How To Use OPIE to Get One-Time Passwords for FreeBSD 10.1
SSH is the most popular way to log in to a server remotely. It is a cryptographic protocol that protects your password against man-in-the-middle and replay attacks.
You must keep in mind, though, that SSH protects your data only while it is in transit. Attackers can discover your SSH password by other means, such as by using keyloggers or strategically placed cameras.
As long as you use a trusted computer (say, one that belongs to you or your company), and do so from a safe location, you don't have to worry about such attacks. However, sometimes you might need to use a public computer. To protect your passwords in such scenarios, FreeBSD comes with a security feature called One-time Passwords In Everything, or OPIE.
In this tutorial, you will learn how to generate and use one-time passwords to log in to your remote FreeBSD server. You can pregenerate one or more one-time passwords when you're in a safe location, and save them for later when you access your server from a less secure location. That way, even if your one-time password gets logged, it won't ever be useful to an attacker.
In order to follow this tutorial, you will need:
- A FreeBSD 10.1 server which is accessible over SSH
- A user who is allowed to switch to root; the default freebsd user on DigitalOcean is fine
Step 1 — Create a New OPIE User
To make sure that you don't get locked out of your remote server, it is a good idea to create a separate user for use with OPIE.
Switch to root, by typing in:
- sudo su
To create a new user that you want to use with your one-time passwords, type in:
You will be prompted to enter various details about the user. Let the username be sammy. When prompted for the password, make sure you type in a strong password. For all other prompts, you can simply press
ENTER to choose the default value.
InteractiveUsername: sammy Full name: Sammy the Shark Uid (Leave empty for default): Login group [sammy]: Login group is sammy. Invite sammy into other groups? : Login class [default]: Shell (sh csh tcsh zsh nologin) [sh]: Home directory [/home/sammy]: Home directory permissions (Leave empty for default): Use password-based authentication? [yes]: Use an empty password? (yes/no) [no]: Use a random password? (yes/no) [no]: Enter password: password Enter password again: password Lock out the account after creation? [no]: Username : sammy Password : **** Full Name : My Test User Uid : 1001 Class : Groups : sammy Home : /home/sammy Shell : /usr/local/bin/zsh Locked : no OK? (yes/no): yes adduser: INFO: Successfully added (sammy) to the user database. Add another user? (yes/no): no Goodbye!
yes to confirm the details, and when you are asked if you want to add another user, type in
no to exit
You can now switch back to your original user, either the default freebsd user or your usual sudo user:
At this point you should be logged in to your server with your non-OPIE sudo user.
Step 2 — Log In as the New OPIE User
From your current terminal session, use
ssh to log in as sammy, the OPIE user.
- ssh sammy@localhost
This is important, because OPIE setup can be done only from a secure terminal. If you were to use an insecure protocol, such as
telnet, OPIE will complain.
Step 3 — Enable OPIE for the New User
To add a user to the OPIE authentication system, you use the command
-c option tells the command that you are using a trusted computer and are in a safe location.
- opiepasswd -c
When you are prompted for a secret pass phrase, type in a pass phrase that is at least ten characters long. This pass phrase should not be same as the SSH password of the user. You'll need this pass phrase later to generate the one-time passwords.
The complete output of the command will look like this:
InteractiveAdding sammy: Only use this method from the console; NEVER from remote. If you are using telnet, xterm, or a dial-in, type ^C now or exit with no password. Then run opiepasswd without the -c parameter. Using MD5 to compute responses. Enter new secret pass phrase: Sammy's secret pass phrase Again new secret pass phrase: Sammy's secret pass phrase
You will receive a new OPIE seed and a randomized pass phrase:
OutputID sammy OTP key is 499 si5509 RITE NERO BASS SOFA BEND TO
In this output, sammy is the user, 499 is the iteration count, and si5509 is the seed.
Now that sammy has been added to the OPIE authentication system, you can no longer use the actual SSH password to log in. Open a new terminal on your local machine and type in:
You will see a prompt that looks like this:
Promptotp-md5 498 zi5509 ext Password:
You are now expected to type in a one-time password. As we haven't generated any one-time passwords yet, for now, you won't be able to log in. Close the terminal, and return to your previous terminal, where you are logged in as sammy.
