One-time passwords for security management in Linux
Linux servers are known for their stability, efficiency, and security, and for a business security is tied directly to its trade secrets and its survival. This article shows how to use otpw to generate one-time passwords and how to restrict a login to a single command:
Suppose I want to let a friend log in to my server to download some files, but only 10 times, and once logged in he should be able to run scp and nothing else. How do I set that up?
So there are two tasks:
Generate one-time passwords
Allow the user to run scp only
Objective 1. Generate one-time passwords
Install otpw
sudo apt-get install otpw-bin libpam-otpw
Configure common-auth
nano /etc/pam.d/common-auth
Find the following line:
auth [success=1 default=ignore] pam_unix.so nullok_secure
Above it, add:
auth sufficient pam_otpw.so
session optional pam_otpw.so
A login is now first offered a one-time password; if that fails, PAM falls through to the normal Unix password. Keep that fallback in mind: the list of one-time passwords only limits the number of logins if the account's ordinary password is locked (passwd -l) and it has no key in ~/.ssh/authorized_keys, since public-key logins never go through PAM's auth stack at all.
Configure sshd service
Add an otpw configuration file:
nano /etc/pam.d/otpw
The content is as follows:
auth sufficient pam_otpw.so
session optional pam_otpw.so
Then include it from the sshd PAM configuration:
nano /etc/pam.d/sshd
Find:
@include common-auth
and add the following line above it:
@include otpw
(pam_otpw is now listed twice for sshd, once here and once through common-auth; either one on its own is enough.)
In /etc/ssh/sshd_config, make sure the following three parameters are set to yes (on current OpenSSH releases ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication, and UsePrivilegeSeparation no longer exists and can be omitted):
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
Restart the sshd service
service ssh restart
This completes the basic otpw setup. The password list lives in the user's home directory as ~/.otpw and is created by otpw-gen, which prints the list in pages: -h sets the number of lines per page and -w the line width, and the number of passwords is whatever fits on the page. For example, this command generates four one-time passwords:
otpw-gen -h 5 -w 64
and this one generates 10:
otpw-gen -h 6 -w 79
The second command's output looks like this:
Generating random seed ...
If your paper password list is stolen, the thief should not gain
access to your account with this information alone. Therefore, you
need to memorize and enter below a prefix password. You will have to
enter that each time directly before entering the one-time password
(on the same line).
When you log in, a 3-digit password number will be displayed. It
identifies the one-time password on your list that you have to append
to the prefix password. If another login to your account is in progress
at the same time, several password numbers may be shown and all
corresponding passwords have to be appended after the prefix
password. Best generate a new password list when you have used up half
of the old one.
Overwrite existing password list '~/.otpw' (Y/n)?
Enter new prefix password:
Reenter prefix password:
Creating '~/.otpw'.
Generating new one-time passwords ...
OTPW list generated 2014-02-27 01:31 on kali
000 IT4U V3Bk 002 cfFE g=Gj 004 +2ML Ff92 006 kaag Ar:Y 008 VZY8 iGsp
001 9H7n aPhV 003 fcIJ zf/P 005 Qxqf OhgF 007 zPY/ QJOV 009 :N7K 3zEu
!!! REMEMBER: Enter the PREFIX PASSWORD first !!!
SSH Logon:
login as: test
Using keyboard-interactive authentication.
Password 003:
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul 9 20:03:23 2013 from 192.168.200.10
test@debian:~$
If the prefix password is "pass", the reply to the prompt "Password 003:" is the prefix followed immediately by password 003 from the list:
passfcIJ zf/P
(nothing separates the prefix from the one-time password).
Create a group for one-time-password users and add the user to it:
addgroup otpw
adduser test otpw
Make the password list readable but not writable by the user:
chown root:otpw /home/test/.otpw
chmod 640 /home/test/.otpw
Stop ordinary users from generating a fresh list:
chmod 750 /usr/bin/otpw-gen
Each entry in ~/.otpw works exactly once, so with the list locked down this way, and with the account's ordinary Unix password locked with passwd -l (pam_otpw is "sufficient", so a failed one-time password falls through to pam_unix), the user gets exactly as many logins as there are entries on the list.
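As an added example (not code from the article, from otpw or from OpenSSH), here are the objective-1 steps as shell functions that take explicit file paths, so they can be rehearsed on copies before being run against /etc. The user name test, the group otpw and the paths /etc/pam.d/common-auth, /etc/ssh/sshd_config, /home/test and /usr/bin/otpw-gen are the article's. The functions insert the pam_otpw lines idempotently, read sshd_config the way sshd does (first uncommented value wins), check the file modes from the chmod steps, and check that the pam_unix fallback is closed:

```shell
#!/bin/sh
# Added example, not part of the article or of the otpw/OpenSSH packages:
# the objective-1 steps as shell functions that take explicit paths, so they
# can be rehearsed on copies of the files before being run against /etc.
# The user name "test" and the group "otpw" are the ones the article uses.

# otpw_pam_insert FILE
# Put the two pam_otpw lines directly above the first "auth ... pam_unix.so"
# line in FILE. Running it twice is a no-op, so the file never gets duplicates.
otpw_pam_insert() {
    f=$1
    grep -q '^auth[[:space:]].*pam_otpw\.so' "$f" && return 0
    grep -q '^auth[[:space:]].*pam_unix\.so' "$f" || return 1   # nothing to anchor on
    tmp=$(mktemp) || return 1
    awk '/^auth[[:space:]].*pam_unix\.so/ && !done {
             print "auth sufficient pam_otpw.so"
             print "session optional pam_otpw.so"
             done = 1
         }
         { print }' "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sshd_setting FILE KEY
# Print the value sshd will use for KEY: keywords are case-insensitive and the
# first uncommented occurrence wins. Prints nothing when KEY is not set.
sshd_setting() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == k && !found { print $2; found = 1 }' "$1"
}

# sshd_otpw_ready FILE
# 0 if sshd will hand the login to PAM as a keyboard-interactive exchange.
# OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication; both spellings are accepted and both default
# to yes, so only an explicit "no" blocks OTPW. UsePAM defaults to no.
sshd_otpw_ready() {
    f=$1
    [ "$(sshd_setting "$f" UsePAM)" = yes ] ||
        { echo "$f: UsePAM must be yes" >&2; return 1; }
    kbd=$(sshd_setting "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_setting "$f" ChallengeResponseAuthentication)
    [ "$kbd" != no ] ||
        { echo "$f: keyboard-interactive authentication is disabled" >&2; return 1; }
}

# perm_mode PATH: permission bits in octal, e.g. 640 (GNU stat, Linux).
perm_mode() { stat -c %a "$1"; }

# otpw_list_owner PATH: owner:group of the password list, e.g. root:otpw.
otpw_list_owner() { stat -c %U:%G "$1"; }

# otpw_lockdown_check HOME GEN
# The article's hardening: HOME/.otpw is 640 so the user can read but not
# rewrite his list, and GEN (otpw-gen) is 750 so nobody outside group root
# can generate a new one.
otpw_lockdown_check() {
    list=$1/.otpw gen=$2
    m=$(perm_mode "$list") || return 1
    [ "$m" = 640 ] || { echo "$list: mode $m, want 640" >&2; return 1; }
    g=$(perm_mode "$gen") || return 1
    [ "$g" = 750 ] || { echo "$gen: mode $g, want 750" >&2; return 1; }
}

# unix_fallback_closed USER HOME
# pam_otpw is "sufficient", so a failed one-time password falls through to
# pam_unix. The login cap therefore only holds if the Unix password is locked
# (passwd -S shows "L") and no SSH key is installed for the account.
unix_fallback_closed() {
    st=$(passwd -S "$1" 2>/dev/null | awk '{ print $2 }')
    [ "$st" = L ] || { echo "$1: Unix password is usable (status ${st:-unknown})" >&2; return 1; }
    [ ! -s "$2/.ssh/authorized_keys" ] ||
        { echo "$2/.ssh/authorized_keys exists; key logins bypass OTPW" >&2; return 1; }
}

# Usage (as root): sh otpw-setup.sh apply   edits /etc/pam.d/common-auth
#                  sh otpw-setup.sh check   verifies the live configuration
case "${1:-}" in
    apply) otpw_pam_insert /etc/pam.d/common-auth ;;
    check) sshd_otpw_ready /etc/ssh/sshd_config &&
           otpw_lockdown_check /home/test /usr/bin/otpw-gen &&
           [ "$(otpw_list_owner /home/test/.otpw)" = root:otpw ] &&
           unix_fallback_closed test /home/test && echo "otpw setup looks complete" ;;
esac
```

Run it with apply as root to edit common-auth, then with check after the chown/chmod steps; each check reports the first problem it finds on stderr and exits non-zero, which is what you want before handing the account over.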
Objective 2. Restrict the user to scp only
Two restricted shells are available; install one of them:
apt-get install rssh
apt-get install scponly
They differ in scope: rssh confines a user to a configurable subset of scp, sftp, cvs, rdist, rsync and svnserve, while scponly is a shell that permits scp (and sftp) transfers and nothing else.
Make whichever you chose the user's login shell:
usermod -s /usr/sbin/scponly test
or
usermod -s /usr/sbin/rssh test
rssh is also easy to configure in more detail:
nano /etc/rssh.conf
Content:
# Leave these all commented out to make the default action for rssh to lock
# users out completely...
allowscp
#allowsftp
#allowcvs
#allowrdist
#allowrsync
#allowsvnserve
# if your chroot_path contains spaces, it must be quoted...
# In the following examples, the chroot_path is "/usr/local/my chroot"
user=test:011:000010:"/opt/scpspace/test chroot" # scp with chroot
Here allowscp is the only service switched on globally, and the user= line (user name, umask, access bits, chroot path; the order of the bits is documented in the comments of the shipped rssh.conf and in rssh.conf(5)) grants test scp only, chrooted into /opt/scpspace/test chroot. A chroot path containing spaces must be quoted, and the chroot itself has to contain scp and the libraries it needs; rssh ships a mkchroot.sh script that populates it.
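As an added example (not the article's or rssh's own code), a small lint for an rssh.conf like the one above, to run before the usermod: it confirms that allowscp is the only active allow directive, reads the user= line as name:umask:access bits:chroot path, insists that a chroot path containing spaces is quoted, and checks that the chroot directory exists and contains an scp binary (assumed at usr/bin/scp inside the chroot, the same path as on the host):

```shell
#!/bin/sh
# Added example, not from the article or from rssh: a lint for rssh.conf to
# run before the usermod. It checks the two things the file's own comments
# warn about (every allow* other than allowscp should stay commented out; a
# chroot path with spaces must be quoted) and reads the user= line in the
# name:umask:bits:path layout the fragment shows. The chroot check assumes
# scp lives at usr/bin/scp inside the chroot, as it does on the host.

# rssh_active_allows FILE: the allow* directives that are in force, one per line.
rssh_active_allows() {
    sed -n 's/^[[:space:]]*\(allow[a-z]*\).*/\1/p' "$1"
}

# rssh_scp_only FILE: 0 if scp is the only globally allowed service.
rssh_scp_only() {
    a=$(rssh_active_allows "$1" | sort -u | tr '\n' ' ')
    [ "$a" = "allowscp " ] || { echo "$1: active allows: ${a:-none}" >&2; return 1; }
}

# rssh_user_field FILE USER N: field N of USER's line (1 umask, 2 access
# bits, 3 chroot path), with any trailing "# comment" removed.
rssh_user_field() {
    sed -n "s/^[[:space:]]*user=$2://p" "$1" | sed 's/[[:space:]]*#.*$//' | cut -d: -f"$3"
}

# rssh_user_chroot FILE USER: the chroot path with surrounding quotes removed.
rssh_user_chroot() {
    rssh_user_field "$1" "$2" 3 | sed 's/^"\(.*\)"$/\1/'
}

# rssh_user_line_ok FILE USER
# 0 if USER has a line, its access bits are 5 or 6 binary digits, and a
# chroot path containing spaces is quoted.
rssh_user_line_ok() {
    f=$1 u=$2
    grep -q "^[[:space:]]*user=$u:" "$f" || { echo "$f: no user= line for $u" >&2; return 1; }
    bits=$(rssh_user_field "$f" "$u" 2)
    case $bits in
        [01][01][01][01][01] | [01][01][01][01][01][01]) ;;
        *) echo "$u: access bits '$bits' are not 5 or 6 binary digits" >&2; return 1 ;;
    esac
    path=$(rssh_user_field "$f" "$u" 3)
    case $path in
        \"*\") ;;
        *" "*) echo "$u: chroot path with spaces must be quoted: $path" >&2; return 1 ;;
    esac
}

# rssh_chroot_present PATH: 0 if the chroot exists and holds an scp binary.
# An empty chroot directory makes every login fail; rssh's mkchroot.sh
# populates it with scp and the libraries it needs.
rssh_chroot_present() {
    [ -d "$1" ] && [ -x "$1/usr/bin/scp" ]
}

# Usage: sh rssh-lint.sh /etc/rssh.conf test
if [ $# -eq 2 ]; then
    rssh_scp_only "$1" && rssh_user_line_ok "$1" "$2" &&
        rssh_chroot_present "$(rssh_user_chroot "$1" "$2")" &&
        echo "$2: rssh is configured for scp only, chroot $(rssh_user_chroot "$1" "$2")"
fi
```

Fields are split on ":" so a chroot path containing a colon would need the parser extended; the lint does not judge the meaning of individual access bits, only their shape, so read the comments in the shipped rssh.conf for which digit is which.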
Note:
1. otpw is an open-source one-time password implementation for Linux, comparable in purpose to RSA SecurID.
2. rssh is a restricted shell with a number of practical features and is easy to configure.
[Translated from vpsboard]