
Setup One Time Passwords With PAM

SSH is secure, but what if someone is running a keylogger or otherwise obtains your password? One-time passwords (OTPs) let you log in securely even if an attacker knows your regular password and an OTP you have already used, because each OTP is accepted only once. Since the OTP is generated cryptographically, only your SSH server knows what the next one is. Before you start using OTPs, you must generate your first set of passwords so that you can print and save them.

There are many commercial OTP systems such as SecurID, but with the assistance of the GRC Newsgroup, Steve Gibson has developed Perfect Paper Passwords, or PPP. He released the specifications into the public domain, so there are many open source implementations. For securing SSH access to your server, a PPP Pluggable Authentication Module (PAM) is the best option. An open source PAM module has been developed on Google Code and is what this article uses. These instructions are adapted from the ppp-pam wiki.

Make sure you have the appropriate packages installed. On a fresh Ubuntu distribution, the following packages were required:

Download version 0.2 of the source code and save it to your disk. Open a terminal window and extract the source files.

    tar -xvzf ppp-pam-0.2.tar.gz
    cd ppp-pam

Build the code.

    cd build
    ../configure
    make

Install the pppauth utility and PAM module in the appropriate folders. (You will need to enter your administrator password to run the following command.)

    sudo make install

Enable PPP authentication for SSH connections. (Feel free to use your preferred editor rather than vi.) The specifics here may vary depending on your Linux distribution. If you find that they deviate significantly, please post a comment here.

    sudo vi /etc/pam.d/ssh

Enter the following line just below @include common-auth:

    auth       required       pam_ppp.so

Close and save the file. Make sure you have the following settings in /etc/ssh/sshd_config:

    ChallengeResponseAuthentication yes
    UsePAM yes

Switch to the user account you wish to protect and create a PPP sequence key for it. This sequence key is the master code used to generate the OTPs.

    pppauth --key

Generate a passcard. Print or save it -- you'll need it to log in over SSH.

    pppauth --text --next 1

Try logging in to test it.

    ssh localhost

For more commands, run pppauth --help
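Before relying on the new login flow, it helps to confirm that the two edited files actually say what the steps above intend. The script below is an added example, not part of ppp-pam or the original instructions; the function names and sample file contents are constructed for illustration, and it assumes plain whitespace-separated `Keyword value` lines (sshd `Match` blocks are not interpreted).

```shell
#!/bin/sh
# Added example: check copies of the two files this article edits.

# Print the value sshd would use for keyword $2 in file $1. Keywords are
# case-insensitive, and sshd keeps the first value it obtains for each one.
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Succeed only if both settings the article asks for are effectively "yes".
check_sshd() {
    [ "$(sshd_setting "$1" ChallengeResponseAuthentication)" = "yes" ] &&
    [ "$(sshd_setting "$1" UsePAM)" = "yes" ]
}

# Succeed only if an uncommented "auth required pam_ppp.so" line appears
# below "@include common-auth", which is where the article places it.
check_pam() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "@include" && $2 == "common-auth" { seen = 1; next }
        seen && $1 == "auth" && $2 == "required" && $3 == "pam_ppp.so" { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Write constructed sample files to a temp directory and print its path.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#UsePAM no' 'challengeresponseauthentication yes' \
        'UsePAM yes' > "$d/sshd_good"
    # The later "UsePAM yes" is ignored because the first value wins.
    printf '%s\n' 'ChallengeResponseAuthentication yes' 'UsePAM no' \
        'UsePAM yes' > "$d/sshd_bad"
    printf '%s\n' '@include common-auth' 'auth required pam_ppp.so' > "$d/pam_good"
    printf '%s\n' '@include common-auth' '#auth required pam_ppp.so' > "$d/pam_bad"
    echo "$d"
}

dir=$(make_samples)
for f in sshd_good sshd_bad pam_good pam_bad; do
    if "check_${f%_*}" "$dir/$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
rm -rf "$dir"
```

To check a real system, call `check_sshd` and `check_pam` with the paths of your own sshd_config and PAM service file, and keep an existing SSH session open while you test so a mistake does not lock you out.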

Retrieved from "http://wiki.vpslink.com/Setup_One_Time_Passwords_With_PAM"