Step 4 — Create a One-Time Password
When a user is added to the OPIE authentication system, an iteration count number starting at 499 and a random seed are associated with the user. You need to know these values to generate a one-time password.
If you are already logged in as sammy, which you should be at this point, you can determine these values using the command
Its output will contain two values. The first is the sequence number, and the second is the seed.
If you are currently logged in with a non-OPIE user, you will get an error like this:
Outputfreebsd not found in database.
In this case, you can get the information by opening a new terminal window and attempting to log in with the OPIE user. The password prompt will include the current iteration count and the seed. Copy this information and use it in your authenticated session.
Pass these values to the
opiekey command to generate your one-time password. Remember, just like
opiekey too should be run only from a trusted computer.
- opiekey 498 zi5509
Alternatively, you could type in:
- opiekey `opieinfo`
You will be prompted to enter the pass phrase for the OPIE user. Type in the pass phrase that you chose in the previous step. The output of this command is as follows:
InteractiveUsing the MD5 algorithm to compute response. Reminder: Don't use opiekey from telnet or dial-in sessions. Enter secret pass phrase: Sammy's secret pass phrase PER POE TURF LITE ZONE BART
The last line containing six short words is your one-time password.
Open a new terminal to try logging in again:
Your prompt will still be the same:
Promptotp-md5 498 zi5509 ext Password:
Note that the numbers you see in this prompt match the output of
opieinfo, and the parameters you passed to
Now you can either paste in your pass phrase, or type it in manually. Before you begin typing the long password, to avoid mistakes, press
ENTER. Your prompt will change, and you will be allowed to see the password you type in:
Promptotp-md5 498 zi5509 ext Password [echo on]:
Type in your one-time password now, and you will be able to log in to your server as sammy.
End the SSH session by typing in
exit or closing the terminal.
Open another terminal, and try to establish a new connection:
This time, the prompt will be slightly different.
Promptotp-md5 497 zi5509 ext Password:
As you can see, the sequence number has changed; it's been decremented by one. You won't be able to log in again until you generate a new one-time password using
opiekey with these new values. In other words, you will have to go through the process described in Step 4 of this tutorial all over again.
Step 5 — Create Multiple One-Time Passwords
If you know that you won't be able to reach a trusted computer for a couple of days, you might need multiple one-time passwords so you can access your server multiple times. You can specify the number of one-time passwords you want by running
opiekey with the
-n option. For example, to generate three one-time passwords, type in:
- opiekey -n 3 `opieinfo`
opieinfo, you can supply the iteration count number and seed, as before.
The output will contain three passwords, along with their sequence numbers:
InteractiveUsing the MD5 algorithm to compute response. Reminder: Do not use opiekey from telnet or dial-in sessions. Enter secret pass phrase: Sammy's secret pass phrase 495: BEAM BOW TOO CAVE BOWL AUK 496: HIVE KITE HUGE SANG VAT FOAM 497: THIN ALL BUT NIL SUP BALE
The one-time passwords can also be generated in the form of hexadecimal numbers by using the
- opiekey -x -n 3 `opieinfo`
Of course, the passwords will look less intelligible now:
InteractiveUsing the MD5 algorithm to compute response. Reminder: Do not use opiekey from telnet or dial-in sessions. Enter secret pass phrase: Sammy's secret pass phrase 495: 5484 C106 B214 B801 496: 98F1 E6CF 7F54 3108 497: 6010 2C11 192A EDAC
You are now supposed to write these down on a paper and carry the paper with you while traveling. The next time you need to log in, use the paper to find the password associated with the sequence number shown in the SSH prompt, and type it in. After you have used a password, you might want to strike it off. Needless to say, you have to make sure that this paper doesn't end up in the wrong hands.
When you've used up all the passwords on the paper, just repeat this step again to generate more passwords. However, if you use up all 498 passwords, and your sequence number becomes zero, you will have to call
opiepasswd -c again. Doing so resets the random seed and the sequence number.
In a real-life situation, you should prepare an appropriate number of passwords from a secure location beforehand, write them down on paper, and use them one at a time when you need to log in from an insecure location. Keep the paper safe!
In this tutorial, you have learned how to use the OPIE authentication system to log in to your remote FreeBSD server securely from terminals on untrusted computers. You have learned how to generate one-time passwords, and use them every time you need to log in. This feature is most useful for people who are constantly on the move and are forced to use public computers and networks.