How To Use OPIE to Get One-Time Passwords for FreeBSD 10.1

Introduction

SSH is the most popular way to log in to a server remotely. It is a cryptographic protocol that protects your password against man-in-the-middle and replay attacks.

You must keep in mind, though, that SSH protects your data only while it is in transit. Attackers can discover your SSH password by other means, such as by using keyloggers or strategically placed cameras.

As long as you use a trusted computer (say, one that belongs to you or your company), and do so from a safe location, you don’t have to worry about such attacks. However, sometimes you might need to use a public computer. To protect your passwords in such scenarios, FreeBSD comes with a security feature called One-time Passwords In Everything, or OPIE.

In this tutorial, you will learn how to generate and use one-time passwords to log in to your remote FreeBSD server. You can pregenerate one or more one-time passwords when you’re in a safe location, and save them for later when you access your server from a less secure location. That way, even if your one-time password gets logged, it won’t ever be useful to an attacker.

Prerequisites

In order to follow this tutorial, you will need:

• A FreeBSD 10.1 server which is accessible over SSH
• A user who is allowed to switch to root; the default freebsd user on DigitalOcean is fine

Step 1 — Create a New OPIE User

To make sure that you don’t get locked out of your remote server, it is a good idea to create a separate user for use with OPIE.

Switch to root, by typing in:

sudo su

To create a new user that you want to use with your one-time passwords, type in:

adduser

You will be prompted to enter various details about the user. Let the username be sammy. When prompted for the password, make sure you type in a strong password. For all other prompts, you can simply press ENTER to choose the default value.

Interactive
Username: sammy
Full name: Sammy the Shark
Uid (Leave empty for default):
Login group [sammy]:
Login group is sammy. Invite sammy into other groups? []: 
Login class [default]:
Shell (sh csh tcsh zsh nologin) [sh]: 
Home directory [/home/sammy]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password: password
Enter password again: password
Lock out the account after creation? [no]:
Username   : sammy
Password   : ****
Full Name  : My Test User
Uid        : 1001
Class      :
Groups     : sammy
Home       : /home/sammy
Shell      : /usr/local/bin/zsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (sammy) to the user database.
Add another user? (yes/no): no
Goodbye!

Enter yes to confirm the details, and when you are asked if you want to add another user, type in no to exit adduser.

You can now switch back to your original user, either the default freebsd user or your usual sudo user:

exit

At this point you should be logged in to your server with your non-OPIE sudo user.

Step 2 — Log In as the New OPIE User

From your current terminal session, use ssh to log in as sammy, the OPIE user.

ssh sammy@localhost

This is important, because OPIE setup can be done only from a secure terminal. If you were to use an insecure protocol, such as rsh or telnet, OPIE will complain.

Step 3 — Enable OPIE for the New User

To add a user to the OPIE authentication system, you use the command opiepasswd. The -c option tells the command that you are using a trusted computer and are in a safe location.

opiepasswd -c

When you are prompted for a secret pass phrase, type in a pass phrase that is at least ten characters long. This pass phrase should not be same as the SSH password of the user. You’ll need this pass phrase later to generate the one-time passwords.

The complete output of the command will look like this:

Interactive
Adding sammy:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase: Sammy's secret pass phrase
Again new secret pass phrase: Sammy's secret pass phrase

You will receive a new OPIE seed and a randomized pass phrase:

Output
ID sammy OTP key is 499 si5509
RITE NERO BASS SOFA BEND TO

In this output, sammy is the user, 499 is the iteration count, and si5509 is the seed.

Now that sammy has been added to the OPIE authentication system, you can no longer use the actual SSH password to log in. Open a new terminal on your local machine and type in:

ssh sammy@your_server_ip

You will see a prompt that looks like this:

Prompt
otp-md5 498 zi5509 ext
Password:

You are now expected to type in a one-time password. As we haven’t generated any one-time passwords yet, for now, you won’t be able to log in. Close the terminal, and return to your previous terminal, where you are logged in as sammy.

