{"id":88,"date":"2008-11-08T11:14:50","date_gmt":"2008-11-08T01:44:50","guid":{"rendered":"http:\/\/www.clearchain.com\/blog\/?p=88"},"modified":"2008-11-08T11:15:34","modified_gmt":"2008-11-08T01:45:34","slug":"opie-one-time-keys","status":"publish","type":"post","link":"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys","title":{"rendered":"OPIE &#8211; One Time Keys"},"content":{"rendered":"<p>Using external SSH access with normal password authentication is dangerous. It is susceptible to the following problems:<\/p>\n<ul>\n<li> People can use weak passwords which are easy to hack<\/li>\n<li> A remote machine may have a key logger on it<\/li>\n<li> Someone may be performing a man-in-the-middle type attack<\/li>\n<\/ul>\n<p>Hence, if you wish to access a shell account or scp files remotely, you should consider either setting up public\/private keys or setting up <em>One Time Keys<\/em>.<\/p>\n<h2><span class=\"mw-headline\">Setting Up One Time Keys <\/span><\/h2>\n<p><a name=\"Log_in_to_the_box_.28AS_SECURELY_AS_POSSIBLE.29\"><\/a><\/p>\n<h3><span class=\"mw-headline\">Log in to the box (AS SECURELY AS POSSIBLE) <\/span><\/h3>\n<p>Logging in securely is important as you&#8217;ll be asked for a pass phrase. 
If this is compromised you&#8217;re in trouble.<\/p>\n<p><a name=\"Enable_OTP\"><\/a><\/p>\n<h3><span class=\"mw-headline\"> Enable OTP <\/span><\/h3>\n<p>Run:<\/p>\n<pre> opiepasswd -c<\/pre>\n<p>This will enable one time keys, asking you for the pass phrase as a seed for the cipher.<\/p>\n<p>Once run, one time keys are enabled.<\/p>\n<p>The output of the command (something like):<\/p>\n<pre> ID closebs OTP key is 499 wc8001\r\n THY HOOK TRY FREY DED DEDE<\/pre>\n<p>tells you a lot.<\/p>\n<ul>\n<li> The <em>499<\/em> is the number of the current One Time Password.<\/li>\n<li> The <em>wc80001<\/em> is the seed, a key that goes with your pass phrase if you want to generate the 499 login password.<\/li>\n<li> The <em>THY HOOK&#8230;<\/em> is the password for key 499<\/li>\n<\/ul>\n<p><a name=\"Finding_out_the_next_N_passwords\"><\/a><\/p>\n<h3><span class=\"mw-headline\">Finding out the next N passwords <\/span><\/h3>\n<p>To discover the next N One Time Passwords for printing use:<\/p>\n<pre> opiekey -n NUM SEQ KEY<\/pre>\n<p>where:<\/p>\n<ul>\n<li> NUM is the number of passwords to generate<\/li>\n<li> SEQ is the sequence number of the password to start with<\/li>\n<li> KEY is the key given for the cipher<\/li>\n<\/ul>\n<p>For example:<\/p>\n<pre> opiekey -n 10 499 wc80001<\/pre>\n<p>This will display 10 keys, starting with key 499 and using the key wc80001. This can be useful as you can then print out the keys and put them in your wallet\/purse. <em>WHAT<\/em> I hear you say?<\/p>\n<p>The reality is most passwords are broken by remote hackers. Whilst printing a list of one time passwords may seem insecure, the likelihood of someone going through your purse\/wallet to find the printed out keys is very low. 
