How To Get One Time Password In FreeBSD Using OPIE?


One-time Password In Everything(OPIE) is a security feature in FreeBSD that prevent a system from replay attack. In a replay attack, an attacker discovers the password of a user and use it to access the system. Since a password used only once in OPIE so discovered password is of little use to an attacker.

In this article, you will learn to generate and use the one-time password using OPIE to login to a remote FreeBSD system.

Adding a new user

First, you should try this feature by creating a separate user account so that you do not end up locking your remote server. You can use the following command to add a user on FreeBSD

# adduser

Once this command gets executed it will ask details such as username, password, home directory, etc enter it. Finally, confirm that the information provided is correct. Press y and then enter.

Here I added a user named lalit in my system.

Login into the newly created user account

Now from the current terminal enter the following command to login into newly created user account –

ssh user_name@ip_of_server

For example –

ssh lalit@localhost

This will ask the current user password, enter it to get proceeded. Login using ssh is important because the OPIE setup requires a secure terminal.

Enable OPIE for new user

Use the following command to enable the OPIE for the new user. Be careful, Once this gets enabled you will not be able to access the system with the normal password.

opiepasswd -c

Option -c tells the command that this system is trusted.

[alert color=”red”]Warning: Think before enabling OPIE for a user, once gets enabled the user will not be able to login to its account with the normal password[/alert]

When this command executes you will be asked to enter the secret passphrase, enter your passphrase at least ten characters long e.g my secret pass phrase.  Enter the same passphrase in the next line also.

If passphrase matches you will get a new OPIE seed and a randomized passphrase.

Here 499 is the iteration count and sr7612 is the OPIE seed. Now open the new terminal on your local machine and run the following command –

ssh lalit@localhost

You will receive the following output. It will ask you to enter the one-time password instead of a normal user password.

You have not created the one-time password yet so let’s create it.

Create the one-time password

First, close this terminal and back to the previous one where you are login with your username. And then run the following command –

opieinfo

You need to remember sequence number 498 and OPIE seed value sr7612 to generate the one-time password.

Now use the following command to generate the OTP –

opiekey 498 sr7612

or use –

opiekey `opieinfo`

This will ask you to enter your secret passphrase, enter it –

The last line which is highlighted in red containing six words is the OTP.

[alert color=”yellow”] Note: Always generate your one time password from a secure location[/alert]

Now open a new terminal and run –

ssh lalit@localhost

and then if it asks to enter a password, enter the newly generated one-time password. You will be successfully login into it.

Now open a new terminal and try to login into the same account by using –

ssh lalit@localhost

you will now see that sequence number is decremented by one.

To log in to this, you need to generate new OTP using sequence number 497 and seed value sr7612.

opiekey 497 sr7612

How to create multiple OTPs

It is possible that you do not have access to a trusted computer for a long period of time. So you can create multiple OTPs and can use them later to log in to your server multiple times. You can use the following command to create multiple OTPs –

opiekey -n 5 `opieinfo`

This command will generate five OTPs with the consecutive sequence number that you can use later to log in to your server.

To know more about OPIE you could visit FreeBSD One-time Passwords.

Conclusion

The OPIE is useful to those who travel to different places and access the server from public computers and networks. Now if you have anything to ask then you can write to us in the comments below.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.