LinuxQuestions.org, Linux - Server forum
#1, 11-24-2010, 03:31 PM, Member (Registered: Sep 2008, Posts: 50)
One-time passwords by OTPW
I want to give my users the option of logging in to the system. They should be able to choose between logging in with their default password or with a one-time password (OTPW).
I installed OTPW on my Debian system.
Here is my /etc/pam.d/sshd file:
Code:
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale
# OTPW support
auth sufficient pam_otpw.so
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
#session optional pam_mail.so standard noenv # [1]
# OTPW support
session optional pam_otpw.so
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple
# Standard Un*x password updating.
@include common-password
Here is my /etc/ssh/sshd_config file:
Code:
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 666
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
# MOTD display. Enabling this option makes the MOTD
# appear twice (PAM already prints it)
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
# Banner shown before login
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
# Time allowed to log in to the server
#LoginGraceTime 120
# Maximum number of authentication attempts per connection
MaxAuthTries 3
# Maximum number of open sessions per connection
MaxSessions 2
# Note: LoginGraceTime and UsePrivilegeSeparation are already set above;
# sshd uses the first value it reads for a keyword, so the two lines below are ignored
LoginGraceTime 1800
ClientAliveInterval 0
UsePrivilegeSeparation yes
During login I don't get any information about which password I have to enter. Here is the information from my logs:
Quote:
Nov 24 22:13:41 borekfalecki sshd[8152]: pam_unix(sshd:session): session opened for user seprob by (uid=0)
Nov 24 22:13:41 borekfalecki sshd(pam_otpw)[8152]: pam_get_data() failed
#2, 11-25-2010, 03:56 PM, Senior Member (Registered: Aug 2009, Posts: 3,790)
Just checking that you generated some one time passwords and the file ~/.otpw exists .. ?
#3, 11-26-2010, 07:25 AM, Member, Original Poster (Registered: Sep 2008, Posts: 50)
Yes, I did. It looks like the following: I log in and the system asks me for a one-time password. After this it asks me for my system password and then I'm in. The error in the logs appears again.
#4, 11-27-2010, 01:04 AM, Senior Member (Registered: Aug 2009, Posts: 3,790)
I'm not sure this will work but try making the change below:
Code:
auth sufficient pam_otpw.so debug
Maybe we'll be able to get some more info out of it
#5, 11-27-2010, 06:03 AM, Member, Original Poster (Registered: Sep 2008, Posts: 50)
From /var/log/auth.log:
Quote:
Nov 27 12:59:21 borekfalecki sshd(pam_otpw)[16240]: pam_sm_authenticate called, flags=1
Nov 27 12:59:21 borekfalecki sshd(pam_otpw)[16240]: username is seprob
Nov 27 12:59:21 borekfalecki sshd(pam_otpw)[16240]: uid=0, euid=0, gid=0, egid=0
Nov 27 12:59:21 borekfalecki sshd(pam_otpw)[16240]: challenge: 009
Nov 27 12:59:21 borekfalecki sshd(pam_otpw)[16240]: calling conversation function
Nov 27 12:59:36 borekfalecki sshd(pam_otpw)[16240]: conversation function returned 0
Nov 27 12:59:36 borekfalecki (pam_otpw)[16240]: Password 0 = '++==Sq7t'
Nov 27 12:59:36 borekfalecki (pam_otpw)[16240]: Prefix = ''
Nov 27 12:59:36 borekfalecki (pam_otpw)[16240]: hash(password): 'by6aE7Wq+arn', hash from file: 'Nt55czUhzBY%'
Nov 27 12:59:36 borekfalecki (pam_otpw)[16240]: Entered password did not match.
Nov 27 12:59:36 borekfalecki (pam_otpw)[16240]: Removing lock file
Nov 27 12:59:36 borekfalecki sshd(pam_otpw)[16240]: incorrect password from user seprob
Nov 27 12:59:41 borekfalecki sshd[16236]: Accepted keyboard-interactive/pam for seprob from 91.150.220.49 port 29925 ssh2
Nov 27 12:59:41 borekfalecki sshd[16236]: pam_unix(sshd:session): session opened for user seprob by (uid=0)
Nov 27 12:59:41 borekfalecki sshd(pam_otpw)[16236]: pam_get_data() failed
Nov 27 12:59:45 borekfalecki sshd[16048]: pam_unix(sshd:session): session closed for user seprob
Hmm, the password should look like "++== Sq7t". It looks like the system doesn't see or doesn't get my spacebar.
#6, 11-27-2010, 05:46 PM, Senior Member (Registered: Aug 2009, Posts: 3,790)
Maybe try generating some new passwords and retest .. ?
#7, 11-29-2010, 01:11 AM, Member, Original Poster (Registered: Sep 2008, Posts: 50)
All passwords always contain a space, so it won't help.
#8, 11-29-2010, 03:23 AM, Senior Member (Registered: Aug 2009, Posts: 3,790)
I'm not sure I understand .. are you saying that every password generated contains the [space] character ?
#9, 11-29-2010, 02:58 PM, Member, Original Poster (Registered: Sep 2008, Posts: 50)
That's right.
#10, 11-29-2010, 05:05 PM, Senior Member (Registered: Aug 2009, Posts: 3,790)
I don't think you're supposed to enter the spaces; that's just the way the output is formatted for readability when you generate them. Please try without.
(borrowed from http://www.cl.cam.ac.uk/~mgk25/otpw.html)
Code:
OTPW list generated 2003-08-31 21:06 on trillium.cl.cam.ac.uk
000 IZdB bqyH 006 rF62 k6zi 012 JCFe 6at3 018 uaYT azuu 024 Nt7n b=fQ
001 yCSo /VQs 007 Phvb =6ZW 013 8Pm7 DbYJ 019 OdAk H62c 025 /pOm :ZEA
002 mESf +nWK 008 J9fH iXrn 014 MAds 6TTS 020 Aj6W 9O4P 026 DhCc yrPY
003 x4vX HXr2 009 DGPC amts 015 B=xZ waPx 021 MzUP Ahsc 027 UWTe G3Fh
004 A5z9 japt 010 s6cr xwZ5 016 sCgq Da5Y 022 Q=XK 4I7w 028 xszW Ha9L
005 YCcA k29/ 011 inn6 Rsa/ 017 m8za o/HB 023 umS= gYoU 029 +HmG Rr6P
E.g. password 015 should be entered as 'B=xZwaPx'
#11, 11-30-2010, 12:32 AM, Member, Original Poster (Registered: Sep 2008, Posts: 50)
I did it. I receive the same message in /var/log/auth.log.
#12, 11-30-2010, 04:49 PM, Senior Member (Registered: Aug 2009, Posts: 3,790)
I just noticed that my sshd_config has "UsePrivilegeSeparation no", please change yours, restart sshd and retry
example session:
Code:
[root@xxx ~]# ssh me@localhost
Password 160:
Last login: Wed Dec 1 09:39:41 2010 from localhost.localdomain
[me@xxx ~]$
Password file excerpt:
Code:
...
160 kCF+ YWBW
...
Entered without spaces as:
Code:
<prefix_password>kCF+YWBW
I also noticed that SELinux will prevent sshd from accessing ~/.otpw and ~/otpw.lock.
hth
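A small log checker, added here as an example and not part of this thread or of OTPW itself, that reads pam_otpw debug output of the kind shown in post #5 and reports the two input mistakes raised in posts #10 and #12 (spaces typed into the one-time password, empty prefix password), plus whether sshd still accepted the login through pam_unix after OTPW failed, which is what "auth sufficient pam_otpw.so" placed before common-auth allows. The sample lines, hostname, PIDs and client address are constructed, and the message patterns are taken from the excerpt quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the pam_otpw debug lines quoted in this
# thread (hostname, PIDs and the client address are made up).
SAMPLE_LOG = """\
Nov 27 12:59:21 host sshd(pam_otpw)[16240]: pam_sm_authenticate called, flags=1
Nov 27 12:59:21 host sshd(pam_otpw)[16240]: username is seprob
Nov 27 12:59:21 host sshd(pam_otpw)[16240]: challenge: 009
Nov 27 12:59:36 host (pam_otpw)[16240]: Password 0 = '++== Sq7t'
Nov 27 12:59:36 host (pam_otpw)[16240]: Prefix = ''
Nov 27 12:59:36 host (pam_otpw)[16240]: Entered password did not match.
Nov 27 12:59:36 host sshd(pam_otpw)[16240]: incorrect password from user seprob
Nov 27 12:59:41 host sshd[16236]: Accepted keyboard-interactive/pam for seprob from 192.0.2.10 port 29925 ssh2
Nov 27 12:59:41 host sshd[16236]: pam_unix(sshd:session): session opened for user seprob by (uid=0)
"""
# syslog timestamp and host, then "proc[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ [^\[]*\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def analyze_otpw_log(text):
    """Reconstruct pam_otpw attempts per user and flag whitespace typed into the
    OTP and an empty prefix password. Also records whether sshd accepted the login
    although OTPW failed, which 'auth sufficient pam_otpw.so' before common-auth allows."""
    users = defaultdict(lambda: {"attempts": [], "accepted_after_otpw_failure": False})
    pid_user = {}  # pam_otpw PID -> user, learned from the 'username is' line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (u := re.match(r"username is (\S+)$", msg)):
            pid_user[pid] = u[1]
            users[u[1]]["attempts"].append({"challenge": None, "failed": False, "problems": []})
        elif (a := re.match(r"Accepted keyboard-interactive/pam for (\S+)", msg)):
            attempts = users[a[1]]["attempts"]
            if attempts and attempts[-1]["failed"]:
                users[a[1]]["accepted_after_otpw_failure"] = True  # pam_unix let the user in
        elif pid in pid_user:
            cur = users[pid_user[pid]]["attempts"][-1]
            if (c := re.match(r"challenge: (\d+)", msg)):
                cur["challenge"] = c[1]
            elif (p := re.match(r"Password \d+ = '(.*)'$", msg)) and re.search(r"\s", p[1]):
                cur["problems"].append("whitespace in entered OTP")  # list spacing is cosmetic
            elif msg == "Prefix = ''":
                cur["problems"].append("empty prefix password")
            elif msg.startswith("Entered password did not match"):
                cur["failed"] = True
    return dict(users)
```

As the sample shows, the debug option writes the entered password and prefix into auth.log in clear text, so take it off the pam_otpw line again once the mismatch is understood.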
#13, 12-01-2010, 05:01 AM, Member, Original Poster (Registered: Sep 2008, Posts: 50)
Still doesn't work. I have Debian.