One-time passwords
One-time passwords are (I think) more secure than plain passwords, at least for those situations where one can't just use proper key-authentication only.
What you need
- A Debian system. As of now, the "Sarge" (3.1) release is considered "stable".
- libpam-opie, opie-client, opie-server
How to configure the thingummy
- Edit /etc/ssh/sshd_config and set ChallengeResponseAuthentication yes, PasswordAuthentication no, PAMAuthenticationViaKbdInt yes, UsePAM yes and UsePrivilegeSeparation yes.
- Edit /etc/pam.d/ssh: remove the line @include common-auth and put auth sufficient pam_opie.so in its place, followed by auth required pam_deny.so.
How to use it
Run opiepasswd -c (read the READMEs! Run this only from a physical, secure console!), pick a good passphrase (not the same one as for your ssh key), and write down the seed it tells you. Now run opiekey -n 50 499 seed, where 50 is the number of OTPs you want, 499 is the sequence number you want them from, and seed is the seed opiepasswd gave you; you will be asked for the passphrase again.
Et voila. I guess.
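To show what opiekey is actually computing, and why the server never needs your passphrase, here is an added example (not from this post or from the OPIE package) that implements the RFC 2289 MD5 one-time-password chain in Python. It prints the hex form, as opiekey -x does; the six-word form needs the RFC's 2048-word dictionary and is left out, and the function names are my own.

```python
import hashlib


def _fold(digest: bytes) -> bytes:
    # RFC 2289, MD5 variant: XOR the two 64-bit halves of the 128-bit digest.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def _step(state: bytes) -> bytes:
    # The one-way function f(x) = fold(MD5(x)); OTP(n+1) = f(OTP(n)).
    return _fold(hashlib.md5(state).digest())


def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """64-bit OTP for sequence number seq: f applied seq times to
    fold(MD5(seed || passphrase)). The seed is lowercased as RFC 2289 requires."""
    state = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(seq):
        state = _step(state)
    return state


def otp_list(passphrase: str, seed: str, count: int, last_seq: int) -> dict:
    """What `opiekey -x -n count last_seq seed` prints: hex OTPs for the count
    sequence numbers ending at last_seq (450..499 for -n 50 499)."""
    first = last_seq - count + 1
    state = otp(passphrase, seed, first)  # compute the lowest one once ...
    table = {}
    for seq in range(first, last_seq + 1):
        table[seq] = state.hex().upper()
        state = _step(state)  # ... and step up the chain for the rest
    return table


def verify(stored_seq: int, stored_key: bytes, response: bytes):
    """Server side. The host record holds only (seq, OTP(seq)), never the
    passphrase. The user is challenged for OTP(seq-1), accepted iff
    f(response) == stored OTP(seq). Returns the new record or None."""
    if stored_seq <= 1:
        return None  # chain exhausted: the user must re-run opiepasswd
    if _step(response) != stored_key:
        return None
    return stored_seq - 1, response  # the record moves one step down the chain


if __name__ == "__main__":
    # RFC 2289 Appendix C test vector: passphrase "This is a test.", seed "TeSt".
    for seq, hexval in otp_list("This is a test.", "TeSt", 3, 99).items():
        print(f"otp-md5 {seq} test: {hexval}")
```

Because each login moves the host record down the chain, a printed list is only as safe as the paper it is on: anyone who reads an unused entry can log in once, and that entry stays valid until you use a lower-numbered one.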
Addendum, 2006/08/03:
Carrying the printed-out OTPs somehow didn't seem sufficiently secure to me, so I tried and (with some help) figured out how to combine the OTPs with my regular password. Just put
# OPIE for ssh
auth required pam_opie.so
auth sufficient pam_unix.so nullok_secure
into /etc/pam.d/ssh. That way, the system asks for the OTP first, then (regardless of whether the OTP was correct) for your regular password. Of course, you can only log in when both are correct.
And then there's JOTP, an OTP generator for Symbian OS phones/PDAs, so you don't have to carry a printed list with you anymore.