Configuring One-Time Password Authentication with OTPW
If you prefer to reverse the order, prompting for a system password
before falling back to one-time passwords, just ensure that
    # /etc/pam.d/common-auth
    auth       sufficient pam_unix.so nullok_secure
    auth       sufficient pam_otpw.so
    session    optional   pam_otpw.so
    auth       required   pam_deny.so
If you're tempted to remove standard system passwords altogether, especially from console logins, please don't. On some systems, most notably Ubuntu systems with ecryptfs-encrypted home directories, recovering from OTPW mishaps is extremely difficult without standard system passwords.
Modifying common-auth is usually the right thing to do on a headless server or console-only system. However, workstations or servers that provide the X Window System present special problems for one-time password systems.
Some tools or applications won't work properly with OTPW because they can't display the challenge to the user. The typical symptom is a password dialog that never completes or seems to ignore user input. In the past, gksu and GNOME Display Manager (GDM) had this issue with OPIE. In such cases, the solution is to move OTPW out of common-auth and include it only in specific services.
For example, you can add OTPW authentication to SSH connections while using just the standard password prompt for console or GUI logins. You can do this in three easy steps:
1. Delete any lines from common-auth that reference pam_otpw.so:
    # /etc/pam.d/common-auth on Debian Squeeze
    auth       sufficient pam_unix.so nullok_secure
    auth       required   pam_deny.so
2. Create a new OTPW include file for PAM:
    # /etc/pam.d/otpw
    auth       sufficient pam_otpw.so
    session    optional   pam_otpw.so
3. Include OTPW immediately before common-auth in /etc/pam.d/sshd:
    # Other stuff ...

    # Enable OTPW authentication.
    @include otpw

    # Standard Un*x authentication.
    @include common-auth

    # More stuff ...
In addition to configuring the PAM libraries, OTPW needs the following three settings in the SSH dæmon's configuration file:
    # /etc/ssh/sshd_config
    UsePrivilegeSeparation yes
    UsePAM yes
    ChallengeResponseAuthentication yes
These are usually there, but possibly commented out or set to "no", so modify them accordingly. Next, reload the SSH dæmon after modifying its configuration file:
    # Generic Linux
    sudo /etc/init.d/ssh reload

    # Debian 6.0.4+
    sudo service ssh reload

    # Ubuntu 11.04+
    sudo reload ssh
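A check for the sshd and PAM settings described above, as an added example that is not part of the original article. It reads only the global section of sshd_config (everything before the first Match block); the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the article's code. Function names are illustrative.

# Print the value sshd would use for KEYWORD in FILE's global section:
# comments are skipped, keywords are case-insensitive, the first match wins.
effective_sshd_value() {    # effective_sshd_value FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                      # commented out means not set
        tolower($1) == "match" { exit }          # stop at conditional blocks
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Succeed only if "@include otpw" comes before "@include common-auth".
otpw_included_first() {     # otpw_included_first PAM_FILE
    awk '
        /^[ \t]*#/ { next }
        $1 == "@include" && $2 == "otpw"        && !o { o = NR }
        $1 == "@include" && $2 == "common-auth" && !c { c = NR }
        END { exit !(o && c && o < c) }
    ' "$1"
}

audit_otpw_ssh() {          # audit_otpw_ssh SSHD_CONFIG PAM_SSHD_FILE
    rc=0
    for kw in UsePrivilegeSeparation UsePAM ChallengeResponseAuthentication; do
        val=$(effective_sshd_value "$1" "$kw")
        [ "$val" = yes ] || { echo "FAIL: $kw is '${val:-unset}', want 'yes'"; rc=1; }
    done
    otpw_included_first "$2" ||
        { echo "FAIL: $2 does not include otpw before common-auth"; rc=1; }
    return "$rc"
}

# Constructed sample files: UsePAM is commented out and
# ChallengeResponseAuthentication is "no", the two cases the article mentions.
demo=$(mktemp -d)
printf '%s\n' 'UsePrivilegeSeparation yes' '#UsePAM yes' \
    'ChallengeResponseAuthentication no' > "$demo/sshd_config"
printf '%s\n' '# Enable OTPW authentication.' '@include otpw' \
    '@include common-auth' > "$demo/pam_sshd"
audit_otpw_ssh "$demo/sshd_config" "$demo/pam_sshd" || echo "sshd_config needs fixing"
```

On a real host, point it at /etc/ssh/sshd_config and /etc/pam.d/sshd after editing and before reloading the dæmon.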
Generating OTPW Passwords
Once the OTPW PAM module has been configured properly, only users with an ~/.otpw file will be challenged with a one-time password dialog during login. This file contains some metadata about its contents, as well as a list of one-way hashes that will match only a valid response to a challenge.
To create this file, or to re-populate it with new passwords, use the otpw-gen utility. By default, it will create 280 password suffixes, formatted to fit on a single side of US letter-sized (8.5" x 11") paper. Because only the one-way hashes are stored in ~/.otpw, not the passwords themselves, you must capture or print the standard output of this command when the passwords are generated. You will not be able to retrieve the password list after the fact; you'll need to generate new passwords instead.
Here is what it looks like when you run the command for the first time, piping the output to your default printer:
    $ otpw-gen | lpr
    Generating random seed ...

    If your paper password list is stolen, the thief should not gain
    access to your account with this information alone. Therefore, you
    need to memorize and enter below a prefix password. You will have to
    enter that each time directly before entering the one-time password
    (on the same line).

    When you log in, a 3-digit password number will be displayed. It
    identifies the one-time password on your list that you have to append
    to the prefix password. If another login to your account is in progress
    at the same time, several password numbers may be shown and all
    corresponding passwords have to be appended after the prefix
    password. Best generate a new password list when you have used up half
    of the old one.

    Enter new prefix password:
    Reenter prefix password:

    Creating '~/.otpw'.
    Generating new one-time passwords ...
When generating a new password list, the prompts that appear on standard error are slightly different:
    Overwrite existing password list '~/.otpw' (Y/n)?

    Enter new prefix password:
    Reenter prefix password:

    Creating '~/.otpw'.
    Generating new one-time passwords ...
The first prompt ensures that you don't accidentally overwrite your existing password list; the second prompt asks you for a new password. There's nothing stopping you from reusing the same prefix password on each invocation—the random seed makes duplicate hashes unlikely—but best practice is to use a new prefix each time you regenerate the password list.
If you want to generate a password list on a remote host but print to a local printer, you can do this over your SSH connection as long as you trust your localhost:
read -p 'Hostname: ' &
Note the use of stty to ensure that your prefix password isn't echoed to the screen. As long as your prefix password remains secure, you are no worse off using an untrusted printer than you are if your password list falls into the wrong hands. This is often a valuable security trade-off for frequent travelers.
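One way to carry out the remote-generate, local-print procedure described above, as an added example rather than the article's own listing. It assumes otpw-gen reads the prefix password from the SSH session's standard input; SSH_BIN and PRINT_BIN are hypothetical override hooks so the function can be exercised without a network or a printer.

```sh
#!/bin/sh
# Added example, not the article's code. SSH_BIN and PRINT_BIN are
# hypothetical overrides; by default the real ssh and lpr are used.

print_remote_otpw_list() {   # print_remote_otpw_list HOST
    [ -n "$1" ] || { echo "usage: print_remote_otpw_list HOST" >&2; return 2; }

    saved=
    if [ -t 0 ]; then
        saved=$(stty -g)                          # remember terminal modes
        trap 'stty "$saved"; exit 130' INT TERM   # restore echo if interrupted
        stty -echo                                # prefix password is typed unseen
    fi

    # Hold the list in memory only; it is never written to a local file.
    rc=0
    list=$(${SSH_BIN:-ssh} "$1" otpw-gen) || rc=$?

    if [ -n "$saved" ]; then stty "$saved"; trap - INT TERM; fi

    if [ "$rc" -eq 0 ]; then
        printf '%s\n' "$list" | ${PRINT_BIN:-lpr} || rc=$?
    else
        # A failed run must not print a partial or empty list.
        echo "otpw-gen on $1 failed ($rc); nothing sent to the printer" >&2
    fi
    unset list
    return "$rc"
}

# Run against a real host only when one is given on the command line.
if [ "$#" -gt 0 ]; then print_remote_otpw_list "$1"; fi
```

Unlike a bare pipeline, this restores terminal echo on interruption and sends nothing to the printer when the remote command fails.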
Todd A. Jacobs is a veteran IT consultant with a passion for all things Linux. He spends entirely too much time making systems do things they were never designed to do.