If you are concerned about it, simply put a simple transposition in each key that only you will know about.<\/p>\n<p><a name=\"Disabling_OTP_access\"><\/a><\/p>\n<h3><span class=\"mw-headline\">Disabling OTP access <\/span><\/h3>\n<p>Help, my keys have been compromised!<\/p>\n<p>Get someone to run:<\/p>\n<pre> opiepasswd -d<\/pre>\n<p>in your account.<\/p>\n<p><a name=\"Changing_your_OTP_Pass_Phrase\"><\/a><\/p>\n<h3><span class=\"mw-headline\">Changing your OTP Pass Phrase <\/span><\/h3>\n<p>Simply run:<\/p>\n<pre> opiepasswd<\/pre>\n<p>This will ask you for the next OTP in order to allow you to change your key (in case you&#8217;re remote). Once changed, all your existing keys will become invalid.<\/p>\n<p><a name=\"Using_One_Time_Passwords\"><\/a><\/p>\n<h2><span class=\"mw-headline\"> Using One Time Passwords <\/span><\/h2>\n<p>Any time you try to ssh to the WCL, you will be presented with:<\/p>\n<pre> otp-md5 497 psfasdf ext\r\n Password:<\/pre>\n<p>This indicates you are required to provide password <em>497<\/em>. 
The seed is given so you can generate the required password using it and your pass phrase if required.<\/p>\n<p>Depending on the server setup, you can also enter your regular password at this point.<\/p>\n<p>There is no way of telling if the server will accept your regular password or not unless you know its configuration.<\/p>\n<p><a name=\"Your_Away.2C_don.27t_have_any_passwords_or_pub.2Fprivate_keys_but_have_access_to_a_secure_machine\"><\/a><\/p>\n<h3><span class=\"mw-headline\">You&#8217;re away, don&#8217;t have any passwords or pub\/private keys but have access to a secure machine <\/span><\/h3>\n<p>As long as you can guarantee the machine you are on is secure, then chances are you can generate yourself the next password in the sequence in order to be able to access the remote box.<\/p>\n<p>On the box you&#8217;re on, run:<\/p>\n<pre>   opiekey  SEQUENCENUM SEED<\/pre>\n<p>You can get SEQUENCENUM &amp; SEED just by sshing to the box and not logging in. You&#8217;ll need your pass phrase though.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Using External SSH access with normal password authentication is dangerous. 
It is susceptible to the following problems: People can use weak passwords which are easy to hack A remote machine may have a key logger on it Someone may be performing a man-in-the-middle type attack Hence if you wish to access a shell account or<a href=\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys\"> <font size=-2>[..more..]<\/font><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[65,71,70,72],"class_list":["post-88","post","type-post","status-publish","format-standard","hentry","category-other","tag-keys","tag-logging","tag-password","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>OPIE - One Time Keys - ClearChain<\/title>\n<meta name=\"description\" content=\"Using External SSH access with normal password authentication is dangerous. It is susceptible to the following problems: People can use weak passwords\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Benjamin Close\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys\"},\"author\":{\"name\":\"Benjamin Close\",\"@id\":\"https:\/\/www.clearchain.com\/blog\/#\/schema\/person\/aef6faa2c32188398139db9270ca1c98\"},\"headline\":\"OPIE &#8211; One Time Keys\",\"datePublished\":\"2008-11-08T01:44:50+00:00\",\"dateModified\":\"2008-11-08T01:45:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys\"},\"wordCount\":552,\"commentCount\":1,\"keywords\":[\"keys\",\"logging\",\"password\",\"security\"],\"articleSection\":[\"Other\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys\",\"url\":\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys\",\"name\":\"OPIE - One Time Keys - ClearChain\",\"isPartOf\":{\"@id\":\"https:\/\/www.clearchain.com\/blog\/#website\"},\"datePublished\":\"2008-11-08T01:44:50+00:00\",\"dateModified\":\"2008-11-08T01:45:34+00:00\",\"author\":{\"@id\":\"https:\/\/www.clearchain.com\/blog\/#\/schema\/person\/aef6faa2c32188398139db9270ca1c98\"},\"description\":\"Using External SSH access with normal password authentication is dangerous. 
