Files of check-in [d5e3088d0c]
in the top-level directory
otpsh
=====
One-time passwords for unprivileged users:
Authenticate with a one-time password before starting a shell.
Introduction
------------
One-time passwords can thwart certain attacks. Notably, they can reduce the risk
caused by a keylogger running on a computer that you happen to be using. Here
are some one-time password systems.
* S/KEY
* otpw
* OPIE
* HOTP
* TOTP
One-time password authentication methods typically require special configuration
by the root user. This presents several inconveniences:
* You need root access.
* The configuration can be troublesome.
* Implementations often are not portable.
* It is easy to lock oneself out of a system while configuring the OTP system.
Application
-----------
otpsh is designed for remote login to an unprivileged user account.
On startup, otpsh prompts for a one-time password. If the password
is valid, otpsh launches the user's login shell. Because it launches
the login shell rather than replacing it, otpsh cannot itself be used
as the login shell.
otpsh could be made to work as a login shell with some changes,
but I don't care enough to do it.
Installation
------------
otpsh requires a Unix-like operating system and Python 3.5 or greater.
You can install with "make install".
Alternatively, copy the files in bin to your PATH.
Usage
-----
otpsh provides three executables:
* otpreset creates the pre-shared one-time passwords.
* otpsh is the shell for pre-shared one-time passwords.
* totpsh is the shell for time-based one-time passwords.
To configure totpsh, create the file .totp with one secret key per line,
each encoded in base32.
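To show what a time-based shell such as totpsh has to do with a base32 secret from .totp, here is an added example of RFC 6238 TOTP verification written for this page; it is not totpsh's own code. The secret below is the RFC 4226/6238 test key "12345678901234567890" in base32, and the 30-second step, six digits and the one-step drift window are the usual defaults, assumed here rather than taken from totpsh.

```python
# Added example (not totpsh's code): verify a TOTP code against base32
# secrets stored one per line, as in a .totp file. Python 3.5 stdlib only.
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test key "12345678901234567890", base32-encoded; stands in
# for one line of a .totp file.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(line):
    """Decode one base32 line; tolerate lowercase, spaces and missing padding."""
    cleaned = line.strip().replace(" ", "").upper()
    padding = "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned + padding)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{}d}".format(code % (10 ** digits), digits)


def totp(key, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(secret_lines, candidate, at_time=None, step=30, window=1):
    """Return True if `candidate` equals the TOTP of any configured secret for
    the current step or one within +/- `window` steps (clock drift tolerance).
    Every candidate is compared with hmac.compare_digest and no early exit is
    taken, so timing does not reveal which secret or step matched."""
    if at_time is None:
        at_time = time.time()
    candidate = candidate.strip()
    counter = int(at_time) // step
    ok = False
    for line in secret_lines:
        if not line.strip():
            continue  # skip blank lines in the secrets file
        key = decode_base32_secret(line)
        for drift in range(-window, window + 1):
            ok |= hmac.compare_digest(hotp(key, counter + drift), candidate)
    return ok


if __name__ == "__main__":
    # Print the code a client would show right now for the sample secret.
    print(totp(decode_base32_secret(SAMPLE_SECRET_B32), time.time()))
```

A real shell would read the lines from ~/.totp, prompt with getpass, and only then exec the shell named by SHELL; replaying an already-accepted code within the same step is still possible with this check alone, so a deployment that cares about that also remembers the last accepted counter per secret.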
To configure otpsh, run "otpreset" to generate the passwords.
A few passwords will be printed; write them down.
$ otpreset
pecrd
0vpy9
rgj4a
b3yrm
bdzdx
2oyfv
amxar
pcq47
Then run "totpsh" to log in with time-based authentication or "otpsh" to log in
with pre-shared one-time passwords. You can do this from your login shell for
testing, but that is not useful for securing your account, of course; you should
set up SSH authorized keys or similar to run otpsh.
I suggest that you configure otpsh or totpsh to be run when you log in, but not
as the login shell. If you use SSH, you can add a line like this to your
authorized_keys file; the command= option makes sshd run totpsh for that key
regardless of the command the client asks for.
command="totpsh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFdqtsqH4+6PaiEwwAUw6c1I810jgm8kNniaFbffewm rmarrone@lizardland
Options
-------
otpsh and totpsh read the SHELL environment variable to choose which shell to
open on successful authentication. They take no other options.
otpreset takes several options for setting the password properties.
$ otpreset --help
SYNOPSIS
otpreset [-help] [options]
DESCRIPTION
Reset the one-time passwords in the otpsh database.
INPUTS
(None)
OPTIONS
db: Database file
chars: Characters to use for passwords
length: Password length
count: How many passwords
seconds: Size of interval during which maxfail failures are allowed
maxfail: Number of failures allowed within the seconds interval
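To make the otpreset options concrete, here is an added example, written for this page and not otpreset's or otpsh's own code, of a pre-shared one-time password list with the properties those options name: passwords of `length` characters drawn from `chars`, `count` of them, each usable once, and a throttle that refuses further attempts once `maxfail` failures have occurred inside any `seconds`-long interval. The alphabet, the in-memory database, the PBKDF2 hashing of stored passwords and the `now` parameter used for testing are all assumptions of the example.

```python
# Added example (not otpreset's or otpsh's code): generate a list of
# one-time passwords and authenticate against it with a failure throttle.
import hashlib
import hmac
import os
import random
import time

# Assumed alphabet; otpreset's default `chars` is not stated on this page.
DEFAULT_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789"


def generate_passwords(count=8, length=5, chars=DEFAULT_CHARS):
    """Generate `count` passwords of `length` characters from `chars`,
    drawn from the OS CSPRNG (random.SystemRandom wraps os.urandom)."""
    rng = random.SystemRandom()
    return ["".join(rng.choice(chars) for _ in range(length)) for _ in range(count)]


def hash_password(password, salt):
    """Slow salted hash so that a copied database does not reveal unused passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100000)


class OtpDatabase:
    """In-memory stand-in for the otpsh database file (assumed layout).
    Each password can be used once. After `maxfail` wrong attempts within
    any `seconds`-long interval, every attempt is refused until old
    failures age out of the interval."""

    def __init__(self, passwords, seconds=600, maxfail=3):
        self.salt = os.urandom(16)
        self.unused = {hash_password(p, self.salt) for p in passwords}
        self.seconds = seconds
        self.maxfail = maxfail
        self.failures = []  # timestamps of recent failed attempts

    def _recent_failures(self, now):
        """Drop failures older than the interval and return how many remain."""
        cutoff = now - self.seconds
        self.failures = [t for t in self.failures if t > cutoff]
        return len(self.failures)

    def authenticate(self, candidate, now=None):
        """Return True and consume the password if it matches an unused one.
        A wrong password is recorded as a failure; while locked out the
        candidate is not even checked, so lockout cannot be probed."""
        if now is None:
            now = time.time()
        if self._recent_failures(now) >= self.maxfail:
            return False
        digest = hash_password(candidate.strip(), self.salt)
        match = None
        # Compare against every stored hash without early exit.
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            self.failures.append(now)
            return False
        self.unused.discard(match)  # one-time: never accept it again
        return True


if __name__ == "__main__":
    # Mirror otpreset's behaviour: print the fresh passwords for the user to write down.
    for password in generate_passwords():
        print(password)
```

Consuming the password on success is what makes a captured keystroke log useless: the logged password has already been removed from the set. The throttle bounds online guessing independently of password length, which is why `seconds` and `maxfail` matter as much as `chars` and `length`.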