One-time password for security management in linux

One-time password for security management in linux

Linux servers have always been known for their stability, efficiency, and security. Security is an important part, which is related to commercial secrets and the survival of enterprises. This article describes how to use optw to generate a one-time password and only allow specific commands to be executed:

I want to allow my friend to log on to my server to download some materials, but only allow him to log on 10 times. After logging on, he can only execute the scp command and do not do anything else. What should I do?

To sum up, complete the following two tasks:

Generate one-time password

Only allow users to execute scp tasks

Achieve objective 1: generate a one-time password

Install otpw

sudo apt-get install otpw-bin libpam-otpw

Configure common-auth

nano /etc/pam.d/common-auth

Find the following lines:

auth [success=1 default=ignore] pam_unix.so nullok_secure

Add:

auth sufficient pam_otpw.so

session optional pam_otpw.so

When a user logs on, he/she first tries to use a one-time password to log on. If the logon fails, he/she can use the normal logon method.

Configure sshd service

Add an otpw configuration file:

nano /etc/pam.d/otpw

The content is as follows:

auth           sufficient      pam_otpw.so
session        optional        pam_otpw.so

The sshd configuration file contains the otpw configuration file:

nano /etc/pam.d/sshd

Search:

@include common-auth

Add a row to the preceding row:

@include otpw

After modifying the sshd configuration file, make sure that the following three parameters are set to yes:

UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes

Restart the sshd service

service ssh restart

This is the basic otpw configuration. Make sure that the file configuration file (~ /. Otpw.

The following command generates four one-time passwords:

otpw-gen -h 5 -w 64

The following command generates 10 one-time passwords:

otpw-gen -h 6 -w 79

The command output is as follows:

Generating random seed ...
If your paper password list is stolen, the thief should not gain
access to your account with this information alone. Therefore, you
need to memorize and enter below a prefix password. You will have to
enter that each time directly before entering the one-time password
(on the same line).
When you log in, a 3-digit password number will be displayed.  It
identifies the one-time password on your list that you have to append
to the prefix password. If another login to your account is in progress
at the same time, several password numbers may be shown and all
corresponding passwords have to be appended after the prefix
password. Best generate a new password list when you have used up half
of the old one.
Overwrite existing password list '~/.otpw' (Y/n)?
Enter new prefix password: 
Reenter prefix password:
Creating '~/.otpw'.
Generating new one-time passwords ...
OTPW list generated 2014-02-27 01:31 on kali
000 IT4U V3Bk  002 cfFE g=Gj  004 +2ML Ff92  006 kaag Ar:Y  008 VZY8 iGsp
001 9H7n aPhV  003 fcIJ zf/P  005 Qxqf OhgF  007 zPY/ QJOV  009 :N7K 3zEu
!!! REMEMBER: Enter the PREFIX PASSWORD first !!!

SSH Logon:

login as: test
Using keyboard-interactive authentication.
Password 003:
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686
The programs included with the Debian GNU/Linux system are free software;the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul  9 20:03:23 2013 from 192.168.200.10
test@debian:~$

If your prefix password is "pass", the actual password 003 is:

passfcIJ zf/P

(No space is required after the prefix and password are entered ).

Create a user group with one-time optw password and add users:

addgroup optw adduser test optw

Modify file permissions:

chown root:optw /home/test/.otpw chmod 640 /home/test/.otpw

Disable other users from resetting passwords:

chmod 750 /usr/bin/otpw-gen

Objective 2. Restrict the user to only allow scp tasks:

apt-get install rssh apt-get install scponly

The two customized shells complete the following tasks respectively:

When rssh limits user behavior scponly, there is only one shell of the scp command.

Now, you can modify the user's shell:

usermod -s /usr/sbin/scponly test usermod -s /usr/sbin/rssh test

And you can confiure rssh quite descent:

nano /etc/rssh.conf

Content:

# Leave these all commented out to make the default action for rssh to lock# users out completely...allowscp#allowsftp#allowcvs#allowrdist#allowrsync#allowsvnserve# if your chroot_path contains spaces, it must be quoted...# In the following examples, the chroot_path is "/usr/local/my chroot"user=test:011:000010:"/opt/scpspace/test chroot"  # scp with chroot

Note:

1. optw is an open-source implementation of one-time password on linux, similar to the RSA Secure ID function.

2. rssh is a restricted shell and provides many practical functions. Easy to configure.

[Translated from vpsboard]