2025-04-12 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 06/01 Report
This article explains how to use OTPW to log in to a Linux server securely over SSH. The content is simple, clear and easy to follow; please read along with the editor's train of thought to learn how to log in to a Linux server securely with SSH through OTPW.
Some people say that security is not a product but a process (LCTT note: the security company McAfee holds that security risk management is a methodology, not a stack of security products). Although the SSH protocol is designed to use encryption to ensure security, others can still compromise your system if it is used improperly: weak passwords, leaked keys, outdated SSH clients and so on can all cause security problems.
When choosing an SSH authentication scheme, public key authentication is generally considered more secure than password authentication. However, public key authentication is not designed for public environments. If you use public key authentication to log in to your SSH server from a public computer, your server is no longer secure: the public computer may record your private key or read it from memory. If you do not trust the local computer, you had better log in to the server another way. This is where one-time passwords (OTP) come in handy. As the name suggests, a one-time password can be used only once, which makes it ideal for insecure environments: even if it is stolen, it cannot be used again.
One way to generate one-time passwords is Google Authenticator, but in this article I will introduce another SSH login scheme: OTPW, a one-time password login package. Unlike Google Authenticator, OTPW does not rely on any third-party libraries.
What is OTPW?
OTPW consists of a one-time password generator and a PAM authentication module. The one-time passwords are generated in advance by the generator and handed to the user in some secure way (for example, printed on paper). Only hashes of these passwords are stored on the SSH server side. When a user logs in with a one-time password, OTPW's PAM module verifies the password and ensures that it cannot be used again.
Step 1: OTPW installation and configuration
On Debian, Ubuntu, or Linux Mint distributions
Install using apt-get:
The code is as follows:
$ sudo apt-get install libpam-otpw otpw-bin
Open the PAM configuration file for the SSH service (/etc/pam.d/sshd) and comment out the following line (to disable PAM password authentication):
The code is as follows:
#@include common-auth
Add the following two lines (to turn on the one-time password authentication feature):
The code is as follows:
auth required pam_otpw.so
session optional pam_otpw.so
On Fedora or CentOS/RHEL distributions
RedHat-based distributions ship no prebuilt OTPW package, so we need to build and install it from source.
First, install the compilation environment:
The code is as follows:
$ sudo yum install git gcc pam-devel
$ git clone https://www.cl.cam.ac.uk/~mgk25/git/otpw
$ cd otpw
Open the Makefile and edit the line that starts with "PAMLIB=" to match your system:
64-bit system:
The code is as follows:
PAMLIB=/usr/lib64/security
32-bit system:
The code is as follows:
PAMLIB=/usr/lib/security
Compile and install. Note that the installation process automatically restarts the SSH service, so if you are connected to the server over SSH, be prepared to be disconnected (if that happens, reconnect the original way; there is no one-time password yet).
The code is as follows:
$ make
$ sudo make install
Now you need to update the SELinux policy, because /usr/sbin/sshd writes data to your home directory, which SELinux does not allow by default. If you are not using SELinux (LCTT note: run the getenforce command; if it prints "Enforcing", SELinux is turned on), skip this step.
The code is as follows:
$ sudo grep sshd /var/log/audit/audit.log | audit2allow -M mypol
$ sudo semodule -i mypol.pp
Next, open the PAM configuration file (/etc/pam.d/sshd) and comment out the following line (to disable password authentication):
The code is as follows:
#auth substack password-auth
Add the following two lines (to turn on the one-time password authentication feature):
The code is as follows:
auth required pam_otpw.so
session optional pam_otpw.so
Step 2: configure the SSH server for one-time passwords
Open the /etc/ssh/sshd_config file and set the following three parameters. Make sure none of them appears more than once in the file, otherwise the SSH server may misbehave.
The code is as follows:
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
You also need to disable the default password authentication. In addition, you can choose to keep public key authentication enabled, so that you can still authenticate with your key when you do not have a one-time password at hand.
The code is as follows:
PubkeyAuthentication yes
PasswordAuthentication no
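The article warns that a repeated parameter can make sshd misbehave; since sshd honours the first occurrence of a keyword, a duplicate further down the file is silently ignored. The following added checker (example code, not part of the article or of OTPW) parses an sshd_config text and reports the five settings above when they are missing, set to another value, or repeated; the sample config is constructed.

```python
import re

# Added checker, not from the article: reads sshd_config text, skips comments, and reports
# keys that are missing, set to a different value, or repeated. sshd uses the first
# occurrence of a keyword, so a duplicate further down silently loses; the article's
# warning about repeated parameters is what this catches. Match blocks are not parsed.
EXPECTED = {
    "useprivilegeseparation": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
}


def parse_sshd_config(text: str) -> dict:
    """Map lowercased keyword -> list of values in file order, stopping at the first Match."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing/whole-line comments
        m = re.match(r"(\S+?)[\s=]+(.*)", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                        # everything below is conditional
            break
        seen.setdefault(key, []).append(value)
    return seen


def check_otpw_settings(text: str) -> list:
    """Return findings as strings; an empty list means the config matches the article."""
    seen = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        values = seen.get(key, [])
        if not values:
            findings.append(f"{key}: missing (want {want})")
        elif len(values) > 1:
            findings.append(f"{key}: set {len(values)} times ({', '.join(values)}); keep one")
        elif values[0].lower() != want:
            findings.append(f"{key}: is {values[0]}, want {want}")
    return findings


# Constructed sample, not a real server's file: one wrong value and one leftover duplicate.
SAMPLE = """\
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no   # leftover from an earlier edit
"""
```

Running `check_otpw_settings(open("/etc/ssh/sshd_config").read())` on a real host lists what still needs fixing before sshd is restarted.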
Restart the SSH server.
Debian, Ubuntu or Linux Mint distributions:
The code is as follows:
$ sudo service ssh restart
Fedora or CentOS/RHEL 7 distribution:
The code is as follows:
$ sudo systemctl restart sshd
Although the sshd service is restarted here, your current ssh connection should not be affected; however, you will not be able to establish a new connection the same way until you have completed the following steps. Therefore, to be safe, either open one more ssh connection so that you do not accidentally lose the current one, or postpone restarting sshd until after step 3.
Step 3: use OTPW to generate one-time passwords
As mentioned earlier, you need to create the one-time passwords in advance and keep them. Use the otpw-gen command to create them:
The code is as follows:
$ cd ~
$ otpw-gen > temporary_password.txt
This command asks you to enter a password prefix; when you log in later, you need to type this prefix followed by a one-time password. The prefix is another layer of protection: even if your one-time password table is compromised, no one can brute-force your SSH login without it.
Once the prefix is set, the command produces 280 one-time passwords and writes them to a text file (here temporary_password.txt). Each password (8 characters by default) is indexed by a 3-digit decimal number. Print out this password table and carry it with you.
Look at the ~/.otpw file, which holds the hashes of the one-time passwords. The first three decimal digits of each line are the index into the password table you carry with you, and that index is shown when you log in to the SSH server.
The code is as follows:
$ more ~/.otpw
OTPW1
280 3 12 8
191ai+:ENwmMqwn
218tYRZc%PIY27a
241ve8ns%NsHFmf
055W4/YCauQJkr:
102ZnJ4VWLFrk5N
2273Xww55hteJ8Y
1509d4b5=A64jBT
168FWBXY%ztm9j%
000rWUSdBYr%8UE
037NvyryzcI+YRX
122rEwA3GXvOk=z
Test logging in to the SSH server with a one-time password
Log in to the SSH server the usual way:
The code is as follows:
$ ssh user@remote_host
If OTPW is working, the prompt differs from the usual login:
The code is as follows:
Password 191:
Now open your password table and find the entry with index 191.
The code is as follows:
023 kBvp tq/G  079 jKEw /HRM  135 oW/c /UeB  191 fOO+ PeiD  247 vAnZ EgUt
As the table shows, password number 191 is "fOO+PeiD". You need to prepend the password prefix: for example, if you set the prefix "000", the password you actually enter is "000fOO+PeiD".
After a successful login, the password you just entered expires automatically. If you look at ~/.otpw again, the first entry has become "-", which means password 191 is no longer valid.
The code is as follows:
OTPW1
280 3 12 8
-
218tYRZc%PIY27a
241ve8ns%NsHFmf
055W4/YCauQJkr:
102ZnJ4VWLFrk5N
2273Xww55hteJ8Y
1509d4b5=A64jBT
168FWBXY%ztm9j%
000rWUSdBYr%8UE
037NvyryzcI+YRX
122rEwA3GXvOk=z
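As an added illustration (example code, not OTPW's own), the following Python simulates the mechanism described in Step 3 and the login test above: generate a prefix-protected table, pick an unused index for the "Password NNN:" prompt, verify the typed prefix+password against the stored hash, and overwrite the spent line with "-" so that a replay of the same password fails. The file layout follows ~/.otpw as shown; the hash (truncated SHA-256) is an assumption and is not OTPW's real algorithm.

```python
import hashlib
import hmac
import secrets
import string

# Constructed simulation, not OTPW's own code. It mirrors the ~/.otpw layout shown above
# (a version line, "count index_digits hash_len pw_len", one index+hash per line, and
# "-" for a spent entry). Assumption: the hash is a truncated SHA-256; real OTPW uses
# its own hash and encoding, so these files are not interchangeable with otpw-gen's.
ALPHABET = string.ascii_letters + string.digits + "+/%=:"
HEADER_LINES, INDEX_DIGITS, HASH_LEN, PW_LEN = 2, 3, 12, 8


def otpw_hash(secret: str) -> str:
    """Hash prefix+password exactly as typed at the prompt into a 12-char string."""
    return hashlib.sha256(secret.encode()).hexdigest()[:HASH_LEN]


def generate(prefix: str, count: int = 280):
    """Return (server_file, user_table): hashed lines for ~/.otpw and the plaintext table."""
    table = {}
    lines = ["OTPW1", f"{count} {INDEX_DIGITS} {HASH_LEN} {PW_LEN}"]
    for i in range(count):
        table[i] = "".join(secrets.choice(ALPHABET) for _ in range(PW_LEN))
        lines.append(f"{i:0{INDEX_DIGITS}d}{otpw_hash(prefix + table[i])}")
    return "\n".join(lines) + "\n", table


def challenge(server_file: str):
    """Pick the first unused index for the 'Password NNN:' prompt; None when all are spent."""
    for line in server_file.splitlines()[HEADER_LINES:]:
        if line != "-":
            return int(line[:INDEX_DIGITS])
    return None


def verify(server_file: str, index: int, typed: str):
    """Check typed prefix+password against entry `index`; on success replace it with '-'.
    Returns (ok, updated_file). A spent entry can never match again, so replay fails."""
    lines = server_file.splitlines()
    for n, line in enumerate(lines[HEADER_LINES:], start=HEADER_LINES):
        if line != "-" and int(line[:INDEX_DIGITS]) == index:
            if hmac.compare_digest(line[INDEX_DIGITS:], otpw_hash(typed)):
                lines[n] = "-"
                return True, "\n".join(lines) + "\n"
            return False, server_file
    return False, server_file
```

Calling `generate("000")`, then `challenge()` and `verify()` twice with the same password, reproduces the "-" line shown above and the rejected second attempt.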
Thank you for reading. The above is the content of "how to use OTPW to log in to a Linux server securely with SSH". After studying this article, I believe you have a deeper understanding of the topic; the specific usage still needs to be verified in practice. The editor will push more related articles for you; welcome to follow!