Gentoo Wiki

OpenSSH_skey


Introduction

We will assume that you have already set up key-based authentication. Keys are a good way to authenticate - better than passwords - but both passwords and keys can be stolen. So what if you want to log in from an untrusted box (such as a Windows box full of spyware, trojan horses, viruses, key loggers etc.)? You can use S/Key - a one-time password that is valid for a single login, so whatever a key logger records is useless afterwards. Be clear about what this does and does not buy you: a one-time password stops the captured password from being replayed, but it does nothing against a compromised client that records or hijacks the live session once you are logged in.

Security implications

Please note that S/Key is old: it dates from the early 1990s (RFC 1760, later generalised as RFC 2289), builds on Lamport's 1981 hash-chain scheme, and folds each MD4, MD5 or SHA-1 hash down to 64 bits. The weak point is not only the short 64-bit value: the sequence number and the seed are shown in clear in the login prompt, and every one-time password is derived deterministically from the secret passphrase. Anyone who captures a single one-time password (for example with the very key logger you are trying to defeat) can run an offline dictionary attack against the passphrase, and on success compute every remaining password in the chain. Given today's processing power, S/Key should not be relied on as a real second factor any more; treat it as a mitigation against simple password replay, and if you use it at all, pick a long, random secret passphrase.

Enabling S/Key support

Emerge OpenSSH with S/Key support. To do this, set the skey USE flag for net-misc/openssh in /etc/portage/package.use:

File: /etc/portage/package.use
...
net-misc/openssh                skey
...

Then remerge OpenSSH:

# emerge -N openssh

sshd configuration

Edit the relevant parts of /etc/ssh/sshd_config as indicated below:

File: /etc/ssh/sshd_config
...

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

...

UsePAM no

...

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

...


Warning: UsePAM must be no. With UsePAM yes, sshd hands challenge-response (keyboard-interactive) authentication to PAM, and unless the PAM stack itself has been set up for S/Key, anyone will still be able to log in with the account's ordinary password, which defeats the whole setup. Note also that sshd uses the first value it reads for each keyword, so a leftover UsePAM yes higher up in the file silently wins over the line you edited further down.

Now restart the OpenSSH daemon:

# /etc/init.d/sshd restart
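As an added check (example code written for this page, not part of the wiki text or of OpenSSH), the following Python reads an sshd_config and reports whether the four settings above are in effect. It applies two rules from sshd_config(5) that are easy to trip over: keywords are case-insensitive, and for each keyword the first value read wins, so a duplicate further down is ignored. Directives after a Match line are skipped because they are conditional rather than global. The two sample configurations are constructed for the example, not taken from any real host; the function names are the example's own.

```python
import re

# Settings the page's sshd_config fragment sets; keys are lower-case because
# sshd_config keywords are case-insensitive.
REQUIRED = {
    "challengeresponseauthentication": "yes",  # keyboard-interactive, which carries S/Key
    "usepam": "no",                            # with PAM, the account password is still accepted
    "passwordauthentication": "no",            # no account password over the tunnel at all
    "permitemptypasswords": "no",
}


def parse_global_directives(text):
    """Map keyword -> first value, for directives that apply to every connection.

    Mirrors two sshd_config rules: comments and blank lines are ignored, and
    for each keyword the first value read wins. Parsing stops at the first
    Match line, since everything after it is conditional, not global.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        found.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return found


def check_skey_config(text):
    """Return a list of problems; an empty list means the config matches the page."""
    found = parse_global_directives(text)
    problems = []
    for key, want in REQUIRED.items():
        got = found.get(key)
        if got is None:
            problems.append(f"{key}: not set, compiled-in default applies")
        elif got.lower() != want:
            problems.append(f"{key}: is {got!r}, want {want!r}")
    return problems


# Constructed samples (not from any real host). The first reproduces the
# mistake the warning describes: UsePAM yes, followed by a UsePAM no that
# sshd ignores, plus a setting that only lives inside a Match block.
SAMPLE_BAD = """\
Port 22
#ChallengeResponseAuthentication yes
UsePAM yes
UsePAM no
PasswordAuthentication=no
Match User backup
PasswordAuthentication yes
PermitEmptyPasswords no
"""

SAMPLE_GOOD = """\
ChallengeResponseAuthentication yes
UsePAM no
PasswordAuthentication no
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_skey_config(cfg) or "ok")
```

Run check_skey_config() on the contents of /etc/ssh/sshd_config before restarting the daemon. On OpenSSH 5.1 and later, `sshd -T` (run as root) prints the effective configuration and is the authoritative check.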

S/Key configuration

Then run skeyinit (each user can do this for their own account). Do it on the console or over an already-encrypted connection, because you will be typing the secret passphrase:

$ skeyinit
[Updating root]
Old key: [md5] port86245
Reminder - Only use this method if you are directly connected
or have an encrypted channel.  If you are using telnet
or rlogin, exit with no password and use skeyinit -s.

Enter secret password:
Again secret password:

ID root skey is otp-md5 99 port86246
Next login password: LEAR FOGY WISH DEE KIRK GUNK

Enter a secret passphrase and don't lose it: it is never stored anywhere, and every one-time password is derived from it. When skeyinit finishes it prints the sequence number (99), the seed (port86246) and the one-time password for sequence 99:

LEAR FOGY WISH DEE KIRK GUNK

This is what the server has just recorded, not a password you can log in with: the next login will ask for number 98, and the server accepts it by hashing it once and comparing the result with the stored number 99. Keep it anyway; it will be useful as a check in the next step.


Then generate the list of one-time passwords you will actually use (print it or write it down; this is what you consult from the untrusted machine). skey -n 5 prints five passwords, ending at sequence 99:

$ skey -n 5 99 port86246
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
95: SAT OFT JUG MAID SAN PAD
96: RAM THEE WAIT RAT HANG JAKE
97: SORE QUOD BERN GAME ISLE ROAD
98: SANK KEN SOD GONG PUP BOON
99: LEAR FOGY WISH DEE KIRK GUNK

Slot 99 shows the same six words that skeyinit printed. That is your confirmation that you typed the same secret passphrase at both programs; had you mistyped it at either prompt, the words would differ and none of the passwords on this list would work.

Then simply log in using the password the terminal tells you to use:

$ ssh root@host
otp-md5 98 port86246
S/Key Password:

Consulting the list, the password asked for (sequence 98) is SANK KEN SOD GONG PUP BOON. Type it in; case does not matter:

sank ken sod gong pup boon

And you should be logged in! Each login consumes one password: the next prompt will ask for 97, and number 98 is now useless to anyone who recorded it. When the sequence number gets low, run skeyinit again over a trusted channel to start a new chain.
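To make the procedure above concrete (and the offline-guessing caveat from the Security implications section), here is an added example written for this page; it is not code from OpenSSH or from the skey package. It implements the otp-md5 construction of RFC 2289: the seed (lower-cased) and the secret passphrase are hashed with MD5, the 128-bit digest is folded to 64 bits by XORing its two halves, and the fold is repeated N times to obtain the password for sequence number N. Passwords are shown in hex rather than as six words, because the 2048-word S/Key dictionary is not embedded here. The SkeyVerifier class stands in for what skeyinit records and sshd checks; the demo passphrase is constructed, and the seed matches the page's example output.

```python
import hashlib


def fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def keycrunch(passphrase: str, seed: str) -> bytes:
    """Start of the chain: seed (lower-cased) + secret passphrase, hashed and folded."""
    return fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())


def step(key: bytes) -> bytes:
    """One application of the one-way function f to a 64-bit chain value."""
    return fold(hashlib.md5(key).digest())


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """One-time password for sequence number n: f applied n times to keycrunch().

    This is what `skey n seed` prints; `skey -n 5 99 seed` is otp() for 95..99.
    """
    key = keycrunch(passphrase, seed)
    for _ in range(n):
        key = step(key)
    return key


class SkeyVerifier:
    """Server side: what skeyinit records and what sshd checks at login.

    Only the seed, the sequence number and the last accepted password are
    stored; the passphrase never reaches the server. A login must present
    password n-1, accepted iff f(password n-1) equals the stored password n.
    The stored value then moves one step down the chain, so a replay fails.
    """

    def __init__(self, seed: str, n: int, current: bytes):
        self.seed, self.n, self.current = seed, n, current

    @classmethod
    def skeyinit(cls, passphrase: str, seed: str, n: int = 99) -> "SkeyVerifier":
        # Done on the console or an encrypted channel; the passphrase is then forgotten.
        return cls(seed, n, otp(passphrase, seed, n))

    def challenge(self) -> str:
        """The prompt sshd shows, e.g. 'otp-md5 98 port86246'."""
        return f"otp-md5 {self.n - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        if self.n <= 0 or step(candidate) != self.current:
            return False
        self.n -= 1
        self.current = candidate
        return True


def guess_passphrase(seed: str, n: int, observed: bytes, candidates):
    """The offline attack from the Security implications section.

    n and seed are public (they are in the prompt), so an attacker who captured
    one password, e.g. with a key logger on the untrusted box, can test
    passphrase guesses without ever talking to the server. Success yields
    every remaining password in the chain.
    """
    for cand in candidates:
        if otp(cand, seed, n) == observed:
            return cand
    return None


if __name__ == "__main__":
    passphrase, seed = "correct horse battery", "port86246"  # constructed demo values
    server = SkeyVerifier.skeyinit(passphrase, seed, 99)
    print(server.challenge())                      # otp-md5 98 port86246
    p98 = otp(passphrase, seed, 98)                # taken from the printed list
    print("login:", server.verify(p98), p98.hex().upper())
    print("replay:", server.verify(p98))           # False: the chain has moved on
    print("next prompt:", server.challenge())      # otp-md5 97 port86246
    print("guessed:", guess_passphrase(seed, 98, p98, ["hunter2", passphrase]))
```

The verifier never needs the passphrase, which is the whole point of a hash chain; but guess_passphrase() shows why the passphrase still has to be strong: with the prompt's seed and sequence number, one recorded password is enough to test guesses offline at full speed.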

Retrieved from "http://www.gentoo-wiki.info/OpenSSH_skey"

Last modified: Sat, 06 Sep 2008 13:07:00 +0000