Step 4 — Create a One-Time Password

When a user is added to the OPIE authentication system, an iteration count number starting at 499 and a random seed are associated with the user. You need to know these values to generate a one-time password.

If you are already logged in as sammy, which you should be at this point, you can determine these values using the command opieinfo.

opieinfo

Its output will contain two values. The first is the sequence number, and the second is the seed.

Output
498 zi5509

Output
freebsd not found in database.

Pass these values to the opiekey command to generate your one-time password. Remember, just like opiepasswd, opiekey too should be run only from a trusted computer.

opiekey 498 zi5509

Alternatively, you could type in:

opiekey `opieinfo`

You will be prompted to enter the pass phrase for the OPIE user. Type in the pass phrase that you chose in the previous step. The output of this command is as follows:

Interactive
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: Sammy's secret pass phrase
PER POE TURF LITE ZONE BART

The last line containing six short words is your one-time password.

Open a new terminal to try logging in again:

ssh sammy@your_server_ip

Your prompt will still be the same:

Prompt
otp-md5 498 zi5509 ext
Password:

Note that the numbers you see in this prompt match the output of opieinfo, and the parameters you passed to opiekey.

Now you can either paste in your pass phrase, or type it in manually. Before you begin typing the long password, to avoid mistakes, press ENTER. Your prompt will change, and you will be allowed to see the password you type in:

Prompt
otp-md5 498 zi5509 ext
Password [echo on]: 

Type in your one-time password now, and you will be able to log in to your server as sammy.

End the SSH session by typing in exit or closing the terminal.

Open another terminal, and try to establish a new connection:

ssh sammy@your_server_ip

This time, the prompt will be slightly different.

Prompt
otp-md5 497 zi5509 ext
Password:

As you can see, the sequence number has changed; it’s been decremented by one. You won’t be able to log in again until you generate a new one-time password using opiekey with these new values. In other words, you will have to go through the process described in Step 4 of this tutorial all over again.

Step 5 — Create Multiple One-Time Passwords

If you know that you won’t be able to reach a trusted computer for a couple of days, you might need multiple one-time passwords so you can access your server multiple times. You can specify the number of one-time passwords you want by running opiekey with the -n option. For example, to generate three one-time passwords, type in:

opiekey -n 3 `opieinfo`

The output will contain three passwords, along with their sequence numbers:

Interactive
Using the MD5 algorithm to compute response.
Reminder: Do not use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: Sammy's secret pass phrase
495: BEAM BOW TOO CAVE BOWL AUK
496: HIVE KITE HUGE SANG VAT FOAM
497: THIN ALL BUT NIL SUP BALE

The one-time passwords can also be generated in the form of hexadecimal numbers by using the -x option:

opiekey -x -n 3 `opieinfo`

Of course, the passwords will look less intelligible now:

Interactive
Using the MD5 algorithm to compute response.
Reminder: Do not use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: Sammy's secret pass phrase
495: 5484 C106 B214 B801
496: 98F1 E6CF 7F54 3108
497: 6010 2C11 192A EDAC

You are now supposed to write these down on a paper and carry the paper with you while traveling. The next time you need to log in, use the paper to find the password associated with the sequence number shown in the SSH prompt, and type it in. After you have used a password, you might want to strike it off. Needless to say, you have to make sure that this paper doesn’t end up in the wrong hands.

When you’ve used up all the passwords on the paper, just repeat this step again to generate more passwords. However, if you use up all 498 passwords, and your sequence number becomes zero, you will have to call opiepasswd -c again. Doing so resets the random seed and the sequence number.

Conclusion

In a real-life situation, you should prepare an appropriate number of passwords from a secure location beforehand, write them down on paper, and use them one at a time when you need to log in from an insecure location. Keep the paper safe!

In this tutorial, you have learned how to use the OPIE authentication system to log in to your remote FreeBSD server securely from terminals on untrusted computers. You have learned how to generate one-time passwords, and use them every time you need to log in. This feature is most useful for people who are constantly on the move and are forced to use public computers and networks.