ppp-pam (ssh & one-time passwords)

November 10th, 2009

Being forced from time to time to log in to my system over SSH from a machine I would never trust (WinXP/Vista without a firewall, publicly accessible) motivated me to configure a one-time password system.

UPDATE: I've written a similar system completely from scratch using ideas from ppp-pam. It is called "OTPasswd", since the name doesn't seem to be taken and it's a pretty neat shortcut for One-Time Passwords. It's actually pretty advanced: the version in the repository supports OOB messaging and policies, has nice manuals, etc. See its homepage and project page at Savannah.

There are a few available, like ppp-pam, otpw and sotp; most weren't in the repos of my distribution and some were simply too strange to use (s/key). I decided to take the one that looked pretty nice (mostly because of the sexy passcards), install it and then do some hacking. It works.

I chose ppp-pam, which looked like a rather abandoned project, wrote an ebuild, installed it and quite liked it. Still, it was fun to add configuration options to the module, patch one or two security issues (in my understanding), fix some less important issues where the same one-time password could be used twice, add some functionality I use (LaTeX output), write an exemplary /etc/pam.d/otp-login file, some README, etc.

Passcodes in ppp-pam are simple four-character words that avoid easily confused characters such as 0, O, 1 and l. Version 0.2.4 with the "secure" option (or without --dontSkip) handles the "race-for-the-last-key" attack better than OTPW in my opinion, by simply not allowing it to happen: by the time the user is asked for a passcode, it is already considered "used", and locking should prevent a race condition here (unless I missed something). A DoS in which an attacker uses up all the passcodes we have printed can be prevented by requiring the basic Unix password before prompting for a passcode at all. If my basic password is sniffed, an attacker can still do it, but that is something I can accept (he will still have to use plenty of different IPs, because sshguard will block him after a few attempts).
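To make the "mark as used before prompting, under a lock" idea concrete, here is a small added illustration written for this page; it is not ppp-pam's code, and the passcode derivation (HMAC-SHA256 of the card index, mapped onto an alphabet without 0, O, 1 and l) is an assumed toy scheme, not the one ppp-pam uses. The state file holds the index of the next unused passcode; `reserve_next` advances it inside an exclusive `flock()` and returns the index to prompt for, so two concurrent logins can never be offered the same code and an abandoned prompt still burns its code:

```python
import fcntl
import hashlib
import hmac
import os
import tempfile
import threading

# Alphabet without visually similar characters (no 0/O, no 1/l), as the post describes.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def passcode(secret: bytes, index: int, length: int = 4) -> str:
    """Derive the index-th passcode from a card secret.
    Hypothetical scheme (HMAC-SHA256 bytes mapped onto ALPHABET), not ppp-pam's."""
    digest = hmac.new(secret, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def new_state_file(start: int = 0) -> str:
    """Create a counter file holding the index of the next unused passcode (constructed)."""
    fd, path = tempfile.mkstemp(prefix="otp-state-")
    with os.fdopen(fd, "w") as f:
        f.write(str(start))
    return path


def reserve_next(state_path: str) -> int:
    """Atomically burn the next passcode and return its index.

    The exclusive flock() is held across the whole read-modify-write, so two
    logins racing for the same card can never both be offered index N. The
    counter moves forward *before* anyone is prompted, so abandoning or
    failing the prompt still consumes the code (the 'secure' behaviour)."""
    with open(state_path, "r+") as f:
        fcntl.flock(f.fileno(), fcntl.LOCK_EX)
        try:
            index = int(f.read().strip() or "0")
            f.seek(0)
            f.truncate()
            f.write(str(index + 1))
            f.flush()
            os.fsync(f.fileno())
        finally:
            fcntl.flock(f.fileno(), fcntl.LOCK_UN)
    return index


def authenticate(state_path: str, secret: bytes, prompt) -> bool:
    """Reserve a passcode, ask for it, and compare in constant time."""
    index = reserve_next(state_path)
    entered = prompt(index)  # a real module would print "Passcode #%d: " here
    return hmac.compare_digest(entered, passcode(secret, index))


def concurrent_reservations(workers: int = 20) -> list:
    """Have `workers` threads reserve at once; every index must be distinct."""
    path = new_state_file()
    got, lock = [], threading.Lock()

    def worker():
        i = reserve_next(path)
        with lock:
            got.append(i)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    os.unlink(path)
    return sorted(got)


def replay_demo(secret: bytes = b"constructed-card-secret") -> tuple:
    """A correct answer succeeds once; replaying the sniffed passcode fails,
    because the next prompt already asks for a different index."""
    path = new_state_file()
    first = authenticate(path, secret, lambda i: passcode(secret, i))
    captured = passcode(secret, 0)  # what a sniffer on the untrusted box saw
    replay = authenticate(path, secret, lambda i: captured)
    os.unlink(path)
    return first, replay


if __name__ == "__main__":
    print("distinct indexes under contention:", concurrent_reservations())
    print("(first login ok, replay ok):", replay_demo())
```

The lock matters only if every path that touches the counter goes through it; the flaw the post mentions, where one passcode could be used twice, is exactly what happens when some path reads the counter without it or advances it only after a successful answer.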

And if I accidentally end up without passcodes, I can still visit one URL and request the current passcode by SMS (or email). Cool, eh?

I've had no contact with the author so far, so if you like my changes you'll have to use my git repos or the source tarball ppp-pam-0.2.5.tar.bz2. The latest original release is version 0.2, so I'm marking this (kind of) fork with 0.2.x versions.

A Gentoo ebuild, which might be added to the sunrise overlay in the future, can also be used.
