So, you’re out of your secret lair and now you need to log in from a computer you don’t trust. After all, every computer you don’t administer is most likely full of viruses, malware and probably even a hardware keylogger somewhere along the keyboard cord, right?
So you want to use a one-time password, so that even if someone snatches it, it has already been used and can never be used again.
Fortunately, one-time passwords on Debian is a breeze to set up.
apt-get install opie-server
This will install opie-server, which will drag along opie-client and libpam-opie as dependencies, unless you have them already.
Now you have to choose if you want one-time passwords for every single login, or only the ones happening over SSH
I wanted it only for SSH logins, so I edit /etc/pam.d/sshd (might be named just “ssh” in other distros)
At the bottom of the file, I appended:
auth sufficient pam_opie.so auth required pam_deny.so
This will make your server first ask for your password, then ask for the one-time password if the password is correct. If you want it to not ask for your normal password, comment out the last line of the file, saying “@include common-auth”
“common-auth“, in /etc/pam.d, is also the file you have to edit if you want one-time passwords for all logins, not just for SSH. Don’t have sshd ask for your normal password if you also use that for FTP connections or other stuff which doesn’t also require a one-time password. Your normal password should be unique.
Then you need to enable challenge response authentication in SSH, which is disabled by default in Debian Squeeze. Edit /etc/ssh/sshd_config and locate the line “ChallengeResponseAuthentication no” change this to “yes” and restart sshd
Next, all you have to do is set a passphrase for your one-time passwords:
-c is for console mode, -f is only needed if you’re currently logged in remotely, to force opiepasswd to assume the connection is secure.
Enter the passphrase it asks for. This should be some sentence you can easily remember, preferably with upper and lower case and punctuation.
Now you’re ready to try it. Connect, enter your password, watch the one-time password challenge appear:
ssh myserver.dhampir.no Password: otp-md5 498 sl8229 ext, Response:
You can generate the one-time passwords using any suitable tool. I use VeJOTP to generate the passwords on my Java phone, which is really neat, but you can also just use “opiekey” to generate passwords and print them out:
$ opiekey -n 10 498 sl8229 Using the MD5 algorithm to compute response. Reminder: Don't use opiekey from telnet or dial-in sessions. Sorry, but you don't seem to be on the console or a secure terminal. Warning: Continuing could disclose your secret pass phrase to an attacker! Enter secret pass phrase: 489: BABY NAN GALL MONA WEST LUG 490: FEND DES WOO RACE BED AQUA 491: GET FAST HECK BELA NONE RAY 492: NINE SUCH CUNY ARID JUNO SOUR 493: DOTE DUG BRED WARN AWRY SAID 494: FAWN ABUT SAY KILL WAVE WATS 495: RASH AMES BLUE SAP DEE GAB 496: JACK DIRE LUCY ROOM JACK RENA 497: FLUE LOAM TICK LAMB ROWS BEST 498: GLIB ELBA POE OUCH ROW LEN
This command generates the 10 next passphrases, counting down from the requested one (498) based on challenge sl8229.
One-time passwords count downwards, because every key is based on the previous ones, and starting at the end of the list, you then can’t calculate the “next” (previous) key.