Improved security for ssh authentication on fedora

With SSH, nothing travels unencrypted over the network. But if someone can capture what you type at the keyboard (for example with a keylogger on a Windows machine running PuTTY), they get your password before it is encrypted and sent over the network.
To defeat such attacks, rare as they are, you can install a one-time password mechanism (OTP, here the OPIE implementation): each password is disposable, so even if someone has sniffed it, it cannot be reused.

I. What the server needs

I.1 RPMs

Install this RPM:

i686: opie-2.4-726.1.i686.rpm
x86_64: opie-2.4-726.1.x86_64.rpm
Source RPM: opie-2.4-726.1.src.rpm

Or get the latest version directly from RPMFIND.

I.2 Configuration of SELinux

Type the following commands (as root):

~# grep type=AVC /var/log/audit/audit.log | grep sshd | awk 'NR == 1 {print;}' | audit2allow -M opiek
~# semodule -i opiek.pp

The first command turns the first sshd AVC denial found in the audit log into a local policy module, so a denial has to be recorded already; read the generated opiek.te before loading it, because audit2allow allows exactly what was denied and nothing checks that this is what you want.

I.3 Activate OPIE authentication in PAM (Pluggable Authentication Modules)

Since Fedora 17, add this line to the file /etc/pam.d/system-auth-ac:
auth        sufficient    pam_opie.so
just after this one:
auth        required      pam_env.so

Up to Fedora 16, replace the content of the file /etc/pam.d/system-auth-ac with this:
auth        required      pam_env.so
auth        sufficient    pam_opie.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


I.4 Configure OpenSSH

Check that the file /etc/ssh/sshd_config contains this option:
ChallengeResponseAuthentication yes

I.5 Allow only OPIE on ssh

Since Fedora 17, replace the content of /etc/pam.d/sshd with this (the password-auth substack is commented out so that only OPIE can authenticate; keep an existing root session open while you test it from a second connection, so a mistake in the stack does not lock you out):
auth       required     pam_sepermit.so
#auth       substack     password-auth
auth       sufficient   pam_opie.so
auth       required     pam_deny.so
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin


Up to Fedora 16, replace the content of /etc/pam.d/sshd with this:
auth       sufficient   pam_opie.so no_warn no_fake_prompts
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke




I.6 First initialisation of the password

Use opiepasswd to initialise your secret pass phrase, NOT the command passwd:

opiepasswd -c

The -c flag (console mode) lets you type the secret pass phrase directly, so use it only on the console or over a connection you already trust.


II. What the client needs

II.1 Client for GNU/Linux

On your client computer you need the RPM opie-2.4-726.1.x86_64.rpm again: it also contains the OPIE calculator (opiekey). The server sends a challenge (algorithm, sequence number, seed), and you compute the response from it and your secret pass phrase:

~> ssh tux.sever.org
otp-md5 490 oc1012 ext
Response:
~> opiekey 490 oc1012
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
ROSE GAM BONA SITS NO BAIT
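To show what opiekey actually computes from the challenge above, here is an added example (not code from the page or from the OPIE project) of the otp-md5 algorithm from RFC 2289: hash the lowercased seed plus the pass phrase, fold the MD5 digest to 64 bits, then hash-and-fold "sequence number" more times. The six-word encoding is left out (it needs a 2048-word dictionary); the hex form of the response, which RFC 2289 requires servers to accept, is used instead. The small OtpServer class and the pass phrase/seed values are constructed for the demo; the test vectors are the ones published in RFC 2289.

```python
import hashlib


def fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Response for challenge 'otp-md5 <count> <seed>' and the user's secret pass phrase."""
    # Step 0: the seed is lowercased and prepended to the pass phrase.
    value = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    # Each further step hashes and folds the previous 8-byte value.
    for _ in range(count):
        value = fold(hashlib.md5(value).digest())
    return value


class OtpServer:
    """Constructed server side: keeps only the last accepted response, never the pass phrase."""

    def __init__(self, passphrase: str, seed: str, initial_count: int):
        self.seed = seed
        self.count = initial_count
        # opiepasswd stores the value for the initial count; the pass phrase is discarded.
        self.stored = otp_md5(passphrase, seed, initial_count)

    def challenge(self) -> str:
        # The client must answer with the value for one step below the stored count.
        return f"otp-md5 {self.count - 1} {self.seed} ext"

    def verify(self, response_hex: str) -> bool:
        candidate = bytes.fromhex(response_hex)
        # One more hash-and-fold of a valid response must reproduce the stored value.
        if fold(hashlib.md5(candidate).digest()) != self.stored:
            return False
        self.stored = candidate          # advance the chain: the response is now spent
        self.count -= 1
        return True


def demo() -> tuple:
    """Login with a fresh response succeeds; replaying the same (sniffed) response fails."""
    server = OtpServer("This is a test.", "TeSt", 100)
    assert server.challenge() == "otp-md5 99 TeSt ext"
    response = otp_md5("This is a test.", "TeSt", 99).hex()   # what opiekey would print
    first_login = server.verify(response)
    replayed_login = server.verify(response)
    return first_login, replayed_login
```

The server only ever stores the last accepted hash, so a captured response lets an attacker reproduce nothing but values further up the chain, which the server will never ask for again.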

II.2 Client for Windows

You will find on the web the program Winkey.exe, which can compute OTP responses on Windows.

II.3 Client for PalmOS

You need this file on your Palm:

PalmOTP.prc
SHALib.prc
mdlib.prc

Computing your one-time password on a device that is NOT connected to the Internet is certainly the safest option.

II.4 Client in Java

Here is a client that runs on every platform, thanks to the Java virtual machine:

jotp:

~$ java jotp 490 oc1012 my_secret_pass_phrase md5
Using md5. Thinking...
ROSE GAM BONA SITS NO BAIT

III. More information

You can find good documentation here, or here, and here too.

III.1 Local exploit (old versions)

Old versions of this authentication mechanism allowed an ordinary local user to obtain root access.