Difference between revisions of "S/KEY Authentication"

From ArchWiki
(http -> https://aur.archlinux.org)
m (see Help:Style)
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[Category:Daemons and system services (English)]]
+
[[Category:Security]]
 
+
 
This guide shows you how you can enable S/KEY one-time password authentication on your Arch.
 
This guide shows you how you can enable S/KEY one-time password authentication on your Arch.
  
WARNING! Do following actions on secure connection from a secure computer. A chain is as strong as its weakest link.
+
{{Warning|Do following actions on secure connection from a secure computer. A chain is as strong as its weakest link.}}
  
 
== Install opie ==
 
== Install opie ==
From [https://aur.archlinux.org/packages.php aur], install following packages:
+
Install the following packages from the [[AUR]]:
* libpam-opie
+
* {{AUR|libpam-opie}}
* opie-client
+
* {{AUR|opie-client}}
* opie-server
+
* {{AUR|opie-server}}
  
 
(As of today 2010-05-17 packages does not seem to support x86_64 but there is posted a fix on comments of opie-client)
 
(As of today 2010-05-17 packages does not seem to support x86_64 but there is posted a fix on comments of opie-client)
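Review bot: The context line "(As of today 2010-05-17 packages does not seem to support x86_64 ...)" is left untouched directly below the new {{AUR|...}} list, so a dated compatibility remark stays next to freshly updated package links. Confirm it still applies and reword it (for example "As of 2010-05-17 the packages do not seem to support x86_64 ..."), or drop it. Since this hunk already converts the warning to {{Warning|...}}, the remark could move into a {{Note|...}} template for consistency.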
Line 15: Line 14:
 
== Config pam module ==
 
== Config pam module ==
 
In /etc/pam.d tweak config files for wanted logins. I tweaked sshd and sudo. Do the following to selected files:
 
In /etc/pam.d tweak config files for wanted logins. I tweaked sshd and sudo. Do the following to selected files:
<pre>
+
 
auth  required  pam_unix.so
+
auth  required  pam_unix.so
change to (note order)-->
+
change to (note order)-->
auth sufficient pam_unix.so
+
auth sufficient pam_unix.so
auth sufficient pam_opie.so
+
auth sufficient pam_opie.so
</pre>
+
  
 
If you want to use SSH, change ChallengeResponseAuthentication to yes in /etc/ssh/sshd_config
 
If you want to use SSH, change ChallengeResponseAuthentication to yes in /etc/ssh/sshd_config
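Review bot: Inside the new <pre> block, the line "change to (note order)-->" is instruction text sitting between the old and new PAM lines, so a reader who copies the block into a file under /etc/pam.d gets a line PAM cannot parse. Split it into two <pre> blocks with the sentence between them as normal text. It would also help to state next to the new lines that with both modules marked "sufficient", either the UNIX password or the one-time password alone authenticates the user.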
Line 30: Line 28:
 
After entering a passphrase you get your OTP key:
 
After entering a passphrase you get your OTP key:
  
<pre>
+
ID busk OTP key is 499 fe6839
ID busk OTP key is 499 fe6839
+
MIRE MORE ODE DOME REAM
MIRE MORE ODE DOME REAM
+
</pre>
+
  
 
== Get yourself some passwords ==
 
== Get yourself some passwords ==
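Review bot: The sample output now wrapped in <pre> shows five words ("MIRE MORE ODE DOME REAM") where an S/KEY response is six words, so the example looks truncated. While touching these lines, replace it with complete output from a throwaway key, and say in the text that the first line carries the sequence number and seed that the later opiekey command takes as arguments.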
Line 40: Line 36:
 
OR alternative way for Java-enabled mobile phone owners:
 
OR alternative way for Java-enabled mobile phone owners:
 
Get [http://fatsquirrel.org/software/vejotp/ VeJotp], It's free and you can generate passwords on the run.
 
Get [http://fatsquirrel.org/software/vejotp/ VeJotp], It's free and you can generate passwords on the run.
 
  
 
Now, when you ssh to your box, hit Enter to the password prompt and you will be prompted for onetime password.
 
Now, when you ssh to your box, hit Enter to the password prompt and you will be prompted for onetime password.
  
 
This guide is based on [http://busk.blogs.lysator.liu.se/2009/12/12/skey-one-time-passwords-using-opie/]
 
This guide is based on [http://busk.blogs.lysator.liu.se/2009/12/12/skey-one-time-passwords-using-opie/]

Revision as of 09:14, 28 April 2013

This guide shows how to enable S/KEY one-time password authentication on Arch Linux.

Warning: Perform the following actions over a secure connection from a secure computer. A chain is only as strong as its weakest link.

Install opie

Install the following packages from the AUR: libpam-opie, opie-client and opie-server.

(As of 2010-05-17 the packages do not seem to support x86_64, but a fix is posted in the comments of opie-client.)

Config pam module

In /etc/pam.d, edit the configuration files for the logins you want to cover. I tweaked sshd and sudo. Make the following change in each selected file. Replace

auth  required  pam_unix.so

with (note the order):

auth sufficient pam_unix.so
auth sufficient pam_opie.so

If you want to use SSH, change ChallengeResponseAuthentication to yes in /etc/ssh/sshd_config.

Create an OTP key

As your regular user (not root), run:

$ opiepasswd -c

After entering a passphrase you get your OTP key:

ID busk OTP key is 499 fe6839
MIRE MORE ODE DOME REAM

Get yourself some passwords

# opiekey -n 20 499 fe6839

Alternatively, owners of Java-enabled mobile phones can get VeJotp. It is free, and you can generate passwords on the go.

Now, when you SSH to your box, press Enter at the password prompt and you will be prompted for a one-time password.
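
How the sequence number and seed shown above are used, as an added example that is not part of the original guide or of OPIE's code: a simplified model of the RFC 2289 MD5 hash chain, in which the server keeps only the last accepted value and each response verifies exactly once. The passphrase is a constructed sample, the names `fold_md5`, `otp`, `Server` and `enroll` are hypothetical, and passwords are handled as raw bytes (printed as hex) instead of the six-word encoding.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """MD5 the input, then fold the 128-bit digest to 64 bits (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """Client side: the 64-bit one-time password for sequence number seq."""
    value = fold_md5((seed.lower() + passphrase).encode())  # initial step
    for _ in range(seq):  # then apply the hash seq more times
        value = fold_md5(value)
    return value

class Server:
    """Server side: stores only the last accepted OTP, never the passphrase."""

    def __init__(self, seed: str, seq: int, stored: bytes):
        self.seed, self.seq, self.stored = seed, seq, stored

    def challenge(self) -> str:
        # Ask for the password one step earlier in the chain than the stored one.
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.seq < 1:
            return False  # chain used up: a new key has to be set
        # Hashing the response once must reproduce the stored value.
        if not hmac.compare_digest(fold_md5(response), self.stored):
            return False
        self.stored, self.seq = response, self.seq - 1  # each OTP works once
        return True

def enroll(passphrase: str, seed: str, seq: int) -> Server:
    """Setting a key in this model: store the OTP for the starting sequence."""
    return Server(seed, seq, otp(passphrase, seed, seq))

if __name__ == "__main__":
    secret = "constructed example passphrase"  # constructed sample value
    server = enroll(secret, "fe6839", 499)     # sequence and seed from the page
    print(server.challenge())
    answer = otp(secret, "fe6839", 498)
    # The first use is accepted, a replay of the same answer is rejected.
    print(answer.hex(), server.verify(answer), server.verify(answer))
```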

This guide is based on http://busk.blogs.lysator.liu.se/2009/12/12/skey-one-time-passwords-using-opie/