@andrewlkho
Created April 15, 2014 14:43
Securing authentication in Debian with OPIE

This was originally posted on 2010-08-28 to http://andrewho.co.uk/weblog/securing-authentication-in-debain-with-opie

A lot of the software I use is run on a remote server, and as a consequence I often have a terminal connected to this server. Whilst most of the time I log in through my own computer, it often comes up that I need to SSH in using an unknown computer (such as someone else's, or the university computing cluster). I needed to come up with a way that made it easy to get in whilst using my own (secure) computers, but provided an extra layer of security when using potentially insecure terminals. Enter OPIE.

To get OPIE working in Debian Lenny, you need to install the packages libpam-opie, opie-client and opie-server. You then need to set up OPIE with a secret. The easiest way to do this is to run opiepasswd -c -f from a known secure terminal (a direct console is best). Alternatively, you can use a combination of opiepasswd and opiekey.

The next step is to let the various systems know about OPIE. There are two points of authentication where I frequently enter my passphrase. The first is to authenticate an SSH session ("logging in"), and the second is when using sudo. Fortunately, it's easy to set these up in an unobtrusive manner.

For SSH, here's the key part of my sshd_config:

AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication yes
PubKeyAuthentication yes
UsePAM yes
PasswordAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
PermitRootLogin no

Then comment out the @include common-auth line in /etc/pam.d/sshd and add auth requisite pam_opie.so. So what will happen when I try to SSH in? Well, if I'm on one of my own trusted computers, then ssh-agent will be running, and so I will go straight in. If, however, I'm on an untrusted terminal, then my SSH keys won't be installed, so public key authentication will fail and OPIE will be used (via PAM).

The next step is sudo. This involves commenting out the @include common-auth line in /etc/pam.d/sudo and replacing it with:

auth sufficient pam_unix.so
auth sufficient pam_opie.so

So most of the time, whilst I'm on my own computers, I can just authenticate with my UNIX password. However, if I am on an untrusted computer, I will deliberately fail UNIX password authentication, which drops through to OPIE.

In terms of OPIE calculators, I personally use 1key on my iPhone, but I'm sure there are plenty of others for your smartphone platform of choice.
