
8/16/2011 2:47 PM :: Authentication methods in OpenBSD


Authentication methods in OpenBSD

By Brandon Parker and Jos Nazario on September 29, 2004 (8:00:00 AM)

OpenBSD supports several authentication methods besides a simple password. Here are some ways you can keep your systems safe. This article is excerpted from the recently published book Secure Architectures with OpenBSD.

To use these alternate login methods, the username is changed and OpenBSD processes the authentication in the background. By default, the only authentication methods that are allowed are simple passwords and S/Key. To specify a different authentication method, the username has the authentication method appended to it after a colon:

    login: bpalmer:skey
    otp-md5 95 psid06473
    S/Key Password:

passwd

The standard authentication method is the passwd method. It takes the name of the user, looks up the password hash in the /etc/master.passwd file, and compares it with the hash of the password provided by the user.

S/Key

In some installations, S/Key is the most common login method. It is used when no secure way to log in exists and a password would otherwise have to be entered in plain text. Examples are FTP and Telnet, where the login is not encrypted at all. OpenBSD supports S/Key for numerous services, including ftpd, telnetd, and sshd. The problem with tools like Telnet and FTP is that their plaintext logins pass over the network and can be sniffed. In contrast, services like sshd use encryption to send information without that danger. Rather than a plaintext password, S/Key sends a challenge and the remote user sends back a response. The response is still sent in plain text, but it is one-time information and does not contain the password, so capturing it does not pose any danger. To use S/Key, the user must first set it up on the system that will receive the logins. This is done as follows:
    # skeyinit bpalmer
    Reminder - Only use this method if you are directly connected
               or have an encrypted channel. If you are using telnet
               or rlogin, hit return now and use skeyinit -s.
    [Adding bpalmer with md5]
    Enter secret passphrase:
    ERROR: Your passphrase must be at least 10 characters long.
    Enter secret passphrase:
    Again secret passphrase:
    ID bpalmer skey is otp-md5 99 orio71643
    Next login password: WAD GALA FLAT ARTS SHOD LIEU

The user is first asked for a password (the user's normal login password) and then for an S/Key secret passphrase. This is done so that the S/Key passphrase will be different from the system password, or so that the user can use only S/Key (if no local system password is set). The number 99 indicates that 99 keys are available before the user needs to repeat the skeyinit process. If run as root, the skeyinit tool can set an S/Key passphrase for any user:
    root@orion:/root# skeyinit brandon
    Reminder - Only use this method if you are directly connected
               or have an encrypted channel. If you are using telnet
               or rlogin, hit return now and use skeyinit -s.
    [Updating brandon with md5]
    Old seed: [md5] orio87272
    Enter secret passphrase:
    Again secret passphrase:
    ID brandon skey is otp-md5 99 orio87273
    Next login password: DEAR ALSO MONK GINA FRET STOW

Getting passphrases

There are two main ways to use S/Key once the keys are set up. The user either has access to an S/Key generator or has printed out the next keys in the sequence. To generate the next 10 keys, the user would issue the following commands:

    $ skeyinfo
    98 orio87273
    $ skey -n 10 98 orio87273
    Reminder - Do not use this program while logged in via telnet or rlogin.
    Enter secret password:
    89: OH BUFF FOUL LAMB INK BALD
    90: NILE FROG GRIM HANS NON ANTI
    91: LEO BESS ELK NASH COIN SUNK
    92: MARS HUH AMMO FAST MUCK DEAL
    93: BUST ROVE AWN FRET FED BERN
    94: ANTI LOVE AL HOWE BUCK RANK
    95: ADDS AWRY BOCK SUIT SUN JUNO
    96: CRAY SOY DOT WAST SELF SOB
    97: ABEL LORD CHIN JANE TUBA SEEN
    98: CASE GRIN ROOK TWIN BOG LAW

The first command asked what the next key would be. The system told us that it would be sequence number 98 with seed orio87273. This means that we could Telnet to the system and use CASE GRIN ROOK TWIN BOG LAW as our next password.
    $ telnet orion
    Trying
    Connected to orion.
    Escape character is '^]'.
    login: brandon:skey
    otp-md5 98 orio87273
    S/Key Password:
    S/Key Password [echo on]: CASE GRIN ROOK TWIN BOG LAW
    OpenBSD 3.3 (GENERIC) #2: Fri Feb 21 13:16:59 MST 2003
    Welcome to OpenBSD: The proactively secure UNIX-like operating system.

When asked for a username, we entered the username followed by a colon and then the login method we wanted to use, S/Key. The challenge and sequence followed. We chose to enter the passphrase with the echo on. FTP would work in the same way.
    $ ftp orion
    Connected to orion.
    220 orion. FTP server (Version 6.5/OpenBSD) ready.
    Name (orion:jose): jose:skey
    331-otp-md5 96 orio87273
    331 S/Key Password:
    Password:
    230-OpenBSD 3.3 (GENERIC) #2: Fri Feb 21 13:16:59 MST 2003
    230-
    230-Welcome to OpenBSD: The proactively secure UNIX-like operating
    230-system.
    230
    230 User jose logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>
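The challenge/response exchange shown in the Telnet and FTP sessions above, as an added example that is not part of the original article and not OpenBSD's skey(1)/skeyinit(1) code. It implements the RFC 2289 MD5 chain ("otp-md5") for both the calculator side and the server check, so you can see why a sniffed one-time password is harmless: the server keeps only the hash for sequence number n, the user answers for n-1, and a replayed answer fails. The passphrase and the SkeyRecord layout are constructed for the example; the seed orio87273 is borrowed from the transcripts; the six-word encoding used in the article is omitted in favour of the hex form, which RFC 2289 servers also accept.

```python
"""RFC 2289 (S/Key) one-time password chain, MD5 variant ("otp-md5").

Added example modelling the skey calculator and the server-side check.
Not OpenBSD's own implementation.
"""
import hashlib
from dataclasses import dataclass


def f_md5(data: bytes) -> bytes:
    """One step of the chain: MD5, then fold the 16-byte digest to 8 bytes
    by XORing the two halves (RFC 2289 section 2, MD5 folding)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, n: int) -> bytes:
    """Client side (what skey(1) computes): the one-time password for
    sequence number n. The seed is lowercased and concatenated with the
    secret passphrase, hashed once to start the chain, then n more times."""
    key = f_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        key = f_md5(key)
    return key


@dataclass
class SkeyRecord:
    """What the server keeps per user (assumed layout; OpenBSD stores the
    equivalent in its skey database): seed, current sequence number and the
    8-byte value for that number. The passphrase itself is never stored."""
    seed: str
    seq: int
    stored: bytes


def skeyinit(passphrase: str, seed: str, count: int = 99) -> SkeyRecord:
    """Server enrolment, as skeyinit(1) does: compute the password at the
    top of the chain (99 by default) and store only that."""
    return SkeyRecord(seed=seed, seq=count, stored=otp_md5(passphrase, seed, count))


def challenge(rec: SkeyRecord) -> str:
    """The line the login prompt prints, e.g. 'otp-md5 98 orio87273'."""
    return f"otp-md5 {rec.seq - 1} {rec.seed}"


def verify(rec: SkeyRecord, response: bytes) -> bool:
    """Server side: the user answers the challenge for seq-1. Hashing that
    answer once more must reproduce the stored value for seq. On success the
    answer becomes the new stored value and seq counts down, so the same
    answer, captured off a Telnet session, is rejected next time."""
    if f_md5(response) != rec.stored:
        return False
    rec.stored = response
    rec.seq -= 1
    return True


def parse_hex_response(text: str) -> bytes:
    """Clients may send the 8-byte OTP as 16 hex digits instead of six
    dictionary words; the 2048-word dictionary for the word form is omitted."""
    return bytes.fromhex(text.replace(" ", ""))


if __name__ == "__main__":
    # Constructed values: the passphrase is made up; the seed matches the
    # article's transcripts so the challenge strings look familiar.
    secret = "correct horse battery staple"
    rec = skeyinit(secret, "orio87273")
    print(challenge(rec))                         # otp-md5 98 orio87273
    answer = otp_md5(secret, "orio87273", 98)
    print("first login:", verify(rec, answer))    # True
    print("replay     :", verify(rec, answer))    # False
    print(challenge(rec))                         # otp-md5 97 orio87273
    print("next login :", verify(rec, otp_md5(secret, "orio87273", 97)))  # True
```

The replay check is the whole point of the counter: once the value for 98 has been accepted it becomes the stored value, and the next challenge asks for 97, which cannot be derived from 98 without the passphrase.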

Of course, the user won't always be able to, nor want to, carry around a list of passphrases. Thus we need tools to generate the passphrases. A few are available for each platform:

OpenBSD
The skey program is used:

    $ skey 97 orio87273
    Reminder - Do not use this program while logged in via telnet or rlogin.
    Enter secret password:
    ABEL LORD CHIN JANE TUBA SEEN

Palm OS
The Pilot/OTP program can be used. It can be found through a search engine.

Windows
The winkey.exe program is a simple tool for generating S/Key passphrases. You can find it with a Web search engine as well.

sshd setup and usage with S/Key

In addition to Telnet and FTP, S/Key can be used with sshd. If SSH is encrypted, why would anyone need S/Key? Because the remote client isn't always trusted. When public workstations are set up at a convention, for example, one can't be sure that keystroke loggers aren't running on them. With an S/Key calculator running on a separate device such as a Palm Pilot, those workstations can be used with confidence, since the one-time password typed there is useless once it has been used. The only changes needed to use S/Key are to enable UseLogin in the sshd_config file and to restart sshd:

    UseLogin yes

To ssh with S/Key, use the following:

    hacker@unsafe:/home/hacker$ ssh brandon:skey@server
    otp-md5 97 serv87273
    S/Key Password:
    Last login: Sun Apr 3 20:58:14 on ttyp1 from client.
    OpenBSD 3.3 (GENERIC) #44: Sat Mar 29 13:22:05 MST 2003
    Welcome to OpenBSD: The proactively secure UNIX-like operating system.

The OpenSSH system integrates cleanly with the login methods described here, provided they have been set up properly.

Additional login classes

Additional login classes can be specified in the configuration file /etc/login.conf. This file works by specifying a login class and then the options for that class. The following variables work for the auth keyword, which specifies the authentication types. S/Key support would be added by using the auth=skey parameter. Login classes are defined as either the default or some specified class. The class is given in the file /etc/master.passwd, in the field after the group ID. For example, a user whom we wanted to control through the class visitors would have a password file entry like the following:
    jose:$2a$06$shki2fo4.t2e7mtSAGQwoejga7rm2lb6RkjahhfCmiFysXj0CXiDi:\
        1000:1000:visitors:0:0:jose:/home/jose:/bin/ksh

This defines the user's class as visitors. Then, a login class visitors would be defined in the file login.conf:
    visitors:\
        :datasize-cur=64M:\
        :datasize-max=infinity:\
        :maxproc-max=256:\
        :maxproc-cur=128:\
        :auth=skey,radius,passwd:

This would allow the visitors class to authenticate via S/Key, RADIUS, or a local password. The rest of this section discusses these authentication methods.

lchpass

OpenBSD allows the user to change his or her password using several authentication methods. The first technique is to change the user's password on the local machine:

    $ login
    login: bpalmer:lchpass
    Changing local password for bpalmer.
    Old Password:
    New password:
    Retype new password:

The lchpass approach operates almost identically to a local password change for the user.

chpass

The next method, chpass, is used to change the primary password system for the user. It differs from lchpass in that it can change the Kerberos password if the user normally authenticates via Kerberos. It defaults to changing the local password, operating as lchpass does, if Kerberos is not available.

Token-based authentication methods

Varying degrees of support for token-based authentication (such as smart cards) exist in OpenBSD. However, this support is often hampered by access to such hardware. We will mention some of the tools available for such authentication, but because we also lack the needed hardware, we will not give any details on using these methods. These methods share one characteristic: use of the command tokeninit to initialize the system and add or remove users.

ActivCard authentication

The activ authentication method works with ActivCard tokens. When the user logs in with this method, the user is looked up in the /etc/active.db file. This activity is controlled by the activadm command.

SecureNet authentication

Another token-based authentication method utilizes SecureNet key tokens. This method is controlled via the snk command, which is similar to the activadm command.

CRYPTOCard authentication

The crypto method controls the use of CRYPTOCard tokens to authenticate. It works via the command login crypto. This method is controlled by the cryptoadm command, which is almost identical to snkadm and activadm.

SecureID

At the time of writing, there was no complete method for SecureID login. Several sites continue to discuss this issue, but nothing exists yet.

Kerberos krb-or-pwd

This authentication method first attempts to log the user in using Kerberos and then, if that fails, with a normal local login. It would be a good first method if Kerberos were installed on a system but not used for all users (such as root).

radius method

If the OpenBSD server is configured with a radiusd server, the user can log in using that server for authentication with this method. The radiusd server is not discussed here, but two versions are available in the ports tree.

reject method

The reject method, as the name implies, always rejects login attempts. It is useful for preventing certain types of logins, such as ftp, as shown in the manual page for reject:

    :auth=krb-or-pwd,kerberos,passwd:\
    :auth-ftp=reject:

The user is allowed to log in with krb-or-pwd, kerberos, or passwd, but no ftp logins of any sort are allowed, because the auth-ftp entry overrides the auth list for that service.
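How the class field in master.passwd and the auth/auth-<service> entries in login.conf combine, worked through as an added example that is not part of the original article and not OpenBSD's login_cap(3) code. It parses both files in their getcap-style form and answers, for a user and a service, which authentication styles apply; this is the check an administrator wants before relying on an auth-ftp=reject entry. The master.passwd and login.conf contents are constructed for the example (the visitors record and jose's entry follow the article; the staff class reuses the reject manual page's pair; bpalmer's and guest's entries are made up). Assumptions: tc= chaining between classes is not handled, and a record without an auth entry falls back to passwd, as login.conf(5) describes.

```python
"""Resolve which login.conf authentication styles a user gets per service.

Added example, not OpenBSD's login_cap(3) implementation. Handles the
colon-separated capability records with backslash continuation lines that
login.conf uses; 'tc=' inheritance is deliberately not implemented.
"""

# Constructed /etc/master.passwd lines: 'jose' follows the article;
# 'bpalmer' (class staff) and 'guest' (empty class field) are made up.
MASTER_PASSWD = """\
jose:$2a$06$shki2fo4.t2e7mtSAGQwoejga7rm2lb6RkjahhfCmiFysXj0CXiDi:1000:1000:visitors:0:0:jose:/home/jose:/bin/ksh
bpalmer:*:1001:1001:staff:0:0:Brandon Palmer:/home/bpalmer:/bin/ksh
guest:*:1002:1002::0:0:Guest:/home/guest:/bin/ksh
"""

# Constructed /etc/login.conf: 'visitors' is the article's record; 'staff'
# carries the auth/auth-ftp pair from the reject manual page example.
LOGIN_CONF = r"""
# default class: local passwords only
default:\
    :datasize-cur=64M:\
    :auth=passwd:

visitors:\
    :datasize-cur=64M:\
    :datasize-max=infinity:\
    :maxproc-max=256:\
    :maxproc-cur=128:\
    :auth=skey,radius,passwd:

staff:\
    :auth=krb-or-pwd,kerberos,passwd:\
    :auth-ftp=reject:
"""


def parse_login_conf(text: str) -> dict:
    """Return {class_name: {capability: value}}; boolean capabilities
    (no '=') are stored as True. Continuation lines are joined first."""
    joined = text.replace("\\\n", "")
    classes = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        name, caps = fields[0], {}
        for cap in fields[1:]:
            if not cap:               # empty field between ':' separators
                continue
            key, sep, value = cap.partition("=")
            caps[key] = value if sep else True
        classes[name] = caps
    return classes


def user_class(master_passwd: str, user: str) -> str:
    """Field 5 of the user's entry (name:pw:uid:gid:class:...); an empty
    class field means the 'default' class."""
    for line in master_passwd.splitlines():
        fields = line.split(":")
        if fields and fields[0] == user:
            return fields[4] or "default"
    raise KeyError(user)


def auth_styles(classes: dict, cls: str, service: str) -> list:
    """Lookup order per login.conf(5): the class record (or 'default' if the
    class has no record), 'auth-<service>' before 'auth', else 'passwd'."""
    caps = classes.get(cls)
    if caps is None:
        caps = classes.get("default", {})
    for key in (f"auth-{service}", "auth"):
        if key in caps:
            return caps[key].split(",")
    return ["passwd"]


def resolve(user: str, service: str,
            master_passwd: str = MASTER_PASSWD, login_conf: str = LOGIN_CONF) -> list:
    """Styles allowed for this user when logging in through this service."""
    classes = parse_login_conf(login_conf)
    return auth_styles(classes, user_class(master_passwd, user), service)


def login_permitted(styles: list) -> bool:
    """'reject' always fails, so a service whose only style is reject is closed."""
    return styles != ["reject"]


if __name__ == "__main__":
    for user, service in [("jose", "login"), ("jose", "ftp"),
                          ("bpalmer", "login"), ("bpalmer", "ftp"), ("guest", "ftp")]:
        styles = resolve(user, service)
        print(f"{user:8} {service:6} -> {','.join(styles):28} permitted={login_permitted(styles)}")
```

Note that jose, in the visitors class, still gets S/Key, RADIUS and passwd for ftp because that class has no auth-ftp entry; only the staff class closes ftp, which is exactly the distinction the reject example makes.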




Comments on Authentication methods in OpenBSD

SecurID for OpenBSD
Posted by: Anonymous Coward on October 02, 2004 06:39 AM

It is technically possible to use the OpenBSD "radius" authentication method to authenticate to the RADIUS service that is included with the RSA ACE/SecurID server software.
