OpenSSH skey
From Gentoo Linux Wiki
Introduction
We will assume that you have already set up authentication with keys. Keys are a great way of authenticating, better than passwords, but the problem with both passwords and keys is that they can be stolen. So what if you want to log in from an untrusted box (such as a Windows box full of spyware, trojan horses, viruses, key loggers, etc.)? You could use S/Key, that is, a password that is only valid once.
Security implications
Please note that S/Key was developed in the 1980s and uses only the first 64 bits of the hashes. Considering the advancement of processing power since then, S/Key should no longer be used today: it won't withstand brute-force attacks.
Enabling S/Key support
Emerge OpenSSH with S/Key support. To do this, set the skey USE flag in /etc/portage/package.use:
File: /etc/portage/package.use
    ...
    net-misc/openssh skey
    ...
Then remerge OpenSSH:
# emerge -N openssh
sshd configuration
Edit the relevant parts of /etc/ssh/sshd_config as indicated below:
File: /etc/ssh/sshd_config
    ...
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes
    ...
    UsePAM no
    ...
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    PermitEmptyPasswords no
    ...
Now restart the OpenSSH daemon:
# /etc/init.d/sshd restart
S/Key configuration
Then run skeyinit (individual users can do this for themselves):
$ skeyinit
[Updating root]
Old key: [md5] port86245
Reminder - Only use this method if you are directly connected
           or have an encrypted channel. If you are using telnet
           or rlogin, exit with no password and use skeyinit -s.
Enter secret password:
Again secret password:

ID root skey is otp-md5 99 port86246
Next login password: LEAR FOGY WISH DEE KIRK GUNK
Enter a secret password and don't lose it! When it finishes, it shows you a one-time password:
LEAR FOGY WISH DEE KIRK GUNK
Don't try to log in with it (it won't work), but it will be useful later.
Then you need to generate some one-time passwords:
$ skey -n 5 99 port86246
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
95: SAT OFT JUG MAID SAN PAD
96: RAM THEE WAIT RAT HANG JAKE
97: SORE QUOD BERN GAME ISLE ROAD
98: SANK KEN SOD GONG PUP BOON
99: LEAR FOGY WISH DEE KIRK GUNK
Now you see that slot 99 holds the same password as before. This is a confirmation: it tells you that you typed the same secret password here as you did at these skeyinit prompts:
Enter secret password:
Again secret password:
Then simply log in, using the password the prompt asks for:
$ ssh root@host
otp-md5 98 port86246
S/Key Password:
Consulting our list, the password asked for is SANK KEN SOD GONG PUP BOON. So type:
sank ken sod gong pup boon
And you should be logged in!
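To show what skeyinit, skey -n and sshd are actually doing in the steps above, here is an added example (not code from the wiki page or from the skey package) of the otp-md5 scheme as specified in RFC 2289: the client derives password number N by hashing the seed plus secret and folding, while the server keeps only the last accepted password and verifies a login by hashing the presented value once. The seed port86246 and sequence numbers are taken from the page; the secret is a constructed value, and passwords are handled as raw 8-byte values rather than the six-word encoding skey prints.

```python
import hashlib
import hmac

def step(value: bytes) -> bytes:
    """One-way step of otp-md5: MD5, then fold the 16-byte digest to 8 bytes
    by XORing its two halves (this is the 64-bit output the security note refers to)."""
    d = hashlib.md5(value).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(secret: str, seed: str, count: int) -> bytes:
    """One-time password number `count`: hash lowercase seed + secret once, then
    `count` more times. This is what `skey -n` prints (as six words, not raw bytes)."""
    value = step((seed.lower() + secret).encode())
    for _ in range(count):
        value = step(value)
    return value

class SkeyServer:
    """Verifier side, as recorded by skeyinit: seed, current sequence number and
    the last accepted OTP. The secret itself is never stored on the server."""

    def __init__(self, seed: str, count: int, last_otp: bytes) -> None:
        self.seed, self.count, self.last_otp = seed, count, last_otp

    def challenge(self) -> str:
        """The prompt sshd shows at login, e.g. 'otp-md5 98 port86246'."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def login(self, presented: bytes) -> bool:
        """Accept `presented` only if hashing it once gives the stored OTP."""
        if self.count <= 1:
            return False  # chain exhausted: the user must run skeyinit again
        if not hmac.compare_digest(step(presented), self.last_otp):
            return False  # wrong, replayed or out-of-order password
        self.count -= 1            # step down the chain ...
        self.last_otp = presented  # ... so this value can never be accepted again
        return True

if __name__ == "__main__":
    SEED, SECRET = "port86246", "constructed demo secret"  # constructed values
    server = SkeyServer(SEED, 99, otp(SECRET, SEED, 99))   # skeyinit, count 99
    print(server.challenge())                    # otp-md5 98 port86246
    print(server.login(otp(SECRET, SEED, 98)))   # True: first login
    print(server.login(otp(SECRET, SEED, 98)))   # False: replay rejected
```

Because the server only ever stores the last password and checks one hash step, a captured password is useless once it has been used, which is the whole point of logging in from an untrusted box with S/Key; the weakness the security note describes is the 64-bit size of the values being chained, not this verification logic.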
