OTP (one-time passwords) on Debian Squeeze SSH logins

So, you’re out of your secret lair and now you need to log in from a computer you don’t trust. After all, every computer you don’t administer is most likely full of viruses, malware and probably even a hardware keylogger somewhere along the keyboard cord, right?

So you want to use a one-time password, so that even if someone snatches it, it has already been used and can never be used again.

Fortunately, one-time passwords on Debian is a breeze to set up.

apt-get install opie-server

This will install opie-server, which will drag along opie-client and libpam-opie as dependencies, unless you have them already.

Now you have to choose if you want one-time passwords for every single login, or only the ones happening over SSH

I wanted it only for SSH logins, so I edit /etc/pam.d/sshd (might be named just “ssh” in other distros)

At the bottom of the file, I appended:

auth sufficient pam_opie.so
auth required pam_deny.so

This will make your server first ask for your password, then ask for the one-time password if the password is correct. If you want it to not ask for your normal password, comment out the last line of the file, saying “@include common-auth”

common-auth“, in /etc/pam.d, is also the file you have to edit if you want one-time passwords for all logins, not just for SSH. Don’t have sshd ask for your normal password if you also use that for FTP connections or other stuff which doesn’t also require a one-time password. Your normal password should be unique.

Then you need to enable challenge response authentication in SSH, which is disabled by default in Debian Squeeze. Edit /etc/ssh/sshd_config and locate the line “ChallengeResponseAuthentication no” change this to “yes” and restart sshd

/etc/init.d/ssh restart

Next, all you have to do is set a passphrase for your one-time passwords:

opiepasswd -cf

-c is for console mode, -f is only needed if you’re currently logged in remotely, to force opiepasswd to assume the connection is secure.

Enter the passphrase it asks for. This should be some sentence you can easily remember, preferably with upper and lower case and punctuation.

Now you’re ready to try it. Connect, enter your password, watch the one-time password challenge appear:

ssh myserver.dhampir.no
Password:
otp-md5 498 sl8229 ext, Response:

You can generate the one-time passwords using any suitable tool. I use VeJOTP to generate the passwords on my Java phone, which is really neat, but you can also just use “opiekey” to generate passwords and print them out:

$ opiekey -n 10 498 sl8229
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Sorry, but you don't seem to be on the console or a secure terminal.
Warning: Continuing could disclose your secret pass phrase to an attacker!
Enter secret pass phrase:
489: BABY NAN GALL MONA WEST LUG
490: FEND DES WOO RACE BED AQUA
491: GET FAST HECK BELA NONE RAY
492: NINE SUCH CUNY ARID JUNO SOUR
493: DOTE DUG BRED WARN AWRY SAID
494: FAWN ABUT SAY KILL WAVE WATS
495: RASH AMES BLUE SAP DEE GAB
496: JACK DIRE LUCY ROOM JACK RENA
497: FLUE LOAM TICK LAMB ROWS BEST
498: GLIB ELBA POE OUCH ROW LEN

This command generates the 10 next passphrases, counting down from the requested one (498) based on challenge sl8229.

One-time passwords count downwards, because every key is based on the previous ones, and starting at the end of the list, you then can’t calculate the “next” (previous) key.

3 Comments

  • hmy says:

    very good! I have a question, if I want use publickey with the otp . how to configure it ?

    • tobi says:

      @hmy
      I installed otp today too. It seems that only one of the auth mechanism from ssh can be used at the same login. I can login either using the key OR using otp. But I could not figure out to use both in the same auth context. For me it seems its impossible to first auth using key and following an auth using otp.
      @boltblog
      Nice, this helped me a lot when I installed otp on my debian squeeze today

Leave a Reply

Your email address will not be published.