Two Factor Authentication with SSH & S/Key on OpenBSD
For some time now system administrators have known that password authentication has its shortcomings. Password based authentication depends on password quality and how passwords are handled by users. Considering how easy it is to crack a password system administrators have to rely on Public Key based authentication.
Public-key-authentication mitigates the effects of a dictionary attack on SSH by eliminating the need for a password. But, what happens when a user's laptop gets compromised? Our user is using public key authentication and is not required to enter a password when logging in. An attacker who gains access to our user's laptop has unrestricted access to any of the servers our user has a public key on.
With the new version of OpenSSH 6.2 released on March 22, 2013, it is possible to enforce multi factor authentication. System administrators can now protect their servers by combining more than one authentication factor.
Two factor authentication with SSH
The new SSH command to specify which authentication methods to use is
AuthenticationMethods followed with one or more lists of
authentication methods to use. Successful authentication requires the
completion of every authentication method by the user.
In the following example, SSH enforces the public key and the password before allowing the user to log into our system.
A user login requires two factors, as shown in the following
example. The first factor is successfully authenticated as displayed
by the message
Authenticated with partial success., then SSH
requests the second authentication factor which is in our example the
$ ssh 192.168.10.216 Authenticated with partial success. firstname.lastname@example.org's password:
To further improve the security of my systems I have combined the SSH public key authentication with another authentication system known as One Time Passwords (OTP). As the name suggests, the password can only be used once. An OTP system ensures that a discovered password is useless to the person who discovers it.
Configuring SSH and S/Key
S/Key is a secure and simple OTP system based on a one-way hash
sha1. S/Key has been a standard
part of OpenBSD distributions for as long as I can remember.
The very first thing the system administrator needs to do is to enable S/Key with the following command.
$ sudo skeyinit -E
Then each user using S/Key needs to initialize their account with skeyinit. The system responds with a warning and prompts the user to enter their current system password. If the authentication is successful, then the user is prompted for a secret passphrase.
bob$ skeyinit Reminder - Only use this method if you are directly connected or have an encrypted channel. If you are using telnet, hit return now and use skeyinit -s. Password: [Adding bob with md5] Enter new secret passphrase: Again secret passphrase: ID bob skey is otp-md5 100 zonb08446 Next login password: LURK SOD ACID GUNK EDGE FAKE
The account is now setup and skeyinit presents the next challenge and corresponding password.
The next step is to force the login to use S/Key instead of the traditional password.
Edit the file
login.conf and change the following lines.
$ sudo vi /etc/login.conf ... auth-defaults:auth=skey: ...
Then recompile the
$ sudo cap_mkdb /etc/login.conf
Now you can change your
sshd_config file to require SSH to use both
publickey and S/Key. Then restart the SSH
$ sudo vi /etc/ssh/sshd_config ... # Authentication: AuthenticationMethods publickey,keyboard-interactive ... $ sudo /etc/rc.d/sshd restart sshd(ok) sshd(ok)
We are now done. Any user with the default login profile will be
forced to have a valid
publickey setup on their system and use S/Key
OTP to connect to the server. If you didn't forget to copy your SSH
public key onto the server you should be able to login as shown here.
$ ssh 192.168.10.216 -l bob Authenticated with partial success. otp-md5 99 zonb08446 S/Key Password:
To calculate the challenge I use an iPhone app simply called OTP, but you can find an equivalent for Androïd, Windows Phone, or even Palm.
If you live off the grid and don't own a phone, you can even print the next challenges on a piece of paper with the following command. Just never leave that piece of paper with your computer. Otherwise thieves stealing your laptop will have all they need to connect to your server.
$ skey -n 7 `skeyinfo` Reminder - Do not use this program while logged in via telnet. Enter secret passphrase: 93: FOAM LEW IVY ONUS ENDS ROD 94: IONS SAND RAVE RITE TAUT TUFT 95: BOSE FOIL SCAT TAIL GYM RED 96: ALSO SNUB AWL GULF GALL SHAY 97: FILM WAS GLEE LOUD REP HANS 98: TWO COLD HUH HER AID KIND 99: BESS AMY GAIT WHEN BOCK LIEN
S/Key saves some files into the
/etc/skey the directory. If
is mounted on a read only file system, like it is often done on
embedded systems, S/Key will not work. Today there is no way to
configure or change the path of the S/Key files.