Wednesday, June 13, 2007

bsdtalk117 - One Time Passwords

  • Important when you don't trust the computer you are using, such as a library computer or internet kiosk.
  • Available by default in Free/Net/Open BSD.
  • FreeBSD uses OPIE, Net/Open use S/Key.
  • One time passwords are based on your pass phrase, a non-repeating sequence number, and a seed.
  • Initial setup should be done directly on the server.
  • "skeyinit" for Net/Open, "opiepasswd -c" for FreeBSD.
  • Enter a pass phrase that is not your regular account password.
  • Find your current sequence number and seed with "opieinfo" or "skeyinfo", for example: "497 pc5246".
  • Generate a list of the next 10 passwords and write them down, using "opiekey -n 10 497 pc5246" or "skey -n 10 497 pc5246".
  • When you log in from a remote machine that might have a keystroke logger, you can now use a one time password instead of your regular password.
  • For OpenBSD, log in as account:skey, for example "bob:skey", which will cause the system to present the s/key challenge.
  • For NetBSD, the system will always present you with the s/key challenge if it is configured for your account, although you can still use your regular password.
  • FreeBSD by default will force you to use a one time password if it is configured for your account.
  • If you want both OPIE and password authentication, FreeBSD allows you to list trusted networks or hosts in /etc/opieaccess.
  • Instead of carrying a list of passwords around, you can use s/key generators on a portable device that you trust, such as a palm pilot.
  • For more info, check the man pages.

File info: 6Min, 4MB.

Ogg Link:
https://archive.org/download/bsdtalk117/bsdtalk117.ogg
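
The bullets above describe the S/Key and OPIE scheme (RFC 2289) at the command level; the following is an added example, written for this page and not taken from the BSD skey or opie sources, that models what those commands compute. It assumes MD5 as the hash (OPIE's default; the S/Key builds can use others) and prints passwords in hex rather than the six-word form, which needs RFC 2289's 2048-word dictionary. The pass phrase and the OtpServer class are constructed for illustration; the sequence number 497 and seed pc5246 are the ones from the notes.

```python
# Added example: a small model of the S/Key / OPIE one-time-password scheme
# from RFC 2289, written to illustrate the show notes. Not the BSD code.
# Assumptions: MD5 as the hash (OPIE's default) and hex output instead of the
# six-word encoding (which needs the RFC's 2048-word dictionary).
import hashlib
import hmac


def _fold(digest: bytes) -> bytes:
    """RFC 2289 folding for MD4/MD5: XOR the two 64-bit halves of the digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Password number `count`: the hash applied `count` times to fold(H(seed + passphrase)).

    The seed is case-insensitive (lowercased before use); the pass phrase is not.
    Passwords are used from the highest sequence number downward, and because
    each step is a one-way hash, capturing otp(497) with a keystroke logger
    gives nothing towards otp(496), the one the server asks for next.
    """
    x = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        x = _fold(hashlib.md5(x).digest())
    return x


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hex form, as opiekey/skey print with -x: four groups of four upper-case digits."""
    h = otp(passphrase, seed, count).hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def password_list(passphrase: str, seed: str, current: int, n: int) -> list:
    """The list the notes print with 'opiekey -n 10 497 pc5246': passwords for
    sequence numbers current-n+1 .. current, consumed from `current` downward."""
    return [(c, otp_hex(passphrase, seed, c)) for c in range(current - n + 1, current + 1)]


class OtpServer:
    """Per-account state as the server keeps it after opiepasswd/skeyinit (constructed
    model): the seed, the sequence number and the last accepted password value.
    The pass phrase itself is never stored, only one point on the hash chain."""

    def __init__(self, passphrase: str, seed: str, initial_count: int):
        # The initial setup runs on the server itself: compute the top of the chain once.
        self.seed = seed
        self.count = initial_count
        self.last = otp(passphrase, seed, initial_count)

    @property
    def next_seq(self) -> int:
        """Sequence number of the next challenge, what opieinfo/skeyinfo report."""
        return self.count - 1

    def challenge(self) -> str:
        """The login prompt, e.g. 'otp-md5 497 pc5246'."""
        return f"otp-md5 {self.next_seq} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept the response if hashing it once yields the stored value, then move
        the stored value one step down the chain. A replayed password hashes to the
        value two steps up the chain, so it no longer matches and is rejected."""
        try:
            candidate = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        if not hmac.compare_digest(_fold(hashlib.md5(candidate).digest()), self.last):
            return False
        self.last = candidate
        self.count -= 1
        return True


if __name__ == "__main__":
    # Constructed pass phrase; sequence number and seed are the ones in the notes.
    server = OtpServer("not my login password", "pc5246", 498)
    print(server.challenge())
    for seq, pw in password_list("not my login password", "pc5246", 497, 10):
        print(f"{seq}: {pw}")
    first = otp_hex("not my login password", "pc5246", 497)
    print("login:", server.verify(first), "replay:", server.verify(first))
```

Running the block prints the challenge, the ten passwords for 488 to 497, and then `login: True replay: False`: the same password typed a second time fails, which is the property that makes a logged password worthless. RFC 2289 Appendix C lists test vectors for checking an implementation like this against the real tools.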

10 comments:

  1. Anonymous, 11:05 PM

    Instead of carrying a list of passwords around, you can use s/key generators on a portable device that you trust, such as a palm pilot.

    I installed an OTP calculator on my mobile phone: jotp, the Java OTP Calculator.

  2. Anonymous, 4:49 AM

    What happened to the Ogg feed? Amarok complains about "invalid data" and if I click on the feed link in Firefox, it comes up empty... :(

  3. The ogg feed is hosted by a listener. Maybe his server is having problems.

  4. Anonymous, 3:27 PM

    Thanks a lot for this. I always wondered about one time passwords but never took the time to look into it.

  5. Anonymous, 5:58 AM

    I discovered the other day that I can get this podcast through iTunes--very cool!

    However, this episode didn't appear.

    I tried downloading the mp3 and got...

    Safari can’t connect to the server.
    Safari can’t open the page “http://cisx1.uma.maine.edu/~wbackman/bsdtalk/bsdtalk117.mp3” because it could not connect to the server “cisx1.uma.maine.edu”.

  6. Sorry. Server upgrades today, so the files might be unavailable for a bit.

  7. Anonymous, 10:41 AM

    DragonFly works like FreeBSD.

  8. Neat, thanks :-) I didn't even know about OTP on BSD before this.

  9. Could you please correct the URL to the Ogg in the Ogg feed? In the feed, it is stored as "http://www.example.com/none.ogg". And also tonnes of thanks for producing such great stuff. I just found this today, and listened to a number of Oggs. Thanks :)

  10. Anonymous, 6:59 PM

    Instead of carrying a list of passwords around, you can use s/key generators on a portable device that you trust, such as a palm pilot.
