Category: projects

OTP – One Time Passwords

After the installation of anyterm on my sheeva I am now working on the integration of One Time Passwords to enable fullaccess to my network even from a compromised workstation in an internet cafe.

I decided to go with OPIE – One-time Passwords In Everything which is using the S/KEY system (http://www.inner.net/opie).  The installation is as easy as:

aptitude install opie-server opie-client

after that the pam module for SSH must be adjusted:

/etc/pam.d/sshd

auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so

must be in whereas:

@include common-auth

must be out.

Initialisation is done via:

opiepasswd -c

which gives you back the first password and seed. You need to give a passphrase for the actual account before the command completes.

With the command opiekey the sequence number and the passphrase you can also get the apropriate password or with the option -n <number> a list of usable
passwords for printing.

pflog0

To view the log file:

# tcpdump -n -e -ttt -r /var/log/pflog

Note that using tcpdump(8) to watch the pflog file does not give a real-time display. A real-time display of logged packets is achieved by using the pflog0 interface:

# tcpdump -n -e -ttt -i pflog0

pfctl

     # pfctl -f /etc/pf.conf     Load the pf.conf file
     # pfctl -nf /etc/pf.conf    Parse the file, but don't load it
     # pfctl -Nf /etc/pf.conf    Load only the NAT rules from the file
     # pfctl -Rf /etc/pf.conf    Load only the filter rules from the file

     # pfctl -sn                 Show the current NAT rules
     # pfctl -sr                 Show the current filter rules
     # pfctl -ss                 Show the current state table
     # pfctl -si                 Show filter stats and counters
     # pfctl -sa                 Show EVERYTHING it can show