From f72fcc65e81eb3ac36790eeb63c9473341e1e416 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Thu, 30 Dec 2010 12:45:51 -0500 Subject: [PATCH] Add OTP post. --- posts/OTP.mdwn | 161 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 posts/OTP.mdwn diff --git a/posts/OTP.mdwn b/posts/OTP.mdwn new file mode 100644 index 0000000..52d49de --- /dev/null +++ b/posts/OTP.mdwn 
@@ -0,0 +1,161 @@ +[[!meta title="One-time passwords"]] + +[OTP][] is a protocol for generating single-use passwords used for +safer authentication than you would get by using a password directly. +The system is challenge/response authentication similar to [[SSH]] +keys, but with the keys and hashes reduced to something you can +actually type in in a reasonable amount of time. While not absolutely +secure (nothing is), one-time passwords greatly reduces the window of +vulnerability compared to using static passwords directly. + +As an example use case, suppose you want to log in to one of your +machines from a remote, untrusted teminal (e.g. from an internet +cafe). You obviously don't want to load your SSH key on the untrusted +terminal, and a keylogger would capture your password if you used it +directly. By using a one-time password, the risk is reduced. A +keylogger on the untrusted terminal could capture your one-time +password and use it to log in either instead of you or as part of a +man-in-the-middle attack. However, *after* that login is terminated, +the keylogger can make no further breaches, as they could if they had +captured your password itself. This is the same problem faced by +sites that send you plain text emails with one-time URLs for +registration confirmation, password reminders, etc. (who can't be +bothered to use [[PGP]], sigh). + +For more information on one-time passwords, take a look at the +following standards: + +* [RFC 2289][] (A One-Time Password System, obsoletes RFC 1928) +* [RFC 1938][] (A One-Time Password System, obsoletes RFC 1760) +* [RFC 1760][] (The S/KEY One-Time Password System) + +Sound good? Alright, how do we setup SSH to accept one-time passwords +on Gentoo? + +[OpenSSH][]'s [[SSH]] daemon supports OTP authentication by default. 
+If you have disabled the support, you'll need to restore it by adding + + ChallengeResponseAuthentication yes + +to `/etc/ssh/sshd_config` and running + + # /etc/init.d/sshd reload + +From the [sshd_config(5)][] man page, having challenge/response +authentication enabled allows all all authentications styles from +[login.conf(5)][]. `/etc/login.conf` doesn't exist on my Gentoo or +Debian systems, which is, I think, because they use [PAM][] to handle +all the authentication. Tracing through `/etc/pam.d/', +`/etc/pam.d/sshd` builds the following `auth` chain on my Gentoo +system: + + auth required pam_tally2.so onerr=succeed + auth required pam_shells.so + auth required pam_nologin.so + auth required pam_env.so + auth required pam_unix.so try_first_pass likeauth nullok + auth optional pam_permit.so + +We need to add an OTP PAM module. There are several, none of which +seem to be actively developed: + +* [S/Key][] (last activity in 2007) +* [SOTP][] (last activity in 2005) +* [OPTW][] (last activity in 2003) +* [OPIE][] (no longer maintained?) + +The S/Key module does, however, have an ebuild in Gentoo's portage +tree (significantly patched from upstream), so we'll use that. + +My initial idea was to add the `skey` to `USE` and run + + # emerge -av --deep --update --newuse @world + +but that enabled built-in S/Key handling in `app-admin/sudo` and +similar packages. We don't want applications to use S/Key directly, +we want them to use PAM, and PAM should use S/Key. So, just emerge +the S/Key PAM module: + + # emerge -av sys-auth/pam_skey + +which will pull in the ` sys-auth/skey` package containing binary +tools and the `libskey.so` library. + +Configure PAM to use the `skey` module for remote authentication by +adding line like: + + auth [success=done ignore=ignore auth_err=die default=bad] pam_skey.so + +before the `pam_unix.so` line in `/etc/pam.d/system-auth`. 
This +allows users to use their one-time password (if configured) and falls +back to their system password if OTPs are not setup or the entered OTP +is invalid. See `/usr/share/doc/pam_skey-*/INSTALL.bz2` for details +on this specific case and the [PAM System AG][PAM-SAG] for details on +the syntax. Gentoo's `pam_skey` has been patched up a good deal (see +`/usr/share/doc/pam_skey-*/README.bz2`), so on other systems, the +procedure may be different (e.g. [OpenBSD][]). + +Setup a one-time password chain for a particular user by running + + $ skeyinit + Password: + [Adding wking] + Reminder - Only use this method if you are directly connected + or have an encrypted channel. If you are using telnet + or rlogin, exit with no password and use skeyinit -s. + + Enter secret password: + Again secret password: + + ID wking skey is otp-md5 99 tyr24366 + Next login password: RIM CHUG MUSH LOFT SAFE CHAR + +there are a number of options you can pass to `skeyinit` to customize +the OTP (hash, effected user, etc.). + +That configures your server to accept RFC 2289 passwords. On the +client side, you'll need a generator to calculate the appropriate +response to server challenges. There are a number of choices: + +* S/Key (Gentoo: sys-auth/skey) Gentoo's version of the OpenBSD + package contains the command-line `skey` supporting RFC 2289 and RFC + 1760. +* [otpCalc][] (Gentoo: sys-auth/otpcalc) RFC 2289 and RFC 1760 + compliant calculator using GTK+. +* [OTPGen][] RFC 2289 compliant calculator using the Java 2 Micro + Edition (most mobil phones). +* [jopt][] RFC 2289? and RFC 1760 compliant calculator using Java with + MD4 and MD5 support. + +Eventually, your stock of OTPs will run low, and you'll need to use +`skeyinit` again to provide a fresh stash. + +Besides RFC 2289, there are alternative one-time password generation +possibilities. [RFC 4226][] (HOTP: An HMAC-Based One-Time Password +Algorithm) defines a particular ([inferior?][]) one-time password +generation alogrithm. 
[This Debian post][deb-fa] describes a +[FreeAuth][] implementation that uses time-based keys similar to many +commercial systems. + +[OPT]: http://en.wikipedia.org/wiki/One-time_password +[RFC 2289]: http://www.ietf.org/rfc/rfc2289.txt +[RFC 1760]: http://www.ietf.org/rfc/rfc1760.txt +[OpenSSH]: http://www.openssh.com/ +[sshd_config(1)]: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config +[login.conf(5)]: http://www.openbsd.org/cgi-bin/man.cgi?query=login.conf +[PAM]: http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules +[S/Key]: http://freshmeat.net/projects/pam_skey/ +[OPIE]: http://packages.debian.org/lenny/libpam-opie +[OPTW]: http://www.cl.cam.ac.uk/~mgk25/otpw.html +[SOTP]: http://www.cavecanen.org/cs/projects/pam_sotp/ +[PAM-SAG]: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html +[OpenBSD]: http://www.openbsd.org/faq/faq8.html#SKey +[otpCalc]: http://killa.net/infosec/otpCalc/ +[OTPGen]: http://marcin.studio4plus.com/en/otpgen/ +[jotp]: http://www.cs.umd.edu/~harry/jotp/ +[RFC 4226]: http://www.ietf.org/rfc/rfc4226.txt +[inferior?]: http://en.wikipedia.org/wiki/HOTP#Reception +[deb-fa]: http://www.debian-administration.org/articles/510 +[FreeAuth]: http://freeauth.org/ + +[[!tag tags/linux]] -- 2.26.2
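Review bot: Several reference-style links in posts/OTP.mdwn will not resolve, because the label used in the body differs from the label defined at the bottom of the file. The body uses `[OTP][]`, `[sshd_config(5)][]` and `[jopt][]`, while the definitions are `[OPT]:`, `[sshd_config(1)]:` and `[jotp]:`, and `[RFC 1938][]` has no definition at all. Suggest renaming the definitions to `[OTP]:` and `[sshd_config(5)]:`, changing the body to `[jotp][]` to match the URL, and adding an `[RFC 1938]:` entry. The `[OPTW]` label is consistent, but its URL ends in otpw.html, so the name is probably meant to be OTPW. In the standards list, "obsoletes RFC 1928" on the RFC 2289 item looks like a typo for RFC 1938, which is the next item. The path reference that starts "Tracing through" opens with a backtick and closes with an apostrophe, which mis-pairs the code spans that follow, and the `sys-auth/skey` code span has a stray leading space. The text also says the `pam_skey.so` line is for remote authentication but places it in `/etc/pam.d/system-auth`; state which services pick up that file, or put the line in `/etc/pam.d/sshd` if only SSH logins are meant. Spelling: "teminal", "all all authentications styles", "mobil", "alogrithm".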