the system remotely:
$ ssh freebsd5-vm1
otp-md5 497 fr8266 ext
Password:
The first line of output is the challenge, and its middle two fields are the arguments to supply to opiekey, which generates the proper OTP. otp-md5 specifies the hashing algorithm in use. As before, 497 is the OTP sequence number and fr8266 is the seed. The trailing ext means the server also accepts OPIE's extended response formats (such as a hex-encoded response) in addition to the six-word form.
Now, generate the password:
$ opiekey 497 fr8266
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
DUET SHAW TWIT SKY EM CITE
To log in, type the six words that were generated at the Password: prompt (the one-time password, not your secret pass phrase). Once you've logged in, you can run opieinfo and see that the sequence number has been decremented:
$ opieinfo
496 fr8266
It's also possible to generate multiple passwords at the same time with opiekey:
$ opiekey -n 5 496 fr8266
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
492: EVIL AMID EVEN CRAB FRAU NULL
493: GEM SURF LONG TOOK NAN FOUL
494: OWN SOB AUK RAIL SEED HUGE
495: GAP THAT LORD LIES BOMB ROUT
496: RON ABEL LIE GWYN TRAY ROAR
You might want to do this before traveling, so you can print out the passwords and carry them with you. Treat the printout like any other password list: cross off each entry as you use it, and remember that whoever gets hold of it gets that many logins.
If you have a PDA, another option is to use PilOTP (http://astro.uchicago.edu/home/web/valdes/pilot/pilOTP/), an OTP generator for Palm OS devices, which supports both OPIE and S/Key systems.
S/Key Under OpenBSD
Setting up S/Key under OpenBSD is similar to setting up OPIE. First, the superuser needs to enable it on the system by running skeyinit -E. Then, as a normal user, run skeyinit. It prompts for your system password and then for a new secret passphrase with which to initialize your S/Key entry:
$ skeyinit
Reminder - Only use this method if you are directly connected
           or have an encrypted channel.  If you are using telnet,
           hit return now and use skeyinit -s.
Password:
[Adding andrew with md5]
Enter new secret passphrase:
Again secret passphrase:

ID andrew skey is otp-md5 100 open66823
Next login password: DOLE WALE MAKE COAT BALE AVID
To log in, you need to append :skey to your username (hostname here stands for your OpenBSD server):
$ ssh andrew:skey@hostname
otp-md5 99 open66823
S/Key Password:
Then, in another terminal (on a machine you trust), run skey and enter the secret passphrase you chose when you ran skeyinit:
$ skey -md5 99 open66823
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase:
SOME VENT BUDD GONG TEAR SALT
Here's the output of skeyinfo after logging in:
$ skeyinfo
98 open66823
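Both the OPIE and the S/Key sessions above rely on the same otp-md5 scheme (RFC 2289): the password for sequence n is the password for sequence n-1 pushed through one more MD5-and-fold step, so the server only ever needs to store the password for its current sequence number and can check the next lower one by hashing once. The following Python is an added example written for this page; it is not code from the book, from OPIE or from OpenBSD's S/Key. The pass phrase "This is a test.", the OtpAccount class and its record layout are assumptions made for illustration (the real /etc/opiepasswd and /etc/skey files have their own formats), and the hex output corresponds to the extended response a server advertising ext accepts, not the six-word encoding opiekey prints.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """One otp-md5 hash step (RFC 2289): MD5 the input, then XOR the two
    8-byte halves of the digest together to get a 64-bit value."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """The 64-bit one-time password for sequence number `count`.

    Sequence 0 is the folded hash of seed+passphrase; sequence n is that
    value pushed through fold_md5 n more times. The seed is case-insensitive
    and is lower-cased before hashing, as the RFC requires."""
    key = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        key = fold_md5(key)
    return key


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hex form of the response. A server whose challenge ends in 'ext'
    accepts this as well as the six-word form that opiekey prints."""
    return otp_md5(passphrase, seed, count).hex()


def otp_list(passphrase: str, seed: str, last: int, n: int) -> list:
    """What `opiekey -n 5 496 fr8266` computes: the passwords for sequences
    last-n+1 .. last. Only the lowest one needs the full chain; each higher
    one is a single extra hash step, since seq k+1 = fold_md5(seq k)."""
    key = otp_md5(passphrase, seed, last - n + 1)
    out = []
    for seq in range(last - n + 1, last + 1):
        out.append((seq, key.hex()))
        key = fold_md5(key)
    return out


class OtpAccount:
    """Server side (hypothetical model): the record an opiepasswd/skeyinit
    run leaves behind -- sequence number, seed and the last accepted
    response, i.e. the password for the current sequence number -- plus the
    check performed at login."""

    def __init__(self, passphrase: str, seed: str, count: int = 499):
        self.seed = seed
        self.seq = count
        # This is the "OTP key" opiepasswd prints; the pass phrase itself is
        # never stored on the server.
        self.stored = otp_md5(passphrase, seed, count)

    def challenge(self):
        """The line ssh shows before the password prompt, or None once the
        chain is used up and the account must be reseeded."""
        if self.seq == 0:
            return None
        return f"otp-md5 {self.seq - 1} {self.seed} ext"

    def verify(self, response_hex: str) -> bool:
        """Accept a response for sequence seq-1 if hashing it once yields the
        stored value for seq. On success the response becomes the new stored
        value, so the same password can never be accepted twice."""
        if self.seq == 0:
            return False
        try:
            response = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(response) != 8:
            return False
        if not hmac.compare_digest(fold_md5(response), self.stored):
            return False
        self.stored = response
        self.seq -= 1
        return True


def demo():
    """Constructed walk-through of the FreeBSD session above with a made-up
    pass phrase: seed at 499, one login, then a replay of the same response."""
    passphrase = "This is a test."          # hypothetical secret pass phrase
    acct = OtpAccount(passphrase, "fr8266", count=499)
    chal = acct.challenge()                 # "otp-md5 498 fr8266 ext"
    seq = int(chal.split()[1])
    response = otp_hex(passphrase, acct.seed, seq)   # what opiekey would compute
    first = acct.verify(response)           # True: logged in, seq is now 498
    replay = acct.verify(response)          # False: a captured OTP is useless
    return chal, first, replay, acct.seq


if __name__ == "__main__":
    print(demo())
    for seq, pw in otp_list("This is a test.", "fr8266", 496, 5):
        print(f"{seq}: {pw}")
```

The replay in demo() is the whole point of the hack: after a successful login the server holds the response it just accepted, and hashing that response again gives the value for the previous sequence, not the current one, so a sniffed or keylogged password is rejected. The otp_list function also shows why opiekey -n asks for the highest sequence number: the chain is built upward from the lowest password you need, and each step up is one hash. RFC 2289 Appendix C carries test vectors for otp-md5 if you want to check an implementation like this against the real tools.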
Although it's not wise to use untrusted computers to access your systems, you can see that one-time passwords can help mitigate the possible ill effects. Additionally, they can have other uses, such as combining them with other components to allow a user to access a protected resource only a limited number of times. With a little ingenuity, you can come up with some other uses, too.