Once and never again
Secure log-ins with one-time passwords
Logging into a server from a cyber café has its risks, since a potential keylogger might be able to read the password for subsequent abuse. One-time passwords can be used to prevent such spying attempts and to ensure secure access to one's own systems, despite an insecure environment. Only few steps are required to achieve this.
Sometimes, the only possibility for users who want to access their own servers "on the fly" are PCs in a cyber café or a public institution. Basically, such computers are not trustworthy, since they might host a variety of malware that may spy keyboard entries. A static password entered by a user might well be forwarded to the wrong hands.
One-time passwords (OTPs, not to be confused with one-time pads), which become invalid after usage, are a way of solving this problem . Since they cannot be used for a second log-in, stolen OTPs are useless for attackers. Neither is it possible to derive or predict a new password from a stolen OTP. Although this approach is vulnerable to man-in-the-middle attacks, where an attacker disguised as the legitimate server requests the correct OTP from the victim and uses it to log in himself, such attacks must be prepared very carefully, which is unlikely to happen on a PC chosen at random.
OPIE (one-time passwords in everything) developed by the United States Naval Research Laboratory (NRL) is one way to implement one-time passwords, based on the S/KEY approach. [2,3]. A generator creates a sequence number and a seed to feed the so-called OTP calculator, which uses a pass phrase to determine a unique password to be transmitted to the server. To achieve independence from such an OTP calculator, multiple one-time passwords can be pre-determined and noted on a piece of paper.
Since Linux authentication is based on the standard pluggable authentication module (PAM), procedures to be used instead of the standard log-in can be added without major problems or may replace the current procedure to expand authentication under SSH with one-time passwords. For all subsequent installations and adaptations, root rights are required. The paths specified here come from an Ubuntu 6.10; they might differ on other distributions and must be adapted accordingly.
First, OPIE is installed, consisting of a client and a server, which are available as ready-to-use packages for Ubuntu 6.10:
apt-get install opie-client
apt-get install opie-server
Configuration files for all services using authentication are stored in the /etc/pam.d/ directory. In addition to the normal log-in, SSH, Samba and other services can be installed in this directory. To allow SSH to also use OTP in addition to normal passwords, the line @include common-auth in /etc/pam.d/ssh must be replaced by the following:
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so
In addition, support for challenge response procedures must be enabled for the SSH server in /etc/ssh/sshd_config by specifying ChallengeResponseAuthentication yes. Then the SSH server must be restarted to take over the changed configuration settings.