Domain: inner.net
Stories and comments across the archive that link to inner.net.
Comments · 7
-
Re:As always...
Is there a way to implement one time passwords with ssh?
Yes, there's several. Some SSH software has S/Key support (eg OpenSSH "./configure --with-skey"). The most current S/Key implementation seems to be the one in Wietse Venema's logdaemon package.
You can also do OTP through PAM or BSDauth if your platform supports those, eg pam_skey, pam_opie (OPIE: One-time Passwords In Everything)
Several systems have either S/Key or OPIE support natively (OPIE seems to be becoming the more popular of the two).
-
Re:Opie, the one everyone forgot.
I thought OPIE was One-time Passwords In Everything.
-
Re:sol'n: one-time password tokens
Or you could use an OTP system like OPIE, and your users can just get a batch of passwords, write them down, and use them up.
-
S/Key is now OPIE, & built into *BSD, other UnWhen deploying a S/Key derived OTP, you will want to take care in the selection of crypto algorithms. The original MD4 S/Key implementation has serious known weaknesses. MD5 is suspect.
The paranoid admin will deploy OPIE with SHA1 or RIPEMD-160, but there are very few clients/servers with support for anything beyond MD5.
- http://inner.net/opie
- http://original.killa.net/infosec/otpCalc/
- http://palmkey.sourceforge.net/
- http://directory.google.com/Top/Computers/Securit
y /Authentication/One_Time_Passwords/
Here's the scoop on the name change:
"One-time Passwords In Everything" (OPIE) is a freely distributable software package originally developed at and for the US Naval Research Laboratory (NRL). Recent versions are the result of a cooperative effort between of NRL, several of the original NRL authors, The Inner Net, and many other contributors from the Internet community.
The "primary" OPIE site is http://inner.net/opieOPIE is an implementation of the One-Time Password (OTP) System that is being considered for the Internet standards-track. OPIE provides a one-time password system. The system should be secure against the passive attacks now commonplace on the Internet (see RFC 1704 for more details). The system is vulnerable to active dictionary attacks, though these are not widespread at present and can be detected through proper use of system audit software.
OPIE is primarily written for UNIX-like operating systems, but work is underway to make applicable portions portable to other operating systems. The OPIE software is derived in part from and is fully interoperable with the Bell Communications Research (Bellcore) S/Key Release 1 software. Because Bellcore claims "S/Key" as a trademark for their software, NRL was forced to use a different name (they picked "OPIE") for this software distribution.
-
S/Key is now OPIE, & built into *BSD, other UnWhen deploying a S/Key derived OTP, you will want to take care in the selection of crypto algorithms. The original MD4 S/Key implementation has serious known weaknesses. MD5 is suspect.
The paranoid admin will deploy OPIE with SHA1 or RIPEMD-160, but there are very few clients/servers with support for anything beyond MD5.
- http://inner.net/opie
- http://original.killa.net/infosec/otpCalc/
- http://palmkey.sourceforge.net/
- http://directory.google.com/Top/Computers/Securit
y /Authentication/One_Time_Passwords/
Here's the scoop on the name change:
"One-time Passwords In Everything" (OPIE) is a freely distributable software package originally developed at and for the US Naval Research Laboratory (NRL). Recent versions are the result of a cooperative effort between of NRL, several of the original NRL authors, The Inner Net, and many other contributors from the Internet community.
The "primary" OPIE site is http://inner.net/opieOPIE is an implementation of the One-Time Password (OTP) System that is being considered for the Internet standards-track. OPIE provides a one-time password system. The system should be secure against the passive attacks now commonplace on the Internet (see RFC 1704 for more details). The system is vulnerable to active dictionary attacks, though these are not widespread at present and can be detected through proper use of system audit software.
OPIE is primarily written for UNIX-like operating systems, but work is underway to make applicable portions portable to other operating systems. The OPIE software is derived in part from and is fully interoperable with the Bell Communications Research (Bellcore) S/Key Release 1 software. Because Bellcore claims "S/Key" as a trademark for their software, NRL was forced to use a different name (they picked "OPIE") for this software distribution.
-
Draconian Password Policies Are Not The AnswerThis is a touchy area.
You need to have a password policy that encourages better passwords without requiring a specific password makeup.
If I encounter a system where my password must include mixed case and digits and punctuation, I'm going to make up a random string, and then have to write it down.
Some Unices I've encountered had a passwd(1) that would NOT allow you to enter a "bad" password, while others would nag you gently depending on how "bad" it was, but would eventually relent and let you set your password to "flower" if that's what you REALLLY wanted.
The REAL answer is not "password" but "pass phrase" where the text can be lengthy and meaningful to none but the user.
Furthermore Opie is a neat project to avoid keyboard snooping.
-
Telnet With S/Key
Even though I haven't used it often, telnet with S/Key login seems to be a great alternative to vanilla telnet.
From what I understand, it's only vulnerable to TCP hijacking (most things are) and dictionary attacks (which can be easily detected or accounts can be configured to be "locked out" after X bad login attempts).
The best one of these is OPIE which can provide a one time pad for telnet, FTP and even su.
Better yet, OpenBSD comes with this feature built into the OS.