OTP and SSH

After travelling around Mexico and logging into my mail server from random machines, my paranoia has turned me to looking at one-time passwords. Here's a brief rundown of what I went through to set it up on Ubuntu.

On a local secure machine (laptop/PDA):

  1. apt-get install opie-client
  2. Think up a secret passphrase between 10 and 127 characters long.

On the server:

  1. apt-get install libpam-opie opie-server
  2. As per /usr/share/doc/libpam-opie/README.Debian, I edited /etc/pam.d/ssh and replaced the line
    @include common-auth
    with
    auth	sufficient	pam_unix.so
    auth	sufficient	pam_opie.so
    auth	required	pam_deny.so
    Note that with pam_unix.so listed as sufficient, your ordinary Unix password still logs you in: the OTP is an alternative to it, not a replacement for it.
  3. Set ChallengeResponseAuthentication yes in /etc/ssh/sshd_config and restart sshd so it picks up the change.
  4. As the user on the server, run opiepasswd. This will give you a challenge that you need to answer by running opiekey or otp-md5 on a local (secure) machine (otp-md5 is opiekey invoked under another name, with MD5 selected as the hash).
    server% opiepasswd
    Adding bernard:
    You need the response from an OTP generator.
    New secret pass phrase:
            otp-md5 499 so9449
            Response: 
    
    client% otp-md5 499 so9449
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase: ***************
    LIEU FOLK GULL WALL TASK AN
    
    And now type LIEU FOLK GULL WALL TASK AN at the Response: prompt of opiepasswd. The server stores this response, not your passphrase.

Now when you log into the server with ssh, you should be greeted with something like:

insecure% ssh server
otp-md5 498 so9449 ext, Response:

Respond by running otp-md5 498 so9449 on your local secure machine, entering your secret passphrase, and typing the six words it prints back to the server. If the server rejects the response, double-check that you didn't mistype your secret passphrase: a wrong passphrase produces a perfectly plausible-looking six-word answer, and neither otp-md5 nor the server gives any other warning or error.

The sequence number decrements by one towards 0 each time a challenge is used (499 when you ran opiepasswd, 498 for the first login, and so on). So if you're going travelling without your PDA, you could pre-generate a batch of one-time passwords with opiekey -n (see opiekey(1)), print them out and stick them in your wallet (assuming you trust your wallet). Cross each one off as you use it: every response works exactly once, and only in descending order, so a used or skipped one is worthless to whoever finds the list. Before the counter gets near 0, run opiepasswd again to start a fresh sequence with a new seed.
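To make the challenge/response and the pre-generated wallet list above concrete, here is an added worked example of the otp-md5 computation as RFC 2289 specifies it (OPIE implements that RFC), together with the one-way check the server performs. This is my own illustration, not code from the post or from OPIE: the passphrase is a constructed sample, the seed so9449 and sequence numbers 499/498 are taken from the post's transcript, and because the six-word encoding needs the RFC 2289 word list, the code produces the 16-hex-digit form instead (the same form opiekey -x prints, which an RFC 2289 server also accepts).

```python
# Added example (not from the post or from OPIE): RFC 2289 otp-md5 generator plus the
# server-side verification step, in hex rather than six-word form.
import hashlib
from typing import List, Tuple


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing the first half with the second."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> str:
    """Return the 16-hex-digit one-time password for (passphrase, seed, sequence).

    RFC 2289: the seed is case-insensitive and lowercased, concatenated with the
    secret passphrase, hashed and folded to 64 bits, then hashed-and-folded
    `sequence` more times. OPIE additionally wants a 10..127 character passphrase.
    """
    if not 1 <= len(seed) <= 16 or not seed.isalnum():
        raise ValueError("seed must be 1-16 alphanumeric characters")
    if sequence < 0:
        raise ValueError("sequence number must be >= 0")
    h = _fold(hashlib.md5((seed.lower() + passphrase).encode("utf-8")).digest())
    for _ in range(sequence):
        h = _fold(hashlib.md5(h).digest())
    return h.hex().upper()


def server_accepts(stored_response_hex: str, candidate_hex: str) -> bool:
    """The server's check: hash the offered response once more and compare with what it stored.

    The server keeps only the last accepted response (initially the one typed into
    opiepasswd) and never the passphrase, so the stored value cannot be run forward
    to produce the next response; it can only confirm it.
    """
    hashed_once = _fold(hashlib.md5(bytes.fromhex(candidate_hex)).digest()).hex().upper()
    return hashed_once == stored_response_hex


def pregenerate(passphrase: str, seed: str, top_sequence: int, count: int) -> List[Tuple[int, str]]:
    """The wallet list: the next `count` responses in the order the server will ask for them."""
    return [(n, otp_md5(passphrase, seed, n)) for n in range(top_sequence, top_sequence - count, -1)]


if __name__ == "__main__":
    PASSPHRASE = "correct horse battery staple"  # constructed sample, 10..127 chars as OPIE requires
    SEED = "so9449"                              # seed from the post's transcript
    initial = otp_md5(PASSPHRASE, SEED, 499)     # what you type into opiepasswd
    first_login = otp_md5(PASSPHRASE, SEED, 498) # what the first ssh challenge wants
    print("server accepts first login:", server_accepts(initial, first_login))
    print("replaying the opiepasswd response:", server_accepts(initial, initial))
    for n, response in pregenerate(PASSPHRASE, SEED, 498, 5):
        print(f"{n:4d}  {response}")
```

Running it shows the two properties the post relies on: the response for 498 is accepted against the stored response for 499, and replaying 499 (or offering any other number) is not, which is why the printed list is only useful in order and only once per line. The published RFC 2289 test vector (passphrase "This is a test.", seed TeSt, sequence 0 gives 9E87 6134 D904 99DD) is a handy way to confirm an implementation like this against opiekey -x.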

Et voilà.