OpenSSH_skey
Introduction
This page assumes you have already set up public-key authentication. Keys are a better way to authenticate than passwords, but both share a weakness: they can be stolen. So what if you need to log in from an untrusted machine (say, a Windows box full of spyware, trojans, viruses and keyloggers)? You can use S/Key, a one-time password scheme: each password is valid exactly once, so a keylogger that captures it gains nothing. Note that this protects the credential only, not the session: anything you type or display while logged in from a compromised machine is still exposed to it.
Security implications
Please note that S/Key is an early-1990s design (built on Lamport's hash chain) and folds every hash down to 64 bits. The seed and sequence number are shown in the clear in every login prompt, so an attacker who captures a single one-time password (for example with the keylogger on that untrusted box) can test passphrase guesses offline at the full speed of modern hardware, without ever contacting the server. Given the processing power available today, S/Key should not be used anymore; it will not withstand a brute-force attack on the secret passphrase.
Enabling S/Key support
Build OpenSSH with S/Key support by setting the skey USE flag in /etc/portage/package.use:
File: /etc/portage/package.use
...
net-misc/openssh skey
...
Then remerge OpenSSH:
# emerge -N openssh
sshd configuration
Edit the relevant parts of /etc/ssh/sshd_config as indicated below. UsePAM must be off so that challenge-response authentication is handled by sshd's built-in S/Key code rather than by PAM, and PasswordAuthentication must be off so that the reusable account password is never accepted over SSH, which is the whole point of the exercise. Keep public-key authentication enabled for your trusted machines so you are not locked out if you mistype the passphrase or exhaust the S/Key sequence.
File: /etc/ssh/sshd_config
...
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
...
UsePAM no
...
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
...
Now restart the OpenSSH daemon:
# /etc/init.d/sshd restart
S/Key configuration
Then run skeyinit (each user can do this for their own account). Because you type the secret passphrase into it, do this on the console or over an existing SSH session, never over a clear-text connection:
$ skeyinit
[Updating root]
Old key: [md5] port86245
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet or rlogin,
exit with no password and use skeyinit -s.
Enter secret password:
Again secret password:
ID root skey is otp-md5 99 port86246
Next login password: LEAR FOGY WISH DEE KIRK GUNK
Enter a passphrase and don't lose it: it is the only secret in the scheme, and since the seed and sequence number are public it must be long enough to resist offline guessing (see Security implications). When skeyinit finishes it shows you a password:
LEAR FOGY WISH DEE KIRK GUNK
Don't try to log in with it (it won't work), but keep it: it is used as a consistency check in the next step.
Then generate a batch of passwords (here the five ending at sequence number 99):
$ skey -n 5 99 port86246
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
95: SAT OFT JUG MAID SAN PAD
96: RAM THEE WAIT RAT HANG JAKE
97: SORE QUOD BERN GAME ISLE ROAD
98: SANK KEN SOD GONG PUP BOON
99: LEAR FOGY WISH DEE KIRK GUNK
Slot 99 shows the same password that skeyinit printed. That is your confirmation that you typed the same secret passphrase into both programs; if it differs, one of the entries was mistyped and the list is useless. This printed list is what you carry to the untrusted machine. Never type the secret passphrase there; only the one-time words, each of which works exactly once.
Then simply log in; the prompt tells you which sequence number it wants:
$ ssh root@host
otp-md5 98 port86246
S/Key Password:
Consulting the list, sequence 98 is SANK KEN SOD GONG PUP BOON. The words are accepted regardless of case, so type:
sank ken sod gong pup boon
And you should be logged in! Cross that line off the list; next time the server will ask for sequence 97.
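As an added example (not code from this page, the skey tools or OpenSSH), here is a small Python model of what the commands above and the Security implications section describe: the otp-md5 hash chain as specified in RFC 2289, a server that stores only the next chain value and therefore rejects a replayed password, and the offline passphrase-guessing attack that the public seed and sequence number make possible. Assumptions: passwords are shown as 16 hex digits instead of the six-word encoding the real tools print, the seed `port86246` is reused from the page's output, the secret passphrase and the candidate wordlist are constructed, and the sequence numbering follows the RFC rather than any particular skeyinit build.

```python
"""Toy model of the S/Key (RFC 2289, otp-md5) one-time password chain.

Added example, not code from the page or from the skey/OpenSSH projects.
Assumptions: otp-md5 as in RFC 2289 (MD5 output folded to 64 bits by XORing
the two halves; the seed is lowercased before use); passwords are shown as
16 hex digits rather than the six-word encoding the real tools print.
"""
import hashlib
from typing import Iterable, Optional


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 128-bit digest to 64 bits (RFC 2289 otp-md5)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, seq: int) -> bytes:
    """One-time password number `seq` of the chain for this passphrase and seed.

    seq 0 is fold(MD5(seed + passphrase)); each further element is the fold of
    the previous 8-byte value. Passwords are used in decreasing order, so
    password N (a hash of password N-1) never reveals password N-1.
    """
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(seq):
        value = fold_md5(value)
    return value


class SkeyServer:
    """Server side. It stores no secret: only the seed, the sequence number it
    will ask for next, and the 64-bit value that password must hash to."""

    def __init__(self, seed: str, next_seq: int, anchor: bytes) -> None:
        self.seed = seed
        self.next_seq = next_seq
        self.anchor = anchor

    @classmethod
    def init_from_passphrase(cls, passphrase: str, seed: str, n: int) -> "SkeyServer":
        """What skeyinit does: compute chain element n, keep it, forget the passphrase."""
        return cls(seed, n - 1, otp_md5(passphrase, seed, n))

    def challenge(self) -> str:
        """The prompt the client sees, e.g. 'otp-md5 98 port86246'.
        Seed and sequence number are public information."""
        return f"otp-md5 {self.next_seq} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept the response iff hashing it once yields the stored anchor.
        On success the response becomes the new anchor and the counter drops,
        so the same password can never be accepted twice."""
        if self.next_seq < 0:
            return False  # chain exhausted: the user must run skeyinit again
        try:
            response = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(response) != 8 or fold_md5(response) != self.anchor:
            return False
        self.anchor = response
        self.next_seq -= 1
        return True


def recover_passphrase(seed: str, seq: int, observed_hex: str,
                       candidates: Iterable[str]) -> Optional[str]:
    """The offline attack behind 'Security implications': with the public seed
    and sequence number plus one captured one-time password, every candidate
    passphrase can be tested without ever talking to the server."""
    target = bytes.fromhex(observed_hex)
    for candidate in candidates:
        if otp_md5(candidate, seed, seq) == target:
            return candidate
    return None


def demo() -> dict:
    """Walk through the page's flow with constructed values: skeyinit with
    n=100, a login at sequence 99, a replay of that password, then the guess."""
    seed = "port86246"                 # seed taken from the page's output
    passphrase = "correct horse"       # constructed secret, deliberately weak
    server = SkeyServer.init_from_passphrase(passphrase, seed, 100)
    first_prompt = server.challenge()
    otp = otp_md5(passphrase, seed, server.next_seq).hex()   # client side
    login_ok = server.verify(otp)
    replay_ok = server.verify(otp)     # keylogged password presented again
    # constructed wordlist, as an attacker who captured `otp` would try
    guessed = recover_passphrase(seed, 99, otp, ["letmein", "hunter2", "correct horse"])
    return {"first_prompt": first_prompt, "login_ok": login_ok,
            "replay_ok": replay_ok, "next_prompt": server.challenge(),
            "guessed": guessed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model shows why the server never needs the passphrase and why a captured password is useless for a second login, and equally why the page's warning stands: `recover_passphrase` needs nothing but what the prompt and the keylogger hand the attacker. The sequence number a real skeyinit or sshd displays may be offset by one from this model; the chain mechanics are the same.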
