Getting One Time Password for FreeBSD using OPIE

Introduction

Secure Shell, or SSH, is a cryptographic (encrypted) network protocol for initiating text-based shell sessions on remote machines in a secure way. This allows a user to run commands on a machine’s command prompt without them being physically present near the machine. It also allows a user to establish a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server.  The most visible application of the protocol is for access to shell accounts on Unix-like operating systems.

To protect your password from different attacks you can use the OPIE tool, which generates a password for the current session or a list of passwords you can print and carry on your person. The name is an acronym for “One time Passwords In Everything”. OPIE is a mature login and password package for Unix-like systems, installed on the server and the client, which makes untrusted networks safer against password-sniffing packet-analysis software like dSniff and protects against shoulder surfing.

In this article we will show you how you can generate and work with this method on your FreeBSD server. As prerequisites for this article you need to have a FreeBSD 10.1 server already installed and accessible with SSH.

Tasks to do

We will start by switching to the root user with the following command:

> sudo su

Then use the following command to add a new user, which will be used with OPIE in this article:

# adduser

You will then be asked for several details about the user. Don’t forget to replace the values we entered below with your own. To accept a default value, just press Enter.


Username: anis
Full name: anis maj
Uid (Leave empty for default):
Login group [anis]:
Login group is anis. Invite anis into other groups? []:
Login class [default]:
Shell (sh csh tcsh zsh nologin) [sh]:
Home directory [/home/anis]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password: My_password
Enter password again: My_password
Lock out the account after creation? [no]:
Username   : anis
Password   : *******
Full Name  : Anis user
Uid        : 1001
Class      :
Groups     : anis
Home       : /home/anis
Shell      : /usr/local/bin/zsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (anis) to the user database.
Add another user? (yes/no): no

If all the entered details are correct, enter yes, and then type no if you don’t want to add another user. After exiting adduser you can switch back to your original user or your usual sudo user:

# exit

Now we will log in as our new OPIE user. Use the following command, and don’t forget to replace “anis” with your user name:

> ssh anis@localhost

You can’t use rsh or telnet, because OPIE works only with a secure protocol such as SSH.

Then use the following command to enable OPIE for the new user. Be careful: after this, the user can no longer use the normal password, so keep another user accessible without OPIE.

$ opiepasswd -c

You will then be asked to set a secret pass phrase; make sure it is different from the user’s SSH password. You will receive the following text as output:


Adding anis:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase: My secret pass phrase
Again new secret pass phrase: My secret pass phrase

You will receive a new OPIE seed and a randomized pass phrase:

Output

ID anis OTP key is 450 si5023
RITE NERO BASS SOFA BEND TO

In this output, 450 is the count number and si5023 is the random seed.

Then use the following command:


ssh anis@your_server_IP

You will receive something like this:


otp-md5 450 zi5023 ext
Password:

Now you are able to create a one-time password, so close this terminal and return to the terminal where you are logged in as anis.

Keep your count number and random number in mind, because they are used later to create your one-time password. To display these values at any time, use the following command:

$ opieinfo

You will receive something like this but with your count and random number:


450 zi5023

To generate your one time password use the following command:

$ opiekey 450 zi5023

And of course you can use the following command to check it:

$ opiekey `opieinfo`

You will be asked to enter the pass phrase of your OPIE user, and you will receive the following text as output:


Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: My secret pass phrase
GYT SIO TURF LIFE ZOPE BAMB

Your one-time password is the last line. To check that it works, use the following command:


ssh anis@your_server_IP

You will receive:


otp-md5 450 zi5023 ext
Password:

Then type in your one-time password to log in to your server as anis. You can finish this SSH session by using the exit command or by closing the terminal.

Now try to establish a new connection to check that everything works:


ssh anis@your_server_IP

You will now receive a different prompt that looks like this:


otp-md5 449 zi5023 ext
Password:

The count number is decremented by one, and you can generate a new one-time password for it with the commands described above.
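
The challenge and count behaviour above, as an added example (not code from the original article or from the OPIE project): a Python sketch of the RFC 2289 MD5 one-time-password computation that OPIE implements, with a toy server-side check. The OtpServer class, its fields and demo() are hypothetical names; the pass phrase and seed are the sample values from this article, and output is hexadecimal only because the six-word form needs the RFC's word dictionary.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """MD5, then XOR the two 8-byte halves to get the 64-bit OTP value."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Response to the challenge 'otp-md5 <count> <seed>'."""
    # Initial step: lower-cased seed concatenated with the secret pass phrase.
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    # Then the hash is applied <count> more times.
    for _ in range(count):
        value = fold_md5(value)
    return value

def to_hex(otp: bytes) -> str:
    """Hexadecimal form in groups of four digits, as printed in RFC 2289."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))

class OtpServer:
    """Toy model (assumption): the server keeps only the last accepted OTP,
    never the pass phrase, plus the count it will ask for next."""
    def __init__(self, next_count: int, seed: str, last_otp: bytes):
        self.next_count, self.seed, self.last_otp = next_count, seed, last_otp

    def challenge(self) -> str:
        return f"otp-md5 {self.next_count} {self.seed} ext"

    def verify(self, response: bytes) -> bool:
        # Hashing a correct response once must give the stored value.
        if fold_md5(response) != self.last_otp:
            return False
        self.last_otp = response   # the accepted OTP becomes the new reference
        self.next_count -= 1       # so the next challenge shows count - 1
        return True

def demo():
    phrase, seed = "My secret pass phrase", "zi5023"  # sample values from the article
    server = OtpServer(450, seed, otp_md5(phrase, seed, 451))
    response = otp_md5(phrase, seed, 450)   # what opiekey 450 zi5023 derives
    accepted = server.verify(response)
    replayed = server.verify(response)      # a sniffed OTP is useless afterwards
    return accepted, replayed, server.challenge()

if __name__ == "__main__":
    print(demo())
```

Because each accepted password only verifies the one before it in the chain, a captured response cannot be replayed, and the list is exhausted when the count reaches zero.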

To generate multiple one-time passwords, use the following command, replacing number with how many one-time passwords you want to create:

$ opiekey -n number `opieinfo`

As output you will receive a list with the number of one-time passwords you chose. You can also get the one-time passwords in the form of hexadecimal numbers by using the following command:

$ opiekey -x -n  number `opieinfo`

Keep the generated one-time passwords with you so you can use them when you want to log in. After using all of them, repeat the previous steps to generate a new list of passwords.

Conclusion

In this article we showed you how to use the OPIE authentication system to log in to your FreeBSD server securely. You can generate one-time passwords and use them when you want to log in, which is very helpful for those who work in different places and are obliged to use public computers.