linux poison RSS
linux poison Email

Perfect Paper Passwords - One Time Password System (OpenSuse)

Almost without exception, today's Internet users prove their identity online using a fixed account name and password. In the past, this simple system provided sufficient security. But with the growing popularity of online banking and eCommerce, the value of stealing online identities has skyrocketed. And the increasing presence and "spyware" and "malware" on innocent users' computers means that users can be "watched" while logging onto their banking and other eCommerce sites. Once their logon credentials have been "captured" and stolen, Internet criminals can easily assume their identity.

The trouble with a username and password is that they never change. We create them, write them down or memorize them, then use them over and over again. What has been needed is an inexpensive system that provides something which changes everytime it is used. GRC's Perfect Paper Passwords system offers a simple, safe and secure, free and well documented solution that is being adopted by a growing number of security-conscious Internet facilities to provide their users with state-of-the-art cryptographic logon security.

For securing SSH into your server, a PPP Pluggable Authentication Module is the best option. An open source PAM has been developed over on Google Code and is what this article uses. These instructions are adapted from the ppp-pam wiki.

Make sure you have the appropriate packages installed.

    * subversion
    * make
    * gcc
    * g++
    * libc6-dev
    * uuid-dev
    * libpam0g-dev
    * openssh-server

Download version 0.2 of the source code and save to your disk. Open a terminal window and extract the source files.
# tar -xvzf ppp-pam-0.2.tar.gz
# cd ppp-pam
Build the code
# cd build
# ../configure
# make
Install the pppauth utility and PAM module in the appropriate folders. (You will need to enter your administrator password to run the following command): # make install

Enable PPP authentication for ssh connections. The specifics here may vary depending on your linux distribution. If you find that they deviate significantly, please post a comment here.
# vi /etc/pam.d/sshd
Enter the following line just below @include common-auth
auth       required
Close and save the file. Make sure you have the following settings in /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
UsePAM yes
Switch to the user account you wish to protect and create a PPP sequence key for your user account. This sequence key is the master code used to generate the OTPs: $ pppauth --key

Generate a passcard. Print or save it -- you'll need it to log in over SSH: $ pppauth --text --next 1

Try logging in to test it: $ ssh localhost
$ ssh localhost
Passcode 1B [1]:
Last login: Sat Apr 18 16:56:43 2009 from localhost
Have a lot of fun..
 For more commands, run pppauth --help


Anonymous said...

Thanks for posting this!

Gopi said...

this is cool !

Thanks for posting :)

Anonymous said...

BTW. A more feature-full and more secure continuation of ppp-auth can be found here:

Anonymous said...

I get this error when trying to install

/usr/bin/ld: pam_ppp_so-pam_ppp.o: relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
pam_ppp_so-pam_ppp.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [] Error 1

any suggestions?

Anonymous said...

You have to add the -fPIC flag to the makefile on the MYCFLAGS line: MYCFLAGS -I blah blah blah -fPIC.

Post a Comment

Related Posts with Thumbnails