4.5. How to set up OPIE with PAM on Linux

4.5.1. What is OPIE?

OPIE stands for One-time Passwords In Everything; it is an implementation of S/Key, the one-time password (OTP) scheme described in RFC 2289. One of the problems with connecting to remote systems is having to send a password: someone could watch your keyboard or the network and capture it. Even SSL only gives partial protection, since it guards the password in transit but not against a keylogger or someone looking over your shoulder. With OTP the password is different on every login, so a captured response is worthless once it has been used.

OTP works by combining a seed and your password and then hashing the result (with MD4, MD5 or SHA1) many times over. When you attempt to connect, the remote end sends a challenge, e.g. “otp-md5 98 seed1234”. The first part, “otp-md5”, says that MD5 is the hash in use; the number “98” is the sequence number, meaning the seed and password are hashed once and that result is then re-hashed 98 more times; and the last part, “seed1234”, is the seed.

To create the correct response you need to know your password and use an OTP response calculator. Enter the challenge and your password into the calculator and it presents you with a response, either as 16 hex digits or as six short words. Type either form into the remote system. The next time you connect the challenge will have changed: the number goes down by one, e.g. “97”. For a much more detailed understanding of OTP, have a look at these documents:

  • RFC 2289 – A One-Time Password System

  • RFC 1320 – The MD4 Message-Digest Algorithm

  • RFC 1321 – The MD5 Message-Digest Algorithm

  • RFC 3174 – US Secure Hash Algorithm 1 (SHA1)

Below are instructions on how to download, install and set up a PAM module written by Andy Berkheimer that makes your Linux server support OTP challenge/response authentication. Although it has not been updated in some time, it still works fine.

Once this is all set up, you can use 1Key for iPhone to generate your OTP responses.

4.5.2. Install / Setup


Download and compile the source

$ curl -O http://www.andybash.com/pam_opie-0.21.tar.gz
$ tar -xf pam_opie-0.21.tar.gz
$ cd pam_opie
$ make
$ sudo make install

Configure PAM: edit /etc/pam.d/system-auth and add the pam_opie.so line to the auth stack ahead of pam_unix.so, as below. Note the warning at the top of the file: on systems managed by authconfig, re-running authconfig regenerates this file and will drop the change.

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_opie.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Configure SSHD: in /etc/ssh/sshd_config make sure challenge/response (keyboard-interactive) authentication is enabled. UsePAM must also be yes, which is the default on most distributions; otherwise sshd never hands the prompt to PAM. On OpenSSH 8.7 and later the option is named KbdInteractiveAuthentication, with ChallengeResponseAuthentication kept as a deprecated alias.

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes

4.5.3. Create an OTP Entry in /etc/opiekeys

  • Start your OTP generator, either on the iPhone or the JavaScript web calculator, e.g. http://www.ocf.berkeley.edu/~jjlin/jsotp/

  • Make up a challenge. The first part is a number: the sequence number to start at, which is also how many logins the entry is good for, since it goes down by one each time you authenticate, e.g. 99. The second part is a random seed made of lowercase letters and digits, e.g. seed1234. Finally, a password: whatever you want, and don't tell anyone. Compute the MD5 response; you need the hex form.

 Challenge: 99 seed1234
 Password: 1234
 Response: HOOD JADE TALK FOIL SLAB LISA (9A54 079D 41ED E360)

  • Add the line to your opiekeys file, e.g. for the username “guy”:

  guy 0099 seed1234 9a54079d41ede360

  Keep /etc/opiekeys owned by root with mode 0600: the seed and stored hash let anyone who can read them brute-force a weak password offline, and anyone who can write the file can add an entry of their own.

Restart the SSH server:

$ sudo /etc/rc.d/init.d/sshd restart

I can now authenticate. When I connect I am asked for the response to the challenge “otp-md5 98 seed1234”; note the number has decreased by one from the 99 in the opiekeys entry.

4.5.4. Testing

$ ssh guy@localhost
otp-md5 98 seed1234

Using your OTP generator, create the correct response and enter either the hex or the six words; you should now be logged in. Because of the way the configuration above is done, you can also just enter your normal (shadow) password and that will authenticate too, since pam_unix.so is still “sufficient” in the auth stack. Until it is removed, OTP adds nothing against password capture, because the reusable password still works. Once you are happy the OTP setup is correct, remove the “auth sufficient pam_unix.so” line from system-auth (leave the account, password and session pam_unix.so lines alone). The auth stack then ends in pam_deny.so, so every user who needs to log in must have an /etc/opiekeys entry.

Note also that because this is done via PAM, any application that authenticates through PAM and includes system-auth can now use OTP as well.

4.5.5. How does the server do authentication?

It is very simple. The /etc/opiekeys file stores the counter, the seed and the hex value of the last accepted response, e.g. “0099 seed1234 9a54079d41ede360”.

The server creates the new challenge by subtracting one from the counter, e.g. “otp-md5 98 seed1234”. The user provides the response either as words or as hex; if in words, they are converted back to hex. The server then hashes the hex value once more and compares it with the hex from the opiekeys file. If it matches, authentication succeeds and the response and the new counter are written back to opiekeys in place of the old values, so the same response can never be accepted twice.

The advantage of this is that at no time does the server hold the user's password in any form, and knowing the last response gives no way of generating the next one, since that would mean inverting the hash. Two things it does not protect against: a weak password can still be brute-forced offline by anyone who obtains the seed and a response, and the sequence eventually runs out, so re-initialise the entry with a fresh seed before the counter reaches zero.
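The generation and verification described in 4.5.1, 4.5.3 and 4.5.5, worked through in code. This is an added example, not code from the page or from pam_opie: it implements the RFC 2289 MD5/MD4 variant (hash the lowercased seed plus password, fold to 64 bits, repeat), an opiekeys-style server entry, the challenge, and the verify-then-advance step, plus the two failure modes the server has to handle (replay of an already-accepted response, and an exhausted sequence). The user, seed and password are the constructed values from the walkthrough above; the six-word encoding is left out because it needs the RFC's 2048-word dictionary. Check it against the Appendix C test vectors in RFC 2289 (and the hex value in 4.5.3) before trusting it for anything real.

```python
import hashlib
import hmac


def fold64(digest: bytes) -> bytes:
    # RFC 2289 folding for MD4/MD5: XOR the two 8-byte halves of the 16-byte
    # digest.  SHA1 uses a different fold and is deliberately not handled.
    if len(digest) != 16:
        raise ValueError("fold64 expects a 16-byte digest (md4/md5)")
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def step(data: bytes, alg: str = "md5") -> bytes:
    # One computation step: hash the previous value, fold to 64 bits.
    return fold64(hashlib.new(alg, data).digest())


def otp(passphrase: str, seed: str, count: int, alg: str = "md5") -> bytes:
    """Client side: the 64-bit OTP for sequence number `count`.

    Initial step: hash(seed || passphrase), seed lowercased because seeds are
    case-insensitive in RFC 2289.  Then `count` further steps.  So the answer
    to "otp-md5 98 seed1234" is the initial hash followed by 98 more steps.
    """
    if count < 0:
        raise ValueError("sequence number must be >= 0")
    value = step((seed.lower() + passphrase).encode("utf-8"), alg)
    for _ in range(count):
        value = step(value, alg)
    return value


def to_hex(value: bytes) -> str:
    # The 16-hex-digit form the calculator shows.
    return value.hex().upper()


def from_hex(text: str) -> bytes:
    # Accept the calculator's spaced/upper-case form as well as the opiekeys form.
    return bytes.fromhex(text.replace(" ", ""))


class OpieEntry:
    """Server side: one line of /etc/opiekeys (user, counter, seed, last hex).

    The passphrase is never stored; only the last accepted OTP is.
    """

    def __init__(self, user: str, seq: int, seed: str, last_hex: str, alg: str = "md5"):
        self.user, self.seq, self.seed, self.alg = user, seq, seed.lower(), alg
        self.last = from_hex(last_hex)

    @classmethod
    def initialise(cls, user: str, passphrase: str, seed: str, count: int = 99, alg: str = "md5"):
        # Done once, on a trusted machine: compute otp(count) and write it to
        # /etc/opiekeys as "user 0099 seed <hex>".
        return cls(user, count, seed, to_hex(otp(passphrase, seed, count, alg)), alg)

    def line(self) -> str:
        return f"{self.user} {self.seq:04d} {self.seed} {to_hex(self.last).lower()}"

    def challenge(self) -> str:
        # The server asks for the chain element *before* the one it holds.
        if self.seq <= 0:
            raise RuntimeError("sequence exhausted; re-initialise the entry")
        return f"otp-{self.alg} {self.seq - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        # Hash the candidate once; it must reproduce the stored value.  A replayed
        # response fails because the stored value has already moved on.
        if self.seq <= 0:
            return False
        try:
            candidate = from_hex(response_hex)
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        if not hmac.compare_digest(step(candidate, self.alg), self.last):
            return False
        self.seq -= 1            # counter moves down ...
        self.last = candidate    # ... and the accepted response replaces the stored hex
        return True


if __name__ == "__main__":
    # Constructed values: the user, seed and password from the walkthrough.
    entry = OpieEntry.initialise("guy", "1234", "seed1234", count=99)
    print("opiekeys line:", entry.line())
    print("challenge    :", entry.challenge())          # otp-md5 98 seed1234
    response = to_hex(otp("1234", "seed1234", 98))      # what the calculator shows
    print("response     :", response, "->", entry.verify(response))
    print("replay       :", entry.verify(response))     # False
    print("next         :", entry.challenge())          # otp-md5 97 seed1234
```

Running it prints the opiekeys line, the challenge otp-md5 98 seed1234, the accepted response, the rejected replay and the next challenge otp-md5 97 seed1234. verify() does the hash-once-and-compare from 4.5.5 with a constant-time comparison and only advances the entry on success, which is the same update pam_opie makes to /etc/opiekeys.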