This time on the show, we challenge you... to respond... then we'll authenticate ya! That's right, we're getting into Challenge Response Authentication. Plus, Two-Factor Authentication for SSH using the Google Authenticator and how not to lock yourself out of your own workstation. All that and more, this time on Hak5!


Challenge Response Authentication

  • Used in the 80's and 90's for copy protection (Wolfenstein SoD example)
  • DRYAD Example
    • Used for Authentication or Encryption by the US military
  • Keyboard Interactive is defined in an Internet-Draft submitted to the IETF in 2004, in which two Googlers describe "Generic Message Exchange Authentication for SSH"

Example of Lame-Ass-Challenge-Response-Authentication

  • Client initiates connection to server
  • Server asks for password
  • Client tells server password
  • Server lets client connect, they become BFF
  • Eavesdropping hacker now knows password

One-way hash

  • Takes input, returns hash value
  • Finding input from hash value is "computationally infeasible"
  • Popular functions include MD5, SHA

Example of proper Challenge-Response Authentication

  • Client initiates connection to server
  • Server "challenges" client by sending a random number
  • Client "responds" by using one-way hash to compute random number + password, sends result
  • Server uses same one-way hash to compute random number + password, verifies result
  • If result matches, client and server become BFF
  • Eavesdropping hacker now knows a random number and the resulting hash of said random number + the password :-(

Weaknesses in CRA

  • If a challenge is used more than once, the hacker can simply replay the hash
  • Mitigated by using long random numbers
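The proper exchange and the replay weakness above, as an added Python example that is not from the episode: the server picks the challenge, the client hashes challenge + password, and a captured response only gets replayed successfully when a short challenge happens to repeat. The demo password, the choice of SHA-256 and the nonce lengths are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared by client and server (not a real credential).
PASSWORD = "correct horse battery staple"


def respond(challenge: bytes, password: str) -> str:
    """Client side: one-way hash over challenge + password (SHA-256 here)."""
    return hashlib.sha256(challenge + password.encode()).hexdigest()


class Server:
    """Server side of the exchange. nonce_bytes controls how 'long' the random
    challenge is; a short one repeats quickly, which is the replay weakness."""

    def __init__(self, password: str, nonce_bytes: int):
        self.password = password
        self.nonce_bytes = nonce_bytes
        self.pending = None  # the challenge currently outstanding, if any

    def challenge(self) -> bytes:
        # The server, not the client, picks the random number (CSPRNG).
        self.pending = secrets.token_bytes(self.nonce_bytes)
        return self.pending

    def verify(self, response: str) -> bool:
        if self.pending is None:
            return False
        # Constant-time compare against the expected hash for the pending challenge.
        expected = respond(self.pending, self.password)
        self.pending = None  # each issued challenge is usable exactly once
        return hmac.compare_digest(expected, response)


def honest_login(server: Server, password: str):
    """Returns (accepted, what an eavesdropper saw: the challenge and response)."""
    c = server.challenge()
    r = respond(c, password)
    return server.verify(r), (c, r)


def replay_attempt(server: Server, captured, max_tries: int = 10_000) -> bool:
    """Replay the captured response only when the server repeats the captured
    challenge. Succeeds quickly for 1-byte nonces, never for 32-byte ones."""
    seen_c, seen_r = captured
    for _ in range(max_tries):
        if server.challenge() == seen_c:
            return server.verify(seen_r)
    return False
```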

SSH 2-Factor Authentication via Google Authenticator

Ubuntu 10.04 setup based off webbynode guide.

# Install Google Authenticator PAM module
$ cd ~
$ wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
$ tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
$ cd google-authenticator
$ sudo make install
# Edit /etc/ssh/sshd_config and change the ChallengeResponseAuthentication to yes
# Edit /etc/pam.d/sshd and add
# auth    required                        pam_google_authenticator.so
#*** Some guides recommend adding the above line to the /etc/pam.d/common-auth file.
#*** You'll wish you hadn't if you're testing this on your desktop with gnome/kde/etc ;-)
# Configure the user account
$ google-authenticator
# Follow the URL and scan the barcode with your phone's Google Authenticator app
# Restart sshd:
$ /etc/init.d/ssh restart
# Login as normal and you'll be prompted for a verification code in addition to your password

6 Comments

  • I’ve set this up and it works great when I ssh with localhost. However, when I try and ssh in from another machine using putty, the connection drops before asking for the username. Has anyone else experienced this with putty?

  • I got this working with a bit of effort on a CentOS 6.2 OpenVZ VPS. Few quirks to deal with but worked it out easily enough.

    Great article.

  • ashara 1 year ago

    This is great and just what I was looking for so thank you very much for showing us the way to Google Authenticator loving. ^_^

  • Thanks Mark!! You just ROCKED my day