One-time password verification with OTPW configuration (1)

Password Verification involves many assumptions about security and trust. Encrypted SSH tunneling and public key verification are two common methods to ensure that passwords are not compromised during transmission. But what if the computer you are currently using is untrusted?

This is not an easy-to-attack scenario for careful people. In many common cases and common cases, you may not use the system password, even through a secure tunnel. Examples include:

◆ Public computers in hotels, libraries, or Internet cafes;

◆ Computers infected with viruses;

◆ Shared workstation used for Pair programming;

◆ Others may see any part of the entire password process.

What are the similarities between these examples? In common, you try to connect from an untrusted source to a trusted destination. This is totally contrary to the original intention of designing most verification systems.

Take public key verification as an example. SSH public key verification undoubtedly bypasses the password prompt on the remote host, but it still requires you to hand over your private key password to the local machine. In addition, once the key is decrypted using your password, the local system can fully access the sensitive key content.

Fortunately, there is already a way to solve this problem that is often overlooked: A one-time password.

The combination of SSH and one-time password has powerful functions:

◆ The SSH protocol provides a mechanism to encrypt the logon sequence across the entire network.

◆ A good SSH client allows you to check the Public Key fingerprint of the remote host before entering the logon information. This prevents unauthorized hosts from collecting your one-time password.

◆ The one-time password system ensures that passwords cannot be reused. Therefore, even if a password is obtained during transmission, once you log on with the password, the password is of no value to the attacker.

UNIX-like systems have many one-time password solutions. The two most famous solutions are S/KEY and one-time password for each OPIE task ).

Since OPIE was recently removed from the Debian and Ubuntu repositories, The OTPW one-time password system developed by German computer scientist Markus Kuhn provides a practical alternative. Although OTPW does not directly replace OPIE, it provides similar functions and some notable features not available in S/KEY or OPIE.