How to securely log in to Linux with one-time password via SSH


Some people say that security is not a product but a process. The SSH protocol is designed to be secure, with encryption built in, but used improperly it can still let others into your system: weak passwords, leaked keys, outdated SSH clients and so on all cause real security problems.

When choosing an SSH authentication method, it is generally accepted that public key authentication is more secure than password authentication. Public key authentication was not designed for untrusted environments, though. If you use it from a public computer to log in to your SSH server, that server can no longer be considered safe: the public computer may have recorded your private key, or read it out of memory. If you do not trust the local computer, you should log in to the server some other way. This is where one-time passwords (OTP) come in: as the name says, each password is used only once. A one-time password is well suited to unsafe environments, because even if it is stolen it cannot be used again.

One way to generate one-time passwords is Google Authenticator, but in this article I want to introduce another SSH login scheme: OTPW, a one-time password login package. Unlike Google Authenticator, OTPW does not depend on any third-party libraries.

What is OTPW?

OTPW consists of a one-time password generator and a PAM authentication module. The one-time passwords are generated in advance by the generator and handed to the user through a secure channel (for example, printed on paper). On the SSH server side only hashes of these passwords are stored. When a user logs in with a one-time password, the OTPW PAM module verifies it and makes sure it cannot be used again.

Step 1: Install and configure OTPW

On Debian, Ubuntu or Linux Mint

Install with apt-get:

$ sudo apt-get install libpam-otpw otpw-bin

Open the PAM configuration file for the SSH service (/etc/pam.d/sshd) and comment out the following line (this disables PAM password authentication):

# @include common-auth

Add the following two lines (to turn on one-time password authentication):

auth       required     pam_otpw.so
session    optional     pam_otpw.so

On Fedora or CentOS/RHEL

The RedHat-based distributions ship no prebuilt OTPW package, so it has to be built from source.

First, install the build environment and fetch the source:

$ sudo yum install git gcc pam-devel
$ git clone https://www.cl.cam.ac.uk/~mgk25/git/otpw
$ cd otpw

Open the Makefile and edit the line that begins with "PAMLIB=" so that it points at the PAM module directory of your system:

64-bit system:

PAMLIB=/usr/lib64/security

32-bit system:

PAMLIB=/usr/lib/security

Compile and install. Note that the installation automatically restarts the SSH service, so if you are connected to the server over SSH, be prepared to be disconnected. (LCTT note: you may well not be disconnected; if you are, reconnect the way you did before, because at this point password authentication has not yet been replaced by one-time passwords.)

$ make
$ sudo make install

Now the SELinux policy needs updating, because /usr/sbin/sshd will write to your home directory (the OTPW module updates ~/.otpw there), which SELinux does not allow by default. If you are not running SELinux, skip this step. (LCTT note: check with the getenforce command; if it prints Enforcing, SELinux is active.)

$ sudo grep sshd /var/log/audit/audit.log | audit2allow -M mypol
$ sudo semodule -i mypol.pp

Next, open the PAM configuration file (/etc/pam.d/sshd) and comment out the following line (this disables password authentication):

#auth       substack     password-auth

Add the following two lines (to turn on one-time password authentication):

auth       required     pam_otpw.so
session    optional     pam_otpw.so

Step 2: Configure the SSH server with a one-time password

Open /etc/ssh/sshd_config and set the following three parameters. Make sure none of them appears a second time elsewhere in the file: sshd uses the first value it finds for a keyword, so a duplicate can silently override your setting and leave the server behaving unexpectedly.

UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes

You also need to disable the default password authentication. Optionally, leave public key authentication enabled so that from trusted machines you can still log in with your key, without a one-time password.

PubkeyAuthentication yes
PasswordAuthentication no

Restart the SSH server.

On Debian, Ubuntu or Linux Mint:

$ sudo service ssh restart

On Fedora or CentOS/RHEL 7:

$ sudo systemctl restart sshd

(LCTT note: restarting sshd here does not affect your current SSH session, but until you finish the steps below you cannot open a new connection the old way. To be safe, either keep a second SSH connection open and take care not to close the current one, or postpone the sshd restart until Step 3 is complete.)
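The following helpers are an added example, not code from the original article or from the OTPW project. They apply the Step 1 and Step 2 edits to whatever file path you give them, so you can run them against copies (cp /etc/pam.d/sshd /etc/ssh/sshd_config /tmp/) and diff the result before touching /etc. They assume a Debian-style /etc/pam.d/sshd containing an "@include common-auth" line; the sample files in the demo are constructed for the example. The sshd_config helper removes every earlier active or commented copy of the option, because sshd keeps the first value it sees for a keyword, and it places the new line above the first Match block, since options after a Match line apply only to that block.

```shell
#!/bin/sh
# Added example (not from the original article or OTPW): idempotent helpers for
# the PAM and sshd_config changes. File paths are parameters so the functions can
# be tried on copies first.

# pam_enable_otpw FILE: comment out "@include common-auth" and make sure the two
# pam_otpw.so lines are present exactly once (old copies are dropped and re-added),
# so running it twice is harmless.
pam_enable_otpw() {
    f="$1"; tmp="$f.tmp.$$"
    awk '
        /^@include[ \t]+common-auth/ { print "# " $0; next }   # disable PAM password auth
        /^auth[ \t]+required[ \t]+pam_otpw\.so/ { next }
        /^session[ \t]+optional[ \t]+pam_otpw\.so/ { next }
        { print }
        END {
            print "auth       required     pam_otpw.so"
            print "session    optional     pam_otpw.so"
        }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# sshd_set FILE KEY VALUE: set a global sshd_config option exactly once. sshd uses
# the FIRST value it finds for a keyword, so earlier active or commented copies are
# removed; the new line goes before the first "Match" block, and Match blocks are
# left untouched because their options are scoped to that block.
sshd_set() {
    f="$1"; tmp="$f.tmp.$$"
    awk -v key="$2" -v val="$3" '
        BEGIN { lk = tolower(key) }
        !done && tolower($1) == "match" { print key " " val; done = 1 }
        done { print; next }                                # inside Match: verbatim
        {
            line = $0; sub(/^[ \t]*#*[ \t]*/, "", line)     # look past comment markers
            split(line, w, /[ \t=]+/)
            if (tolower(w[1]) == lk) next                   # drop the old copy
            print
        }
        END { if (!done) print key " " val }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# sshd_get FILE KEY: print the effective global value, i.e. the first active
# occurrence before any Match block (keywords are case-insensitive).
sshd_get() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key) }
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == lk { print $2; exit }
    ' "$1"
}

# Demo on constructed copies (not real host files).
d=$(mktemp -d)
printf '@include common-auth\n@include common-account\n' > "$d/pam_sshd"
printf '#PasswordAuthentication yes\nUsePAM no\nMatch User git\n\tPasswordAuthentication no\n' > "$d/sshd_config"
pam_enable_otpw "$d/pam_sshd"
for opt in "UsePrivilegeSeparation yes" "ChallengeResponseAuthentication yes" "UsePAM yes" \
           "PubkeyAuthentication yes" "PasswordAuthentication no"; do
    sshd_set "$d/sshd_config" $opt
done
cat "$d/pam_sshd" "$d/sshd_config"
sshd_get "$d/sshd_config" PasswordAuthentication    # prints: no
rm -rf "$d"
```

After running the helpers on the real files, sshd -t validates the configuration before you restart the service, and sshd_get shows the value sshd will actually use, which is the quickest way to catch a duplicate keyword that would otherwise win silently.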

Step 3: Generate A one-time password using OTPW

As mentioned above, the one-time passwords have to be generated and saved in advance. Create them with the otpw-gen command:

$ cd ~
$ otpw-gen > temporary_password.txt

The command asks you for a password prefix; at login you will type the prefix followed by the one-time password. The prefix is an extra layer of protection: even if your printed password list is compromised, whoever holds it still needs the prefix to log in.

Once the prefix is set, the command generates 280 one-time passwords (LCTT note: their hashes are saved to ~/.otpw) and writes them to the text file (here temporary_password.txt). Each password (8 characters by default) is identified by a 3-digit decimal index. Print this password list and carry it with you.

Look at ~/.otpw, which stores the hashes of the one-time passwords. The first three decimal digits of each line are the index of the corresponding entry on the printed list; the server asks for one of these indices when you log in.

$ more ~/.otpw
OTPW1 280 3 8
191ai+:enwmmqwn
218tyrzc%piy27a
241ve8ns%nshfmf
055w4/ycauqjkr:
102znj4vwlfrk5n
2273xww55htej8y
1509d4b5=a64jbt
168fwbxy%ztm9j%
000rwusdbyr%8ue
037nvyryzci+yrx
122rewa3gxvok=z

Test a one-time password login to the SSH server

Log in to the SSH server as usual:

$ ssh user@remote_host

If OTPW is working, the password prompt looks a little different from usual:

Password 191:

Now open your password list and find the password with index 191.

023 kBvp tq/G  079 jKEw /HRM  135 oW/c /UeB  191 fOO+ PeiD  247 vAnZ EgUt

According to the list, password 191 is "fOO+PeiD". Put the password prefix in front of it: if you set the prefix to "000", the password you actually type is "000fOO+PeiD".

After a successful login, the password you just used is invalidated automatically. Look at ~/.otpw again: the first line has become "---------------", which means password 191 is no longer valid.

OTPW1 280 3 8
---------------
218tyrzc%piy27a
241ve8ns%nshfmf
055w4/ycauqjkr:
102znj4vwlfrk5n
2273xww55htej8y
1509d4b5=a64jbt
168fwbxy%ztm9j%
000rwusdbyr%8ue
037nvyryzci+yrx
122rewa3gxvok=z
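Because OTPW overwrites each consumed entry with dashes, ~/.otpw doubles as a record of how many passwords you have left and whether a given index on your printed sheet is still usable. The script below is an added example, not part of OTPW or of the original article. It assumes the header line carries the password count and the index width as its first two numbers (as in the "OTPW1 280 3 8" dump above) and that entries consist of the index digits followed by the hash with no spaces; the six-entry file in the demo is constructed, with made-up hash values.

```shell
#!/bin/sh
# Added example (not from OTPW or the original article): inspect a ~/.otpw file.
# Assumptions: header = magic plus "<count> <index digits> <password length>";
# a live entry is <index digits><hash>; a consumed entry is a line of dashes.

# otpw_status FILE: prints "total index_digits unused used"
otpw_status() {
    awk '
        digits == 0 && ($0 ~ /^OTPW/ || $0 ~ /[ \t]/) {      # header line(s)
            n = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { n++; if (n == 1) total = $i; if (n == 2) digits = $i }
            next
        }
        /^-+$/    { used++; next }                           # consumed: index and hash gone
        /^[0-9]/  { unused++; next }                         # live: index digits + hash
        END { printf "%d %d %d %d\n", total, digits, unused, used }
    ' "$1"
}

# otpw_is_unused FILE INDEX: succeeds if the password with INDEX (exactly as printed
# on the sheet, e.g. 191) has not been consumed yet. Entries never contain spaces, so
# the trailing [^ ]*$ keeps a header such as "280 3 8" from matching index 280.
otpw_is_unused() {
    grep -q "^$2[^ ]*\$" "$1"
}

# otpw_enough FILE MIN: succeeds if at least MIN unused passwords remain. Run it from
# a login script or cron so you rerun otpw-gen before the sheet runs dry, while you
# still have a working way in.
otpw_enough() {
    [ "$(otpw_status "$1" | cut -d' ' -f3)" -ge "$2" ]
}

# Demo on a constructed six-entry file (hash values are made up for the example).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
OTPW1 6 3 8
---------------
218tyrzc%piy27a
241ve8ns%nshfmf
---------------
000rwusdbyr%8ue
037nvyryzci+yrx
EOF
otpw_status "$demo_file"                                  # prints: 6 3 4 2
otpw_is_unused "$demo_file" 218 && echo "218 still usable"
otpw_is_unused "$demo_file" 191 || echo "191 already consumed"
otpw_enough "$demo_file" 10 || echo "fewer than 10 left: run otpw-gen again"
rm -f "$demo_file"
```

Note that a consumed line no longer carries its index, so the file tells you how many passwords are gone but not which ones; to know whether a particular entry on your sheet is still good you must check that its index is still present, which is what otpw_is_unused does.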

Summary

In this tutorial I showed how to set up one-time login passwords with OTPW. You may feel that, as two-factor authentication goes, a printed password list is rather low-tech, but it is the simplest approach and depends on no third-party software. However you generate your one-time passwords, they are valuable whenever you have to log in to an SSH server from an untrusted environment.
