Using one-time passwords (OTPW) in SSH authentication

One-time passwords/OTPW consists of one-time password generator and PAM-integrated verification routines.

One-time passwords are generated apriori with the generator, given to the user and cryptographic hash of the generated passwords are stored in the host. When a user logs in with a one-time password, OTPW’s PAM module verifies the password, and invalidates it to prevent re-use.

## install (deb/ubuntu)
$ apt-get install otpw-bin libpam-otpw
$ vi /etc/pam.d/sshd
#@include common-auth
auth       required
session    optional

## install (arch)
$ yaourt -S otpw 
$ vi /etc/pam.d/ssh-otpw
auth sufficient
session optional
$ vi /etc/pam.d/sshd
auth      include   ssh-otpw
#auth      include   system-remote-login

## install (el/fedora)
$ yum git gcc pam-devel
$ git clone ; cd optw
$ vi Makefile
$ make ; sudo make install
# disable SELinux
$ vi /etc/selinux/config
$ vi /etc/pam.d/sshd
#auth       substack     password-auth
auth       required
session    optional

## configure sshd
$ vi /etc/ssh/sshd_config
UsePAM yes
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
$ systemctl restart sshd

## generate passwords
# asks for a prefix to user cannot login even if list is public
$ otpw-gen > ~/temporary_password.txt
# print 'otpw_passwords' file; passwords are store in '~/.otpw'

## using
$ ssh user@remote_host
Password INDEX:
# use password in INDEX prefixed with your prefix
# if successful '~/.otpw' is updated to void used password

from otpw@xmodulo and otpw@arch/otpw@ubuntu


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s