Mindtwist.de

...let your mind twist!

How to use one-time SSH passwords on Debian/Ubuntu

In this howto you will find all the information needed to enable a one-time-password SSH login on Debian or Debian-like systems (e.g. Ubuntu).

Creating a S/Key secured SSH gateway

This article is a follow-up to the How to use one-time SSH passwords on OpenBSD article.

First you need to install the OPIE programs that maintain the OTP key file:

# apt-get install opie-server

Then you need to add the pam_opie.so module to your pluggable authentication modules configuration in /etc/pam.d/common-auth:

auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so

Then you need to create a new one-time-password list for your user account:

$ opiepasswd -c
Adding rottmrei:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:
ID rottmrei OTP key is 499 mo8913
NAVY ION BIRD TIDE MOOR VAT

To generate a list of the next 20 passwords, you may use the following command:

$ opiekey -n 20 499 mo8913
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
480: HO DANG MAUL GWEN JUKE SIS
481: AKIN JESS DICE DUCT BOLO DUET
482: NEWT SLAY TORN PEP DUN BULK
483: IQ PAR BIAS DUG LEA GIFT
484: DAVY BUB DRUB SEEM OWE KURT
485: RUNT USE CALL OINT DES WAIT
486: COD KNIT DAB JAG CREW GUNK
487: WIN LIT GALE FLEA GAD BEY
488: SEAR CUP DIP BAIT BAWD BOIL
489: HEAT OMEN PEN OR AMID US
490: GREW UN GAIT WOLF WAYS TUNE
491: BASH ABE BITE WET DOOM FAIR
492: LEG NEAL JAG RUTH KITE WED
493: BUN BEAN RAIL HIT SOLD TROT
494: FIR TIRE DENT TUNE FUR GYM
495: JAVA LEO END RIO BANG REEF
496: NULL FOAM OBOE WAND ROUT BUCK
497: AYE HASH COIL PAM LENS AMES
498: HERD VENT LAG BUST FOGY NECK
499: NAVY ION BIRD TIDE MOOR VAT

To enable S/Key challenge-response authentication, the following option needs to be set in /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes

After making your changes, don't forget to reload the SSH daemon!

Now you can use the S/Key one-time passwords to log in to your system:

$ ssh rottmrei:opie@vdebian07
Password:
otp-md5 498 mo8913 ext, Response:
Last login: Tue Dec 8 18:05:31 2009 from ***scrubbed***

* * * * * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY.
UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED.
IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT IMMEDIATELY!
* * * * * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * * *


$
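The computation behind the password list above and the check the server performs at login, as an added Python example that is not part of the original article or of the OPIE code: it implements the otp-md5 hash chain from RFC 2289 (the seed is case-insensitive and each password is the previous one hashed once more), models the per-user record that opiepasswd -c creates, and shows why a response is accepted once and then rejected on replay. The user's seed and starting sequence number are the ones from the page; the pass phrase is constructed, so the values differ from the six-word responses shown, and responses are presented in the hex form that RFC 2289 requires servers to accept rather than as six words.

```python
import hashlib

def otp_fold(data: bytes) -> bytes:
    """One otp-md5 step (RFC 2289): MD5, then XOR the two 64-bit halves."""
    h = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(h[:8], h[8:]))

def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Password number `count` for this seed and pass phrase (8 bytes).
    The seed is case-insensitive, so it is lower-cased before hashing;
    password N is password N-1 hashed once more."""
    value = otp_fold((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        value = otp_fold(value)
    return value

class OpieServer:
    """Model of the per-user state opiepasswd leaves on the server: sequence
    number, seed and last accepted password. The pass phrase is never stored,
    and MD5 cannot be run backwards, so a copied record yields no future passwords."""
    def __init__(self, seq: int, seed: str, last: bytes):
        self.seq, self.seed, self.last = seq, seed, last

    def challenge(self) -> str:
        # Same shape as the prompt on the page: "otp-md5 498 mo8913 ext"
        return f"otp-md5 {self.seq - 1} {self.seed} ext"

    def verify(self, response_hex: str) -> bool:
        """Accept only if one more hash step reproduces the stored value;
        the accepted response then replaces it, so it cannot be replayed."""
        candidate = bytes.fromhex(response_hex)
        if otp_fold(candidate) != self.last:
            return False
        self.seq, self.last = self.seq - 1, candidate
        return True

def demo() -> list:
    # Constructed pass phrase; seed and starting number are the page's.
    phrase, seed = "correct horse battery", "mo8913"
    server = OpieServer(499, seed, otp_md5(phrase, seed, 499))  # opiepasswd -c
    first = server.verify(otp_md5(phrase, seed, 498).hex())     # answers "498"
    replay = server.verify(otp_md5(phrase, seed, 498).hex())    # same one again
    skipped = server.verify(otp_md5(phrase, seed, 496).hex())   # not the one asked
    nxt = server.verify(otp_md5(phrase, seed, 497).hex())       # answers "497"
    return [first, replay, skipped, nxt, server.seq]

if __name__ == "__main__":
    print(otp_md5("This is a test.", "TeSt", 0).hex().upper())  # 9E876134D90499DD
    print(demo())  # [True, False, False, True, 497]
```

The first print reproduces an RFC 2289 test vector, which is the quickest way to check that a reimplementation folds and iterates the way opiekey does.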