LinuxQuestions.org, Linux - Security: One time root password script (https://www.linuxquestions.org/questions/linux-security-4/one-time-root-password-script-4175439086/)

Exitcode127 11-28-2012 03:51 AM

One time root password script
 
Hello guys,

This is my first post on this forum :)

Often when I travel, I have to connect to my boxes from machines I don't have control over (eg. customer site).

My idea is to create a script that changes the root password of a server after every login. The passwords would be kept in a coded format in a file and shown once when the script is initiated. Let's say the script gives me a list of 20 future passwords. Then, every time I need to log in, I have to use the next password in the list. After every successful login, the script would automatically change the password and apply the next one in the list.

My machines mostly use md5-based passwords ($1$) with a salt. I am trying to understand how the server generates the string stored in the shadow file. I would like to know the manual steps to go from a password to the string in the /etc/shadow file.

Your help is appreciated.

PS: if the script is good, it will be made available to the community.

acid_kewpie 11-28-2012 04:03 AM

Plenty of examples out there...
Code:

    # prints an md5-crypt shadow entry, $1$<salt>$<22-char hash>, with a fresh random salt each run
    echo "password" | openssl passwd -1 -stdin

I'd suggest that using a root password at all is the problem, why ever allow root logins? Log in as a normal user, then su with the known root password over a secure encrypted session. Or use "sudo -i" and have no root password involved in the process at all. I see where you're coming from, but I think it's a bad idea. You're reinventing the wheel and making it square.
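
The openssl one-liner above hides the "manual steps" the original question asks for. What follows is an added example, not code from the thread or from any of the posters: a from-scratch implementation of the md5-crypt ($1$) construction that crypt(3) in glibc and FreeBSD uses, so the transformation from password plus salt to the /etc/shadow field is visible step by step, plus a verifier and a helper that builds the "list of future passwords" the first post describes (plaintext shown once, only the hashes kept). Function names, the alphabet used for generated passwords and the 12-character default length are my choices, not anything from the thread.

```python
import hashlib
import secrets

# Added example (not from the thread): md5-crypt ("$1$") as implemented by crypt(3).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant group first (crypt's to64())."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the shadow field "$1$<salt>$<22 chars>" for `password` and `salt`."""
    pw = password.encode()
    salt = salt[:8]               # crypt(3) uses at most 8 salt characters
    sb = salt.encode()

    # Step 1: the main context starts with password, the "$1$" magic, and the salt.
    ctx = hashlib.md5(pw + b"$1$" + sb)

    # Step 2: an alternate digest of password+salt+password, fed in once per
    # 16 bytes of password length, truncated on the last block.
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16

    # Step 3: walk the bits of the password length (LSB first); a set bit appends
    # a NUL byte, a clear bit appends the first password byte.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # Step 4: 1000 stretching rounds; what goes in, and in which order, depends on the round.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Step 5: crypt's byte permutation into 24-bit groups, encoded with the itoa64 alphabet.
    groups = [
        (final[0] << 16) | (final[6] << 8) | final[12],
        (final[1] << 16) | (final[7] << 8) | final[13],
        (final[2] << 16) | (final[8] << 8) | final[14],
        (final[3] << 16) | (final[9] << 8) | final[15],
        (final[4] << 16) | (final[10] << 8) | final[5],
    ]
    encoded = "".join(_to64(g, 4) for g in groups) + _to64(final[11], 2)
    return f"$1${salt}${encoded}"


def verify(password: str, shadow_hash: str) -> bool:
    """Check `password` against a "$1$salt$hash" field by recomputing with the stored salt."""
    if not shadow_hash.startswith("$1$"):
        raise ValueError("not an md5-crypt hash")
    salt = shadow_hash.split("$")[2]
    return secrets.compare_digest(md5_crypt(password, salt), shadow_hash)


def future_passwords(count: int, length: int = 12) -> list:
    """Generate `count` random passwords, each with a fresh 8-char salt, as (plaintext, hash) pairs.
    The plaintext column is what the poster would print once; only the hash column
    needs to live on the server. Alphabet and length are this example's choices."""
    alphabet = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    entries = []
    for _ in range(count):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
        entries.append((pw, md5_crypt(pw, salt)))
    return entries


if __name__ == "__main__":
    for pw, h in future_passwords(3):
        print(pw, h, verify(pw, h))
```

To check the implementation on your own machine, compare `md5_crypt("password", "saltsalt")` with `openssl passwd -1 -salt saltsalt password`; the two must agree byte for byte. Note that $1$ is only 1000 rounds of MD5 and is no longer what current distributions default to ($6$ sha512-crypt or yescrypt); it is shown here to explain the format the poster is looking at, not as a recommendation.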

Exitcode127 11-28-2012 05:27 AM

Thank you :) It points me to the right direction.

Even with a user account, the problem would be the same if someone is logging what I type on the keyboard. The script can work with the root account or any other account.

For my eBanking, my bank gives me a list of 100 passwords and every time I use one, I tick it off in the list. So for the next login, I would use a different password.

acid_kewpie 11-28-2012 05:55 AM

Hmm OK, keyloggers... good point.

Here then I'd suggest a formal OTP solution. I know there are pure GPL solutions out there, but something like openotp would work well with a smartphone and fewer than 25 user accounts - http://www.rcdevs.com/products/openotp/

Turbocapitalist 11-28-2012 08:21 AM

Better to invest your time in one of the existing systems, unless you will make a better one.

s/key and opie seem to be gone, but otpw seems to be around still.

If you can tolerate dongles, yubikey seems to be rising in popularity.

sundialsvcs 11-28-2012 10:44 AM

I think that the time will quickly come, either when you can't log-in any more, or when your "secret" paper list of passwords gets pick-pocketed and photocopied. :rolleyes:

I would, first of all, bring a computer with me and set it up with password-protected (encrypted...) VPN certificates to allow access to the target servers. Access to the servers e.g. by SSH or other means is not possible, except through the VPN tunnel, and access to the tunnel is only possible for a bearer of a currently valid certificate (i.e. you) who knows the encryption key for the same and is thereby able to use it.

Actually, password-free SSH logins, using once again digital certificates (encrypted, again) is stronger in my opinion than any password system. And, this SSH cannot directly log-in to root.

It must be used to log-in to a maintenance account which might be the only member of the "wheel" group or otherwise via PAM the only one who can from there gain access to root. This maintenance account has read/write access to directories and files of elevated concern, such that full root access is not required to get to those files. (The maintenance account is super but not super-duper.)

So, a keylogger wouldn't do any good: someone would have to steal your laptop, hold a gun to your head to get the encryption key for the certificate, and so on . . .
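
The sshd side of the design described above (no direct root login, keys instead of passwords, only the maintenance account's group allowed in) comes down to a handful of sshd_config settings, and a common mistake is to append the hardened lines below an earlier permissive one, which does nothing because sshd honours the first occurrence of each keyword. The following is an added example, not from the thread or from any poster: a small checker that parses sshd_config text with OpenSSH's own rules (keywords case-insensitive, first occurrence wins, directives inside a Match block are conditional and therefore not global, absent keywords fall back to the daemon's defaults) and reports settings that contradict the design. The two embedded configs are constructed samples; the PermitRootLogin default of prohibit-password is OpenSSH 7.0 and later, and ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication.

```python
import re

# Added example (not from the thread): audit sshd_config text for the
# "no direct root, keys only, named group only" design described in the thread.

WEAK_CONFIG = """\
# constructed sample: a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: keys only, no root, only the maintenance account's group
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups wheel
"""

# Acceptable values for the design. "prohibit-password" is deliberately NOT accepted
# for PermitRootLogin: it still allows key-based root login, which the design forbids.
REQUIRED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

# sshd's defaults when the keyword is absent (OpenSSH 7.0+ for PermitRootLogin).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; keywords are alphanumeric and case-insensitive.
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*)?(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Return the effective GLOBAL settings as {lowercase keyword: lowercase value}.
    First occurrence wins, comments are stripped, and everything after a Match
    line is skipped because it only applies when the Match condition holds."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)   # first occurrence wins, like sshd
    return effective


def audit(text: str) -> list:
    """Return a list of findings (empty means the config matches the design)."""
    eff = parse_sshd_config(text)
    findings = []
    for key, ok in REQUIRED.items():
        val = eff.get(key, DEFAULTS[key])
        if val not in ok:
            findings.append(f"{key}={val} (want {'/'.join(sorted(ok))})")
    if "allowgroups" not in eff and "allowusers" not in eff:
        findings.append("no AllowGroups/AllowUsers: any account with a key can log in")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

Run it against `/etc/ssh/sshd_config` with `audit(open("/etc/ssh/sshd_config").read())`; the checker reads only the main file, so a hardened setting in an `Include`d drop-in or a permissive one inside a Match block still needs a look by hand. The authoritative answer remains `sshd -T`, which prints the effective configuration the daemon would actually use.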

