Dear AO.

Today I read a thread posted by sweet_angel with the topic “One time passwords”. This is something I have not seen on AO so far, so I decided to write a simple tutorial about what it is and how to set it up.

Unfortunately my tutorial is based on SuSE Linux, so I am not sure about the differences on other *nix systems. The software needed for this is on my SuSE distribution CDs. I hope this comes in handy for some people.


One Time Passwords By InStRoNiCs.

One-time passwords (OTP) are passwords that are valid for a single login only. A user therefore gets a list of several one-time passwords, which has to be renewed once all the passwords on the list are used up. Banks use the same idea for PINs and TANs. If an attacker captured the packets containing the login information (encrypted) and tried to resend them, they would be useless to him, since the password they contain is only valid for one use. For SuSE Linux there are two solutions for one-time passwords, and both work as PAM modules.


OPIE (One Time Passwords In Everything)

OPIE is an implementation of the OTP standard described in RFC 1938. OPIE is compatible with Olaf Kirch's S/Key implementation for Linux. To use OPIE through PAM you need the following two packages:

opie-2.32.tar.gz

pam_opie-0.21.tar.gz

The archive opie-2.32.tar.gz contains the current stable OPIE version 2.32. It also includes the OPIE library, which makes OTP authentication available to your own programs (it can be built into any application that requires authentication). The OPIE 2.32 system programs, for example the replacements for login and ftpd, use this library, and the PAM module is built on it as well.

The archive pam_opie-0.21.tar.gz contains the OPIE library version 2.32 and the OPIE PAM module.

Extracting the archives creates two directories, opie-2.32 and pam_opie:


instronics:~# tar xzf opie-2.32.tar.gz
instronics:~# tar xzf pam_opie-0.21.tar.gz

The Makefile from pam_opie can be used under SuSE Linux without any additional modifications.

instronics:~# cd pam_opie
instronics:~# make
.
.
instronics:~# make install
.
.
instronics:~#


After this, the PAM module is available as /lib/security/pam_opie.so. Before you can activate pam_opie.so you have to set up the OPIE client programs and the OPIE administration tools included in OPIE 2.32.

(I would like to remind you to prefer a “make install” instead of using an rpm package.)

Since pam_opie handles the authentication, the OPIE system programs (the replacement login, su and ftpd) are not needed, so the Makefile template has to be modified slightly.

In my example below, these entries are commented out (leading #), so that the system programs are not installed:

#@echo "Installing OPIE system programs..."
#@if test ! $(EXISTS) $(LOGIN).$(BACKUP);\
then echo "Renaming existing $(
#@echo "Copying opielogin to $(LOGIN)"
#@cp opielogin $(LOGIN)
#@echo "Changing ownership of $(LOGIN)"
#@$(CHOWN) $(OWNER) $(LOGIN)
#@chgrp $(GROUP) $(LOGIN)
#@echo "Changing file permissions of $(LOGIN)"
#@chmod 4111 $(LOGIN)
#@if test ! $(EXISTS) $(SU).$(BACKUP); then\
echo "Renaming existing su to
#@-if test ! -z "$(ALT_SU)"; then if test !\
$(EXISTS) $(ALT_SU).$(BACKUP)
#@echo "Copying opiesu to su"
#@cp opiesu $(SU)
#@echo "Changing ownership of su"
#@$(CHOWN) $(OWNER) $(SU)
#@chgrp $(GROUP) $(SU)
#@echo "Changing file permissions of su"
#@chmod 4111 $(SU)
#@if test ! $(EXISTS) $(FTPD).$(BACKUP); then\
echo "Renaming existing ftp"
#@echo "Copying OPIE ftp daemon"
#@cp opieftpd $(FTPD)
#@echo "Changing ownership of ftpd"
#@$(CHOWN) $(OWNER) $(FTPD)
#@chgrp $(GROUP) $(FTPD)
#@echo "Changing file permissions of ftpd"
#@chmod 0100 $(FTPD)


After this, build and install OPIE:

instronics:~# ./configure
.
.
instronics:~# make
.
.
# make install
.
.
instronics:~#


The opiepasswd command enrols a user account for OTP. For this example I will use a user called bubu.

instronics:~# opiepasswd bubu
Adding bubu:
You need the response from OTP generator.
New secret pass phrase:
otp-md5 499 ca4460
Response:

The response has to be computed with opiekey from the challenge that opiepasswd just displayed (sequence number 499, seed ca4460):

instronics:~# opiekey 499 ca4460
Using the md5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:

The pass phrase is the secret key of user bubu and should be at least 10 characters long; it is entered here. After you have entered the secret pass phrase (it is not echoed), opiekey prints the answer (the response):

instronics:~# opiekey 499 ca4460
Using the md5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
Car GUY TAB SOOT ORAL HEHE

The response it generates is then entered at the opiepasswd prompt:

instronics:~# opiepasswd bubu
Adding bubu:
You need the response from an OTP generator.
New secret pass phrase:
otp-md5 499 ca4460
Response: CAR GUY TAB SOOT HEHE

ID bubu OTP key is 499 ca4460
CAR GUY TAB SOOT HEHE


This adds the following entry for user bubu to /etc/opiekeys:

instronics:~# cat /etc/opiekeys
bubu 049 ca4460 b62300fbf130df92 Feb 10,2003 12:15:17
instronics:~#


Now activate the PAM module for login so that user bubu can log in with an OTP. To do this, edit /etc/pam.d/login:

#%PAM-1.0
#auth requisite /lib/security/pam_unix.so \
nullok #set_secrpc
auth requisite /lib/security/pam_opie.so
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
auth required /lib/security/pam_mail.so
auth required /lib/security/pam_shells.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_pwcheck.so \
nullok use_cracklib
password required /lib/security/pam_unix.so \
nullok use_first_pass use_authtok
session required /lib/security/pam_unix.so \
none #debug or trace
session required /lib/security/pam_limits.so


With this, pam_unix is deactivated by commenting it out and pam_opie is activated in its place. From this point on, user bubu cannot log in with his normal password, only with the OTP we activated with opiepasswd. It is advisable to enrol user root first.

For OTP logins we now need either a list of one-time passwords or an OTP calculator. The program opiekey is such a calculator.

(From another computer:)

otherbox:~# telnet instronics
Trying 192.168.20.17...
Connected to instronics.
Escape character is '^]'.
Login: bubu
otp-md5 499 ca4460 ext
Response:


Instead of the usual password prompt, the challenge is displayed. It asks for one-time password number 499 for the seed ca4460.

The requested one-time password can be calculated on any machine that has opiekey installed. To generate it, run opiekey with the sequence number and seed from the challenge:

Otherbox:~# opiekey 499 ca4460
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
ANY THING YOU WISH HERE HEHE
#


After you enter the secret pass phrase, the response is your next one-time password. Entering it at the login prompt completes the login and makes password number 499 invalid; the next challenge will ask for number 498.

Otherbox:~# telnet instronics
Trying 192.168.20.17...
Connected to instronics.
Escape character is '^]'.
login: bubu
otp-md5 499 ca4460 ext
Response:
Last login: Mon Feb 10 12:35:32 on tty2
Welcome to instronics. Please read the MOTD before continuing to use this service.


If the user has no access to an OTP calculator, you can print a password list for him with a special opiekey option. The parameter -n 10 generates the next 10 passwords:


instronics:~# opiekey -n 10 499 ca4460
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter the secret pass phrase:
490: THAT COT SUIT LAB SAD HOLM
491: SAW BIT NET JOHN WAG LIT
492: GOES HALL DEAF RID HEHE GOOGLE
493: OWNS WHY TORN ITS BAWL COY
494: TWO WARM CODA GENT BOW WEED
495: GILT ARE HEN STAY ADD FUEL
496: SEWN WOVE GLAD HUSH FELL GILD
497: BOCK PAL KANT TUNE GRID SEE
498: HOOK SMUG SLOG MOOT WHY GULF
499: AVON FORK NUDE PUT ANY BALD
#

With this list, user bubu can log in another 9 times, since number 499 has already been used. The next valid password is number 498 (note that the sequence number decreases, not increases):
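To show what opiepasswd, opiekey and the login check above actually compute, here is an added example in Python (written for this post, not OPIE's own code) of the otp-md5 scheme from RFC 1938/2289: the seed and pass phrase are hashed once, the 8-byte result is re-hashed n times, and the server keeps only the last accepted password, checking a new one by hashing it once more. It prints hex (like opiekey -x) because the six-word form needs the 2048-word dictionary; the pass phrase "This is a test." and seed "TeSt" are the RFC 2289 test-vector inputs, and the OpieUser class is a constructed stand-in for one /etc/opiekeys entry.

```python
import hashlib


def _fold(digest16: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing its two halves (RFC 2289, Appendix A)."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def otp_md5(passphrase: str, seed: str, n: int) -> bytes:
    """Password number n: hash seed+passphrase once, then re-hash the 8-byte result n times.
    The seed is case-insensitive and is lowercased first, as opiekey does."""
    key = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(n):
        key = _fold(hashlib.md5(key).digest())
    return key


def otp_list(passphrase: str, seed: str, start: int, count: int) -> list:
    """Like 'opiekey -x -n count start seed': passwords start-count+1 .. start as hex.
    (The six-word output of opiekey needs the 2048-word dictionary and is omitted.)"""
    return [(i, otp_md5(passphrase, seed, i).hex().upper())
            for i in range(start - count + 1, start + 1)]


class OpieUser:
    """Constructed model of one /etc/opiekeys line: last accepted password and its number."""

    def __init__(self, seed: str, seq: int, enrol_response: bytes):
        self.seed, self.seq, self.stored = seed, seq, enrol_response  # set by opiepasswd

    def challenge(self) -> str:
        return f"otp-md5 {self.seq - 1} {self.seed}"  # shown by login instead of Password:

    def login(self, response: bytes) -> bool:
        """Hashing the offered password once must reproduce the stored one. On success the
        offered password replaces the stored one, so the same value is never accepted twice."""
        if _fold(hashlib.md5(response).digest()) != self.stored:
            return False
        self.stored, self.seq = response, self.seq - 1
        return True


def demo() -> tuple:
    """Enrol with number 499, replay the enrolment response, then log in with 498."""
    pw, seed = "This is a test.", "TeSt"               # constructed; RFC 2289 test-vector inputs
    bubu = OpieUser(seed, 499, otp_md5(pw, seed, 499))  # opiepasswd bubu -> response for 499
    replayed = bubu.login(otp_md5(pw, seed, 499))       # a captured/old password is rejected
    fresh = bubu.login(otp_md5(pw, seed, 498))          # answer to the "498" challenge: accepted
    return replayed, fresh, bubu.seq


if __name__ == "__main__":
    print(demo(), otp_list("This is a test.", "TeSt", 499, 10))
```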

Anotherbox:~# telnet instronics
Trying 192.168.20.17...
Connected to instronics.
Escape character is '^]'.
login: bubu
otp-md5 498 ca4460
Response:


Always remember: if a list of one-time passwords gets lost, the system administrator has to be notified immediately. It is not a problem to create a new password list.

I had a hard time writing this tutorial, since all my sources of information were in German, so I hope the translation is readable (SuSE is by default a German system). Forgive me for any typos, I have tried to avoid them as much as possible. I hope this tutorial will help you get started on the issue of "one time passwords".

Good luck.

Oh, one more thing... I mentioned that the first user to be added to the PAM list should be root. I recommend you make a BACKUP of everything before applying this. It can lock you out of your system if you make a mistake. Otherwise, for me it all worked fine. (Remember that all this has to be done as user root.)

Cheers everyone

//addon//

Please keep in mind that this software is from my SuSE 7.3, so some versions might be outdated. The procedures are the same, just make sure that you get any updated versions needed.

Cheers.