LinuxQuestions.org
Old 10-13-2016, 12:00 PM   #1
linux4evr5581
Member
 
Registered: Sep 2016
Posts: 151

Rep: Reputation: Disabled
USB pass key


Can anyone recommend a method for generating passwords using all available password characters? I'm tired of creating and manually entering long passwords, so I want to make a USB passkey for the login screen, sudo, root, etc. Thanks in advance!

Last edited by linux4evr5581; 10-13-2016 at 01:57 PM.
 
Old 10-13-2016, 12:08 PM   #2
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 3,774
Blog Entries: 1

Rep: Reputation: 1339
If you have the ability to install 'pwgen' then do that. Change the '64' to however many digits you need and the '1' to how many passwords you need:

Code:
yum install pwgen
pwgen 64 1
Or using basic commands. Change the 'length=64' to however many digits you need and the 'passwords=1' to how many passwords you need:

Code:
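# Number of passwords to print and the length of each one
passwords=1
length=64
x=1
while [ "$x" -le "$passwords" ]
do
  # Take printable runs from the kernel RNG, strip newlines, spaces and tabs,
  # then keep the first $length characters
  strings /dev/urandom | head -n 100 | tr -d '\n \t' | cut -c1-"$length"
  x=$(( x + 1 ))
done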

Last edited by szboardstretcher; 10-13-2016 at 12:15 PM. Reason: length
 
2 members found this post helpful.
Old 10-13-2016, 01:44 PM   #3
linux4evr5581
Member
 
Registered: Sep 2016
Posts: 151

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by szboardstretcher View Post
If you have the ability to install 'pwgen' then do that. Change the '64' to however many digits you need and the '1' to how many passwords you need:

Code:
yum install pwgen
pwgen 64 1
Or using basic commands. Change the 'length=64' to however many digits you need and the 'passwords=1' to how many passwords you need:

Code:
# Number of passwords to print and the length of each one
passwords=1
length=64
x=1
while [ "$x" -le "$passwords" ]
do
  # Take printable runs from the kernel RNG, strip newlines, spaces and tabs,
  # then keep the first $length characters
  strings /dev/urandom | head -n 100 | tr -d '\n \t' | cut -c1-"$length"
  x=$(( x + 1 ))
done
I decided I like makepasswd, but your script, do I just modify it to run on startup then paste to my USB and it will work just like a key?
 
Old 10-13-2016, 01:55 PM   #4
Turbocapitalist
Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 954
Blog Entries: 3

Rep: Reputation: 380
If you're dealing with a lot of remote logins, you can put RSA keys onto various sorts of dongle. The Yubikey can use RSA or maybe the NitroKey. Older versions of the Yubikey (Neo and earlier) still use FOSS, but the new ones not so much and can be avoided.
 
1 members found this post helpful.
Old 10-13-2016, 02:17 PM   #5
linux4evr5581
Member
 
Registered: Sep 2016
Posts: 151

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
If you're dealing with a lot of remote logins, you can put RSA keys onto various sorts of dongle. The Yubikey can use RSA or maybe the NitroKey. Older versions of the Yubikey (Neo and earlier) still use FOSS, but the new ones not so much and can be avoided.
Thanks, I just read an article on NitroKey. I guess it uses special firmware that prevents viruses or something. I wonder if it's possible to use a CD-R instead of USB? But now I'm looking into pam-usb tools which uses 2fa with a token and one time pass, I think it's what I'm looking for as long as I can use makepasswd to generate the one-time pass.

Last edited by linux4evr5581; 10-13-2016 at 02:20 PM.
 
Old 10-13-2016, 02:25 PM   #6
Turbocapitalist
Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 954
Blog Entries: 3

Rep: Reputation: 380
Quote:
Originally Posted by linux4evr5581 View Post
Thanks, I just read an article on NitroKey. I guess it uses special firmware that prevents viruses or something. I wonder if it's possible to use a CD-R instead of USB? But now I'm looking into pam-usb tools which uses 2fa with a token and one time pass, I think it's what I'm looking for as long as I can use makepasswd to generate the one-time pass.
Not really. The dongles appear as keyboards, all processing is done onboard separate from the main computer. With a CD-RW (or CD-R) you'd be running the program in main memory and the whole disc would be readable. Then that'd defeat some of the theoretical protection offered by dongles.

You might look at TOTP or something like that, but I haven't used those. The old way to do OTP was S/Key or an equivalent. They'd use PAM. I think there's even a PAM module called OTPW. Either way, there's more to it than just generating a list of passwords.
 
Old 10-13-2016, 04:18 PM   #7
linux4evr5581
Member
 
Registered: Sep 2016
Posts: 151

Original Poster
Rep: Reputation: Disabled
I assumed that the CD-R would be less permissive than a USB since a USB is read/write. So wouldn't both be readable in either case, which is why you encrypt the flash drive? (or in case of the CD-R encrypt the password database, and use a password file as the encryption key and that key can be stored on the CD-R that's encrypted with Rohos) TOTP sounds good but I think you need the app that generates the tokens on a mobile phone. At most I would use a Raspberry Pi to do that if possible, but I don't want to use a mobile device just for that. So I guess the old-school way like you said, OTP with PAM modules, would work. I understand it's more than just passwords, there's an algorithm that generates the token, but then I thought the other part was just making a password.

Last edited by linux4evr5581; 10-13-2016 at 06:05 PM.
 
Old 10-13-2016, 10:52 PM   #8
Turbocapitalist
Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 954
Blog Entries: 3

Rep: Reputation: 380
You also have to have a way to verify the password used, and a way to cross it off the list once it is used.

The CD-RW / CD-R analog won't work because the Yubikey and NitroKey are not flash drives. The OS does not read them, their contents are unavailable to the OS. If you want to think of them as anything, think of them as keyboards. Only one password is available at a time and the dongle types it in for you.

In the case of Yubikey, you press a button and the very small computer inside the dongle will generate and send to USB input a new one-time password (OTP) just as if you typed it out. The OTP consists of a public id for the dongle itself plus an encoded, AES-encrypted version of the OTP. The machine you are authenticating on needs to be able to decrypt the OTP and then verify its components. First there is a CRC check of sorts. Then various fields inside the OTP are extracted, including a counter to try to prevent replay attacks.

At least that's the case if I interpret it correctly:

https://github.com/Yubico/yubico-c/b...st-vectors.txt

Last edited by Turbocapitalist; 10-14-2016 at 02:40 AM.
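The verification steps described in the post above (CRC check, field extraction, replay counter), sketched as an added example that is not part of the original thread and not Yubico's code. It assumes the AES-128 decryption has already produced the 16-byte plaintext block; the field layout, modhex alphabet and CRC residue are given as understood from the Yubico OTP format, and all function names are hypothetical.

```python
import struct

# Assumed from the Yubico OTP format: modhex alphabet, CRC residue, field layout.
MODHEX = "cbdefghijklnrtuv"      # keyboard-layout-safe replacement for 0-9a-f
CRC_OK_RESIDUE = 0xF0B8          # CRC-16 of a valid block, stored CRC included

def modhex_decode(s):
    """Decode a modhex string (two characters per byte) to bytes."""
    return bytes.fromhex("".join("%x" % MODHEX.index(c) for c in s))

def crc16(data):
    """CRC-16, reflected polynomial 0x8408, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def split_otp(otp):
    """Split a typed OTP: the last 32 modhex chars are the AES block, the rest is the public id."""
    return otp[:-32], modhex_decode(otp[-32:])

def parse_block(plain):
    """Unpack a decrypted block; None if the length or CRC is wrong."""
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        return None
    uid, ctr, ts_lo, ts_hi, use, _rnd, _crc = struct.unpack("<6sHHBBHH", plain)
    return {"uid": uid, "counter": ctr, "use": use, "timestamp": ts_hi << 16 | ts_lo}

def verify(plain, expected_uid, last_seen):
    """Return the new (counter, use) to store, or None for a bad or replayed OTP."""
    tok = parse_block(plain)
    if tok is None or tok["uid"] != expected_uid:
        return None
    fresh = (tok["counter"], tok["use"])
    return fresh if fresh > last_seen else None   # must be strictly newer

def make_block(uid, ctr, use):
    """Build a constructed plaintext block (fixed timestamp and random field)."""
    body = struct.pack("<6sHHBBH", uid, ctr, 0x1234, 0x01, use, 0xBEEF)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

if __name__ == "__main__":
    uid = bytes.fromhex("010203040506")            # constructed private id
    state = verify(make_block(uid, 5, 0), uid, (0, 0))
    print(state, verify(make_block(uid, 5, 0), uid, state))
```

The server has to persist the returned `(counter, use)` pair per dongle; that stored value is what turns a captured OTP into a rejected replay.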
 
Old 10-14-2016, 11:31 AM   #9
linux4evr5581
Member
 
Registered: Sep 2016
Posts: 151

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
You also have to have a way to verify the password used, and a way to cross it off the list once it is used.

The CD-RW / CD-R analog won't work because the Yubikey and NitroKey are not flash drives. The OS does not read them, their contents are unavailable to the OS. If you want to think of them as anything, think of them as keyboards. Only one password is available at a time and the dongle types it in for you.

In the case of Yubikey, you press a button and the very small computer inside the dongle will generate and send to USB input a new one-time password (OTP) just as if you typed it out. The OTP consists of a public id for the dongle itself plus an encoded, AES-encrypted version of the OTP. The machine you are authenticating on needs to be able to decrypt the OTP and then verify its components. First there is a CRC check of sorts. Then various fields inside the OTP are extracted, including a counter to try to prevent replay attacks.

At least that's the case if I interpret it correctly:

https://github.com/Yubico/yubico-c/b...st-vectors.txt
I get it now, there's a HID device on the dongle that acts like the keyboard. But just to clear things up, are those dongles the only way to make it act as an automatic key, I can't do it on a USB? Or can I use a USB but have to use the token method only, instead of the traditional 2fa with a token and password? I say traditional because pamusb-tools can have 2fa, but it does so by merging the token with the one-time pass...

Last edited by linux4evr5581; 10-14-2016 at 12:27 PM.
 
Old 10-14-2016, 01:45 PM   #10
Turbocapitalist
Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 954
Blog Entries: 3

Rep: Reputation: 380
Having your program on your regular USB key will be no different than having it in your home directory except that it might disappear from time to time while it is unplugged. It's still a regular file system and is visible while plugged in and mounted. The dongle is a small, specialized computer that just does one or two things resulting in it acting like a keyboard and sending a stream of fake keystrokes.

With PAM you can require one method of several available or else require two or more methods for authentication.
 
Old 10-14-2016, 01:54 PM   #11
linux4evr5581
Member
 
Registered: Sep 2016
Posts: 151

Original Poster
Rep: Reputation: Disabled
So it should still work, that's great, ok I understand now that the dongle keys are more specialized, therefore more reliable, efficient and secure. Thanks for all the help!!
 
  

