
Thread: One Time Passwords Tutorial for SuSE Linux.

  1. #1
    instronics, Antionline's Security Dude
    Join Date
    Dec 2002
    Posts
    901

    One Time Passwords Tutorial for SuSE Linux.

    Dear AO.

    Today I read a thread posted by sweet_angel with the topic "One time passwords". This is something that I have not seen on AO so far, so I decided to write a simple tutorial about what it is and how to set it up.

    Unfortunately my tutorial is based on SuSE Linux, so I'm not very sure of the differences to other *nix systems. The software needed for this is on my SuSE distribution CDs. I hope this comes in handy for some people.


    One Time Passwords By InStRoNiCs.

    One time passwords (aka OTP) are passwords that are valid only for one login procedure. A user therefore gets a list with several one time passwords that has to be renewed once all the passwords on the list are used up. An example of where to find this type of security is banks, which use this for PINs and TANs. If an attacker was able to capture the packets containing the (encrypted) login information and tried to resend that packet, it would be useless to him, since the login information (password) is only valid for one use. For SuSE Linux there are 2 solutions for one time passwords, and both work as PAM modules.


    OPIE (One Time Passwords In Everything)

    OPIE is an implementation of the OTP standard, which is described in RFC 1938. OPIE is compatible with the S/Key implementation for Linux from Olaf Kirch. If you wish to use OPIE, which uses PAM, you need the following packages.

    Opie-2.32.tar.gz

    pam_opie-0.21.tar.gz

    The archive opie-2.32.tar.gz contains the current stable OPIE version 2.32. Also included is the OPIE library, which makes OTP authentication possible with your own programs (it can be set up to work in any application that requires authentication). The system programs from OPIE 2.32, for example login, ftpd etc., use this library. The PAM variant of OPIE was also implemented on the basis of this library.

    The archive pam_opie-0.21.tar.gz contains the OPIE library version 2.32 and the OPIE PAM module.

    When extracting the archives, 2 folders are created (opie-2.32 and pam_opie) and filled.


    instronics:~# tar xzf opie-2.32.tar.gz
    instronics:~# tar xzf pam_opie-0.21.tar.gz

    The Makefile from pam_opie can be used under SuSE Linux without any additional modifications.

    instronics:~# cd pam_opie
    instronics:~# make
    .
    .
    instronics:~# make install
    .
    .
    instronics:~#


    After this, the PAM module becomes available as /lib/security/pam_opie.so. Before you can activate pam_opie.so you have to set up the OPIE client programs and the OPIE administration tools that are included in OPIE 2.32.

    (I would like to remind you to prefer a "make install" instead of using an rpm package.)

    Since you should use pam_opie, there is no need for the system programs from OPIE. Due to this, the Makefile template will have to be modified a little bit.

    In my example below, just uncomment the following entries.

    #@echo "Installing OPIE system programs..."
    #@if test ! $(EXISTS) $(LOGIN).$(BACKUP);\
    then echo "Renaming existing $(
    #@echo "Copying opielogin to $(LOGIN)"
    #@cp opielogin $(LOGIN)
    #@echo "Changing ownership of $(LOGIN)"
    #@$(CHOWN) $(OWNER) $(LOGIN)
    #@chgrp $(GROUP) $(LOGIN)
    #@echo "Changing file permissions of $(LOGIN)"
    #@chmod 4111 $(LOGIN)
    #@if test ! $(EXISTS) $(SU).$(BACKUP); then\
    echo "Renaming existing su to
    #@-if test ! -z "$(ALT_SU)"; then if test !\
    $(EXISTS) $(ALT_SU).$(BACKUP)
    #@echo "Copying opiesu to su"
    #@cp opiesu $(SU)
    #@echo "Changing ownership of su"
    #@$(CHOWN) $(OWNER) $(SU)
    #@chgrp $(GROUP) $(SU)
    #@echo "Changing file permissions of su"
    #@chmod 4111 $(SU)
    #@if test ! $(EXISTS) $(FTPD).$(BACKUP); then\
    echo "Renaming existing ftp"
    #@echo "Copying OPIE ftp daemon"
    #@cp opieftpd $(FTPD)
    #@echo "Changing ownership of ftpd"
    #@$(CHOWN) $(OWNER) $(FTPD)
    #@chgrp $(GROUP) $(FTPD)
    #@echo "Changing file permissions of ftpd"
    #@chmod 0100 $(FTPD)


    After this just install it.

    instronics:~# ./configure
    .
    .
    instronics:~# make
    .
    .
    # make install
    .
    .
    instronics:~#


    With the command opiepasswd you activate the user accounts. For this example I will use a user called bubu.

    instronics:~# opiepasswd bubu
    Adding bubu:
    You need the response from OTP generator.
    New secret pass phrase:
    otp-md5 499 ca4460
    Response:

    The response provides your opiekey.

    instronics:~# opiekey 499 ca4460
    Using the md5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase:

    The pass phrase is the secret key of the user bubu, should be a minimum of 10 characters, and can now be entered here. After you have entered your secret pass phrase (hidden), opiekey will give you the answer (response).

    instronics:~# opiekey 499 ca4460
    Using the md5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase:
    Car GUY TAB SOOT ORAL HEHE

    The response it generates will be entered in opiepasswd.

    instronics:~# opiepasswd bubu
    Adding bubu:
    You need the response from an OTP generator.
    New secret pass phrase:
    otp-md5 499 ca4460
    Response: CAR GUY TAB SOOT HEHE

    ID bubu OTP key is 499 ca4460
    CAR GUY TAB SOOT HEHE


    This adds these entries for user bubu to /etc/opiekeys.

    instronics:~# cat /etc/opiekeys
    bubu 0499 ca4460 b62300fbf130df92 Feb 10,2003 12:15:17
    instronics:~#


    If you now activate the PAM module for login, the user bubu can log in. To do this just edit /etc/pam.d/login.

    #%PAM-1.0
    #auth requisite /lib/security/pam_unix.so \
    nullok #set_secrpc
    auth requisite /lib/security/pam_opie.so
    auth required /lib/security/pam_securetty.so
    auth required /lib/security/pam_nologin.so
    auth required /lib/security/pam_env.so
    auth required /lib/security/pam_mail.so
    auth required /lib/security/pam_shells.so
    account required /lib/security/pam_unix.so
    password required /lib/security/pam_pwcheck.so \
    nullok use_cracklib
    password required /lib/security/pam_unix.so \
    nullok use_first_pass use_authtok
    session required /lib/security/pam_unix.so \
    none #debug or trace
    session required /lib/security/pam_limits.so


    With this, pam_unix is deactivated by commenting it out, and pam_opie is activated instead. From this point on, user bubu can not log in with his normal password, but only using the OTP (which we have activated with opiepasswd). It is advisable to activate user root first.

    For OTP logins we now need the one time passwords or an OTP calculator. The program opiekey is an OTP calculator.

    (from another computer)

    otherbox:~# telnet instronics
    Trying 192.168.20.17...
    Connected to instronics.
    Escape character is '^]'.
    Login: bubu
    otp-md5 499 ca4460 ext
    Response:


    Instead of the usual password field, the challenge field is displayed. This field wants one time password number 499 for the system ca4460.

    The wanted one time password can be calculated from any machine that has opiekey installed. In order to generate your one time passwords, do the following.

    Otherbox:~# opiekey 499 ca4460
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase:
    ANY THING YOU WISH HERE HEHE
    #


    After filling in the secret pass phrase, it will give you your next one time password in the response.
    With this response, the password will work for the login, making the old password 499 invalid.

    Otherbox:~# telnet instronics
    Trying 192.168.20.17...
    Connected to instronics.
    Escape character is '^]'.
    login: bubu
    otp-md5 499 ca4460 ext
    Response:
    Last login: Mon Feb 10 12:35:32 on tty2
    Welcome to instronics. Please read the MOTD before continuing to use this service.


    If the user does not have access to an OTP calculator, you can print a password list for him using a special parameter of opiekey. The parameter -n 10 generates the next 10 passwords.


    instronics:~# opiekey -n 10 499 ca4460
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter the secret pass phrase:
    490: THAT COT SUIT LAB SAD HOLM
    491: SAW BIT NET JOHN WAG LIT
    492: GOES HALL DEAF RID HEHE GOOGLE
    493: OWNS WHY TORN ITS BAWL COY
    494: TWO WARM CODA GENT BOW WEED
    495: GILT ARE HEN STAY ADD FUEL
    496: SEWN WOVE GLAD HUSH FELL GILD
    497: BOCK PAL KANT TUNE GRID SEE
    498: HOOK SMUG SLOG MOOT WHY GULF
    499: AVON FORK NUDE PUT ANY BALD
    #

    With this list, the user bubu can log in another 9 times, since number 499 has been used already. The next valid password will be number 498 (note that it decreases, not increases).

    Anotherbox:~# telnet instronics
    Trying 192.168.20.17...
    Connected to instronics.
    Escape character is '^]'.
    login: bubu
    otp-md5 498 ca4460
    Response:


    Always remember that if there is a list with the one time passwords and it gets lost, the system administrator has to be notified ASAP. It's not a problem to create a new password list.

    I had a hard time writing this tutorial, since all my sources of information were in German, so I hope the translation is readable (SuSE is by default a German system). Forgive me any typos; I have tried to avoid them as much as possible. I hope this tutorial will help you get started on the issue of "one time passwords".

    Good luck.

    Oh, one more thing... I mentioned that the first user to be added to the PAM list should be root. I recommend you make a BACKUP of everything before applying this. It can lock you out of your system if you make a mistake. Otherwise, for me it all worked fine. (Remember that all of this has to be done as user root.)

    Cheers everyone

    //addon//

    Please keep in mind that this software is on my SuSE 7.3, so some versions might be outdated. The procedures are the same, just make sure that you get any updated versions needed.

    Cheers.
    Ubuntu: Means in African: "I'm too dumb to use Slackware"
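The tutorial above shows the OPIE commands but not what happens behind `opiepasswd`, the `otp-md5 499 ca4460` challenge, the decreasing sequence number and the replay resistance mentioned at the start. The following is an added example, written for this page and not code from the OPIE project or from instronics: a small Python model of the RFC 1938/2289 MD5 scheme. The seed `ca4460`, sequence number 499 and user `bubu` come from the tutorial; the pass phrase, the `OpieKeyStore` class and all function names are my own and the server side is a simplification of what pam_opie does with /etc/opiekeys (it works with the hex form of a password, which OPIE also accepts, instead of the six-word form, so no dictionary is needed).

```python
"""Toy model of the OPIE / S/Key MD5 one-time-password scheme (RFC 1938/2289).

Constructed example for the tutorial above: seed "ca4460" and sequence 499 are
from the page; the pass phrase, the class and the function names are mine and
are not part of libopie or pam_opie.
"""
import hashlib


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the first
    half with the second half (the MD5 variant of RFC 2289, section 6)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_for_sequence(passphrase: str, seed: str, count: int) -> bytes:
    """64-bit one-time password for sequence number `count`.

    Step 0 hashes lower-cased seed + pass phrase; every further step hashes the
    previous result.  Password N is therefore the hash of password N-1, which is
    why an observed password N says nothing about the next one, N-1.
    """
    if count < 0:
        raise ValueError("sequence number must be >= 0")
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value


def to_hex(otp: bytes) -> str:
    """Hex form of a password, e.g. 'b623 00fb f130 df92' (accepted by OPIE
    as an alternative to the six-word form)."""
    h = otp.hex()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def password_list(passphrase: str, seed: str, last: int, n: int) -> dict:
    """What `opiekey -n 10 499 ca4460` prints: the passwords for the n sequence
    numbers ending at `last`, keyed by sequence number."""
    return {c: to_hex(otp_for_sequence(passphrase, seed, c))
            for c in range(last - n + 1, last + 1)}


class OpieKeyStore:
    """Stand-in for /etc/opiekeys plus the check pam_opie performs at login.
    Only the hash for the *last accepted* sequence number is stored; the pass
    phrase itself never reaches the server."""

    def __init__(self):
        self._entries = {}  # user -> [sequence, seed, last accepted password]

    def enroll(self, user: str, seed: str, sequence: int, response_hex: str):
        """opiepasswd: record the user's password for `sequence`."""
        self._entries[user] = [sequence, seed, bytes.fromhex(response_hex)]

    def challenge(self, user: str) -> str:
        """The challenge shown instead of the password prompt: one lower than
        the sequence number on record."""
        seq, seed, _ = self._entries[user]
        return f"otp-md5 {seq - 1} {seed}"

    def verify(self, user: str, response_hex: str) -> bool:
        """Accept the offered password only if hashing it once gives the stored
        one; on success it becomes the new stored value and the counter drops,
        so the same password can never be accepted twice."""
        seq, seed, stored = self._entries[user]
        if seq <= 0:
            return False  # list exhausted: user must run opiepasswd again
        candidate = bytes.fromhex(response_hex)
        if fold_md5(candidate) != stored:
            return False
        self._entries[user] = [seq - 1, seed, candidate]
        return True

    def opiekeys_line(self, user: str) -> str:
        """The /etc/opiekeys record, minus the timestamp."""
        seq, seed, stored = self._entries[user]
        return f"{user} {seq:04d} {seed} {stored.hex()}"


if __name__ == "__main__":
    PHRASE = "example pass phrase 2003"  # constructed, not the tutorial's
    store = OpieKeyStore()
    store.enroll("bubu", "ca4460", 499, to_hex(otp_for_sequence(PHRASE, "ca4460", 499)))
    print(store.opiekeys_line("bubu"))
    print(store.challenge("bubu"))
    sheet = password_list(PHRASE, "ca4460", 499, 10)
    print("login with 498:", store.verify("bubu", sheet[498]))
    print("replay of 498: ", store.verify("bubu", sheet[498]))
```

Running it enrolls `bubu` at 499, prints the challenge `otp-md5 498 ca4460`, accepts password 498 once and rejects the identical response when it is offered again, which is the property the tutorial relies on when it says a captured password is useless to an attacker. The list produced by `password_list` is the same kind of sheet as `opiekey -n 10`, and the counter moving from 498 to 497 shows why the numbers decrease.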

  2. #2
    Senior Member
    Join Date
    Dec 2002
    Posts
    309

    Instronics

    Instronics ,

    Good info, good read,

    I'll try it now....


    Thanks

    Dr Evil

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Thanks instronic, it's a good one. I'll try that on my SuSE 8.1

  4. #4
    Nice one instronic..
    Good info, it really helped me.
    I like your style, you are on the subject all the time! Keep on rollin'!

    Cya
    There is no difference between God and Devil. The only good and evil is the one we believe in.
