From d21333f4dc8672e00600bb73c65887b3e17a01dc Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Thu, 30 Dec 2010 13:34:59 -0500 Subject: [PATCH] Fixes to OTP post. --- posts/OTP.mdwn | 100 ++++++++++++++++++++++++++++++------------------- 1 file changed, 62 insertions(+), 38 deletions(-) diff --git a/posts/OTP.mdwn b/posts/OTP.mdwn index 52d49de..00ff612 100644 --- a/posts/OTP.mdwn +++ b/posts/OTP.mdwn @@ -8,19 +8,19 @@ actually type in in a reasonable amount of time. While not absolutely secure (nothing is), one-time passwords greatly reduces the window of vulnerability compared to using static passwords directly. -As an example use case, suppose you want to log in to one of your -machines from a remote, untrusted teminal (e.g. from an internet -cafe). You obviously don't want to load your SSH key on the untrusted -terminal, and a keylogger would capture your password if you used it -directly. By using a one-time password, the risk is reduced. A -keylogger on the untrusted terminal could capture your one-time -password and use it to log in either instead of you or as part of a -man-in-the-middle attack. However, *after* that login is terminated, -the keylogger can make no further breaches, as they could if they had -captured your password itself. This is the same problem faced by -sites that send you plain text emails with one-time URLs for -registration confirmation, password reminders, etc. (who can't be -bothered to use [[PGP]], sigh). +For example, suppose you want to log in to one of your machines from a +remote, untrusted teminal (e.g. from an internet café). You obviously +don't want to load your SSH key on the untrusted terminal, and a +keylogger would capture your password if you used it directly. By +using a one-time password, the risk is reduced. A keylogger on the +untrusted terminal could capture your one-time password and use it to +log in either instead of you or as part of a man-in-the-middle attack. +However, *after* that login is terminated, the keylogger can make no +further breaches, as they could if they had captured your password +itself. This “small window” risk is the same problem faced by sites +that send you plain text emails with one-time URLs for registration +confirmation, password reminders, etc. (who can't be bothered to use +[[PGP]], sigh). For more information on one-time passwords, take a look at the following standards: @@ -45,44 +45,42 @@ From the [sshd_config(5)][] man page, having challenge/response authentication enabled allows all all authentications styles from [login.conf(5)][]. `/etc/login.conf` doesn't exist on my Gentoo or Debian systems, which is, I think, because they use [PAM][] to handle -all the authentication. Tracing through `/etc/pam.d/', +all the authentication. Tracing through `/etc/pam.d/`, `/etc/pam.d/sshd` builds the following `auth` chain on my Gentoo system: - auth required pam_tally2.so onerr=succeed - auth required pam_shells.so - auth required pam_nologin.so - auth required pam_env.so - auth required pam_unix.so try_first_pass likeauth nullok - auth optional pam_permit.so + auth required pam_tally2.so onerr=succeed + auth required pam_shells.so + auth required pam_nologin.so + auth required pam_env.so + auth required pam_unix.so try_first_pass likeauth nullok + auth optional pam_permit.so We need to add an OTP PAM module. There are several, none of which seem to be actively developed: * [S/Key][] (last activity in 2007) -* [SOTP][] (last activity in 2005) -* [OPTW][] (last activity in 2003) -* [OPIE][] (no longer maintained?) +* [OPIE][] (only maintained by Debian?) The S/Key module does, however, have an ebuild in Gentoo's portage tree (significantly patched from upstream), so we'll use that. -My initial idea was to add the `skey` to `USE` and run +My initial idea was to add `skey` to `USE` and run # emerge -av --deep --update --newuse @world but that enabled built-in S/Key handling in `app-admin/sudo` and similar packages. We don't want applications to use S/Key directly, -we want them to use PAM, and PAM should use S/Key. So, just emerge -the S/Key PAM module: +we want them to use PAM, and PAM should use S/Key. So instead, just +emerge the S/Key PAM module: # emerge -av sys-auth/pam_skey which will pull in the ` sys-auth/skey` package containing binary tools and the `libskey.so` library. -Configure PAM to use the `skey` module for remote authentication by -adding line like: +Configure PAM to use the `skey` module for all