Tag: palm

As old as good: One Time Passwords

Posted by – 12/09/2008

People frequently ask me what I am doing typing on my Palm right before logging in one of my remote systems. The answer is quite simple: “generating my next password”. People always seem puzzled by that answer… Maybe I am just too old to have had only telnet sessions available to remote connections (that was the time before SSH took over)… or maybe I am just too paranoid regarding the access to my systems… Anyway, I like One Time Passwords, and here is an article I can refer to when I get asked again 😉

One Time Passwords are just that: passwords that are good for one time use. They never repeat and once used you can throw it away securely. They were quite common when the authentication was done in clear text (so that any man-in-the-middle could steal your passwords), back in the r-tools age (rcp, rsh, rlogin, rexec, etc). After the SSH-related tools took over, providing easy tunneling and remote access, MITM attacks were of much concern, so OTPs became less relevant. What a shame, for they even have a couple of standards for those!

But there’s still room for OTPs… Question: Is it easier to deploy a MITM attack or a keylogger? That’s right… We are always connecting to our remote systems in public terminals (well… at least I am – right now typing from the hospital computer), and a keylogger is so easily installed in one of those terminals, even remotely, that no one would ever get close to deploy a refined MITM attack just to steal someone’s password. One would just install a keylogger! All the security SSH provides would just be gone by then. That’s why I use SSH to connect to my remote machines, but use OTPs to authenticate myself.

It’s so easy to deploy it. In Debian you’ll find packages opie-server and libpam-opie and those are the only things you’ll need on the server side (besides SSH, obviously). OPIE means “One-time Passwords In Everything”, and combined with PAM, one can really use it everywhere.

After installing it, you’ll have to generate the password file for your account:

spectra@home:~$ opiepasswd -c
Adding spectra:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:
 
ID spectra OTP key is 499 ho6484
HAVE COOK LOLA AIRY NEIL ROAM

The pass phrase will be used to generate the passwords in a step before your login. Please, try not to forget it (specially if you’re following this article and playing with some remote system at the same time). Now you can edit /etc/pam.d/ssh file (or its equivalent in non-Debian systems) to require that kind of authentication. Mine just looks like this:

# /etc/pam.d/ssh
auth       required     pam_env.so
auth       required     pam_env.so envfile=/etc/default/locale
auth       required     pam_opie.so

First two lines are unrelated and just load the environment variables. Last line is where the fun is. Please, note two things: (1) I removed references to pam_unix.so, which is what would ask for my “real” password, that I want to disable (no login is allowed with that password). And (2), I declared it as required, meaning that failing it will keep one out of the system.

We are not ready yet! SSH will work by now, but will not present you the OTP challenge. Probably you could still login, but you’d have to remember which is the current password (Trust me, you would not!). To get the challenge you’ll need to enable it – in /etc/ssh/sshd_config change the following line:

ChallengeResponseAuthentication yes

That’s it. Now to login to your remote machine, that’s what will usually happen:

spectra@hospital:~$ ssh home
otp-md5 498 ho6484 ext, Response:
spectra@home:~$

Voilà! It asks for password #498. By default, it starts with 500 passwords and goes down from that. Password #498 were asked, so the next will be #497. After that, #498 is not useable anymore, and #496 is not useable yet. You can generate a list of those passwords (let’s say 10), print it and keep it in your pocket. This is the command you’d use for that:

spectra@home:~$ opiekey -n 10 498 ho6484
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Sorry, but you don't seem to be on the console or a secure terminal.
Warning: Continuing could disclose your secret pass phrase to an attacker!
Enter secret pass phrase:
489: CALM INTO WEEK APS LOON VIE
490: HASH GYM RAID GOSH HOYT DUAL
491: BELL GIN RIFT HELM GUY BUNK
492: HEBE OBOE SUP LEG LULU LANG
493: HOYT JOT ASK JOG GIBE BETH
494: NASH MOOT HIND YEAH  YAP CARL
495: MATE OF BARD LAVA LEAK AHOY
496: TAB BAG KEY GILT AVID VEAL
497: MOLE FORM NIB LEER ROSS HAVE
498: SING WERE OVEN SOD VEIN NIBS

That is not so secure, since you can loose the paper and be doomed… Luckily there are lots of small softwares that does this generation for you. Some you can use from your Palm or from some J2ME-enabled phone (such as N95). Some your can use from another (trusted) computer. Some are even online, written in javascript!

There are at least one other side-benefit of using OPIE as above: You can give away your user password (even root password – OK, probably not a Good ThingTM), that the system would still be secure, since it only allows SSH authentications via OPIE! If the session is started with a username whose opiepasswd was not activated (first step… scroll back to the beginning of the article), SSH will greet you with a bogus challenge… only “opie-activated users” will be allowed to login with the above configuration.

Easy enough, isn’t it? Now, next time you see me typing on my Palm before opening an SSH connection you’ll know what I am doing… 😉

Recording with Palm TX

Posted by – 30/04/2008

I gave Brenda a Palm TX, so she can better organize her life. As a plus, it is wi-fi aware, so all sorts of interesting things can be done. Sadly, though, it doesn’t ship with a microphone (I still wonder why… it’s large enough to hold an embedded mic, just as Palm smartphones have). Lately, Brenda was talking about recording some sessions or holding her thoughts in one of those tiny memo-recorders, and this promptly stroke me as “another gadget to stuff her purse”… then I remembered having read that Palm TX have all that is required to hold a microphone, but the microphone…

I retrieved the Palm Multi-Connector pinout from Wikipedia and realized that all I had to do was attach an electret microphone to 16 and 17 pins and there we go. I ordered a charging cable just for the connector and here are the pictures I took of the building process:

The tools and pieces I used:

It’s easy to disassemble the connector. Take a close look at the attaching plastic hooks… there are four of them: two outside, near the pins, and two inside near the cable. Last two are harder to detach, but once you’ve detached the first ones, just hold the two pieces of the connector and easily shear them: one side will detach first.

The microphone have two terminals that already hold enough soldering tin. Beware to solder the “blue” cable (the one that goes with pin 16 – AGND) to the marked terminal of the microphone, and the “red” one (the one that goes with pin 17 – MIC_IN) to the unmarked one. (In the picture, my cables are all black, but the wires inside are “red” or “blue”. I could not get a good picture of the terminal markings).

I have dissolded the charging cables from pins 1, 3, 5, and 8, but that is up to you (you can just cut the main cable and leave the pins untouched). Also, while soldering the microphone cables to the connector, beware of using as little tin as possible. It’ll be even easier if you remove the pin from the connector… it’s easy to do if you have small pliers and careful fingers. Try first with one of the other pins that will not be used. Solder the “red” one to pin 17 and the “blue” one to pin 16.

I cut a piece of an old earphone cushion to close the charging cable hole (and to protect the microphone). Here is the final result:

Now, for the recording software, there’s a nice free software that does that perfectly for PalmOS: Better Recorder. Now Brenda can record her mind!