11:10 Organization sshaccess to a onetime passwords | |
In any serious company is sometimes necessary that the officer who went on vacation, immediately complied with their duties. Consider the situation where the company needs a particular employee, for example, a system administrator, who currently lies on the beach a thousand miles from the stuffy office. Suppose even that the employee agrees to perform unexpectedly had fallen on his head and work on the resort has an internet cafe. But here's the problem: cafe located in a dark alley, on its computers are a popular operating system, Trojans, keyloggers and other haktulzy, so that typing the root password from the main server of the company on similar machines rather unwise. There are several solutions to this problem. For example, you can use one-time passwords, namely the system s / key, which uses algorithms to generate passwords and md4 md5. About this system and will be explained later. S / key works on the principle of client-server as follows: the user specifies a secret key, which is then hashed a few hundred times (eg, 500). The user's computer (server) is stored last (500th) hash of secret phrases. For authentication the user will need to enter the previous (499th) hash of the secret key that will be generated by the client application. The server hashes the user-entered combination and, in the case of coincidence with the earlier recorded data, authenticates the user and stores the newly introduced (499th), hash, so the next time to ask the previous (498th) to the current hash. More information about s / key can be read on Wikipedia and in RFC 1760. Go to the practice. We will use the PAM (API for user authentication) and OPIE (PAM-module for one-time password). It is assumed that SSH is already installed. Set OPIE: $ apt-get install opie-client opie-server Next, edit the configuration files: The file / etc / pam.d / sshd need to comment out the line "@ include common-auth": # @ include common-auth and add after it the following: auth sufficient pam_unix . so auth sufficient pam_opie.so auth required pam_deny.so The first line leaves the possibility of authentication by password on the account. If it is not required, it can be removed. Read more about configuring PAM can be read here and here. Next, edit the / etc / ssh / sshd_config - on line "ChallengeResponseAuthentication no" no need to change to yes. Now restart SSH: $ service ssh restart OPIE data stored in a file / etc / opiekeys, which has the following format: Field Description name User ID. Sequence serial number hash. Seed Seed - unclassified random sequence. Key most recently used hash. Date Date of last change. Time has been updated. Initially, this file is empty. For the initial data (generation of the very 500th hash) to run the command opiepasswd: $ opiepasswd Adding username: You need the response from an OTP generator. New secret pass phrase: otp-md5 499 no8327 Response: To request a response (Response), open a second console and run the command otp-md5 499 no8327: $ otp-md5 499 no8327 Using the MD5 algorithm to compute response. Reminder: Don't use opiekey from telnet or dial-in sessions. Enter secret pass phrase: come up and enter the password. In response, we see something similar to WATS NIP DUD BRAD LIME DRUM. A nice point: sometimes one-time passwords consist of a short English words that are fairly easy to remember. Go back to the previous console to the application and enter opiepasswd gave us a sequence (WATS NIP DUD BRAD LIME DRUM). In large letters and spaces. According to experts, you can enter small and capital letters, but the author has not been verified. $ Opiepasswd Adding username: You need the response from an OTP generator. New secret pass phrase: ********* otp-md5 499 no8327 Response: WATS NIP DUD BRAD LIME DRUM ID username OTP key is 499 no8327 WATS NIP DUD BRAD LIME DRUM $ If you now open the file / etc / opiekeys, you can see a line similar to the username 0499 no8327 f825803faf1afaee Jul 10,2010 20:12:12 Before leaving on vacation, you can take a list of pre-generated one-time passwords. Get this list by running the opiekey-n 100499 no8327. We asked the secret phrase, and in return we get a list of 100 (the number given by the key -n 100) one-time passwords type 480: SLUR ROVE TONE ADAM MUST IRK 481: FULL NAY LYLE BROW MARY COD 482: WERE LOB DOME LIT GIN CHAD sheet with passwords can be hidden deep in the trunk or copy to the phone as a text file. At the end of this article will be considered more convenient and secure way of receiving / storing time passwords. Back to our SSH-access: $ ssh username @ host Password: For authentication using one-time password to request a password from the account password must be entered "opiepasswd», after which we are asked for a one-time password: $ ssh username @ host Password: opiepasswd otp-md5 498 no8327 ext, Response: As response, we introduce a sequence that can be obtained by running the $ otp-md5 498 no8327 or $ opiekey 498 no8327 In fact, you can generate a response on any computer using any s / key-generator instead otp-md5 or opiekey. If all goes well, we'll get ssh-access. Back to our legend of vacation. Few in which Internet cafes can be found ssh-client. As a solution to this problem, use ssh-client as a java applet. Unfortunately, not all ssh-clients are equally useful supporting s / key. This writer has met only one running as an applet must: JCTerm from Jcraft, Inc. Source code is available on the site developer. The applet can be tested here. Concluding the article, it is worth to mention the open source java2me application OneTimePassword, available at sourceforge.net/projects/otp-j2me /. After loading it into my cell phone, you can safely go on vacation without worrying about losing unnecessary now sheet-time passwords - OneTimePassword easily generate them. Happy holidays! When writing this article we used materials of the following sites: ru.wikipedia.org / wiki / S / Key tools.ietf.org/html/rfc1760 www.delta-xi. net / index.php? / archives/16-OTPs-Using-sKey-with-SSH-via-OPIE.html blog.bogosity.se/2008/05/31/debian-ubuntu-skey-and- opie / www.opennet.ru/cgi-bin/opennet/man.cgi?topic=opiekeys&category=5 alexustes.dev.juga.ru / pam / article.html www. ibm.com / developerworks / ru / library / l-pam / index.html sourceforge.net/projects/otp-j2me / www.jcraft.com/jcterm/ wiredx.net / jcterm / | |
|
Total comments: 0 | |