Use Single-Use Passwords for Authentication

Use one-time passwords to access servers from possibly untrustworthy computers and to limit access to accounts.

Generally, it's best not to use untrusted computers to access a server. The pitfalls are plentiful. However, you can mitigate some part of the risk by using one-time passwords (OTPs) for authentication. An even more interesting use for them, though, is to limit access to accounts used for file transfer.

That is, if you want to provide a file to someone or allow someone to upload a file only once, you can set up an account to use OTPs. Once the person you've given the password to has done her thing (and disconnected), she no longer has access to the account. This works well with rssh [Hack #18], since it prevents the user from accessing the system outside of a specified directory and from generating additional OTPs.

For this purpose, FreeBSD provides One-time Passwords in Everything (OPIE), which is thoroughly supported throughout the system. OpenBSD uses a similar system called S/Key.

OPIE Under FreeBSD

Setting up an account to use OPIE under FreeBSD is fairly simple. First, run opiepasswd to create an entry in /etc/opiepasswd and to seed the OTP generator:

$ opiepasswd -c
Adding andrew:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase: 
Again new secret pass phrase: 

ID andrew OTP key is 499 fr8266
HOVE TEE LANG FOAM ALEC THE

The 499 in the output is the OTP sequence, and fr8266 is the seed to use with it in generating the OTP. Once the sequence reaches 0, you'll need to run opiepasswd again to reseed the system.

The -c option tells it to accept password input directly. Needless to say, you shouldn't be setting this up over insecure channels; if you do, you'll defeat the purpose of OTP. Run this from the local console or over an SSH connection only!

Then, try logging into the system remotely:

$ ssh freebsd5-vm1
otp-md5 497 fr8266 ext
Password: 

The first line of output gives the arguments to supply to opiekey, the program used to generate the correct OTP. otp-md5 specifies the hashing algorithm that has been used. As before, 497 is the OTP sequence number, and fr8266 is the seed.

Now, generate the password:

$ opiekey 497 fr8266
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: 
DUET SHAW TWIT SKY EM CITE

To log in, enter the one-time password that opiekey generated. Once you've logged in, you can run opieinfo and see that the sequence number has been decremented:

$ opieinfo
496 fr8266

It's also possible to generate multiple passwords at the same time with opiekey:

$ opiekey -n 5 496 fr8266
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: 
492: EVIL AMID EVEN CRAB FRAU NULL
493: GEM SURF LONG TOOK NAN FOUL
494: OWN SOB AUK RAIL SEED HUGE
495: GAP THAT LORD LIES BOMB ROUT
496: RON ABEL LIE GWYN TRAY ROAR

You might want to do this before traveling, so you can print out the passwords and carry them with you.

Be sure not to include the hostname on the same sheet of paper. If you do and you lose it, anyone who finds it can easily gain access to your system.
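The sequence/seed mechanics that both the OPIE and the S/Key sections rely on, shown as an added Python illustration (this is not OPIE or OpenBSD code): the client derives the RFC 2289 MD5 hash chain from the passphrase, the server keeps only the last accepted OTP, and a valid response must hash to that stored value. It uses the hex form of the OTP rather than the six-word encoding, and the passphrase and seed values are constructed for the example.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 128-bit digest to 64 bits, as RFC 2289 does."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, sequence: int) -> bytes:
    """Client side (what opiekey/skey compute): hash the lower-cased seed plus the
    passphrase once, then re-hash the result `sequence` more times."""
    key = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        key = fold_md5(key)
    return key

def otp_list(passphrase: str, seed: str, last: int, n: int) -> list:
    """Equivalent of `opiekey -n n last seed`: passwords last-n+1 .. last, as hex."""
    key = otp(passphrase, seed, last - n + 1)
    out = []
    for seq in range(last - n + 1, last + 1):
        out.append((seq, key.hex()))
        key = fold_md5(key)  # the next sequence number is one more hash
    return out

class OtpServer:
    """Server side (/etc/opiepasswd or the S/Key database): keeps only the last
    accepted OTP and its sequence number; the passphrase never leaves the client."""
    def __init__(self, passphrase: str, seed: str, start: int = 499):
        self.seed, self.seq = seed, start
        self.last = otp(passphrase, seed, start)  # opiepasswd -c / skeyinit step

    def challenge(self) -> str:  # what the login prompt prints
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # A response for N is valid only if hashing it once yields the stored OTP
        # for N+1; a replayed or wrong response fails, and so does an exhausted chain.
        if self.seq <= 0 or fold_md5(response) != self.last:
            return False
        self.seq -= 1          # the accepted OTP becomes the new stored value
        self.last = response
        return True

    def info(self) -> str:  # what opieinfo / skeyinfo print: next sequence and seed
        return f"{self.seq - 1} {self.seed}"
```

Because the server stores only the result of one extra hash, a copy of its database cannot be turned back into the next password, which is exactly why a used OTP is worthless afterwards.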


If you have a PDA, another option is to use PilOTP (http://astro.uchicago.edu/home/web/valdes/pilot/pilOTP/), an OTP generator for Palm OS devices, which supports both OPIE and S/Key systems.

S/Key Under OpenBSD

Setting up S/Key under OpenBSD is similar to setting up OPIE. First, the superuser needs to enable it by running skeyinit -E. Then, as a normal user, run skeyinit again. It will prompt you for your system password and then ask you for a password to initialize the S/Key system:

$ skeyinit 
Reminder - Only use this method if you are directly connected
           or have an encrypted channel.  If you are using telnet,
           hit return now and use skeyinit -s.
Password:
[Adding andrew with md5]
Enter new secret passphrase: 
Again secret passphrase: 

ID andrew skey is otp-md5 100 open66823
Next login password: DOLE WALE MAKE COAT BALE AVID

To log in, you need to append :skey to your username:

$ ssh andrew:[email protected]
otp-md5 99 open66823
S/Key Password:

Then, in another terminal, run skey and enter the password you entered when you ran skeyinit:

$ skey -md5 99 open66823
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase: 
SOME VENT BUDD GONG TEAR SALT

Here's the output of skeyinfo after logging in:

$ skeyinfo
98 open66823

Although it's not wise to use untrusted computers to access your systems, you can see that one-time passwords can help mitigate the possible ill effects. Additionally, they can have other uses, such as combining them with other components to allow a user to access a protected resource only a limited number of times. With a little ingenuity, you can come up with some other uses, too.
