4.5. How to setup OPIE with pam On Linux¶
4.5.1. What is OPIE?¶
One Password In Everything, S/Key or One Time Passwords. One of the problems with connecting to remote systems is that of sending over the password, someone could watch your keyboard or the network and capture your password. Even using SSL only provide a partial level of security. Using OTP where your password changes each time helps to improve this.
OTP works by combing a seed and your password and then hashes (MD4, MD5, SHA1) the results numerous times. When you attempt to connect the remote end sends a challenge, eg “otp-md5 98 seed1234”. The first part “otp-md5” says that the MD5 hash was used for this OTP, the number “98” means that it was done 98 times, and the last part “seed1234” is the seed used.
To create the correct response to this you need to know your password and use a OTP response calculator. In the calculator enter the challange and your password, you’ll then be presented with a response. the response can be either in HEX or as 6 WORDS. You will then just need to enter either of these onto your remote system. The next time you connect the challenge will change by reducing the number by one eg “97”. For a much more detailed understanding of OTP you can have a look at these sites:
RFC 2289 – A One-Time Password System
RFC 1320 – The MD4 Message-Digest Algorithm
RFC 1321 – The MD5 Message-Digest Algorithm
RFC 3174 – US Secure Hash Algorithm 1 (SHA1)
Below are instructions on how to download, install and setup a PAM module written by Andy Berkheimer to make your LINUX server support OTP challenge response authentication. Although it’s not been updated in sometime it still works just fine.
Once you have this all setup, you can use 1Key for iPhone to make your OTP responses.
4.5.2. Install / Setup¶
pam_opie-0.21.tar.gz
Download and compile the source
$ curl -O http://www.andybash.com/pam_opie-0.21.tar.gz
$ tar -xf pam_opie-0.21.tar.gz
$ cd pam_opie
$ make
$ sudo make install
Configure PAM../etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_opie.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Configure SSHD../etc/ssh/sshd_config
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
4.5.3. Create an OTP Entry in /etc/opiekeys¶
Start your OTP generator, either on the iPhone or web javascript, eg http://www.ocf.berkeley.edu/~jjlin/jsotp/
Make up a challange. The first part, a number is the number of times this challenge will work for, each time you authenticate the number will decrement by one. eg 99 The second part is a random seed containing letters (all lowercase) and numbers, eg seed1234. Finally a password..what ever you want and don’t tell anyone! create the MD5 response. You need the HEX response.
Challange: 99 seed1234
Password: 1234
Response: HOOD JADE TALK FOIL SLAB LISA (9A54 079D 41ED E360)
- Add the line to your opiekeys file. eg, my username is "guy"
guy 0099 seed1234 9a54079d41ede360
restart SSHD server
$ sudo /etc/rc.d/init.d/sshd restart
I can now authenticate. When challenged I’ll be asked for challenge “otp-md5 98 seed1234”, note the number has decreased by one.
4.5.4. Testing¶
$ ssh guy@localhost
otp-md5 98 seed1234
Response:
Using you OTP generator, create the correct response and either enter the HEX or 6 WORDS, and see that you are now logged in. Due to the way the above configuration is done, you can also just enter your shadow password and it’ll authenticate that too. Once your happy your OTP system is correct you can remove the line “pam_unix.so” in the “system-auth” file.
You should also note that as this is done via pam, any application which uses pam for authentication can also now use OTP.
4.5.5. How does the server do authentication?¶
well it’s very simple really. in the /etc/opiekeys file is stored the counter, seed, and HEX response, eg “0099 seed1234 9a54079d41ede360”.
The server creates the new challenge by subtracting one from the counter, eg “opt-md5 98 seed1234”. The user will provide his response either in WORDS or as HEX. If in WORDS they are converted back to HEX. Once in HEX it’s hashed again and should match the HEX from the opiekeys file. If it does then the authenticate succeeds and the new HEX and counter is then updated into the opiekeys file.
The advantage of this it that at no time does the server have the users password in any form. And knowing the last response does not provide anyway of generating the next one.