Secure authentication with one-time passwords
Safety Net
The next step is to integrate the authentication mechanism with the PAM stack (see Listing 2). The pam_unix or pam_unix2 modules do most of the work. These modules are tagged with a sufficient control flag, but as you want to replace the pam_unix.so or pam_unix2.so libraries with the pam_opie.so library, you should modify the configuration accordingly.
Listing 2: pam_opie.so
Note that it is possible to configure your system so that, if OPIE fails for any reason, users can still use legacy passwords to authenticate.
Once you have modified the PAM configuration, your system is OTP-capable. Some services, such as the SSH daemon, still need some manual attention before they start using one-time passwords. In the case of SSH, you need the following line in the server configuration file /etc/sshd/sshd_config:
ChallengeResponseAuthentication yes
Listing 3 shows an SSH login using OPIE. After successfully authenticating, OPIE updates the /etc/opiekeys file, adding the new sequence number and the hash of the last password used.
Listing 3: SSH Login with OPIE
Sowing and Harvesting
Users need opiekey to generate one-time passwords. The generator in Listing 4 expects the user password, the seed, and the current sequence number. Users can run opieinfo to view this information. OPIE also has a mechanism that generates a list of OTPs in case a user doesn't have a generator.
Listing 4: Creating three OTPs with opiekey
Other generators besides opiekey are also available. The Java program JOTP [6] will run on a Java-capable cellphone or on a normal website, although the website must be trustworthy. Palm owners can run Palmkey [7] or pilOTP [8], and desktop users can run otpCalc [9].
The opiepasswd -d command disables a user entry in /etc/opiekeys and thus bans the user from the OPIE system (see Listing 5). The system overwrites the password hash with a series of asterisks (*), although the sequence number and seed remain visible.
Listing 5: Disabling OPIE for a User
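The RFC 2289 computation that opiekey performs (Listing 4) and the /etc/opiekeys update that follows a successful login (Listing 3), as an added example that is not code from the article or from the OPIE project. It uses MD5, OPIE's default hash, prints the OTP in hex rather than the six-word form (the 2048-word dictionary is omitted), and the record layout and function names are this example's own.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """RFC 2289 one-way function with MD5 (the OPIE default): hash, then
    fold the 128-bit digest to 64 bits by XOR-ing its two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def opie_otp(passphrase: str, seed: str, seq: int) -> bytes:
    """What opiekey computes from passphrase, seed and sequence number.
    The seed is case-insensitive and is lower-cased before hashing."""
    key = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(seq):
        key = fold_md5(key)
    return key


def new_opiekeys_entry(user: str, passphrase: str, seed: str, seq: int) -> dict:
    """Record as opiepasswd would store it (layout is this example's own):
    only the OTP for the highest sequence number is kept, never the passphrase."""
    return {"user": user, "seq": seq, "seed": seed,
            "otp": opie_otp(passphrase, seed, seq).hex()}


def opie_verify(entry: dict, response_hex: str) -> bool:
    """Server-side check: one more application of fold_md5 to the presented
    OTP must yield the stored value. On success the record moves to the
    presented OTP and seq - 1 (the /etc/opiekeys update the article
    describes), so a replayed OTP fails the next time."""
    try:
        presented = bytes.fromhex(response_hex)
    except ValueError:
        return False
    if len(presented) != 8:
        return False
    if not hmac.compare_digest(fold_md5(presented).hex(), entry["otp"]):
        return False
    entry["seq"] -= 1
    entry["otp"] = presented.hex()
    return True


if __name__ == "__main__":
    # RFC 2289 MD5 test vector: "This is a test." / TeSt / 0 -> 9E87 6134 D904 99DD
    print(opie_otp("This is a test.", "TeSt", 0).hex().upper())
    rec = new_opiekeys_entry("alice", "This is a test.", "TeSt", 99)
    print(opie_verify(rec, opie_otp("This is a test.", "TeSt", 98).hex()), rec)
```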
Pluggable Authentication Modules (PAM)
PAM defines four categories for the authentication process: auth, account, password, and session. The auth category handles the authentication itself, while password defines whether and how a user can change their password. PAM uses account to manage access based on the user account and session to handle the environment setup.
PAM offers a selection of modules for each category and organizes them in a stack. Each module is tagged with a control flag, which lets admins define how PAM reacts when a module succeeds or fails. Four flags exist: required, requisite, sufficient, and optional. If a module flagged required, requisite, or sufficient fails, the complete authentication process fails. If the failing module is tagged requisite, PAM stops processing the stack immediately.
After successfully processing a module flagged required, requisite, or optional, PAM moves on to the next module in the stack. If the successful module is flagged sufficient, PAM views the category as successfully processed.
The OTPW Alternative
The OTPW software-based solution does not use the method specified by RFC 2289 but relies instead on the 160-bit RIPEMD hash (RIPEMD-160). OTPW includes a modified version of the login program (demologin) and an alternative module for integration with the PAM stack. Users are issued passwords in the form of a list, similar to the legacy TAN lists issued by banks.
When authenticating, the user types a string comprising the list entry and their own password. The OTPW server stores the RIPEMD hashes of all valid one-time passwords (along with a number) in the .otpw file below the user's home directory. The program overwrites used passwords with dashes, thus preventing reuse.
The OTPW package is far smaller than OPIE; the source code comprises just 18 files. A simple make will create the demologin and otpw-gen programs, as well as the pam_otpw.so PAM library.
For Linux systems with PAM, OTPW requires only the otpw-gen generator and the pam_otpw module. The user initializes the OTPW system by running otpw-gen (Listing 6). After entering a password, otpw-gen creates a list of OTPs and displays the results.
Listing 6: Setting up OTPW
The -p1 parameter tells otpw-gen to output the OTPs as a list of four-letter words, for example:
hare lane fyfe self lucy
Deleting the .otpw file disables the use of one-time passwords for the account.
It makes sense to print the list. Users are responsible for keeping track of how many valid one-time passwords they still have.
If you want to save paper, check the content of .otpw when you log in. Used OTPs are tagged with -. Integration of OTPW with the PAM system follows the same steps as for OPIE.
According to the documentation, adding this entry
session optional pam_otpw.so
tells OTPW to let you know how many OTPs you have left when you log in. This command did not work in our lab. The manual steps for the SSH daemon are similar to those for OPIE.
Users create one-time passwords by concatenating their user passwords with the strings in the list generated by otpw-gen.
When a user attempts to log in, OTPW creates a symbolic link for .otpw.lock in the user's home directory. If the user cancels the login attempt by pressing Ctrl+C, the symbolic link is kept. The user is locked out while the link exists, as it prevents the use of OTPW.
On top of this, OTPW does not normally support simultaneous logins for security reasons. According to the program documentation, the user enters an extended one-time password in this case. The extended OTP comprises the user password and three strings from the list. We were unable to test this behavior in our lab.
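The OTPW scheme described above (a printed list of entries, a server-side file holding only hashes of prefix password plus entry, used entries overwritten with dashes, and a lock that blocks logins while it exists) as an added example, not code from the article or from the OTPW package. The token alphabet, token length, list layout and function names are this example's own; it falls back to SHA-256 only where the local hashlib lacks RIPEMD-160, in which case the hashes differ from real OTPW.

```python
import hashlib
import hmac
import secrets


def _digest(data: bytes) -> str:
    try:
        h = hashlib.new("ripemd160")   # what OTPW uses
    except ValueError:                 # hashlib built without RIPEMD-160
        h = hashlib.sha256()           # stand-in, as noted in the lead-in
    h.update(data)
    return h.hexdigest()


def otpw_generate(prefix_password: str, count: int = 5, token_len: int = 8):
    """Return (printout for the user, hashes for the server-side file).
    The server keeps no token in the clear, only the hash of
    prefix_password + token, so reading the file yields no usable OTP."""
    alphabet = "abcdefghjkmnpqrstuvwxyz23456789"   # constructed: no look-alikes
    tokens = ["".join(secrets.choice(alphabet) for _ in range(token_len))
              for _ in range(count)]
    printout = [f"{i:03d} {t}" for i, t in enumerate(tokens)]
    stored = [_digest((prefix_password + t).encode()) for t in tokens]
    return printout, stored


def otpw_login(stored: list, lock_held: bool, number: int, typed: str) -> bool:
    """`number` is the entry the server asked for; `typed` is what the user
    enters: prefix password followed by that list entry. A leftover lock
    (the .otpw.lock case in the text) refuses every login."""
    if lock_held:
        return False
    if not 0 <= number < len(stored) or stored[number].startswith("-"):
        return False                   # unknown or already consumed entry
    if not hmac.compare_digest(_digest(typed.encode()), stored[number]):
        return False
    stored[number] = "-" * len(stored[number])   # overwrite used entry
    return True


def otpw_remaining(stored: list) -> int:
    """How many unused entries are left, as shown when checking .otpw."""
    return sum(not h.startswith("-") for h in stored)


if __name__ == "__main__":
    sheet, server_file = otpw_generate("geheim", count=3)
    print("\n".join(sheet))
    print(otpw_login(server_file, False, 0, "geheim" + sheet[0].split()[1]))
    print(otpw_remaining(server_file))
```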
One-time passwords are useful for insecure environments with a danger of password sniffing. The OPIE and OTPW implementations are easily integrated with popular Linux distributions thanks to PAM.
Infos
- [1] Digipass 300 Pro: http://www.vasco.com
- [2] RSA SecurID: http://www.rsa.com
- [3] One-time Passwords In Everything (OPIE): http://www.inner.net/opie
- [4] One-Time Password (OTPW): http://www.cl.cam.ac.uk/~mgk25/otpw.html
- [5] Pluggable Authentication Modules (PAM): http://www.kernel.org/pub/linux/libs/pam/
- [6] Java OTP Calculator (JOTP): http://www.cs.umd.edu/~harry/jotp/
- [7] Palmkey: http://palmkey.sf.net
- [8] Pilot OTP Generator (pilOTP): http://www.valdes.us/palm/pilOTP/
- [9] OTP and S/Key Calculator for X-Window (otpCalc): http://killa.net/infosec/otpCalc/