The trouble with a username and password is that they never change. We create them, write them down or memorize them, then use them over and over again. What has been needed is an inexpensive system that provides something which changes every time it is used. GRC's Perfect Paper Passwords system offers a simple, safe and secure, free and well documented solution that is being adopted by a growing number of security-conscious Internet facilities to provide their users with state-of-the-art cryptographic logon security.
For securing SSH into your server, a PPP Pluggable Authentication Module is the best option. An open source PAM has been developed over on Google Code and is what this article uses. These instructions are adapted from the ppp-pam wiki.
Make sure you have the appropriate packages installed.
* subversion
* make
* gcc
* g++
* libc6-dev
* uuid-dev
* libpam0g-dev
* openssh-server
Download version 0.2 of the source code and save to your disk. Open a terminal window and extract the source files.
# tar -xvzf ppp-pam-0.2.tar.gz
Build the code:
# cd ppp-pam
# cd build
# ../configure
# make
Install the pppauth utility and PAM module in the appropriate folders. (You will need to enter your administrator password to run the following command):
# make install
Enable PPP authentication for ssh connections. The specifics here may vary depending on your Linux distribution. If you find that they deviate significantly, please post a comment here.
# vi /etc/pam.d/sshd
Enter the following line just below @include common-auth
auth required pam_ppp.so
Close and save the file. Make sure you have the following settings in /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
UsePAM yes
Switch to the user account you wish to protect and create a PPP sequence key for your user account. This sequence key is the master code used to generate the OTPs:
$ pppauth --key
Generate a passcard. Print or save it -- you'll need it to log in over SSH:
$ pppauth --text --next 1
Try logging in to test it:
$ ssh localhost
Password:
Passcode 1B [1]:
Last login: Sat Apr 18 16:56:43 2009 from localhost
Have a lot of fun..
$
For more commands, run pppauth --help
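A way to confirm the PAM and sshd_config edits described above before relying on them, as an added example that is not from this article or the ppp-pam project. The function names are made up for this sketch, and it only reads the two files named in the steps (or copies passed as arguments).

```shell
#!/bin/sh
# Added example: read-only audit of the two files edited in this article.
# check_ppp_ssh [PAM_FILE] [SSHD_CONFIG] -> returns the number of failed checks.

# Value of the first active occurrence of keyword $2 in sshd_config file $1.
# sshd keeps the first value it reads; keywords are case-insensitive.
# Assumption: Match blocks and Include files are not interpreted.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Line number of the first uncommented "auth required pam_ppp.so", or empty.
ppp_line() {
    awk '$1 == "auth" && $2 == "required" && $3 ~ /(^|\/)pam_ppp\.so$/ { print NR; exit }' "$1"
}

# Line number of "@include common-auth", or empty (not every distribution has it).
include_line() {
    awk '$1 == "@include" && $2 == "common-auth" { print NR; exit }' "$1"
}

check_ppp_ssh() {
    pam=${1:-/etc/pam.d/sshd}
    sshd=${2:-/etc/ssh/sshd_config}
    problems=0
    ppp=$(ppp_line "$pam")
    inc=$(include_line "$pam")
    if [ -z "$ppp" ]; then
        echo "FAIL: no active 'auth required pam_ppp.so' line in $pam"
        problems=$((problems + 1))
    elif [ -n "$inc" ] && [ "$ppp" -lt "$inc" ]; then
        # The article places the passcode step below the normal password check.
        echo "FAIL: pam_ppp.so (line $ppp) is above @include common-auth (line $inc)"
        problems=$((problems + 1))
    fi
    for key in ChallengeResponseAuthentication UsePAM; do
        val=$(sshd_value "$sshd" "$key")
        if [ "$val" != "yes" ]; then
            echo "FAIL: $key is '${val:-unset}' in $sshd, expected yes"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] && echo "OK: sshd is set up to prompt for a PPP passcode"
    return "$problems"
}

# Run directly with explicit paths, e.g. sh check.sh /etc/pam.d/sshd /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then check_ppp_ssh "$@"; fi
```

A commented-out line counts as missing, so a leftover `#auth required pam_ppp.so` is reported as a failure.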
5 comments:
Thanks for posting this!
this is cool !
Thanks for posting :)
BTW. A more feature-full and more secure continuation of ppp-auth can be found here:
https://savannah.nongnu.org/projects/otpasswd/
I get this error when trying to install
/usr/bin/ld: pam_ppp_so-pam_ppp.o: relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
pam_ppp_so-pam_ppp.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [pam_ppp.so] Error 1
any suggestions?
You have to add the -fPIC flag to the makefile on the MYCFLAGS line: MYCFLAGS -I blah blah blah -fPIC.