The trouble with a username and password is that they never change. We create them, write them down or memorize them, then use them over and over again. What has been needed is an inexpensive system that provides something which changes every time it is used. GRC's Perfect Paper Passwords system offers a simple, safe and secure, free and well documented solution that is being adopted by a growing number of security-conscious Internet facilities to provide their users with state-of-the-art cryptographic logon security.
For securing SSH into your server, a PPP Pluggable Authentication Module is the best option. An open source PAM has been developed over on Google Code and is what this article uses. These instructions are adapted from the ppp-pam wiki.
Make sure you have the appropriate packages installed.
Download version 0.2 of the source code and save to your disk. Open a terminal window and extract the source files.
# tar -xvzf ppp-pam-0.2.tar.gz
Build the code.
# cd ppp-pam
# cd build
Install the pppauth utility and PAM module in the appropriate folders. (You will need to enter your administrator password to run the following command):
# make install
Enable PPP authentication for ssh connections. The specifics here may vary depending on your Linux distribution. If you find that they deviate significantly, please post a comment here.
# vi /etc/pam.d/sshd
Enter the following line just below @include common-auth:
auth required pam_ppp.so
Close and save the file. Make sure you have the following settings in /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
Switch to the user account you wish to protect and create a PPP sequence key for your user account. This sequence key is the master code used to generate the OTPs:
$ pppauth --key
Generate a passcard. Print or save it -- you'll need it to log in over SSH:
$ pppauth --text --next 1
Try logging in to test it:
$ ssh localhost
Passcode 1B :
Last login: Sat Apr 18 16:56:43 2009 from localhost
Have a lot of fun..
For more commands, run pppauth --help
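To confirm that the PAM and sshd settings from the steps above are actually in effect, the following shell functions audit both files. This is an added example, not code from the ppp-pam project or the original article; the function names and the sample files written by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two settings this article configures.

# True if an uncommented "auth required pam_ppp.so" line follows
# "@include common-auth" in the PAM service file "$1".
pam_ppp_enabled() {
    awk '
        /^[ \t]*#/ { next }    # ignore commented-out lines
        $1 == "@include" && $2 == "common-auth" { seen = 1; next }
        seen && $1 == "auth" && $2 == "required" && $3 == "pam_ppp.so" { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# True if the first global ChallengeResponseAuthentication line in "$1"
# says yes. sshd keeps the first value it reads for a keyword, keyword
# names are case-insensitive (arguments are not), and lines after a
# "Match" line are conditional, so the scan stops there.
challenge_response_enabled() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "challengeresponseauthentication" { val = $2; exit }
        END { exit (val == "yes") ? 0 : 1 }' "$1"
}

# Report both checks; returns non-zero if either one fails.
audit_ppp_ssh() {
    rc=0
    pam_ppp_enabled "$1" && echo "OK   pam_ppp.so required in $1" \
        || { echo "FAIL pam_ppp.so not required after common-auth in $1"; rc=1; }
    challenge_response_enabled "$2" && echo "OK   ChallengeResponseAuthentication yes in $2" \
        || { echo "FAIL ChallengeResponseAuthentication is not yes in $2"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from a real host) for a dry run.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '@include common-auth' 'auth required pam_ppp.so' > "$d/sshd"
    printf '%s\n' 'ChallengeResponseAuthentication no' \
                  'ChallengeResponseAuthentication yes' > "$d/sshd_config"
    audit_ppp_ssh "$d/sshd" "$d/sshd_config"; rc=$?
    rm -rf "$d"
    return $rc
}

demo || true   # PAM check passes; sshd check fails because the earlier "no" wins
```

On a real host, call audit_ppp_ssh /etc/pam.d/sshd /etc/ssh/sshd_config after editing the files and before closing your existing session.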