When you are away from home, you may need to access your machine through an SSH (or telnet, if you are still using it) client. The client machine will often be public and not administered by you, so you can't trust it. Who guarantees that it does not run a keylogger that captures your password?

In this situation, you can still log in by using a one-time password (OTP). Each of these passwords lets you log in to your machine only once, so even if somebody sniffs it, it is of no use to them afterwards. The disadvantage is that you have to carry a list of valid OTPs and make sure that nobody sees them before they have been used. Keep in mind what this does and does not protect: the OTP guards your login credential, but a compromised client still sees everything else you type or display during the session, so any other secret you enter there (a sudo password, a key passphrase) is captured as usual.

There are many OTP systems; the one I use is S/Key (skey), which comes with the default NetBSD installation; on other systems, check whether it is included or install it from the packages system. Furthermore, it is well integrated with SSH, so its setup is painless.

Start by enabling OTP passwords for your account by issuing skeyinit from the command line. It asks for your account's password and a passphrase: the first authenticates you and the second is the secret from which the whole OTP sequence is derived, so run skeyinit on the console or over a connection you trust, never from the kind of untrusted client you are protecting against. Once both have been entered, the program tells you the current sequence number and an identifier (the seed) for your keys. Take note of the identifier, as you will need it to generate further keys (if you are unsure, just store the entire output of the program). It will also show you your first OTP.

But one OTP is not enough, especially when you are away (since you can't generate more from there). So run the skey program, which takes two arguments: the sequence number and the key identifier you stored above. Additionally, pass it the -n 10 parameter to generate 10 OTPs (replace the number with the amount you want); it asks for your passphrase and prints the passwords for that sequence number and the nine below it. Then write all the listed passwords down on paper, keep the sheet in your wallet, and cross each one out as you use it.

Now you can safely log into your system 10 times. The login prompt tells you which sequence number it expects, and that number counts down by one with each successful login, so the passwords are used from the highest number to the lowest. If you need more passwords, call skey again with the sequence number the next login prompt asks for (the number just below the lowest one on your sheet). When the sequence approaches zero, run skeyinit again to start a fresh one.

Edit (18:37): In fact, you don't need to remember the identifier printed by skeyinit; simply running skeyinfo at any time will tell you your next OTP sequence number and identifier. Sorry for the confusion, but I was posting from a computer that didn't have these utilities and I couldn't verify it.
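To make the mechanics concrete, here is an added example, written for this page and not taken from NetBSD's skey sources: a small model of the RFC 2289 MD5 scheme that skey implements, showing what skeyinit, skeyinfo, skey -n and the login check each compute, and why a sniffed OTP cannot be replayed. The passphrase and seed are constructed sample values (the real skeyinit picks the seed for you), the functions skeyinit, skeyinfo and skey_list are named after the tools only for orientation, and the OTPs are shown in RFC 2289 hex form rather than the six-word form the real tools print by default (RFC 2289 requires servers to accept the hex form too).

```python
"""Model of S/Key (RFC 2289, MD5 variant): generator, server record, verifier.

Added example for this page, not the NetBSD skey code. PASSPHRASE and SEED are
constructed sample values.
"""
import hashlib
from dataclasses import dataclass

PASSPHRASE = "correct horse battery staple"  # constructed sample secret
SEED = "nb12345"                              # constructed sample seed (the "identifier")


def _step(data: bytes) -> bytes:
    """One S/Key MD5 step: hash, then fold the 16-byte digest to 8 bytes by XOR."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_hex(passphrase: str, seed: str, sequence: int) -> str:
    """OTP for one sequence number, as 16 upper-case hex digits.

    RFC 2289 seeds are case-insensitive, so the seed is lower-cased before it
    is concatenated with the passphrase. OTP n is the step function applied
    n times to that initial hash, so knowing OTP n-1 reveals nothing about OTP n.
    """
    key = _step((seed.lower() + passphrase).encode("ascii"))
    for _ in range(sequence):
        key = _step(key)
    return key.hex().upper()


@dataclass
class SkeyRecord:
    """What the server keeps per user: seed, sequence number, and OTP n (never the secret)."""
    seed: str
    n: int
    stored: str


def skeyinit(passphrase: str, seed: str, n: int = 100) -> SkeyRecord:
    """Enrol a user: compute OTP n once, on a trusted machine, and store it."""
    return SkeyRecord(seed=seed, n=n, stored=otp_hex(passphrase, seed, n))


def skeyinfo(rec: SkeyRecord) -> tuple[int, str]:
    """Sequence number and seed the next login will ask for (the server wants OTP n-1)."""
    return rec.n - 1, rec.seed


def skey_list(passphrase: str, seed: str, sequence: int, count: int = 10) -> list[tuple[int, str]]:
    """Model of `skey -n count sequence seed`: OTPs for sequence-count+1 .. sequence.

    These are the passwords you write down; they are used from the highest
    number downwards, one per login.
    """
    first = max(sequence - count + 1, 0)
    return [(i, otp_hex(passphrase, seed, i)) for i in range(first, sequence + 1)]


def verify(rec: SkeyRecord, response: str) -> bool:
    """Check one login response; on success, step the server record down by one.

    The response is accepted only if hashing it once yields the stored value.
    A replayed response hashes to the previous stored value, not the current
    one, so it is rejected; the same holds for skipping ahead in the sequence.
    """
    try:
        candidate = bytes.fromhex(response.replace(" ", ""))
    except ValueError:
        return False
    if len(candidate) != 8:
        return False
    if _step(candidate).hex().upper() != rec.stored:
        return False
    rec.stored = candidate.hex().upper()
    rec.n -= 1
    return True


def demo() -> dict:
    """Walk through the procedure in the text and report the outcome of each login."""
    rec = skeyinit(PASSPHRASE, SEED, n=100)             # skeyinit on the console
    seq, _seed = skeyinfo(rec)                          # skeyinfo reports 99 and the seed
    sheet = dict(skey_list(PASSPHRASE, SEED, seq, 10))  # the sheet in your wallet: 90..99
    out = {"sheet_range": (min(sheet), max(sheet))}
    out["login_99"] = verify(rec, sheet[99])            # first login: accepted
    out["replay_99"] = verify(rec, sheet[99])           # sniffed and replayed: rejected
    out["login_98"] = verify(rec, sheet[98])            # next login: accepted
    out["skip_to_95"] = verify(rec, sheet[95])          # out of order: rejected
    out["wrong_secret"] = verify(rec, otp_hex("guess", SEED, 97))  # wrong passphrase: rejected
    out["next_expected"] = skeyinfo(rec)[0]             # the prompt now asks for 97
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the same password being rejected when replayed and the expected sequence number counting down after each accepted login, which is exactly why the sheet must be used from the highest number down and why a sniffed OTP is worthless afterwards. To compare any implementation against the real tools, the reference values are the test vectors in RFC 2289 Appendix C.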


Comments from the original Blogger-hosted post: