After travelling around Mexico and logging into my mail server from random machines, my paranoia has turned me to looking at one-time passwords. Here's a brief rundown of what I went through to set it up on Ubuntu.
On a local secure machine (laptop/PDA):
- apt-get install opie-client
- Think up a secret passphrase between 10 and 127 characters long.
On the server:
- apt-get install libpam-opie opie-server
- As per /usr/share/doc/libpam-opie/README.Debian, I edited /etc/pam.d/ssh and replaced the line

    @include common-auth

  with

    auth sufficient pam_unix.so
    auth sufficient pam_opie.so
    auth required pam_deny.so
- Enable ChallengeResponseAuthentication yes in /etc/ssh/sshd_config.
- As the user on the server, run opiepasswd. This will give you a challenge that you need to answer by running opiekey or otp-md5 on a local (secure) machine.
    server% opiepasswd
    Adding bernard:
    You need the response from an OTP generator.
    New secret pass phrase:
            otp-md5 499 so9449
            Response:

    client% otp-md5 499 so9449
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase: ***************
    LIEU FOLK GULL WALL TASK AN

  And now pass LIEU FOLK GULL WALL TASK AN back to the opiepasswd command.
Now when you log into the server with ssh, you should be greeted with something like:

    insecure% ssh server
    otp-md5 498 so9449 ext,
    Response:

where you respond by running otp-md5 498 so9449 on your local secure machine, entering your secret passphrase, and typing the response back in at the server's prompt. If the server rejects it, double-check you didn't mess up your secret passphrase: there are no other warnings or errors if you do!
The sequence number decrements towards 0 each time a challenge is used. So if you're going travelling without your PDA, you could pre-generate your one-time passwords, print them out and stick them in your wallet (assuming you trust your wallet).
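To make the decrementing sequence number concrete, here is an added example (my own Python, not code from the post or from the OPIE package) of the RFC 2289 MD5 construction that otp-md5 and opiepasswd implement: the first link is MD5 over the lower-cased seed plus the passphrase, folded to 64 bits by XORing the two halves of the digest; each further link is the folded MD5 of the previous 8 bytes. The server stores only the last accepted response, so checking a login means hashing the offered response once and comparing. The seed so9449 and the 499/498 sequence numbers are the post's; the passphrase, user name record and the `ext` suffix handling are constructed assumptions, and responses are shown in hex because the six-word form needs the 2048-word RFC 1751 dictionary.

```python
import hashlib
from dataclasses import dataclass

# Constructed values for the demo: the seed and sequence numbers follow the
# post (so9449, 499 -> 498); the passphrase is made up and is NOT the author's.
PASSPHRASE = "correct horse battery staple example"
SEED = "so9449"


def fold(digest: bytes) -> bytes:
    """RFC 2289 MD5 folding: XOR the two 8-byte halves of a 16-byte digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def step(block: bytes) -> bytes:
    """One link of the chain: folded MD5 of the previous 8-byte result."""
    return fold(hashlib.md5(block).digest())


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """64-bit one-time password for (passphrase, seed, sequence).

    Step 0 hashes the lower-cased seed concatenated with the passphrase
    (the seed is case-insensitive); the response for sequence n applies
    step() n more times, which is what otp-md5 / opiekey compute.
    """
    if not 0 <= sequence < 10000:
        raise ValueError("sequence must be in 0..9999")
    block = fold(hashlib.md5((seed.lower() + passphrase).encode("utf-8")).digest())
    for _ in range(sequence):
        block = step(block)
    return block


def to_hex(block: bytes) -> str:
    """Hex form of a response; opiekey would print six dictionary words instead."""
    return block.hex().upper()


@dataclass
class OpieRecord:
    """What the server keeps per user (constructed stand-in for /etc/opiekeys)."""
    user: str
    seed: str
    sequence: int         # sequence number of the last accepted response
    last_response: bytes  # that response; the passphrase itself is never stored


def enroll(user: str, passphrase: str, seed: str, sequence: int = 499) -> OpieRecord:
    """opiepasswd: the client answers 'otp-md5 <sequence> <seed>', the server stores it."""
    return OpieRecord(user, seed, sequence, otp_md5(passphrase, seed, sequence))


def challenge(rec: OpieRecord) -> str:
    """The prompt the next ssh login shows; 'ext' = extended response formats accepted."""
    return f"otp-md5 {rec.sequence - 1} {rec.seed} ext"


def verify(rec: OpieRecord, response: bytes) -> bool:
    """Server check: one more hash step of the offered response must match storage."""
    if rec.sequence <= 0:
        return False          # chain exhausted (demo policy): re-run opiepasswd
    if step(response) != rec.last_response:
        return False          # wrong passphrase, wrong sequence, or a replayed response
    rec.sequence -= 1
    rec.last_response = response
    return True


def pregenerate(passphrase: str, seed: str, start: int, count: int):
    """The printed list for the wallet: (sequence, hex response), highest first."""
    return [(n, to_hex(otp_md5(passphrase, seed, n)))
            for n in range(start, start - count, -1)]


if __name__ == "__main__":
    rec = enroll("bernard", PASSPHRASE, SEED)
    print(challenge(rec))                       # otp-md5 498 so9449 ext
    resp = otp_md5(PASSPHRASE, SEED, 498)
    print("login ok:", verify(rec, resp), " replay ok:", verify(rec, resp))
    for n, h in pregenerate(PASSPHRASE, SEED, 497, 5):
        print(n, h)
```

The property worth noticing is in `verify`: the server holds only the response it last accepted, and each login needs a preimage of it, so a response captured on the untrusted machine is useless once the server has seen it and the passphrase never leaves the secure machine. `pregenerate` is the wallet list from the paragraph above; once the sequence reaches 0 the chain has to be restarted with opiepasswd.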
Et voilà.