One-Time-Passwords (OTPs) in the BSD systems derive from Bell Communications Research's orignal S/Key system from 1981. Bellcore provided their sources (skey v1.1). Others extended these with patches (such as adding alternative hash algorithms) and devised patches for services such as ftp to use these one-time passwords. Notable was the kit from the US Naval Research Labs (NRL), called OPIE (One-time Passwords In Everthing), avoiding the trademarked S/KEY moniker.
RFC 1760 "The S/KEY One-Time Password System" [1995] describes the system and provides a good bibliography. Followups are RFC 1938, obsoleted by RFC 2289, "A One-Time Password System", which made it to "STD0061".
Back then (in the eighties / early nineties) most TCP/IP traffic was not encrypted and one-time passwords were a significant aid against broken accounts. It was seldomly used in my circles back then (academia), though, and you looked pretty geeky/nerdy when you pulled out a slip of paper to lookup your next password.
These days, ssh has become the defacto standard for
remote access. Any paswords are encrypted when using
ssh, and more and more people are getting comfortable
with using public keys instead of passwords.
So: why still bother with one-time passwords?
I'm travelling around a bit, and it is often convenient to just use the computer of a client customer, friend, hotel lobby, or conference PC connected to the beamer to log into a home machine, without lugging my own laptop around. I generally trust the people I am visiting but can I trust their machines to not have been hacked from wherever and run some keylogger software? Just with my geekier friends.
Do I want to enter my password on these machines? No. Do I want to give access to my ssh private key to these machines? No.
One-time passwords combined with ssh are indeed an attractive option in these situations. So I had a fresh look into the current state of affairs. The last one had been twenty years ago, and I had forgetten everything by now.
You can give one-time passwords a try without having to fear anything bad or inconvenient:
You can use either password type whenever you like; you are not fixed on just one specific type at any time.
Here is sample session how to use the system, based on NetBSD's commands:
% skeyinit
Password:
[Adding neitzel]
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet
or rlogin, exit with no password and use skeyinit -s.
Enter secret password:
Again secret password:
ID neitzel skey is otp-md4 100 hack37924
Next login password: SOWN FLY MUTE NOR HONK FORE
The first password asked for your is about your standard system password. It is asked to authorize you, after all you are adding another access method to your account right now.
The second, "secret password" is one of the ingredients for generating the list of one-time passwords. You will need it later on to print your OTP list. The "secret password" is supposed to be independent of your system password, but truth be told: I just re-used my standard system password here, it fit the bill for "at least 10 characters".
The last paragraph is kind of "off-by-one" and highly
misleading. Yes, the system is now setup to provide a sequence of
up to 100 OTPs for you, but you will never encounter the
otp-md4 100 hack37924 OTP challenge above, and you can
just forget the "Next login password".
All OTP passwords are "fixed width" 64 bit values. They can get
rendered as hex strings (16 places) or as a sequence of six
pronouncable words. The phrase SOWN FLY MUTE NOR HONK
FORE above equate the hex value
e3028f039669a309 but are much easier to remember and
transcribe.
The following is going to be your real, first OTP challenge. You can enquire it anytime:
% skeyinfo
Your next otp-md4 99 hack37924
Look, Ma, 99 not 100!
At this point, your login prompt also changes:
% ssh -p 222 hackett
Password [ otp-md4 99 hack37924 ]:
You can now use either your usual password or the OTP matching
the current otp-md4 99 hack37924 challenge.
How to know that OTP? Create a list when you are in your trusted network and can re-enter the "secret password" from above safely:
% skey -n 5 -t md4 99 hack37924
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
95: BREW NE HA GERM CUNY HARM
96: TUM DEAF OTTO JILT TILE WOW
97: GILD SAN DOSE COCA SAIL BOMB
98: WING IRK LUSH BAY SARA BERG
99: OLDY PAT CAST GIG VAIL TRIO
So the OTP matching the the current challenge is the word
sequence OLDY PAT CAST GIG VAIL TRIO. You may enter
the sequence in lowercase but do not omit the spaces. You could
also enter the OTP's hex rendition (c7c649910b7f2fdf,
available through skey -x ...) if you enjoy to
flagellate yourself.
You could print a longer list with the next, say, twenty OTPs and put this little sheet into your wallet.
Mind you:
(1) This is close to the notorious passwords on yellow post-it stickers.
(2) OTP-ing from remote into your favourite jump-host just to issue long-time passwords from there and have these key-logged may not be the smartest move.
NetBSD 1.3.3 -- 9.99.x:
Has the skey suite in the base system:
skey(3) - one-time password (OTP) library
pam_skey(8) - S/Key PAM module
skeyinit(1) - change password or add user to S/Key authentication system
skeyinfo(1) - obtain the next S/Key challenge for a user
skeyaudit(1) - warn users if their S/Key will soon expire
skey(1) - respond to an OTP challenge
Possible hashes are: MD4 (default), MD5, SHA1
The heimdahl package comes with its own one-time
password tools, otp(1) and
otpprint(1).
OpenBSD:
Has the skey suite, too, but different from
NetBSD:
login_skey(8) utility to hook
S/Key services into other programs. (OpenBSD does not use the "PAM"
framework.)FreeBSD-4.7 and 12.1: provide the "opie" ("one-time passwords in everything") suite of tools in the base system:
opie(4), OPIE(4) - One-time Passwords In Everything
opieinfo(1) - Extract sequence number and seed for future OPIE challenges
opiekey(1), otp-md4(1), otp-md5(1) - Programs for computing responses to OTP challenges
opiepasswd(1) - Change or set a user's password for the OPIE authentication system
pam_opie(8) - OPIE PAM module
pam_opieaccess(8) - OPIEAccess PAM module
opiekeys(5), /etc/opiekeys(5) - OPIE database of user key information
opieaccess(5), /etc/opieaccess(5) - OPIE database of trusted networks
Usable hash algorithms: MD4 (compatible with Bellcore S/Key), MD5 (the default on FreeBSD).
DragonFlyBSD-5.8:
The DragonFly BSD Handbook has a chapter on security. It explains both the OPIE and S/Key suites in detail.
However, neither is in the base system anymore, or available as a package instead. DragonFlyBSD-5.6 was the last release coming with OPIE support.
During skeyinit, the first few letters of the
hostname (hackett here) and some random number form
the "seed" string: hack37924 here.
The seed string is concatenated with your "secret password".
This is hashed once, using the selected hash algorithm, say md4,
into md4("$seed$secret"), 128 bits. These are condensed ("take the
first half") into the 64 bits being the OTP matching the challenge
md4 1 hack37924.
Take the hash of previous hash, i.e.
md4(md4("$seed$secret")), condense those 128 bits that
into the 64 bit OTP matching challenge md4 2
hack37924.
Rinse and repeat, say a hundred times.
On NetBSD, the Pluggable Authentication Modules (PAM) framework
is used to to tie the SKEY/OPIE method into various services. As
soon as you have gone through the skeyinit procedure,
you can use your OTP list all over the place: the
system stanza makes it a default authentication
method. The following services have it explicitly enabled on top of
the default:
display_manager
ftpd
sshd
su
It will just work, without turning any knobs.
One small caveat: As already mentioned above, the optional,
non-base heimdahl package comes with its own OTP
system. Services from this package, such as popper(8),
are not tied to the pam_skey.so module. You need the
setup with otp(1) and thusly a separate OTP list to
use these services. Also, popper(8) needs the -a
otp option to rely on the OTPs.