Jon Stewart on Thu, 5 Aug 2004 01:38:41 -0500 (CDT)


[hosers-talk] opie

Opie is a one-time password package for linux. Herewith, my plan for 
allowing secure logins into my linux box from an untrusted host:

1. Create two user accounts, my "real" account and a dummy account. 
Generate a public/private key pair for each; the dummy account private key 
will be left unencrypted, hence no password is required.

2. Put the real account's private key within the home directory of the 
dummy user. Put the dummy account's private key on a usb drive for use on 
the road.

4. Install opie and memorize the list of one-time passwords (annoying).

5. ssh into my linux box from an untrusted host (e.g. work box, internet 
cafe, client sites, etc.), using dummy account. Authenticate using 
unencrypted private key on usb drive.

6. As second step, opie prompts for the appropriate one-time password. 
This is typed in from memory.

7. Access is now granted to dummy account. ssh into real account using 
encrypted private key, entering its password.

Normally, a login from an untrusted host can easily defeat ssh's public 
key authentication as the private key must exist on the host for some 
period of time and the password to the key must be entered; a careless ssh 
implementation could forget to memlock the password buffer, so it could 
get swapped out, and even memlock is no protection against keyloggers 
(which are becoming increasingly prolific). By using the one-time 
password, which is a secret, you can blithely ignore keyloggers and swap. 
By using public key authentication for the private account, you combine 
something you know (the OTP) with something you have (the private key) and 
you also initiate an encrypted session. Once into the dummy account, you 
can then safely enter your password for the real private key, because the 
real private key never leaves the trusted machine.

A dummy account is used so that trusted hosts can log into the real 
account directly, avoiding the OTP rigamarole.

Clumsy, but I think it should work.

Jon Stewart                                 Advanced Los Angeles C++
hosers-talk mailing list
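An added example, not from the post, of how the two-account scheme can be enforced on a current OpenSSH server with PAM-based OPIE: the account names `dummy` and `real`, the trusted subnet 192.0.2.0/24, the file paths and an installed `pam_opie.so` are all assumptions.

```conf
# --- /etc/ssh/sshd_config (assumed path; AuthenticationMethods needs OpenSSH 6.2+) ---

PubkeyAuthentication yes
PasswordAuthentication no          # never fall back to a reusable password
KbdInteractiveAuthentication yes   # lets PAM prompt for the OPIE response
                                   # (ChallengeResponseAuthentication on OpenSSH < 8.7)
UsePAM yes

# Only these principals may log in at all: the dummy account from anywhere,
# the real account only from the trusted network or from the loopback
# interface (the second hop is "ssh real@localhost" run inside the dummy shell).
AllowUsers dummy real@192.0.2.0/24 real@127.0.0.1

# Dummy account: BOTH the unencrypted USB key AND the memorised one-time
# password are required, and the account is a stepping stone only.
Match User dummy
    AuthenticationMethods publickey,keyboard-interactive:pam
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no

# Real account: key only, no OTP, reachable only from the addresses above.
Match User real
    AuthenticationMethods publickey

# --- /etc/pam.d/sshd (assumed path) ---
# Put this before the distribution's common-auth include so the OPIE
# challenge is the one the keyboard-interactive step asks for.
auth    required    pam_opie.so
```

Check the result with `sshd -T -C user=dummy,addr=203.0.113.5` (and again with `user=real`), which prints the effective settings for that connection without restarting the daemon.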