Blame
Date:
Mon Jan 23 05:00:25 2023 UTC
Message:
Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (Windows NT 5.1; rv:68.0) Gecko/20100101 Goanna/4.8 Firefox/68.0 Mypal/29.3.0
author=mkf
charset=UTF-8
csum=login.db compiling is no longer recommended.
ctime=1622979992
host=198.251.81.133
name=Openbsd.Two-FactorAuth
rev=5
targets=
text=[++'''Two Factor Authentication on OpenBSD with SSH and S/Key'''++]

This guide assumes you have already set up SSH using [[https://wiki.ircnow.org/index.php?n=Openbsd.Sshkeys | SSH Keys]]. If not, set up SSH keys first before proceeding.

To improve the security of a system, it is better to combine both an SSH public key and an OTP (One Time Password).

[+'''Configuring S/Key'''+]

S/Key is a simple, secure OTP system based on the hash functions md5, rmd160 or sha1. S/Key is a standard part of OpenBSD distributions, but it is disabled by default.

To enable it, use

[@
$ doas skeyinit -E
@]

Then each user who will use S/Key needs to initialize their account with skeyinit.

'''Note:''' You should be on a secure terminal before using 'skeyinit'. Only use this method if you are directly connected or have an encrypted channel.

[@
$ skeyinit
Password: <Enter your VPS Password here>
@]

If you're using 'telnet', use skeyinit -s (see [[https://man.openbsd.org/skeyinit.1 |skeyinit.1]] for more information).

Once you have entered the password, it shows

[@
[Adding user with md5]
@]

and asks for a passphrase. This passphrase is used to generate the OTP keys.

[@
Enter new secret passphrase: <Enter your desired passphrase here>
Again secret passphrase: <Retype the above passphrase>
@]

'''Note:''' The passphrase should be a minimum of 10 characters.

Once done, the account is set up and skeyinit echoes the next challenge and the corresponding password.

[@
ID user skey is otp-md5 100 user41451
Next login password: HONE HOOF RILL BULK HEAL COWL
@]

'''Note:''' By default it creates an md5 hash based key. To change it to sha1, you can use

[@
$ skeyinit -sha1
@]

The next step is to force the login to use S/Key instead of the traditional password.

Edit login.conf and make the following change. By default, it should be "auth-defaults:passwd,skey:"; change it as follows:

[@
 auth-defaults:auth=skey:
@]

Note that you must include the leading whitespace, otherwise it won't work.

Now change the sshd_config file to require SSH to use both authentication methods.

[@
$ doas nano /etc/ssh/sshd_config
@]

Under "# Authentication:" add

[@
AuthenticationMethods publickey,keyboard-interactive
@]

Save and exit, then restart sshd.

[@
$ doas rcctl restart sshd
@]

Done: any user with the default login profile will now need both a valid SSH key on their PC and an S/Key OTP to connect to the server.

'''CAUTION:''' Do not disconnect the window that is already logged in to the server. Use a new window/tab to test that "ssh + otp" is working; in case something went wrong you will want to redo the steps properly, or re-enable password login in sshd_config and restart sshd again.

Now, to calculate the response to the challenge, Android users can download [[https://play.google.com/store/apps/details?id=de.ub0r.android.otpdroid| OTPdroid]] and iOS users can download [[https://apps.apple.com/us/app/otp/id539922062 | OTP]].

'''CAUTION:''' The Android and iPhone apps only support the md5 and sha1 methods. If you're using rmd160, find an app that supports it or use the alternative way below.

Alternatively, if you don't have a phone, you can print the next one-time passwords on paper or write them down somewhere by using

[@
$ skey -n 10 `skeyinfo`
@]

The above command prints the next 10 one-time passwords (responses) on screen. (Do not use this method when you're on telnet.)

Now that everything is set, you can try logging in from the terminal:

[@
$ ssh user@youruserhost
otp-md5 97 user12446
S/Key Password:
@]

After you run ssh, it echoes the challenge, which consists of the key type, the sequence number and user12446 (the user id with some random numbers), and asks for the S/Key Password (the OTP).

To generate the OTP, open the mobile app.

Enter your passphrase (the secret passphrase you entered above); under 'challenge' select the key type 'md5' or 'sha1' (as you see in the terminal), and type the sequence number (97) and the string user12446.

Screenshot 1: https://ibb.co/8BrYNdV

Tap 'Calculate' and you'll get a response, an OTP of six words, as shown in the image below:

Screenshot 2: https://ibb.co/Qb8h6YP

You can enter the OTP in the terminal as "cook days eros well fell gas" and press enter to log in. Although the OTP is shown all capitalized in the screenshot, you can type it without capitalizing.

'''Note:''' Before the sequence runs out, you should generate another set of keys using "skeyinit".
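The challenge/response exchange the tutorial walks through (the phone app turning passphrase, hash type, sequence number and the user12446 string into a one-time password, and the login side checking it and stepping the sequence down) is shown here as an added example; it is not part of the wiki page and not OpenBSD's own skey(1)/libskey code. It implements the RFC 2289 otp-md5 computation (md5 only; the sha1 and rmd160 variants need extra byte-order handling and are left out) and emits the response in the RFC's hexadecimal form rather than the six-word form, which would need the RFC's 2048-word dictionary. The `SkeyRecord` class is a hypothetical stand-in for the per-user record skeyinit keeps under /etc/skey; the test vector in the comment is from RFC 2289 Appendix C.

```python
"""RFC 2289 otp-md5 one-time passwords: client response and server check.

Added example, not the wiki page's or OpenBSD's code. md5 variant only,
hex output only (the six-word form needs the RFC 2289 dictionary).
"""
import hashlib
import re


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing the two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """64-bit otp-md5 password for (seed, count).

    Step 0 hashes seed+passphrase; each further step hashes the previous
    8-byte value. The seed is case-insensitive and is lowercased first.
    RFC 2289 Appendix C vector: ("This is a test.", "TeSt", 0)
    -> 9E87 6134 D904 99DD
    """
    key = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        key = _fold(hashlib.md5(key).digest())
    return key


def to_hex(key: bytes) -> str:
    """Render as the RFC 2289 hex form, four groups of four hex digits."""
    h = key.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


_CHALLENGE = re.compile(r"^otp-md5 (\d+) (\w+)$")


def respond(challenge: str, passphrase: str) -> str:
    """What the phone app does: parse 'otp-md5 97 user12446', return the OTP."""
    m = _CHALLENGE.match(challenge.strip())
    if not m:
        raise ValueError("unsupported challenge: %r" % challenge)
    return to_hex(otp_md5(passphrase, m.group(2), int(m.group(1))))


class SkeyRecord:
    """Hypothetical stand-in for the per-user record skeyinit writes.

    The server never stores the passphrase. It keeps the value for
    sequence number n and issues the challenge for n-1; a response is
    accepted iff hashing it once more reproduces the stored value, after
    which the stored value moves down the chain. This is why each OTP
    works exactly once and why skeyinit must be rerun before the
    sequence reaches zero.
    """

    def __init__(self, user: str, passphrase: str, seed: str, count: int = 100):
        self.user = user
        self.seed = seed
        self.count = count                      # sequence number stored
        self.key = otp_md5(passphrase, seed, count)

    def challenge(self) -> str:
        return "otp-md5 %d %s" % (self.count - 1, self.seed)

    def verify(self, response_hex: str) -> bool:
        """Check a hex response for the current challenge; step down if OK."""
        try:
            resp = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(resp) != 8 or _fold(hashlib.md5(resp).digest()) != self.key:
            return False
        self.key = resp
        self.count -= 1
        return True


if __name__ == "__main__":
    # Constructed demo: the tutorial's challenge with a made-up passphrase.
    rec = SkeyRecord("user", "correct horse battery staple", "user12446", 98)
    ch = rec.challenge()                        # otp-md5 97 user12446
    otp = respond(ch, "correct horse battery staple")
    print(ch, "->", otp, "accepted:", rec.verify(otp))
    print("replay accepted:", rec.verify(otp))  # False: the OTP is spent
```

Running the block once shows an accepted login followed by a rejected replay of the same OTP; the per-login decrement of the stored sequence number is the property that makes the page's "generate another set of keys before the sequence runs out" note necessary.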
time=1629747572
author:1629747572=mkf
csum:1629747572=login.db compiling is no longer recommended.
diff:1629747572:1629747508:=63c63,67%0a%3c note that you must include the whitespace, otherwise it won't work.%0a---%0a> Then recompile the login.conf file%0a> %0a> [@%0a> $ doas cap_mkdb /etc/login.conf%0a> @]%0a
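Review bot: the sentence this revision adds ("note that you must include the whitespace, otherwise it won't work") does not say which whitespace it means; it should name the leading space before `auth-defaults:auth=skey:` in the preceding [@ @] block, since that is the only whitespace in the changed region. The `doas cap_mkdb /etc/login.conf` step is removed without any explanation in the page text; the reason appears only in the change summary ("login.db compiling is no longer recommended"), and a short sentence to that effect in the page would tell readers following an older guide that the step is intentionally absent.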
host:1629747572=198.251.81.133
author:1629747508=mkf
csum:1629747508=wiki-ish.
diff:1629747508:1622980851:=13,16c13,14%0a%3c [@%0a%3c $ doas skeyinit -E%0a%3c @]%0a%3c %0a---%0a> @@user$ doas skeyinit -E@@%0a> %0a21,25c19,21%0a%3c [@%0a%3c $ skeyinit%0a%3c Password: %3cEnter your VPS Password here>%0a%3c @]%0a%3c %0a---%0a> @@user$ skeyinit@@%0a> @@Password: %3cEnter your VPS Password here>@@%0a> %0a30,32c26,27%0a%3c [@%0a%3c [Adding user with md5]%0a%3c @] %0a---%0a> @@[Adding user with md5]@@%0a> %0a35,41c30,34%0a%3c [@%0a%3c Enter new secret passphrase: %3cEnter your desired passphrase here>%0a%3c Again secret passphrase: %3cRetype the above passphrase>%0a%3c @]%0a%3c %0a%3c '''Note:''' The passphrase should be minimum 10 characters%0a%3c %0a---%0a> @@Enter new secret passphrase: %3cEnter your desired passphrase here>@@%0a> @@Again secret passphrase: %3cRetype the above passphrase>@@%0a> %0a> Note: The passphrase should be minimum 10 characters%0a> %0a44,48c37,41%0a%3c [@%0a%3c ID user skey is otp-md5 100 user41451%0a%3c Next login password: HONE HOOF RILL BULK HEAL COWL%0a%3c @]%0a%3c %0a---%0a> @@ID user skey is otp-md5 100 user41451@@%0a> @@Next login password: HONE HOOF RILL BULK HEAL COWL@@%0a> %0a> @@user$@@%0a> %0a50,53c43,44%0a%3c [@%0a%3c $ skeyinit -sha1%0a%3c @]%0a%3c %0a---%0a> @@user$ skeyinit -sha1@@%0a> %0a59,62c50,52%0a%3c [@%0a%3c auth-defaults:auth=skey:%0a%3c @]%0a%3c %0a---%0a> %0a> @@auth-defaults:auth=skey:@@%0a> %0a65,68c55,56%0a%3c [@%0a%3c $ doas cap_mkdb /etc/login.conf%0a%3c @]%0a%3c %0a---%0a> @@user$ doas cap_mkdb /etc/login.conf@@%0a> %0a71,74c59,60%0a%3c [@%0a%3c $ doas nano /etc/ssh/sshd_config%0a%3c @]%0a%3c %0a---%0a> @@$ doas nano /etc/ssh/sshd_config@@%0a> %0a76,80c62,63%0a%3c %0a%3c [@%0a%3c AuthenticationMethods publickey,keyboard-interactive%0a%3c @]%0a%3c %0a---%0a> @@AuthenticationMethods publickey,keyboard-interactive@@%0a> %0a83,86c66,69%0a%3c [@%0a%3c $ doas rcctl restart sshd%0a%3c @]%0a%3c %0a---%0a> @@user$ doas rcctl restart sshd@@%0a> @@sshd(ok)@@%0a> @@sshd(ok)@@%0a> %0a91,92c74,75%0a%3c 
Now, to calculate the challenge, Android users download [[https://play.google.com/store/apps/details?id=de.ub0r.android.otpdroid| OTPdroid]] or on iOS download [[https://apps.apple.com/us/app/otp/id539922062 | OTP]]%0a%3c %0a---%0a> Now, to calculate the challenge, Android users download [[https://play.google.com/store/apps/details?id=de.ub0r.android.otpdroid&hl=en&gl=US | OTPdroid]] or on iOS download [[https://apps.apple.com/us/app/otp/id539922062 | OTP]]%0a> %0a97,100c80,81%0a%3c [@%0a%3c $ skey -n 10 `skeyinfo`%0a%3c @]%0a%3c %0a---%0a> @@user$ skey -n 10 `skeyinfo`@@%0a> %0a119c100%0a%3c Screenshot 1: https://ibb.co/8BrYNdV%0a---%0a> @@Screenshot 1: https://ibb.co/8BrYNdV @@%0a123,124c104,105%0a%3c Screenshot 2: https://ibb.co/Qb8h6YP%0a%3c %0a---%0a> @@Screenshot 2: https://ibb.co/Qb8h6YP @@%0a> %0a127c108%0a%3c '''Note:''' Before the sequence ends up, you might wanna generate another set of keys using "skeyinit".%0a---%0a> '''Note:''' Before the sequence ends up, you might wanna generate another set of keys using " @@ user$ skeyinit@@ ".%0a
host:1629747508=198.251.81.133
author:1622980851=siva
csum:1622980851=Tutorial Created
diff:1622980851:1622980574:=15,17c15%0a%3c Then each user using S/Key needs to initialize their account with skeyinit. %0a%3c %0a%3c '''Note:''' You should be on a secure terminal before using 'skeyinit', Only use this method if you are directly connected or have an encrypted channel.%0a---%0a> Then each user using S/Key needs to initialize their account with skeyinit. Note: You should be on a secure terminal before using 'skeyinit', Only use this method if you are directly connected or have an encrypted channel.%0a
host:1622980851=223.182.200.161
author:1622980574=siva
diff:1622980574:1622979992:=96,98c96,98%0a%3c Enter your passphrase (the secret passphrase you entered above) , under 'challenge' select the key 'md5' or 'sha1' (as you see in the terminal) and type the sequence number (97) and (user12446) %0a%3c %0a%3c @@Screenshot 1: https://ibb.co/8BrYNdV @@%0a---%0a> Enter your passphrase, under 'challenge' select the key 'md5' or 'sha1' (as you see in the terminal) and type the sequence number (97) and (user12446) %0a> %0a> [img]https://i.ibb.co/8BrYNdV/SKey-File01.jpg[/img]%0a100,101c100,101%0a%3c Tap on 'Calculate' , you'll get a response , a OTP of six words as shown in the image below:%0a%3c %0a---%0a> Tap on 'Calculate' , you'll get a response , a password of six words like above @@"HONE HOOF RILL BULK HEAL COWL"@@ this is your OTP.%0a> %0a104,108c104%0a%3c You can enter the OTP on terminal as "cook days eros well fell gas" and press enter to login, although the OTP shown all capitalized in the screenshot, you can type without capitalizing.%0a%3c %0a%3c '''Note:''' Before the sequence ends up, you might wanna generate another set of keys using " @@ user$ skeyinit@@ ".%0a%3c %0a%3c %0a---%0a> You can enter the OTP on terminal and press enter to login, although the OTP shown in all capitalized, you can type without capitalizing.%0a
host:1622980574=223.182.200.161
author:1622979992=siva
diff:1622979992:1622979992:=1,104d0%0a%3c [++'''Two Factor Authentication on OpenBSD with SSH and S/Key'''++]%0a%3c %0a%3c Assuming you guys already setup SSH using [[https://wiki.ircnow.org/index.php?n=Openbsd.Sshkeys | SSH Keys]] , If not, kindly setup SSH first before proceeding.%0a%3c %0a%3c To improve security of one's system, it is better combine both SSH public key and an OTP (One Time Password).%0a%3c %0a%3c [+'''Configuring S/Key'''+]%0a%3c %0a%3c S/Key is a simple, secure OTP system based on hash functions md5, rmd160 or sha1. S/key is standard part of OpenBSD distributions, however it is disabled by default.%0a%3c %0a%3c To enable, use%0a%3c %0a%3c @@user$ doas skeyinit -E@@%0a%3c %0a%3c Then each user using S/Key needs to initialize their account with skeyinit. Note: You should be on a secure terminal before using 'skeyinit', Only use this method if you are directly connected or have an encrypted channel.%0a%3c %0a%3c @@user$ skeyinit@@%0a%3c @@Password: %3cEnter your VPS Password here>@@%0a%3c %0a%3c If you're using 'telnet' use skeyinit -s (read here for more info: [[https://man.openbsd.org/skeyinit.1 |skeyinit.1]])%0a%3c %0a%3c Once you entered password, it'll show%0a%3c %0a%3c @@[Adding user with md5]@@%0a%3c %0a%3c and asks for a passphrase, this passphrase is used to generate the OTP keys%0a%3c %0a%3c @@Enter new secret passphrase: %3cEnter your desired passphrase here>@@%0a%3c @@Again secret passphrase: %3cRetype the above passphrase>@@%0a%3c %0a%3c Note: The passphrase should be minimum 10 characters%0a%3c %0a%3c Once done, the account is now setup and skeyinit echoes the next challenge and corresponding password.%0a%3c %0a%3c @@ID user skey is otp-md5 100 user41451@@%0a%3c @@Next login password: HONE HOOF RILL BULK HEAL COWL@@%0a%3c %0a%3c @@user$@@%0a%3c %0a%3c '''Note:''' By default it creates md5 hash based key, to change it to sha1, you can use%0a%3c @@user$ skeyinit -sha1@@%0a%3c %0a%3c The next step is to force the login to use S/Key 
instead of the traditional password.%0a%3c %0a%3c Edit login.conf and make the following changes%0a%3c %0a%3c "By default, it should be "auth-defaults:passwd,skey:" change it as follows"%0a%3c %0a%3c @@auth-defaults:auth=skey:@@%0a%3c %0a%3c Then recompile the login.conf file%0a%3c %0a%3c @@user$ doas cap_mkdb /etc/login.conf@@%0a%3c %0a%3c Now, change sshd-config file to require SSH to use both authentication methods.%0a%3c %0a%3c @@$ doas nano /etc/ssh/sshd_config@@%0a%3c %0a%3c under "# Authentication:"%0a%3c @@AuthenticationMethods publickey,keyboard-interactive@@%0a%3c %0a%3c Save and exit.%0a%3c %0a%3c @@user$ doas rcctl restart sshd@@%0a%3c @@sshd(ok)@@%0a%3c @@sshd(ok)@@%0a%3c %0a%3c and done, any user with default login profile will be forced to have a vaild SSH key on their PC and S/Key OTP to connect to the server.%0a%3c %0a%3c '''CAUTION:''' Do not disconnect the current window that already logged in to the server. Use a new window/tab to test the "ssh + otp" is working, incase if something went wrong you will want redo the steps properly or enable password login sshd_config and restart sshd again.%0a%3c %0a%3c Now, to calculate the challenge, Android users download [[https://play.google.com/store/apps/details?id=de.ub0r.android.otpdroid&hl=en&gl=US | OTPdroid]] or on iOS download [[https://apps.apple.com/us/app/otp/id539922062 | OTP]]%0a%3c %0a%3c '''CAUTION:''' The android and iPhone apps only have md5 and sha1 methods, if you're using rmd160, kindly find any app that supports it or use the alternative way below.%0a%3c %0a%3c alternatively, if you don't have phone, you can print next challenges on a paper or write down somewhere by using%0a%3c %0a%3c @@user$ skey -n 10 `skeyinfo`@@%0a%3c %0a%3c The above command will print next 10 challenges on screen. 
(Do not use this method when you're on telnet).%0a%3c %0a%3c Now that all set, you can try login in terminal%0a%3c %0a%3c ___________________________%0a%3c %0a%3c | @@ssh user@youruserhost@@ |%0a%3c | @@otp-md5 97 user12446@@ |%0a%3c | @@S/Key Password: @@ |%0a%3c ___________________________%0a%3c %0a%3c after you tried ssh, it echoes the challenge: key type and sequence number and user12446 (user id with some random numbers)%0a%3c and asks for S/Key Password (the OTP).%0a%3c %0a%3c To generate OTP, open the mobile app%0a%3c %0a%3c Enter your passphrase, under 'challenge' select the key 'md5' or 'sha1' (as you see in the terminal) and type the sequence number (97) and (user12446) %0a%3c %0a%3c [img]https://i.ibb.co/8BrYNdV/SKey-File01.jpg[/img]%0a%3c %0a%3c Tap on 'Calculate' , you'll get a response , a password of six words like above @@"HONE HOOF RILL BULK HEAL COWL"@@ this is your OTP.%0a%3c %0a%3c @@Screenshot 2: https://ibb.co/Qb8h6YP @@%0a%3c %0a%3c You can enter the OTP on terminal and press enter to login, although the OTP shown in all capitalized, you can type without capitalizing.%0a
host:1622979992=223.182.200.161