For some time now, system administrators have known that password authentication has its shortcomings. Password-based authentication depends on password quality and on how users handle their passwords. Considering how easy it is to crack a password, system administrators have to rely on public-key-based authentication.
Public-key authentication mitigates the effects of a dictionary attack on SSH by eliminating the need for a password. But what happens when a user's laptop gets compromised? Our user is using public-key authentication and is not required to enter a password when logging in. An attacker who gains access to our user's laptop has unrestricted access to every server our user has a public key on.
With the new version of OpenSSH 6.2, released on March 22, 2013, it is possible to enforce multi-factor authentication. System administrators can now protect their servers by combining more than one authentication factor.
Two factor authentication with SSH
The new sshd_config keyword to specify which authentication methods to use is AuthenticationMethods, followed by one or more lists of authentication methods. Successful authentication requires the user to complete every authentication method in a list.
In the following example, SSH enforces the public key and the password before allowing the user to log into our system.
AuthenticationMethods publickey,password
A user login now requires two factors, as shown in the following example. The first factor is successfully authenticated, as displayed by the message "Authenticated with partial success.", then SSH requests the second authentication factor, which in our example is the password.
$ ssh 192.168.10.216
Authenticated with partial success.
fred@192.168.10.216's password:
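As an added example (my own code, not from the post or from OpenSSH), here is a small checker that reads the AuthenticationMethods value the way sshd does: keyword case-insensitive, comments stripped, first value wins, space-separated alternatives and comma-separated methods within one alternative. It reports whether every alternative really demands two distinct factors, which is the property the post is after. The two config fragments are constructed for the demonstration.

```python
import re

# Constructed sshd_config fragments; neither is copied from a real host.
WEAK_CONFIG = """
# Authentication:
PubkeyAuthentication yes
# two alternatives separated by a space: either method alone is enough
AuthenticationMethods publickey password
"""

STRONG_CONFIG = """
# Authentication:
AuthenticationMethods publickey,keyboard-interactive
"""

# sshd accepts "Keyword value" as well as "Keyword=value".
_DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(\S.*)$")


def parse_authentication_methods(config_text: str):
    """Return the AuthenticationMethods value as a list of alternatives, each
    a list of methods that must all succeed (the user may satisfy any one
    alternative). Returns None when the directive is absent, which leaves
    sshd's default: any single enabled method is enough. Only the global
    section is read: sshd keeps the first value it sees, and anything after
    a Match line is conditional on that match."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        if keyword == "authenticationmethods":
            if value.lower() == "any":  # newer sshd spelling of the default
                return None
            return [alternative.split(",") for alternative in value.split()]
    return None


def enforces_two_factors(config_text: str) -> bool:
    """True only if every alternative demands at least two distinct methods,
    so no single stolen credential (a key file, a guessed password) is enough
    on its own. A repeated method such as publickey,publickey counts once:
    two keys on the same laptop are still one factor."""
    alternatives = parse_authentication_methods(config_text)
    if not alternatives:
        return False
    return all(len(set(alternative)) >= 2 for alternative in alternatives)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(name, parse_authentication_methods(text), enforces_two_factors(text))
```

Because `sshd -T` prints the effective configuration with lower-cased keywords, the same parser can be run over that output to audit what the daemon actually enforces rather than what the file appears to say.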
To further improve the security of my systems I have combined the SSH public key authentication with another authentication system known as One Time Passwords (OTP). As the name suggests, the password can only be used once. An OTP system ensures that a discovered password is useless to the person who discovers it.
Configuring SSH and S/Key
S/Key is a secure and simple OTP system based on a one-way hash function: md4, md5, rmd160, or sha1. S/Key has been a standard part of OpenBSD distributions for as long as I can remember.
The very first thing the system administrator needs to do is to enable S/Key with the following command.
$ sudo skeyinit -E
Then each user using S/Key needs to initialize their account with skeyinit. The system responds with a warning and prompts the user to enter their current system password. If the authentication is successful, then the user is prompted for a secret passphrase.
bob$ skeyinit
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet,
hit return now and use skeyinit -s.
Password:
[Adding bob with md5]
Enter new secret passphrase:
Again secret passphrase:
ID bob skey is otp-md5 100 zonb08446
Next login password: LURK SOD ACID GUNK EDGE FAKE
The account is now set up, and skeyinit presents the next challenge and the corresponding password.
The next step is to force the login to use S/Key instead of the traditional password.
Edit the file login.conf and change the following lines.
$ sudo vi /etc/login.conf
...
auth-defaults:auth=skey:
...
Then recompile the login.conf file.
$ sudo cap_mkdb /etc/login.conf
Now you can change your sshd_config file to require SSH to use both authentication methods, publickey and S/Key, then restart the SSH daemon.
$ sudo vi /etc/ssh/sshd_config
...
# Authentication:
AuthenticationMethods publickey,keyboard-interactive
...
$ sudo /etc/rc.d/sshd restart
sshd(ok)
sshd(ok)
We are now done. Any user with the default login profile will be forced to have a valid publickey set up for their account and to use S/Key OTP to connect to the server. If you didn't forget to copy your SSH public key onto the server, you should be able to log in as shown here.
$ ssh 192.168.10.216 -l bob
Authenticated with partial success.
otp-md5 99 zonb08446
S/Key Password:
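To make the challenge and response above concrete, here is an added example (my own code, not the post's and not OpenBSD's libskey) of the otp-md5 hash chain as RFC 2289 describes it, together with the check the server performs when it sees "otp-md5 99 zonb08446" answered. The seed is the one printed in the post's skeyinit output; the passphrase is constructed. The six-word dictionary encoding is left out, so keys are shown as hex instead of words.

```python
import hashlib

# Constructed sample values for the demonstration. The seed matches the
# one printed in the post's skeyinit output; the passphrase is made up.
SEED = "zonb08446"
PASSPHRASE = "constructed demo passphrase"


def skey_step(data: bytes) -> bytes:
    """One S/Key hash step in the otp-md5 variant (RFC 2289): MD5 the input
    and fold the 16-byte digest to 8 bytes by XORing its two halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_key(passphrase: str, seed: str, sequence: int) -> bytes:
    """64-bit one-time key for a sequence number. The lower-cased seed
    concatenated with the passphrase is hashed once, then the step function
    is applied `sequence` more times. Only the client (the phone app or the
    skey program) knows the passphrase, so only it can compute this."""
    key = skey_step((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        key = skey_step(key)
    return key


def upcoming_keys(passphrase: str, seed: str, next_sequence: int, count: int):
    """The paper list that `skey -n <count>` prints, as (sequence, hex)
    pairs with the next one to be used last, like the post's output."""
    sequences = range(next_sequence - count + 1, next_sequence + 1)
    return [(n, skey_key(passphrase, seed, n).hex()) for n in sequences]


class SkeyRecord:
    """What the server keeps under /etc/skey for one user: the sequence
    number and the last accepted key. The passphrase is never stored."""

    def __init__(self, passphrase: str, seed: str, sequence: int = 100):
        # skeyinit: the user proves the passphrase once and the server
        # stores key number `sequence` (100 in the post's output).
        self.seed = seed
        self.sequence = sequence
        self.last_key = skey_key(passphrase, seed, sequence)

    def challenge(self) -> str:
        """The line sshd shows before the 'S/Key Password:' prompt."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept the response if one more hash step turns it into the stored
        key. On success the response becomes the new stored key, so the same
        value can never be accepted again, and because the step is one-way
        nothing kept on the server yields the next key."""
        if skey_step(response) != self.last_key:
            return False
        self.sequence -= 1
        self.last_key = response
        return True


if __name__ == "__main__":
    record = SkeyRecord(PASSPHRASE, SEED)
    print(record.challenge())
    for n, key_hex in upcoming_keys(PASSPHRASE, SEED, 99, 7):
        print(f"{n}: {key_hex}")
```

This is why a password captured from a stolen paper list or over someone's shoulder is useless once it has been used: the server only ever compares against the previous response, and walking the chain forward from a known key requires the passphrase it never stores.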
To compute the response to the challenge I use an iPhone app simply called OTP, but you can find an equivalent for Android, Windows Phone, or even Palm.
If you live off the grid and don't own a phone, you can even print the next challenges on a piece of paper with the following command. Just never leave that piece of paper with your computer. Otherwise thieves stealing your laptop will have all they need to connect to your server.
$ skey -n 7 `skeyinfo`
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase:
93: FOAM LEW IVY ONUS ENDS ROD
94: IONS SAND RAVE RITE TAUT TUFT
95: BOSE FOIL SCAT TAIL GYM RED
96: ALSO SNUB AWL GULF GALL SHAY
97: FILM WAS GLEE LOUD REP HANS
98: TWO COLD HUH HER AID KIND
99: BESS AMY GAIT WHEN BOCK LIEN
Caveat
S/Key saves some files into the /etc/skey directory. If /etc is mounted on a read-only file system, as is often done on embedded systems, S/Key will not work. Today there is no way to configure or change the path of the S/Key files.