September 29, 2004

Authentication methods in OpenBSD

Author: Brandon Parker and José Nazario

OpenBSD supports several authentication methods besides a simple password. Here are some ways you can keep your systems safe.

This article is excerpted from the recently published book Secure Architectures with OpenBSD.

To use these alternate login methods, the user names the method as part of the username at the login prompt, and OpenBSD hands the authentication to a separate program for that style (BSD authentication: /usr/libexec/auth/login_<style>). By default the only styles allowed are simple passwords (passwd) and S/Key (skey). The method is appended to the username after a colon:


login: bpalmer:skey
otp-md5 95 psid06473
S/Key Password:

passwd

The standard authentication method is the passwd method. It takes the name of the user, looks up the password hash in the /etc/master.passwd file, and compares that with the hash of the password provided by the user.

S/Key

In some installations, S/Key is the most common login method. It is used when the only way in is a service that carries the password in the clear, such as FTP and Telnet, whose logins are not encrypted at all and can be sniffed on the network. OpenBSD supports S/Key for numerous services, including ftpd, telnetd and sshd. Services like sshd encrypt the session, so a password sent through them is not exposed in transit. Rather than accepting a reusable password, S/Key sends a challenge and the remote user sends back a response computed from it. Both still cross the network in plain text, but the response is a one-time value that does not reveal the secret passphrase and cannot be reused, so capturing it does not let an eavesdropper log in later.

To use S/Key, the user must first initialize it on the server they will be logging in to. This is done as follows:

# skeyinit bpalmer
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet
or rlogin, hit return now and use skeyinit -s.

[Adding bpalmer with md5]
Enter secret passphrase:
ERROR: Your passphrase must be at least 10 characters long.
Enter secret passphrase:
Again secret passphrase:

ID bpalmer skey is otp-md5 99 orio71643
Next login password: WAD GALA FLAT ARTS SHOD LIEU

When run by an ordinary user, skeyinit first asks for the user's normal login password (to prove identity) and then for a new S/Key secret passphrase, which must be at least 10 characters long, as the error above shows. The two should differ, so that the S/Key passphrase is not the system password; a user whose account has no usable local password can then log in with S/Key only. The number 99 is the starting sequence number: it counts down by one at each login, and when it approaches zero the user must run skeyinit again.

If run as root, skeyinit can initialize or reset S/Key for any user, and root is not asked for that user's password:

root@orion:/root# skeyinit brandon

Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet
or rlogin, hit return now and use skeyinit -s.

[Updating brandon with md5]
Old seed: [md5] orio87272
Enter secret passphrase:
Again secret passphrase:

ID brandon skey is otp-md5 99 orio87273
Next login password: DEAR ALSO MONK GINA FRET STOW

Getting passphrases

There are two main ways to use S/Key once it has been set up: the user either has an S/Key calculator at hand or has printed out the next passwords in the sequence. To print the next 10, the user asks the server for the current sequence number and seed with skeyinfo, then runs skey on a trusted machine:


$ skeyinfo
98 orio87273
$ skey -n 10 98 orio87273
Reminder - Do not use this program while logged in via telnet or
rlogin.
Enter secret password:

89: OH BUFF FOUL LAMB INK BALD
90: NILE FROG GRIM HANS NON ANTI
91: LEO BESS ELK NASH COIN SUNK
92: MARS HUH AMMO FAST MUCK DEAL
93: BUST ROVE AWN FRET FED BERN
94: ANTI LOVE AL HOWE BUCK RANK
95: ADDS AWRY BOCK SUIT SUN JUNO
96: CRAY SOY DOT WAST SELF SOB
97: ABEL LORD CHIN JANE TUBA SEEN
98: CASE GRIN ROOK TWIN BOG LAW

The first command reported the next challenge: sequence number 98 and seed orio87273. That means the next login (by Telnet, for example) uses CASE GRIN ROOK TWIN BOG LAW as its password. Each printed password works exactly once; after number 98 has been used the server will ask for 97.


$ telnet orion
Trying 192.168.1.3...
Connected to orion.
Escape character is '^]'.

login: brandon:skey
otp-md5 98 orio87273
S/Key Password:
S/Key Password [echo on]: CASE GRIN ROOK TWIN BOG LAW
OpenBSD 3.3 (GENERIC) #2: Fri Feb 21 13:16:59 MST 2003

Welcome to OpenBSD: The proactively secure UNIX-like operating system.

When asked for a username, we entered the username, a colon and the login method we wanted, skey. The challenge followed: the hash algorithm (otp-md5), the sequence number and the seed. Pressing return at the first, echo-off prompt gives a second prompt with echo on, which we used so that the six words could be read back while typing (on an untrusted terminal, prefer the echo-off prompt). FTP works in the same way:


$ ftp orion
Connected to orion..
220 orion. FTP server (Version 6.5/OpenBSD) ready.
Name (orion:jose): jose:skey
331-otp-md5 96 orio87273
331 S/Key Password:
Password:
230-OpenBSD 3.3 (GENERIC) #2: Fri Feb 21 13:16:59 MST 2003
230-
230-Welcome to OpenBSD: The proactively secure UNIX-like operating
230-system.
230
230 User jose logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Of course, the user won't always be able to, or want to, carry around a list of passwords. A calculator that computes them on demand from the passphrase, seed and sequence number is needed instead, and one is available for each platform:

OpenBSD: The skey program is used:

$ skey 97 orio87273
Reminder - Do not use this program while logged in via telnet or
rlogin.
Enter secret password:

ABEL LORD CHIN JANE TUBA SEEN

Palm OS: The Pilot/OTP program can be used. It can be found through a search engine.

Windows: The winkey.exe program is a simple tool for generating S/Key passphrases. You can find it with a Web search engine as well.

sshd setup and usage with S/Key

In addition to Telnet and FTP, S/Key can be used with sshd. If SSH is encrypted, why would anyone need S/Key? Because the remote client isn't always trusted. On a public workstation at a convention, for example, one cannot be sure that a keystroke logger isn't running, and a reusable password typed there is lost. With an S/Key calculator running on a separate device such as a Palm Pilot, the one-time password the logger captures is worthless after the session, although anything else typed or displayed during that session is still exposed.

The only change needed is to enable UseLogin in /etc/ssh/sshd_config, so that login(1) handles the user:style syntax, and to restart sshd:


UseLogin yes

To ssh with S/Key, use the following code:


hacker@unsafe:/home/hacker$ ssh brandon:skey@server
otp-md5 97 serv87273
S/Key Password:
Last login: Sun Apr 3 20:58:14 on ttyp1 from client.
OpenBSD 3.3 (GENERIC) #44: Sat Mar 29 13:22:05 MST 2003

Welcome to OpenBSD: The proactively secure UNIX-like operating system.

OpenSSH integrates cleanly with the login methods described here, provided they have been set up properly. Note that UseLogin was removed from OpenSSH in version 7.4; on current systems the S/Key challenge is delivered instead through keyboard-interactive authentication (ChallengeResponseAuthentication, later renamed KbdInteractiveAuthentication, which is enabled by default), so sshd presents the otp-md5 challenge itself and no sshd_config change is needed.

Additional login classes

Additional login classes are defined in the configuration file /etc/login.conf, which names a class and then lists the capabilities for that class. The auth capability lists the authentication styles the class may use, in the order they are tried; for example, auth=skey permits S/Key.

A user belongs either to the default class or to a named class, given in /etc/master.passwd in the field after the group ID. For example, a user jose whom we wanted to confine to the class visitors would have a password file entry like the following (a single line):


jose:$2a$06$shki2fo4.t2e7mtSAGQwoejga7rm2lb6RkjahhfCmiFysXj0CXiDi:1000:1000:visitors:0:0:jose:/home/jose:/bin/ksh

This defines the user's class as visitors. Then, a login class visitors would be defined in the file login.conf:


visitors:\
	:datasize-cur=64M:\
	:datasize-max=infinity:\
	:maxproc-max=256:\
	:maxproc-cur=128:\
	:auth=skey,radius,passwd:

This allows the visitors class to authenticate via S/Key, RADIUS or a local password, tried in that order when the user does not name a style. If /etc/login.conf.db exists, run cap_mkdb /etc/login.conf after editing so the change takes effect. The remaining sections describe the available methods.

lchpass

OpenBSD also provides login styles for changing a password, reached through the same user:style syntax. The first, lchpass, changes the user's password on the local machine:


$ login
login: bpalmer:lchpass
Changing local password for bpalmer.
Old Password:
New password:
Retype new password:

The lchpass style behaves almost exactly like passwd(1) changing a local password.

chpass

The next style, chpass, changes whichever password system is primary for the user. It differs from lchpass in that it changes the Kerberos password if the user normally authenticates via Kerberos, and falls back to changing the local password, as lchpass does, when Kerberos is not in use.

Token-based authentication methods

Varying degrees of support for token-based authentication (such as smart cards and hardware tokens) exist in OpenBSD, but in practice it is limited by access to the hardware. We will mention the tools available for such authentication; because we also lack the needed hardware, we will not give details on using them. These methods share one characteristic: the tokeninit command (and the per-token administration commands named below) is used to initialize the system and to add or remove users.

ActivCard authentication
The activ authentication method works with ActivCard tokens. When the user logs in with this method, the user is looked up in the token database /etc/active.db. That database is administered with the activadm command.

SecureNet authentication
Another token-based authentication method uses SecureNet key tokens. It is administered with the snkadm command, which is similar to activadm.

CRYPTOCard authentication
The crypto method uses CRYPTOCard tokens to authenticate, through the login_crypto program. It is administered with the cryptoadm command, which is almost identical to snkadm and activadm.

SecurID
At the time of writing, there was no complete method for SecurID login. Several sites, such as http://www.deadly.org, continued to discuss the issue, but nothing existed yet.

Kerberos

krb-or-pwd
This authentication method first attempts to log the user in with Kerberos and, if that fails, with a normal local password. It is a good first choice on a system where Kerberos is installed but not used for all users (root, for instance, which usually keeps a local password).

radius method

If a RADIUS server is available, the radius method authenticates the user against it. Setting up the server itself is not discussed here; two RADIUS server packages are available in the ports tree.

reject method

The reject method, as the name implies, always rejects login attempts. It is useful for forbidding a particular kind of login, such as FTP, as this fragment from the reject manual page shows:


	:auth=krb-or-pwd,kerberos,passwd:\
	:auth-ftp=reject:

The user may log in with krb-or-pwd, kerberos or passwd through any service that has no more specific rule, but a service-specific capability such as auth-ftp takes precedence over auth, so every FTP login for this class is handed to reject and fails.
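The interaction between the user:style syntax, a class's auth list and a service-specific auth-<service> rule is easy to get wrong when editing login.conf. The following is an added example, not code from the book or from OpenBSD: it parses a small login.conf-style fragment (termcap syntax, including tc= includes) and applies the lookup order described above for both the visitors class and the reject rule, with the built-in fallback of passwd and S/Key the article states for classes that set no auth capability. The fragment, the user-to-class table and the service names (ftp, login, ssh) are constructed for the demonstration; it models the lookup rather than calling the libc login_cap routines.

```python
"""Which BSD auth style does a login get? A model of login.conf lookup.

Added example, not the book's or OpenBSD's own code. It parses a
constructed login.conf fragment and applies the lookup order for the
auth capabilities: auth-<service> wins over auth, tc= includes are
followed, and when neither is set the default named in the article
(passwd and S/Key) applies.
"""

DEFAULT_STYLES = ["passwd", "skey"]   # fallback when no auth capability

# Constructed /etc/login.conf fragment: 'visitors' is the class from the
# article, 'default' carries the auth-ftp=reject rule from reject(8).
LOGIN_CONF = r"""
auth-defaults:\
    :auth=passwd,skey:

default:\
    :auth-ftp=reject:\
    :tc=auth-defaults:

visitors:\
    :datasize-cur=64M:\
    :maxproc-cur=128:\
    :auth=skey,radius,passwd:
"""

# Constructed master.passwd data: login name -> login class ("" = default)
USERS = {"jose": "visitors", "brandon": ""}


def parse_login_conf(text):
    """Return {class: {capability: value}}; continuation lines end in '\\'."""
    classes, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        record = "".join(pending) + line
        pending = []
        fields = [f for f in record.split(":") if f]
        caps = {}
        for field in fields[1:]:
            key, eq, value = field.partition("=")
            caps[key] = value if eq else "true"   # bare name = boolean cap
        classes[fields[0]] = caps
    return classes


def lookup(classes, cls, cap, seen=()):
    """Find a capability in a class, following tc= includes (no cycles)."""
    caps = classes.get(cls)
    if caps is None or cls in seen:
        return None
    if cap in caps:
        return caps[cap]
    if "tc" in caps:
        return lookup(classes, caps["tc"], cap, seen + (cls,))
    return None


def allowed_styles(classes, login_class, service):
    """Styles permitted for a class and service, in the order tried."""
    cls = login_class if login_class in classes else "default"
    value = lookup(classes, cls, "auth-" + service)
    if value is None:
        value = lookup(classes, cls, "auth")
    return value.split(",") if value else list(DEFAULT_STYLES)


def resolve_style(classes, users, login_name, service):
    """Split 'user:style' as login(1) does and pick the style to run.

    Returns the style name, or None if the user is unknown or asked for a
    style the class does not permit. 'reject' means login_reject would run,
    which always fails; no explicit style selects the first permitted one.
    """
    user, _, style = login_name.partition(":")
    if user not in users:
        return None
    styles = allowed_styles(classes, users[user], service)
    style = style or styles[0]
    return style if style in styles else None


def demo():
    """Resolve a few constructed logins against the fragment above."""
    classes = parse_login_conf(LOGIN_CONF)
    cases = [("jose:skey", "ftp"), ("jose:lchpass", "login"),
             ("brandon", "ssh"), ("brandon:skey", "ftp"), ("brandon", "ftp")]
    return {f"{name} via {svc}": resolve_style(classes, USERS, name, svc)
            for name, svc in cases}


if __name__ == "__main__":
    for case, style in demo().items():
        print(f"{case:24s} -> {style}")
```

Two results are worth noting: jose in the visitors class still reaches ftpd with S/Key, because that class sets no auth-ftp and does not include default, while brandon in the default class is handed to reject for FTP whatever style he asks for; and a requested style that is not in the class's list (jose:lchpass) is refused outright rather than falling back to a password.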
