OTPs: Using s/Key with SSH via OPIE

Summary: Passwords are a rather debatable means of authentication.
Passwords are a rather debatable means of authentication. They can be sniffed, and if the same password is used on more than one service, a captured password is reusable against all of them. Biometric identification is another form of authentication, but it is not well suited to remote access. An excellent standard is defined by S/Key. Read how to use it on Linux boxes...

S/Key defines how one-time passwords are implemented within a standard. The classical skeyinit command doesn't exist on Linux out of the box, but this is where OPIE (One-time Passwords In Everything), the Linux implementation of S/Key, comes in. First of all we need OPIE. Debian etch currently provides opie-server as well as opie-client, both of which have to be installed on the system.

The main idea is the following: the administrator creates an S/Key seed. Together with the seed, a secret password is chosen which forms the direct basis of all one-time passwords generated afterwards. When a user logs in remotely via SSH, the server tells them which password number of which seed is needed for the current login. A one-time password consists of six readable English words, generated from the seed, the secret password and the password number.

So we have two options at the client. We can calculate the password ourselves on the client. This has two disadvantages: first, we need the secret password given while initializing OPIE on the server, and second, we of course need a client with OPIE installed. The second option is that the administrator hands out a list of passwords (let's say 100), and we just give SSH the one it asks for.
Let's start; first install the software:

    apt-get install opie-client opie-server

Now edit /etc/pam.d/ssh and comment out the line "@include common-auth", replacing it with the following lines:

    auth sufficient pam_unix.so
    auth sufficient pam_opie.so
    auth required pam_deny.so

Finally we have to tell SSH to use our OTPs by editing /etc/ssh/sshd_config on the server:

    ChallengeResponseAuthentication yes

Now let's log in:

    # ssh user@host.tld
    otp-md5 498 v38294 ext, Response:

SSH now tells us which password it wants to hear. If we haven't printed out a password list, we can easily recalculate the password by typing the following command on a client (it doesn't matter on which machine we do this; it can even be done on palmtops or cellphones):

    $ opiekey 498 v38294

OPIE will ask for the secret password given at the server, and finally returns the password string, something like this:

    498: NICK FAY SEND BERT ALTO BANE

Type this password at the SSH login, and you're done. Capitalization is not relevant! If you're the admin of the server and don't want to give the secret password to the users, just print out a list of passwords, counting down from 499:

    $ opiekey -n 100 498 v38294

The 498 just tells OPIE the password number to start with. This list can safely be given to your clients who need secure SSH accounts.