Debian – Ubuntu, S/Key and OPIE

Been looking for a simple way to enabling  S/Key support in Linux. Once I found out the magical keyboards being OPIE and PAM it became almost trivial to allow ssh-logins using One Time Passwords (OTP).

The following instructions are specifically written to apply on Debian and Ubuntu. On a general note the concept should work on any Linux system using OpenSSH and PAM.

First of all you should install the package opie-server. It will give you the necessary PAM-module and some accompanying tools.

Now edit /etc/pam.d/ssh, remove (comment) the inclusion of common-auth, and add these lines.

auth       sufficient pam_unix.so
auth       sufficient pam_opie.so
auth       required  pam_deny.so

If you only want allow OTP-logins; this line will do.

auth       required   pam_opie.so

Next it’s time to edit /etc/ssh/sshd_config.

ChallengeResponseAuthentication yes

That’s it. Restart your sshd and it will be ready to accept OTP-logins. To initialize a user; run opiepasswd (equivivalent of keyinit). Responses are generated using opiekey.

Client-side it’s usually enough to install the package opie-client.

  1. Just wondering, does the one time password feature override the main password, or it increase the security by using a two-factors authentication scheme?

    Thanks, and nice article.

  2. The OTP-info is stored in a separate file.
    (/etc/opiekeys)

  3. The name of the file on an Ubuntu 10.04 system, at least, is /etc/pam.d/sshd, not /etc/pam.d/ssh.

Leave a Comment