Securing SSH Servers with OTP

SSH server logins can be well secured with built-in tools. The prerequisite is that the admin sets the PasswordAuthentication directive to No in sshd_config and then rolls out password-protected RSA/DSA keys to all users. Alternatively, authentication on an OpenSSH server can also be protected using the S/KEY one-time password method.

S/KEY has since been replaced by OPIE [15], thereby adding the option of generating password lists with one-time passwords in advance, which are then used like TAN lists in e-banking. Alternatively, one-time passwords can be generated on demand using an OTP generator – for example, with Opiekey [16] on an Android smartphone.

Today, a much simpler and more elegant approach is to secure sessions with Google Authenticator [17]. The Google Authenticator Project is released under the Apache License 2.0 and is freely available. A PAM module is available for the server; the Google Authenticator client runs on Android, iOS, and BlackBerry devices and can be installed easily from the corresponding app stores.

On the server side, installing the Google Authenticator PAM module on an Ubuntu server is a breeze because a ready-to-install package is available directly from the repositories:

sudo apt-get install libpam-google-authenticator

You can also download the source code [18] and build it for your platform. Once the PAM module is installed, you can log on at the console as the user who will be signing on later with Google Authenticator and then enter google-authenticator .

The program will display a QR code, a secret key, a verification code, and five emergency scratch codes in the terminal. Again, you should print out the emergency scratch codes and keep them in a safe place. With these one-time passwords, you can also log on to the SSH server with Google Authenticator if you do not have your smartphone at hand.

Combating Brute Force

In the Google Authenticator app on your phone, tap the plus sign at the bottom and select the Scan Barcode command. Alternatively, you can add the account manually. To do so, enter the account name in the form user@host along with the corresponding private key.

The questions that follow additionally serve to harden the account. You should ban multiple use of authentication tokens and allow up to three login attempts per 30 seconds, to prevent brute force attacks. Finally, you still need to activate Google Authenticator in the PAM configuration and modify the SSH configuration. To do this, open /etc/pam.d/sshd in an editor, add

auth required pam_google_authenticator.so

to the end of the line, and save the file. In etc/ssh/sshd_config, change the value for ChallengeResponseAuthentication to yes and restart the SSH daemon.

When you log in to your server via SSH in the future, the SSH server will prompt you as usual for your username and password but also for the verification code from Google Authenticator, as displayed on your smartphone.

PayPal and Facebook

eBay subsidiary PayPal has for some time offered the possibility of hardening the registration process with two-factor authentication. Customers who use this facility have, in the past, received a hardware token (Vasco GO 3) from PayPal. If you want to harden the login process for your PayPal account, now your only option is to sign up for text message-based security on the site [19]. For each login process, PayPal sends you a one-time password by text message to the registered cell number.

If a user cannot access his or her mobile phone, PayPal offers the ability to define security questions and answers as a fallback facility. Facebook can now also secure the login process with a one-time password. However, users must have the Facebook app installed on their smartphone and associate the app with their account in the security settings during the activation process.