Configuring One-Time Password Authentication with OTPW

OTPW and Encrypted Home Directories

The ecryptfs filesystem presents special problems for SSH and OTPW. By default, distributions like Ubuntu unwrap the special passphrase required to mount an encrypted home directory with the user's system password.

This is handled by the pam_ecryptfs.so module, which is included through /etc/pam.d/common-auth and others. If you authenticate using anything other than your system password, the module prompts you for a system login password in order to mount the encrypted home directory.

In practice, this means that your system password is exposed on untrusted terminals when mounting your remote home directory. This is obviously not ideal.

The best way to avoid this is to leave a console session running at all times. For example, log in at the console using your system password, and then lock the screen. As long as your console session remains active, your home directory remains mounted. As a result, you can use OTPW authentication without further changes to the system, and you won't reveal your system password during login or mounting.

However, if you still want to be able to use OTPW for SSH logins when a console session isn't running—and understand the security implications of doing so—here's how it's done.

First, you need to create a wrapper script for calling otpw-gen:


#!/bin/bash
set -e
OTPW_DIR="/usr/local/lib/otpw/$LOGNAME"
otpw-gen "$@"
# If otpw-gen replaced the symlink with a regular file, move the
# new list into the store; if it wrote through the symlink, the
# store is already up to date and there is nothing to move.
if [ -f ~/.otpw ] && [ ! -L ~/.otpw ]; then
    mv ~/.otpw "$OTPW_DIR/"
fi
ln -sf "$OTPW_DIR/.otpw" ~/

The wrapper should be placed in your path and made executable.

Next, place otpw4ecryptfs.sh (listed below) in ~/bin or /usr/local/sbin:


#!/bin/bash

# Purpose:
#     Enable OTPW for all users on systems with
#     ecryptfs-mounted home directories.

set -e

# Expose the underlying directories that may be
# hidden by ecryptfs.
sudo mkdir -p /mnt/real_home
sudo mount -o bind /home /mnt/real_home

# Collect all non-system users.
users=$(
    awk -F: '$1 != "nobody" \
             && $3 >= 1000  \
             && $3 < 65534  \
             {print $1}' /etc/passwd
)

# Enable OTPW for each non-system user. The symlinks are
# created as root because the target home directories
# belong to other users.
for user in $users; do
    sudo mkdir -p "/usr/local/lib/otpw/$user"
    sudo touch "/usr/local/lib/otpw/$user/.otpw"
    sudo chown -R "$user": "/usr/local/lib/otpw/$user"
    sudo chmod 755 "/mnt/real_home/$user"
    sudo ln -sf "/usr/local/lib/otpw/$user/.otpw" \
                "/mnt/real_home/$user/"
    sudo ln -sf "/usr/local/lib/otpw/$user/.otpw" \
                "/home/$user/"
done

sudo umount /mnt/real_home

When you run the script, it creates OTPW files that are readable by pam_otpw.so even when the user's home directory is unmounted.

Please note that this script gives read and execute permissions to all users' home directories so that pam_otpw.so can read the OTPW password files. This is not inherently a risk, but users who rely on more restrictive directory permissions may want to tighten up the permissions of files and folders in their home directories immediately afterward.

Finally, all users should run otpw-gen-wrapper.sh to populate and maintain their OTPW password list. Always use the wrapper instead of calling otpw-gen directly, or password generation will break the symlinks required for proper operation.
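After otpw4ecryptfs.sh has run, it is worth confirming that the layout it leaves behind is actually usable by pam_otpw.so: the password file must exist in the store, the symlink in the underlying home directory must point at it, and the home directory must remain traversable (the chmod 755 mentioned above). The following check is an added example written for this article, not part of OTPW or of the scripts above; it takes the store and home paths as parameters so it can be run against a scratch directory, and its defaults assume the same /usr/local/lib/otpw and /mnt/real_home paths used in the procedure.

```shell
#!/bin/bash
# Added example (not from the original article): verify the OTPW layout
# produced by otpw4ecryptfs.sh for one user, i.e. that pam_otpw.so would
# find a readable password file even when the ecryptfs home is unmounted.

# Print the permission bits for "others", e.g. "r-x" (portable via ls -ld).
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# check_otpw_user LIBDIR HOMEDIR USER
#   LIBDIR  base of the OTPW store (the article uses /usr/local/lib/otpw)
#   HOMEDIR the *underlying* home directory, e.g. /mnt/real_home/USER
#           while the bind mount from otpw4ecryptfs.sh is in place
# Returns 0 when the layout is usable, 1 otherwise; reasons go to stderr.
check_otpw_user() {
    local libdir="$1" home="$2" user="$3" rc=0
    local store="$libdir/$user/.otpw" link="$home/.otpw"

    if [ ! -f "$store" ]; then
        echo "$user: missing password store $store" >&2; rc=1
    fi
    if [ ! -L "$link" ]; then
        echo "$user: $link is not a symlink" >&2; rc=1
    elif [ "$(readlink -f "$link")" != "$(readlink -f "$store")" ]; then
        echo "$user: $link does not point at $store" >&2; rc=1
    fi
    # The home directory must be traversable by others (chmod 755 in the
    # article); only the "x" bit matters for following the symlink.
    case "$(other_perms "$home")" in
        ??x) ;;
        *) echo "$user: $home is not world-traversable" >&2; rc=1 ;;
    esac
    return $rc
}

# Walk the same user set as otpw4ecryptfs.sh. Run this while /mnt/real_home
# is bind-mounted; both arguments are optional and default to the article's
# paths (assumed, adjust if you changed them).
check_all_users() {
    local base="${1:-/mnt/real_home}" libdir="${2:-/usr/local/lib/otpw}" rc=0
    local user
    for user in $(awk -F: '$1 != "nobody" && $3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd); do
        check_otpw_user "$libdir" "$base/$user" "$user" || rc=1
    done
    return $rc
}
```

Source the file and call check_all_users as root (or via sudo) after the bind mount from otpw4ecryptfs.sh is in place; a non-zero exit with a message per user tells you which step of the setup did not take.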

Check for Remaining Passwords

If your password list is exhausted, you will no longer be able to use OTPW to log in until a new list is generated. Likewise, if your password list doesn't contain at least three unused responses, you will not be able to use OTPW to log in when ~/.otpw.lock exists, because there are not enough challenge IDs to issue a triplet.

In addition, some of the security of OTPW comes from the randomness of the remaining challenges. The use of triplets in particular can exhaust your unused passwords rapidly, so it's a good idea to regenerate the password list whenever you fall below a minimum amount.

The OTPW author recommends regenerating the password list when less than half the original passwords remain unused, but doesn't define a minimum number of passwords required for adequate randomness of challenges. A small number of unused passwords makes you more vulnerable to brute-force attacks, since there are fewer challenges to present.

The pam_otpw.so PAM module is supposed to inform the user when unused passwords fall below half of those generated. However, the PAM session functionality doesn't seem to work on Debian or Ubuntu. In addition, even if it worked, the module doesn't establish a floor to ensure sufficient randomness of challenges.

The otpw-stats.sh script shown in Listing 1 provides this missing functionality. It also allows you to define a sensible minimum for unused passwords by adjusting the MIN_PASSWORDS variable at the top of the script.

Listing 1. otpw-stats.sh


#!/bin/bash

# 30 unused passwords seems like a reasonable, if
# arbitrary, floor to ensure randomness and a small
# cushion against triplet exhaustion. Feel free to
# adjust this number to suit your needs.
MIN_PASSWORDS=30
OTPW_LIST="$HOME/.otpw"

# Stop processing if OTPW isn't set up for this
# user.
[ -f "$OTPW_LIST" ] || exit 0

# The top two lines of an OTPW file are meta-data.
TOTAL_PASSWORDS=$(( $(wc -l < "$OTPW_LIST") - 2 ))
# Lines with dashes represent used passwords
# (grep -c still prints 0 when nothing matches).
USED_PASSWORDS=$(grep -c '^-' "$OTPW_LIST" || true)
# The number of passwords remaining is a calculated
# value.
PASSWORDS_LEFT=$((TOTAL_PASSWORDS - USED_PASSWORDS))

cat << EOF
OTPW Password Statistics
------------------------
    Passwords used: $USED_PASSWORDS
    Passwords left: $PASSWORDS_LEFT

EOF

# Test the hard floor first: MIN_PASSWORDS is normally
# below the half-way mark, so checking the half-way
# mark first would never let the critical warning fire.
if [ "$PASSWORDS_LEFT" -le "$MIN_PASSWORDS" ]; then
    echo "Remaining passwords at critical levels."
    echo "It's time to generate new OTPW passwords."
elif [ "$PASSWORDS_LEFT" -le $((TOTAL_PASSWORDS / 2)) ]; then
    echo "It's time to generate new OTPW passwords."
fi

Add otpw-stats.sh to your ~/.profile (or other shell startup script) to provide feedback at login:


# Only run script when logging in via SSH.
[ -n "$SSH_CONNECTION" ] && ~/bin/otpw-stats.sh
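The statistics script above reports the two thresholds the text discusses, but not the lock-file case: when ~/.otpw.lock exists, pam_otpw needs at least three unused entries to issue a triplet, so a list with one or two passwords left is already unusable for that login. The functions below are an added example for this article, not part of OTPW or of Listing 1; they assume the file layout described above (two metadata lines, then one line per password, with used entries beginning with a dash) and generalize the check into a single state word that a startup script can act on. The sample list they build is constructed for the demonstration and is not real otpw-gen output.

```shell
#!/bin/bash
# Added example (not from the original article): classify the state of an
# OTPW password list, including the triplet case from the text.

# otpw_counts FILE  -> prints "total used left"
otpw_counts() {
    local file="$1" total used
    total=$(( $(wc -l < "$file") - 2 ))        # first two lines are metadata
    used=$(grep -c '^-' "$file" || true)       # used entries start with '-'
    echo "$total $used $((total - used))"
}

# otpw_state FILE MIN [LOCKFILE] -> prints one of:
#   exhausted  no unused passwords left; OTPW login is impossible
#   locked     lock file present and fewer than 3 unused (no triplet possible)
#   critical   unused count at or below MIN
#   low        unused count at or below half of those generated
#   ok         nothing to do
# LOCKFILE defaults to FILE.lock, matching ~/.otpw.lock for ~/.otpw.
otpw_state() {
    local file="$1" min="$2" lock="${3:-$1.lock}"
    set -- $(otpw_counts "$file")
    local total="$1" left="$3"
    if [ "$left" -le 0 ]; then
        echo exhausted
    elif [ -e "$lock" ] && [ "$left" -lt 3 ]; then
        echo locked
    elif [ "$left" -le "$min" ]; then
        echo critical
    elif [ "$left" -le $((total / 2)) ]; then
        echo low
    else
        echo ok
    fi
}

# make_sample_list FILE TOTAL USED
# Writes a constructed list (placeholder metadata and hashes, not real
# otpw-gen output) so the classifier can be exercised offline.
make_sample_list() {
    local file="$1" total="$2" used="$3" i
    { echo "OTPW1"; echo "placeholder metadata line"; } > "$file"
    for i in $(seq 0 $((total - 1))); do
        if [ "$i" -lt "$used" ]; then
            echo "---------------"
        else
            printf '%03d%s\n' "$i" "constructedhash"
        fi
    done >> "$file"
}
```

Sourced from ~/.profile, `otpw_state "$HOME/.otpw" 30` gives the same "low" and "critical" answers as Listing 1 with MIN_PASSWORDS=30, and additionally reports "locked" when a stale or active ~/.otpw.lock would block a triplet challenge, which is the failure a user hits when a list has been drained by repeated triplet logins.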

Conclusion

OTPW provides a one-time password implementation that compares favorably against OPIE and S/KEY. It is easy to integrate with SSH on most Linux systems, and remains possible to use on Ubuntu systems with encrypted home directories.

Resources

OTPW Source: http://www.cl.cam.ac.uk/~mgk25/otpw.html


______________________

Todd A. Jacobs is a veteran IT consultant with a passion for all things Linux. He spends entirely too much time making systems do things they were never designed to do.
