
Organizing SSH access with one-time passwords

In any serious company it occasionally happens that an employee on vacation is urgently needed to do his job. Consider a situation where the company needs a specific person, say the system administrator, who at that moment is lying on a beach a thousand kilometers from the stuffy office. Let us even assume that he agrees to do the work that has unexpectedly landed on his head, and that there is an internet cafe at the resort. But here is the problem: the cafe is in a dark alley, its computers run a popular OS full of trojans, keyloggers and other hacker tools, so typing the root password of the company's main server on such a machine is rather unwise.

There are several solutions to this problem. One of them is one-time passwords, specifically the S/Key system, which uses the MD4 and MD5 algorithms to generate the passwords. This system is what the rest of the article is about.

S/Key works on the client-server principle as follows. The user chooses a secret key, which is then hashed hundreds of times (for example, 500). The last (500th) hash of the secret phrase is stored on the machine the user logs into (the server). To log in, the user has to enter the previous (499th) hash of the secret key, which the client application generates for him. The server hashes the value the user entered once more and, if the result matches the stored data, authorizes the user and stores the value just entered (the 499th hash), so that next time it can ask for the hash one step before the current one (the 498th).

You can read more about S/Key on Wikipedia and in RFC 1760.
Let's move on to practice. We will use PAM (a set of APIs for user authentication) and OPIE (a PAM module for working with one-time passwords). It is assumed that SSH is already installed.

Install OPIE:
$ apt-get install opie-client opie-server

Then you need to edit the configuration files:

In the /etc/pam.d/sshd file, comment out the line "@include common-auth":
#@include common-auth
and add the following after it:
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so


The first line keeps the option of logging in with the account's regular password. If that is not wanted, it can be removed.

More information about configuring PAM can be read here and here .

Next, edit /etc/ssh/sshd_config: in the line "ChallengeResponseAuthentication no", change no to yes.

Now restart ssh:
$ service ssh restart

OPIE data is stored in the /etc/opiekeys file, which has the following format:

Field     Description
name      User login.
sequence  Sequence number of the hash.
seed      A non-secret random string.
key       Last used hash.
date      Date of the last change.
time      Time of the last change.

Initially this file is empty. To set the initial data (generating the 500th hash), run the opiepasswd command:
$ opiepasswd
Adding username:
You need the response from an OTP generator.
New secret pass phrase:
otp-md5 499 no8327
Response:


To get the requested response (Response), open a second console and run the command otp-md5 499 no8327:
$ otp-md5 499 no8327
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:


Make up a secret pass phrase and enter it. In response we see something like WATS NIP DUD BRAD LIME DRUM.

A pleasant detail: one-time passwords consist of short English words that are fairly easy to remember. We go back to the first console, to the opiepasswd prompt, and enter the sequence we were given (WATS NIP DUD BRAD LIME DRUM), in capital letters and with spaces. Reportedly it can also be entered in lowercase, but the author has not checked this.

$ opiepasswd
Adding username:
You need the response from an OTP generator.
New secret pass phrase: *********
otp-md5 499 no8327
Response: WATS NIP DUD BRAD LIME DRUM

ID username OTP key is 499 no8327
WATS NIP DUD BRAD LIME DRUM
$


If you now open the /etc/opiekeys file, you will see a line similar to
username 0499 no8327 f825803faf1afaee Jul 10,2010 20:12:12

When you go on vacation, you can take along a list of pre-generated one-time passwords. You get this list by running opiekey -n 100 499 no8327. You will be asked for the secret phrase, and in response you receive a list of 100 (the number is set by the -n 100 option) one-time passwords of the form

...
480: SLUR ROVE TONE ADAM MUST IRK
481: FULL NAY LYLE BROW MARY COD
482: WERE LOB DOME LIT GIN CHAD
...

The sheet of passwords can be hidden deep in a suitcase or copied to your phone as a plain text file. At the end of this article a more convenient and more secure way of obtaining and storing one-time passwords is considered.

Let's return to our SSH access:

$ ssh username@host
Password:


To authenticate with a one-time password, enter the literal word "opiepasswd" at the account password prompt; after that you will be asked for the one-time password:

$ ssh username@host
Password: opiepasswd
otp-md5 498 no8327 ext, Response:


In response, enter the sequence obtained by running
$ otp-md5 498 no8327
or
$ opiekey 498 no8327

In fact, the response can be generated on any computer with any S/Key generator, not only otp-md5 or opiekey.

If everything was done correctly, we get SSH access.
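The hash chain described at the start of the article and the opiepasswd / login exchange above, as an added Python model that is not part of the original article or of OPIE itself. It uses the RFC 2289 otp-md5 step (MD5, folded to 8 bytes) and the hex form of the responses; the six-word form (WATS NIP DUD ...) needs the 2048-word RFC 1760 dictionary and is left out. The user name, seed, pass phrase and the byte order of the hex display are assumptions, so the hex values will not match a real /etc/opiekeys line.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """One S/Key step: MD5, then fold the 16-byte digest to 8 bytes by
    XORing its two halves (RFC 2289, the otp-md5 variant)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """Client side (what otp-md5 / opiekey compute): hash seed+passphrase
    once, then `sequence` further rounds. The seed is case-insensitive."""
    h = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        h = fold_md5(h)
    return h

def otp_sheet(passphrase: str, seed: str, count: int, last: int) -> dict:
    """Pre-generated list, like `opiekey -n <count> <last> <seed>`."""
    return {n: otp_md5(passphrase, seed, n).hex()
            for n in range(last - count + 1, last + 1)}

class OpieServer:
    """Server-side record for one user: the /etc/opiekeys fields that matter
    for verification (name, sequence, seed, last accepted hash)."""

    def __init__(self, name: str, sequence: int, seed: str, key: bytes):
        self.name, self.sequence, self.seed, self.key = name, sequence, seed, key

    @classmethod
    def enroll(cls, name: str, seed: str, sequence: int, passphrase: str):
        """opiepasswd: store hash #sequence (e.g. 499); the passphrase is not."""
        return cls(name, sequence, seed, otp_md5(passphrase, seed, sequence))

    def challenge(self) -> str:
        """Login prompt: the server asks for sequence-1 (498 after enrolling 499)."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Hash the response once; it must equal the stored hash. On success the
        record moves one step back, so a replayed (keylogged) response is refused."""
        try:
            resp = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(resp) != 8 or not hmac.compare_digest(fold_md5(resp), self.key):
            return False
        self.sequence, self.key = self.sequence - 1, resp
        return True
```

The replay check in verify is the whole point of the scheme: a password captured in the cafe is already one step behind the server's record by the time anyone tries to reuse it.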

Back to our vacation story. You will rarely find an SSH client in an internet cafe. One solution is an SSH client running as a Java applet. Unfortunately, not all SSH clients are equally useful when it comes to supporting S/Key. The author of this article found only one applet that works as it should: JCTerm from JCraft, Inc. The source code is available on the developer's site. The applet can be tried out here.

To conclude, it is worth mentioning the open-source J2ME application OneTimePassword, available at sourceforge.net/projects/otp-j2me. With it installed on your mobile phone you can go on vacation without worrying about keeping a sheet of one-time passwords safe, because you no longer need one: OneTimePassword will generate them for you.

Happy holidays!

The following sources were used in writing this article:

- en.wikipedia.org/wiki/S/Key
- tools.ietf.org/html/rfc1760
- www.delta-xi.net/index.php?/archives/16-OTPs-Using-sKey-with-SSH-via-OPIE.html
- blog.bogosity.se/2008/05/31/debian-ubuntu-skey-and-opie
- www.opennet.ru/cgi-bin/opennet/man.cgi?topic=opiekeys&category=5
- alexustes.dev.juga.ru/pam/article.html
- www.ibm.com/developerworks/ru/library/l-pam/index.html
- sourceforge.net/projects/otp-j2me
- www.jcraft.com/jcterm
- wiredx.net/jcterm

Source: https://habr.com/ru/post/99377/