system authentication +by adding a line like: auth [success=done ignore=ignore auth_err=die default=bad] pam_skey.so @@ -90,14 +88,16 @@ before the `pam_unix.so` line in `/etc/pam.d/system-auth`. This allows users to use their one-time password (if configured) and falls back to their system password if OTPs are not setup or the entered OTP is invalid. See `/usr/share/doc/pam_skey-*/INSTALL.bz2` for details -on this specific case and the [PAM System AG][PAM-SAG] for details on -the syntax. Gentoo's `pam_skey` has been patched up a good deal (see +on this specific case and the [PAM System Administrators' +Guide][PAM-SAG] for details on the syntax. Gentoo's `pam_skey` has +been patched up a good deal (see `/usr/share/doc/pam_skey-*/README.bz2`), so on other systems, the -procedure may be different (e.g. [OpenBSD][]). +procedure may be different (e.g. OpenBSD has the S/Key module +[installed by default][OpenBSD]). Setup a one-time password chain for a particular user by running - $ skeyinit + $ skeyinit Password: [Adding wking] Reminder - Only use this method if you are directly connected @@ -124,9 +124,30 @@ response to server challenges. There are a number of choices: compliant calculator using GTK+. * [OTPGen][] RFC 2289 compliant calculator using the Java 2 Micro Edition (most mobil phones). -* [jopt][] RFC 2289? and RFC 1760 compliant calculator using Java with +* [jotp][] RFC 2289? and RFC 1760 compliant calculator using Java with MD4 and MD5 support. +If you don't have a secure client (e.g. cell phone) that will be +accessible from the untrusted terminal, you can also print a list of +future OTPs and cary the paper on your person. + + $ otp-md5 -xn 5 99 tyr24366 + Reminder - Do not use this program while logged in via telnet or rlogin. + Enter secret password: + 95: WENT FORM GAUL DATA LYLE SIR FA10 A627 37FB 5078 + 96: DINE RODE SANK LYON SUCH MEAT 735A 275B 5AAE 4972 + 97: THEE TOUR GOES HULK WORM TROY EA1D D238 4E4F DFE0 + 98: ELM RUB CULL ANY LIND HOBO 1167 21B5 014A FD32 + 99: RIM CHUG MUSH LOFT SAFE CHAR 37CC D302 D8BD 56CA + +The printed paper is obviously less secure, because it reduces the +authentication requirement from something-you-know (secret key) to +something-you-have (paper). If that bothers you, take a look at +Markus Kuhn's [OTPW][] package, which uses a different algorithm to +genrate OTPs that all begin with a secret (memorized) prefix. Kuhn's +approach requires a hacker to copy your paper list *and* log your +keystrokes to extract your prefix. + Eventually, your stock of OTPs will run low, and you'll need to use `skeyinit` again to provide a fresh stash. @@ -135,27 +156,30 @@ possibilities. [RFC 4226][] (HOTP: An HMAC-Based One-Time Password Algorithm) defines a particular ([inferior?][]) one-time password generation alogrithm. [This Debian post][deb-fa] describes a [FreeAuth][] implementation that uses time-based keys similar to many -commercial systems. +commercial systems. The [SOTP][] module doesn't specify it's +algorithm, but it has the option of using secret prefixes along the +lines of [OTPW][]. -[OPT]: http://en.wikipedia.org/wiki/One-time_password +[OTP]: http://en.wikipedia.org/wiki/One-time_password [RFC 2289]: http://www.ietf.org/rfc/rfc2289.txt +[RFC 1938]: http://www.ietf.org/rfc/rfc1938.txt [RFC 1760]: http://www.ietf.org/rfc/rfc1760.txt [OpenSSH]: http://www.openssh.com/ -[sshd_config(1)]: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config +[sshd_config(5)]: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config [login.conf(5)]: http://www.openbsd.org/cgi-bin/man.cgi?query=login.conf [PAM]: http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules [S/Key]: http://freshmeat.net/projects/pam_skey/ [OPIE]: http://packages.debian.org/lenny/libpam-opie -[OPTW]: http://www.cl.cam.ac.uk/~mgk25/otpw.html -[SOTP]: http://www.cavecanen.org/cs/projects/pam_sotp/ [PAM-SAG]: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html [OpenBSD]: http://www.openbsd.org/faq/faq8.html#SKey [otpCalc]: http://killa.net/infosec/otpCalc/ [OTPGen]: http://marcin.studio4plus.com/en/otpgen/ [jotp]: http://www.cs.umd.edu/~harry/jotp/ +[OPTW]: http://www.cl.cam.ac.uk/~mgk25/otpw.html [RFC 4226]: http://www.ietf.org/rfc/rfc4226.txt [inferior?]: http://en.wikipedia.org/wiki/HOTP#Reception [deb-fa]: http://www.debian-administration.org/articles/510 [FreeAuth]: http://freeauth.org/ +[SOTP]: http://www.cavecanen.org/cs/projects/pam_sotp/ [[!tag tags/linux]] -- 2.26.2