It is susceptible to the following problems: People can use weak passwords\",\"breadcrumb\":{\"@id\":\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.clearchain.com\/blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"OPIE &#8211; One Time Keys\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.clearchain.com\/blog\/#website\",\"url\":\"https:\/\/www.clearchain.com\/blog\/\",\"name\":\"ClearChain\",\"description\":\"-= Daily Happenings =-\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.clearchain.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.clearchain.com\/blog\/#\/schema\/person\/aef6faa2c32188398139db9270ca1c98\",\"name\":\"Benjamin Close\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.clearchain.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/19dca0aa372edfa901b93c556dfda2e78ad4434558fe4d139598e086315d714a?s=96&d=mm&r=pg\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/19dca0aa372edfa901b93c556dfda2e78ad4434558fe4d139598e086315d714a?s=96&d=mm&r=pg\",\"caption\":\"Benjamin Close\"},\"sameAs\":[\"http:\/\/www.clearchain.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"OPIE - One Time Keys - ClearChain","description":"Using External SSH access with normal password authentication is dangerous. 
It is susceptible to the following problems: People can use weak passwords","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys","twitter_misc":{"Written by":"Benjamin Close","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys#article","isPartOf":{"@id":"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys"},"author":{"name":"Benjamin Close","@id":"https:\/\/www.clearchain.com\/blog\/#\/schema\/person\/aef6faa2c32188398139db9270ca1c98"},"headline":"OPIE &#8211; One Time Keys","datePublished":"2008-11-08T01:44:50+00:00","dateModified":"2008-11-08T01:45:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys"},"wordCount":552,"commentCount":1,"keywords":["keys","logging","password","security"],"articleSection":["Other"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys","url":"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys","name":"OPIE - One Time Keys - ClearChain","isPartOf":{"@id":"https:\/\/www.clearchain.com\/blog\/#website"},"datePublished":"2008-11-08T01:44:50+00:00","dateModified":"2008-11-08T01:45:34+00:00","author":{"@id":"https:\/\/www.clearchain.com\/blog\/#\/schema\/person\/aef6faa2c32188398139db9270ca1c98"},"description":"Using External SSH access with normal password authentication is dangerous. 
It is susceptible to the following problems: People can use weak passwords","breadcrumb":{"@id":"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.clearchain.com\/blog\/posts\/opie-one-time-keys#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.clearchain.com\/blog"},{"@type":"ListItem","position":2,"name":"OPIE &#8211; One Time Keys"}]},{"@type":"WebSite","@id":"https:\/\/www.clearchain.com\/blog\/#website","url":"https:\/\/www.clearchain.com\/blog\/","name":"ClearChain","description":"-= Daily Happenings =-","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.clearchain.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.clearchain.com\/blog\/#\/schema\/person\/aef6faa2c32188398139db9270ca1c98","name":"Benjamin Close","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.clearchain.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/19dca0aa372edfa901b93c556dfda2e78ad4434558fe4d139598e086315d714a?s=96&d=mm&r=pg","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/19dca0aa372edfa901b93c556dfda2e78ad4434558fe4d139598e086315d714a?s=96&d=mm&r=pg","caption":"Benjamin 
Close"},"sameAs":["http:\/\/www.clearchain.com"]}]}},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.clearchain.com\/blog\/wp-json\/wp\/v2\/posts\/88","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.clearchain.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.clearchain.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.clearchain.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.clearchain.com\/blog\/wp-json\/wp\/v2\/comments?post=88"}],"version-history":[{"count":3,"href":"https:\/\/www.clearchain.com\/blog\/wp-json\/wp\/v2\/posts\/88\/revisions"}],"predecessor-version":[{"id":91,"href":"https:\/\/www.clearchain.com\/blog\/wp-json\/wp\/v2\/posts\/88\/revisions\/91"}],"wp:attachment":[{"href":"https:\/\/www.clearchain.com\/blog\/wp-json\/wp\/v2\/media?parent=88"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.clearchain.com\/blog\/wp-json\/wp\/v2\/categories?post=88"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.clearchain.com\/blog\/wp-json\/wp\/v2\/tags?post=88"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}