[[!meta title="One-time passwords"]]
[OTP][] is a protocol for generating single-use passwords used for
safer authentication than you would get by using a password directly.
The system is challenge/response authentication similar to [[SSH]]
keys, but with the keys and hashes reduced to something you can
actually type in in a reasonable amount of time. While not absolutely
secure (nothing is), one-time passwords greatly reduce the window of
vulnerability compared to using static passwords directly.
For example, suppose you want to log in to one of your machines from a
remote, untrusted terminal (e.g. from an internet café). You obviously
don't want to load your SSH key on the untrusted terminal, and a
keylogger would capture your password if you used it directly. By
using a one-time password, the risk is reduced. A keylogger on the
untrusted terminal could capture your one-time password and use it to
log in either instead of you or as part of a man-in-the-middle attack.
However, *after* that login is terminated, the keylogger can make no
further breaches, as they could if they had captured your password
itself. This “small window” risk is the same problem faced by sites
that send you plain text emails with one-time URLs for registration
confirmation, password reminders, etc. (who can't be bothered to use
For more information on one-time passwords, take a look at the
* [RFC 2289][] (A One-Time Password System, obsoletes RFC 1938)
* [RFC 1938][] (A One-Time Password System, obsoletes RFC 1760)
* [RFC 1760][] (The S/KEY One-Time Password System)
Sound good? Alright, how do we set up SSH to accept one-time passwords
[OpenSSH][]'s [[SSH]] daemon supports OTP authentication by default.
If you have disabled the support, you'll need to restore it by adding

    ChallengeResponseAuthentication yes

to `/etc/ssh/sshd_config` and running

    # /etc/init.d/sshd reload
From the [sshd_config(5)][] man page, having challenge/response
authentication enabled allows all authentication styles from
[login.conf(5)][]. `/etc/login.conf` doesn't exist on my Gentoo or
Debian systems, which is, I think, because they use [PAM][] to handle
all the authentication. Tracing through `/etc/pam.d/`,
`/etc/pam.d/sshd` builds the following `auth` chain on my Gentoo

    auth required pam_tally2.so onerr=succeed
    auth required pam_shells.so
    auth required pam_nologin.so
    auth required pam_env.so
    auth required pam_unix.so try_first_pass likeauth nullok
    auth optional pam_permit.so
We need to add an OTP PAM module. There are several, none of which
seem to be actively developed:

* [S/Key][] (last activity in 2007)
* [OPIE][] (only maintained by Debian?)

The S/Key module does, however, have an ebuild in Gentoo's portage
tree (significantly patched from upstream), so we'll use that.
My initial idea was to add `skey` to `USE` and run

    # emerge -av --deep --update --newuse @world

but that enabled built-in S/Key handling in `app-admin/sudo` and
similar packages. We don't want applications to use S/Key directly,
we want them to use PAM, and PAM should use S/Key. So instead, just
emerge the S/Key PAM module:

    # emerge -av sys-auth/pam_skey

which will pull in the `sys-auth/skey` package containing binary
tools and the `libskey.so` library.
Configure PAM to use the `skey` module for all system authentication
by adding a line like:

    auth [success=done ignore=ignore auth_err=die default=bad] pam_skey.so

before the `pam_unix.so` line in `/etc/pam.d/system-auth`. This
allows users to use their one-time password (if configured) and falls
back to their system password if OTPs are not set up or the entered OTP
is invalid. See `/usr/share/doc/pam_skey-*/INSTALL.bz2` for details
on this specific case and the [PAM System Administrators'
Guide][PAM-SAG] for details on the syntax. Gentoo's `pam_skey` has
been patched up a good deal (see
`/usr/share/doc/pam_skey-*/README.bz2`), so on other systems, the
procedure may be different (e.g. OpenBSD has the S/Key module
[installed by default][OpenBSD]).
Set up a one-time password chain for a particular user by running
    Reminder - Only use this method if you are directly connected
    or have an encrypted channel. If you are using telnet
    or rlogin, exit with no password and use skeyinit -s.

    Enter secret password:
    Again secret password:

    ID wking skey is otp-md5 99 tyr24366
    Next login password: RIM CHUG MUSH LOFT SAFE CHAR

There are a number of options you can pass to `skeyinit` to customize
the OTP (hash, affected user, etc.).
That configures your server to accept RFC 2289 passwords. On the
client side, you'll need a generator to calculate the appropriate
response to server challenges. There are a number of choices:

* S/Key (Gentoo: sys-auth/skey) Gentoo's version of the OpenBSD
  package contains the command-line `skey` supporting RFC 2289 and RFC
* [otpCalc][] (Gentoo: sys-auth/otpcalc) RFC 2289 and RFC 1760
  compliant calculator using GTK+.
* [OTPGen][] RFC 2289 compliant calculator using the Java 2 Micro
  Edition (most mobile phones).
* [jotp][] RFC 2289? and RFC 1760 compliant calculator using Java with
If you don't have a secure client (e.g. cell phone) that will be
accessible from the untrusted terminal, you can also print a list of
future OTPs and carry the paper on your person.

    $ otp-md5 -xn 5 99 tyr24366
    Reminder - Do not use this program while logged in via telnet or rlogin.
    Enter secret password:
    95: WENT FORM GAUL DATA LYLE SIR FA10 A627 37FB 5078
    96: DINE RODE SANK LYON SUCH MEAT 735A 275B 5AAE 4972
    97: THEE TOUR GOES HULK WORM TROY EA1D D238 4E4F DFE0
    98: ELM RUB CULL ANY LIND HOBO 1167 21B5 014A FD32
    99: RIM CHUG MUSH LOFT SAFE CHAR 37CC D302 D8BD 56CA
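To make concrete what `skeyinit` stores and what `otp-md5` computes, here is an added example (not code from the original post, nor from the S/Key or OpenBSD projects) of the RFC 2289 MD5 scheme in Python: the seed is lowercased and concatenated with the pass phrase, hashed with MD5, the 16-byte digest is folded to 8 bytes by XORing its halves, and that fold-and-hash step is repeated once per sequence number. The `SkeyServer` class is a hypothetical model of the server side: it keeps only the seed, the next sequence number and the hash of the next expected password (the OTP one step further along the chain), never the pass phrase, and it checks a response by hashing it once and comparing. The pass phrase `correct horse` and seed `ts12345` used below are constructed; the hex output format matches `otp-md5 -x`.

```python
import hashlib

# RFC 2289 specifies MD5 as the default hash for otp-md5; the fold step
# reduces the 128-bit digest to the 64-bit value that is typed in.


def _fold_md5(data: bytes) -> bytes:
    """MD5 the input, then XOR the first 8 bytes with the last 8."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """64-bit one-time password for sequence number `count`.

    The seed is case-insensitive, so it is lowercased before hashing.
    Count 0 is the initial hash; each further count is one more
    fold-and-hash of the previous value.
    """
    x = _fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        x = _fold_md5(x)
    return x


def to_hex(otp: bytes) -> str:
    """Format 8 bytes as the four 4-digit groups printed by `otp-md5 -x`."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def parse_hex(text: str) -> bytes:
    """Accept the spaced hex form back from the user."""
    return bytes.fromhex(text.replace(" ", ""))


def otp_list(passphrase: str, seed: str, last: int, n: int):
    """Equivalent of `otp-md5 -xn N LAST SEED`: the n passwords ending at
    sequence number `last`, lowest first, like the printed paper list."""
    return [(c, to_hex(otp_md5(passphrase, seed, c)))
            for c in range(last - n + 1, last + 1)]


class SkeyServer:
    """Hypothetical model of the server-side state written by skeyinit.

    After `skeyinit` with a starting count of 99 the server holds the
    OTP for count 100 and challenges for count 99; the response for 99
    hashes forward to the stored value, which is then replaced by the
    response. The pass phrase itself is never stored.
    """

    def __init__(self, passphrase: str, seed: str, count: int = 99):
        self.seed = seed
        self.count = count
        self.stored = otp_md5(passphrase, seed, count + 1)

    def challenge(self) -> str:
        """The challenge line the client must answer."""
        return f"otp-md5 {self.count} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept a response if one more fold-and-hash yields the stored
        value; on success, move the chain one step down. A replayed or
        out-of-order response fails because it no longer hashes forward
        to what is stored."""
        resp = parse_hex(response_hex)
        if _fold_md5(resp) != self.stored:
            return False
        self.stored = resp
        self.count -= 1
        return True


if __name__ == "__main__":
    # Constructed pass phrase and seed for demonstration only.
    server = SkeyServer("correct horse", "ts12345", 99)
    print("challenge:", server.challenge())
    for c, hexotp in otp_list("correct horse", "ts12345", 99, 5):
        print(f"{c}: {hexotp}")
    reply = to_hex(otp_md5("correct horse", "ts12345", 99))
    print("login ok:", server.verify(reply), "replay ok:", server.verify(reply))
```

The `_fold_md5` step is what makes the chain one-way: knowing the password for count 99 lets anyone compute the server's stored value for count 100, but not the password for count 98, which is why a captured OTP only buys the attacker the single session it was used for.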
The printed paper is obviously less secure, because it reduces the
authentication requirement from something-you-know (secret key) to
something-you-have (paper). If that bothers you, take a look at
Markus Kuhn's [OTPW][] package, which uses a different algorithm to
generate OTPs that all begin with a secret (memorized) prefix. Kuhn's
approach requires a hacker to copy your paper list *and* log your
keystrokes to extract your prefix.
Eventually, your stock of OTPs will run low, and you'll need to use
`skeyinit` again to provide a fresh stash.
Besides RFC 2289, there are alternative one-time password generation
possibilities. [RFC 4226][] (HOTP: An HMAC-Based One-Time Password
Algorithm) defines a particular ([inferior?][]) one-time password
generation algorithm. [This Debian post][deb-fa] describes a
[FreeAuth][] implementation that uses time-based keys similar to many
commercial systems. The [SOTP][] module doesn't specify its
algorithm, but it has the option of using secret prefixes along the
[OTP]: http://en.wikipedia.org/wiki/One-time_password
[RFC 2289]: http://www.ietf.org/rfc/rfc2289.txt
[RFC 1938]: http://www.ietf.org/rfc/rfc1938.txt
[RFC 1760]: http://www.ietf.org/rfc/rfc1760.txt
[OpenSSH]: http://www.openssh.com/
[sshd_config(5)]: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
[login.conf(5)]: http://www.openbsd.org/cgi-bin/man.cgi?query=login.conf
[PAM]: http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules
[S/Key]: http://freshmeat.net/projects/pam_skey/
[OPIE]: http://packages.debian.org/lenny/libpam-opie
[PAM-SAG]: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html
[OpenBSD]: http://www.openbsd.org/faq/faq8.html#SKey
[otpCalc]: http://killa.net/infosec/otpCalc/
[OTPGen]: http://marcin.studio4plus.com/en/otpgen/
[jotp]: http://www.cs.umd.edu/~harry/jotp/
[OTPW]: http://www.cl.cam.ac.uk/~mgk25/otpw.html
[RFC 4226]: http://www.ietf.org/rfc/rfc4226.txt
[inferior?]: http://en.wikipedia.org/wiki/HOTP#Reception
[deb-fa]: http://www.debian-administration.org/articles/510
[FreeAuth]: http://freeauth.org/
[SOTP]: http://www.cavecanen.org/cs/projects/pam_sotp/