Feed RSS
Feed RSS
Debian GNU Linux
Play Ogg
Eliminate DRM!
hosted by tuxfamily.org
Articles Hierarchy

    One-Time Passwords howto

One Time Passwords (OTP) are throwaway passwords that you can use one time only. They were very useful years ago when SSH was not there yet and people login to remote server using unprotected protocols like rcp, rsh, rlogin, ecc. You were continually exposed to Man In The Middle attacks. SSH made OTP password less used. Nowadays OTP can be very useful if you have to login to a remote server from a public computer where keylogger or memory scraper are a possibility or you are working on a shared workstation. In practice in any scenario where you are connecting to a trusted destination from an untrusted source.
The OTP is good for a single use only and therefore it will be unusable to an attacker that managed to steal it. The passwords are generated a priori and stored hashed on the remote server. The user carries a copy (printed on paper for example) of the list of passwords. At login the user is prompted for one password from the list that is immediately disabled after use.

This article was originally written for OPIE one-time passwords. However, on Debian and derivatives, this application has been removed due to license problems and no upstream update. Instead, the OTPW package is used. In the following the OTPW package is set up, but the old article on OPIE is left at the bottom in case might be useful for someone.



On Debian and derivatives install the following packages

# apt-get install libpam-otpw otpw-bin

On Arch

# yaourt -S otpw 

On Red Hat/Fedora there are no packages. Therefore the source code has to be compiled

# git clone https://www.cl.cam.ac.uk/~mgk25/git/otpw
# cd optw
# vi Makefile
# make; make install



It is convenient to configure PAM to use OTPW for authentications in the system. By creating an ad-hoc file OTPW can be added to any situation where an authentication is required. Create a new file called

# touch /etc/pam.d/otpw

and insert

auth           required      pam_otpw.so
session        optional        pam_otpw.so

Then open the PAM file relative to SSH, usually /etc/pam.d/sshd
Search for the line

@include common-auth

and comment it out adding the OTPW PAM file instead. In Debian/Ubuntu

# Enable OTPW
@include otpw
# Standard Un*x
#@include common-auth

In Arch

# Enable OTPW
@include otpw
# Standard Un*x
#auth      include   system-remote-login

In Red Hat/Fedora

# Enable OTPW
@include otpw
# Standard Un*x
#auth       substack     password-auth

It is not strictly required to comment out the standard authentication method. If it is not commented it will be still available for log in. In this case note that the order in which the authentication methods appear will be respected during the authentication procedure.



Now we must be sure that SSH is using PAM for authentication. Open the SSH daemon configuration file

# vi /etc/ssh/sshd_config

and search/add the following lines

UsePrivilegeSeparation yes
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no

If you want to enable the public key authentication in addition to the OTPW make sure you have the following line

PubkeyAuthentication yes

If you don't want to use the public key set the line to

PubkeyAuthentication no

Reload the SSH daemon

Old style

# /etc/init.d/ssh reload

Debian service

# service ssh reload


# systemctl restart sshd


Generating OTPW

To generate a new set of OTPW passwords use the command

$ otpw-gen > my_otpw.txt

A new seed is generated and a prefix to be added to each password is requested. When you log in, a 3-digit password number will be displayed. It identifies the one-time password on your list that you have to append to the prefix password. If another login to your account is in progress at the same time, several password numbers
may be shown and all corresponding passwords have to be appended after the prefix password. Best generate a new password list when you have used up half of the old one.

Enter new prefix password:
Reenter prefix password:

Than the hashed version of the passwords is locally stored in .otpw

Creating '~/.otpw'.
Generating new one-time passwords ...

If this is not the first generation of passwords an .otpw is already present. Therefore it is first asked whether the old password file should be deleted

Overwrite existing password list '~/.otpw' (Y/n)?

Every user with a .otpw file in the home directory will be prompted for OTPW to log in on SSH. If an user wants to be disabled just remove this file from the home.


Using OTPW

Given the list of password, log in to SSH. You will be prompted with the password challenge

$ ssh localhost
Password 032:

To to log in type in your prefix password by memory (you didn't write it on the piece of paper, right?) and the 32-th password. If you fail entering the password you will be prompted again up to the maximum number of trials, usually 3. If the standard authentication method has not be commented out, you'll be prompted with the standard authentication method after each OTPW attempt. After a OTPW has been used for a login, is permanently disabled. Therefore, even if an attacker was able to eavesdrop it, it will be unusable for a second log in.

No Comments have been Posted.

Post Comment
Please Login to Post a Comment.

Rating is available to Members only.

Please login to vote.

No Ratings have been Posted.