Since I often have occasion to connect back to the server at home from outside computers, and even from internet cafés, it is very easy for a keylogger to capture the username and password; switching to public-key authentication means carrying a USB stick or similar around, which is quite a hassle. So the most convenient option is probably OTP (one-time passwords): after the initial setup, print out a portion of the passwords on paper and carry it with you. Normally you still log in with the account and password, but on an untrusted computer you simply press Enter to skip the account/password login, and the OTP login prompt appears next.
On Debian the steps are as follows:
# apt-get install opie-server opie-client
# vi /etc/pam.d/sshd
Change the line
@include common-auth
to:
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_opie.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
Because both pam_unix and pam_opie are marked sufficient, a correct system password still logs you in as before; an empty password fails pam_unix and falls through to pam_opie, which then issues the OTP challenge.
You also need to change the ssh server configuration, otherwise the OTP prompt will not appear:
# vi /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
Then restart sshd:
# /etc/init.d/ssh restart
The first time, initialise the password with opiepasswd.
The OPIE service must be initialised with the following command (run as the user who will be logging in):
On the OPIE server:
$ opiepasswd -c
This allows the user to log in with OTPs.
Updating behappy:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter old secret pass phrase:
Enter new secret pass phrase:
Again new secret pass phrase:
ID behappy OTP key is 499 po9644
BABY JACK FIGS KYLE SOCK RAKE
List 20 passwords to carry with you:
Get the password list:
$ opiekey -n 20 499 po9644
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Sorry, but you don't seem to be on the console or a secure terminal.
Warning: Continuing could disclose your secret pass phrase to an attacker!
Enter secret pass phrase:
480: SITS DUE ALVA BEEN WOO OBOE
481: WADE GLUM NOVA THAN OVEN HAAS
482: REAL LET CON VETO BLOW MOSS
483: IRIS LUGE FAT RECK CORN ARGO
484: HUGH LUG EDGE JEFF FOLK HATH
485: ODE TEND MIKE FIR FATE DAYS
486: WAND PUB OHIO JOY EMIL COCA
487: IRK SOB CUBA KALE OAK COAT
488: SOFA MIRE LEER BOP OTT JAM
489: LOAD HOW SWAT OWL MILT AIDA
490: OUT LEAR CRAG LOON LUND MONK
491: NEWT BOLT SANK HURD BUG DEAN
492: SET ANTI DEAL CAST JAIL ROBE
493: REAL BEER ROVE CUFF RET MUG
494: NON RAID ETC ROB HAVE YARN
495: BOON CAW RUE LAM LATE HOCK
496: FIRM HARK EM ALTO NOW FRY
497: GOOF WEAL SHAM OAR LACY RILL
498: EST PAY WAG GOLF PA ART
499: BABY JACK FIGS KYLE SOCK RAKE
When logging in over ssh from outside, it starts out just as usual, asking for the system's normal password; press Enter to skip it, and the OTP prompt follows. It showed number 497, so look up entry 497 in the printed list and type the whole line to log in.
$ ssh localhost
Password: [just press Enter to skip the normal login]
otp-md5 497 po9644 ext, Response: [key in entry 497 from the list above]
You have mail.
Last login: Fri Apr 1 00:56:48 2011 from pony
Yes, it works.
Not that hard.
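To show what opiepasswd, opiekey and the login check above are actually doing, here is a small model of the RFC 2289 one-time-password scheme (the otp-md5 variant OPIE uses) in pure Python. This is an added example, not code from the original post or from the OPIE project; the user name, seed and pass phrase in it are constructed for illustration, and it works with the hexadecimal form of each response rather than the six-word encoding the real tools print (both encode the same 64 bits). It demonstrates why the printed list can be used from an untrusted machine, why the server never holds the secret pass phrase, and why a response captured by a keylogger is useless once it has been used.

```python
# Added example (not from the original post or the OPIE project): a minimal
# model of RFC 2289 / OPIE one-time passwords, MD5 variant ("otp-md5").
# The RFC 2289 test vectors are real; the user, seed and pass phrase used in
# demo() are constructed for illustration only.
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing the two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, seq: int) -> str:
    """Response number `seq` as upper-case hex (RFC 2289, MD5 variant).

    Step 0 hashes seed (lower-cased, as the RFC requires) + pass phrase;
    every further step hashes the previous 64-bit result once more.
    opiekey prints the same 64 bits as six short words instead.
    """
    key = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(seq):
        key = _fold(hashlib.md5(key).digest())
    return key.hex().upper()


def password_list(passphrase: str, seed: str, first: int, count: int) -> dict:
    """Equivalent of `opiekey -n <count> <first> <seed>`: entries
    first-count+1 .. first, the sheet you print and carry on paper."""
    return {n: otp_md5(passphrase, seed, n)
            for n in range(first - count + 1, first + 1)}


class OpieServer:
    """Per-user record as kept on the server: seed, current sequence number
    and the 64-bit value for that number. The pass phrase is never stored."""

    def __init__(self):
        self.records = {}

    def enroll(self, user: str, passphrase: str, seed: str, seq: int = 499):
        # opiepasswd -c: done once, on the console, with the pass phrase.
        self.records[user] = (seed, seq, otp_md5(passphrase, seed, seq))

    def challenge(self, user: str) -> str:
        # The prompt the user sees at login (the real one also ends in "ext").
        seed, seq, _ = self.records[user]
        return f"otp-md5 {seq - 1} {seed}"

    def verify(self, user: str, response_hex: str) -> bool:
        seed, seq, stored = self.records[user]
        # Hash the response once more; it must equal the stored value for seq.
        candidate = _fold(hashlib.md5(bytes.fromhex(response_hex)).digest())
        if candidate.hex().upper() != stored:
            return False
        # Accepted: the response becomes the new stored value and the sequence
        # number drops by one, so replaying this response later fails.
        self.records[user] = (seed, seq - 1, response_hex.upper())
        return True


def demo() -> tuple:
    """Enroll, print a 20-entry sheet, log in twice, then replay an old response."""
    user, seed, passphrase = "alice", "ex1234", "correct horse battery staple"
    server = OpieServer()
    server.enroll(user, passphrase, seed, 499)
    sheet = password_list(passphrase, seed, 499, 20)   # entries 480 .. 499
    prompt1 = server.challenge(user)                    # "otp-md5 498 ex1234"
    ok1 = server.verify(user, sheet[498])
    prompt2 = server.challenge(user)                    # "otp-md5 497 ex1234"
    ok2 = server.verify(user, sheet[497])
    replay = server.verify(user, sheet[498])            # recorded earlier: rejected
    return prompt1, ok1, prompt2, ok2, replay


if __name__ == "__main__":
    print(otp_md5("This is a test.", "TeSt", 0))   # RFC 2289 vector: 9E876134D90499DD
    print(demo())
```

The sheet is safe to carry because each entry is only ever accepted once and the sequence number only moves down; what must stay off untrusted keyboards is the pass phrase itself, which is exactly why opiepasswd and opiekey warn about being run anywhere other than the console.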