Hack 33 Use One Time Passwords 
Sometimes even a complex password may not meet your security needs. If you are on the road and need to access the corporate network from a non-secure computer in a public place, the risk of password leakage increases. Could the person next to you be shoulder surfing, watching as you log into the network? Does the computer you're using have some sort of installed spyware or keystroke logger? Is there a packet sniffer running somewhere on the network? In such a situation, a One Time Password can be a real lifesaver.
3.11.1 Configuring OPIE
FreeBSD comes with OPIE, or One-time Passwords In Everything, a type of software OTP system. It is easy to configure and doesn't require any additional hardware or proprietary software running on a server. Ideally, you should configure OPIE before leaving your secure network. For example, if you plan on traveling with your laptop, configure OPIE while connected to the office network. Make sure you are logged in as your regular user account to the particular system you'll need to access while on the road.
Start by adding yourself to the OPIE database, or
/etc/opiekeys, using
opiepasswd. If you
intend to access your workstation while on the road, run this command
while physically sitting at your workstation. Include the console
switch (-c) to indicate you are at that
station's console, so it is safe to enter a
passphrase:
% opiepasswd -c
Adding dru:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Secret pass phrases must be between 10 and 127 characters long.
Enter new secret pass phrase:
Again new secret pass phrase:
ID dru OTP key is 499 dh0391
CHUG ROSA HIRE MALT DEBT EBEN
See that warning at the beginning? If you don't have physical access to the system's keyboard—say, you're logging into a server—make sure you use ssh to log into that system before running the opiepasswd -c command. Your only protection from another user using your one-time password is your passphrase, which is basically a long password that can include spaces. If that passphrase is transmitted over the network in clear text, you've defeated the whole purpose of this exercise.
Note that the passphrase isn't used as a password
per se; instead, it is used to prove who added the account to the
database and is therefore the rightful owner of the resulting
response or one-time password. You'll need to issue
that passphrase whenever you need to view your responses. Responses
are always comprised of six uppercase nonsense words.
Next, verify that you are indeed in the OPIE
database:
% opieinfo
498 dh0391
The opieinfo command displays the count (498) that will be used at the next login. It will also display the seed associated with that count (dh0391). In this example, it is expecting the response associated with 498, but I only know the response for 499. I'll need to use an OTP password calculator to figure out the correct response; that calculator is really just the opiekey command.
You could use the calculator from a separate terminal every time you log in, but it is usually more convenient to print a list of responses and regenerate a new list whenever you run out of responses.
3.11.2 Generating Responses
In order to use the calculator, you need to know three things:
- Your current counter
- Your seed
- Your secret passphrase
The challenge at the login prompt will display the current counter and seed. However, it is important that only you know your secret passphrase. Otherwise, anyone could calculate the response and log into your account.
To generate a list of responses, use the number switch
(-n), followed by the number of desired responses
and your current count and seed:
% opiekey -n 5 498 dh0391
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
494: MEAN ADD NEON CAIN LION LAUD
495: LYLE HOLD HIGH HOME ITEM MEL
496: WICK BALI MAY EGO INK TOOK
497: RENT ARM WARN ARC LICE DOME
498: LEAD JAG MUCH MADE NONE WRIT
You can either direct that output to a printer or record those
responses by hand. Either way, store those responses in a safe place
such as your wallet, as these are your next five one-time passwords.
The next time you log in, use the response that matches the count at
your login prompt:
login: dru
otp-md5 498 dh0391 ext
Password: (here I pressed Enter)
otp-md5 498 dh0391 ext
Password [echo on]: LEAD JAG MUCH MADE NONE WRIT
Once you configure OPIE on a 5.1 FreeBSD system, you will be required
to respond to the OTP challenge whenever you log into that system. If
you press Enter, you'll turn on
echo so you can see the response as
you type it.
Echo is usually a bad thing when logging in because anyone can see
your password. However, with a one-time password, it
doesn't matter if anyone sees that password, as it
can't be reused. Also, unlike a reusable password,
the response is not case-sensitive, so it doesn't
matter if you type it in upper- or lowercase. Do take care, though,
that no one sees your list of responses or your passphrase.
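To make the count arithmetic above concrete (why opieinfo asks for 498 right after opiepasswd stored 499, and what opiekey -n 5 actually computes), here is an added example, not code from the book or from OPIE itself, that implements the otp-md5 computation from RFC 2289 that both opiekey and opiepasswd run, plus a small hypothetical OpieEntry class standing in for the server's /etc/opiekeys record. The hex form of the response is used instead of the six-word encoding; names such as otp_md5 and response_list are this example's own.

```python
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def _step(key: bytes) -> bytes:
    """One hash iteration: MD5 the 8-byte key and fold the result again."""
    return _fold(hashlib.md5(key).digest())


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Response for one count: hash passphrase+seed, fold, then iterate
    count more times. The seed is case-insensitive, so it is lowercased."""
    key = _fold(hashlib.md5((passphrase + seed.lower()).encode()).digest())
    for _ in range(count):
        key = _step(key)
    return key


def response_list(passphrase: str, seed: str, count: int, n: int) -> dict:
    """What 'opiekey -n N count seed' prints, as {count: hex response}."""
    return {c: otp_md5(passphrase, seed, c).hex().upper()
            for c in range(count - n + 1, count + 1)}


class OpieEntry:
    """Server side (hypothetical stand-in for an /etc/opiekeys record): keeps
    the seed, the count and the response for that count, never the passphrase."""

    def __init__(self, user: str, seed: str, count: int, passphrase: str):
        self.user, self.seed, self.count = user, seed, count
        self.stored = otp_md5(passphrase, seed, count)

    def challenge(self) -> str:
        """The next login asks for count-1, as opieinfo showed 498 after 499."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Hashing the presented response once must reproduce the stored value;
        on success the stored value moves down one count, so a replay fails."""
        try:
            resp = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(resp) != 8 or _step(resp) != self.stored:
            return False
        self.stored, self.count = resp, self.count - 1
        return True
```

Because the server only ever holds the hash for the higher count, neither the passphrase nor a response it has already accepted is of any use to someone who sniffs the login or reads the database.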
If your counter gets low—say, 10 or less—reset it before
it hits 0. Use
opiepasswd again, but
this time specify a new count and a new seed. Here
I'll use a count of 499 and a new
seed of dh1357:
% opiepasswd -n 499 -s dh1357
Updating dru:
You need the response from an OTP generator.
Old secret pass phrase:
otp-md5 8 dh0391 ext
Response: loot omit safe eric jolt dark
New secret pass phrase:
otp-md5 499 dh1357
Response: hewn as dot mel mali mann
How long it will take you to cycle through your OTP passwords will depend upon how often you need to log in. You may find it convenient to generate a week's worth of responses at the beginning of each week.
It's also a good idea to consider how often to change your passphrase. You'll be prompted to do so when you reset your counter. For example, if you plan on changing your passphrase every 100 responses, specify -n 100 when you run opiepasswd. The passphrase itself needs to be memorable. Fortunately, it can contain spaces, so you can input, say, a line from a song or a poem.
3.11.3 Choosing When to Use OTP
Starting with FreeBSD 5.1-RELEASE, users are forced to use OTP once they've added themselves to the OPIE database. It doesn't matter if the user logs into that system using a local keyboard or over the network using ssh. This behavior is controlled by PAM, or, to be more specific, the auth section of /etc/pam.d/login:
% more /etc/pam.d/login
#
# $FreeBSD: src/etc/pam.d/login,v 1.11 2002/05/08 00:33:02 des Exp $
#
# PAM configuration for the "login" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn
#auth sufficient pam_kerberosIV.so no_warn try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
snip
Perhaps you'd like users to have the option of using their regular password when logging in locally, but force them to use OTP when logging in over the network. To achieve that, add the allow_local option to the opieaccess line so it looks like this:
auth requisite pam_opieaccess.so allow_local no_warn
This option lets the user type either her regular password or her OTP response if she's logging in locally. However, if she's logging in over the network, the login attempt will fail unless she gives the correct OTP response.
3.11.4 See Also