Re: One-Time passwords for regular user accounts?



"Nico Kadel-Garcia" <nkadel@xxxxxxxxxxx> writes:

Carlos Moreno wrote:
John Thompson wrote:

I wonder if there is a way (a standard way, that is) to set up
one-time passwords for logging in to a Linux box (through SSH).

Search google on "opie" (one-time passwords in everything) and
"S/KEY"

Hmmm... The information seems a bit scarce. But still, from one of
the descriptions I read, it seems to be resistant to sniffing attacks,
and not to key loggers. But using SSH -- which I do -- makes me
already impervious to sniffing.

My concern is that I do not trust the keyboard where I'm typing my
password -- that's why I would like the server to have a list of
passwords ready to use, and as soon as one of them is used, it is
immediately removed from that list.

Am I getting it wrong?

Your concern is reasonable. I've used OPIE and its like in the past, for
off-site modem access. It works rather well, although you do need to keep
your printed list of one-time passwords with you.

OPIE is a one-time challenge-response system. The challenge is the number,
the response is the password hashed that many times. The next time the
challenge will be one less.

It could be susceptible to active attacks, but not passive. I.e., you log
on, it sends you the challenge. The computer you are on reads your response
but sends a wrong one back. OPIE then will next time issue the same
challenge, and the active attacker can then replay your correct response.
It would have to know about your OPIE to do that.

It is done this way to prevent attacks which compromise your server, so
that your password (or its equivalent) is not stored there. If that is a
lesser danger, then OPIE on the server can calculate the next challenge
response, and can cancel a response any time it sends out a challenge, so it
never reuses the challenge. It is a trade-off on the dangers to be
protected against. Of course this would open you to denial of service: an
attacker simply wastes all of the challenges, leaving you with no way of
logging on.
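An added illustration, not from anyone in this thread, of the hash chain described above and of why a failed response leaves the same challenge open. It assumes SHA-256 in place of OPIE's real MD4/MD5-with-folding step and uses a constructed sample secret.

```python
import hashlib

def h(data: bytes) -> bytes:
    # One step of the chain. Real OPIE folds MD4/MD5 output to 64 bits;
    # SHA-256 is used here for simplicity (an assumption of this example).
    return hashlib.sha256(data).digest()

def chain(secret: bytes, n: int) -> bytes:
    # H^n(secret): the secret hashed n times.
    value = secret
    for _ in range(n):
        value = h(value)
    return value

class OpieServer:
    # Server side: keeps only the sequence number and the last accepted
    # value H^seq(secret); the secret itself is never stored.
    def __init__(self, secret: bytes, n: int):
        self.seq = n
        self.last = chain(secret, n)

    def challenge(self) -> int:
        # The count the user must hash the secret with; drops by one per login.
        return self.seq - 1

    def verify(self, response: bytes) -> bool:
        if self.seq <= 1 or h(response) != self.last:
            return False  # chain exhausted or wrong response; seq unchanged
        self.last = response  # the accepted response becomes the new anchor
        self.seq -= 1
        return True

def client_response(secret: bytes, challenge: int) -> bytes:
    # Computed by the user (or read off the printed list): H^challenge(secret).
    return chain(secret, challenge)

def scenario() -> dict:
    secret = b"correct-horse-battery"  # constructed sample secret
    server = OpieServer(secret, n=5)
    results = {}
    c1 = server.challenge()                                      # 4
    r1 = client_response(secret, c1)
    results["first_login"] = server.verify(r1)                   # True
    results["replay_used"] = server.verify(r1)                   # False, consumed
    c2 = server.challenge()                                      # 3
    results["challenge_decremented"] = (c2 == c1 - 1)
    r2 = client_response(secret, c2)
    results["garbled_response"] = server.verify(b"typo" + r2)    # False
    results["challenge_unchanged"] = (server.challenge() == c2)  # still open
    results["replay_unused"] = server.verify(r2)                 # True, never consumed
    return results
```

The last two results are the point of the thread: a response that the server never accepted stays valid for the unchanged challenge, which is why a keyboard you do not trust matters even though each accepted password is burned immediately.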



