Introduction: One Time Password for SSH Server (Windows and Linux)

About: I had a long break in my online activity, bad things happened in my life and I'm still trying to recover. Sorry folks that I was away for a long time and please be patient with me, I will be better in time, I …

I 'needed' a two-step authentication for my SSH server, or simply put, OTP is cool and really easy to deploy at a pro level; it's fun to install, configure and use. The knowledge you will get from here will work from Windows 2000 to Windows 8 and on Linux too (maybe on Macs too; I have never owned or used a Mac, so sorry Mac fans xD).

I will show you how to configure 3 popular SSH servers for the Windows platform and 1 for Linux. After you read it you will understand what to modify, and where, in any server and under any operating system.

There are some limitations to this method:
• port forwarding, client to server and server to client, IS NOT PROTECTED BY THE OTP
• SCP and SFTP file transfers ARE NOT PROTECTED BY THE OTP
Why? After the interactive login and/or the public/private keys, the above mentioned services DON'T NEED A SHELL.

We put the OTP challenge in place of the shell, and the OTP script only gives a shell when the answer is correct. Anything the server can serve without starting a shell therefore never sees the challenge.
That's why we need to disable port forwarding, SCP and SFTP.

PS - I know what a PAM module is and how to use it; this method is for servers that don't have PAM (?!!) or for people that don't know it or don't want to use it.

Step 1: FreeSSHd SSH Server - Telnet Server

This is a really small and nice (not feature rich) but freeware server.
http://www.freesshd.com/

The configuration is made in 10 mouse clicks (see the image below in original size for details).

In short: go to Users, make a user that has only Shell enabled and SFTP and Tunneling disabled. Second, on the SSH tab, set the shell to my script instead of cmd.exe. All done.

PS - If you wonder about the path that contains "Portable SSH", it is easily explained: I made a portable version of freeSSHd (it still needs Administrator rights).

Step 2: Bitvise SSH Server for Windows (WinSSHD)

Bitvise SSH Server for Windows, aka the old WinSSHD (yes, the name of the previous program is inspired by this one xD), is a full, feature-rich SSH server that goes into the pro region (even the free version has all you will ever need in 99% of the cases).
http://www.bitvise.com/winsshd

The configuration is made in 12 mouse clicks (see the image below in original size for details).

Go to Edit advanced settings -> Virtual accounts or Windows accounts (depending on how you set up your users), click the user name and hit the Edit button. Uncheck "group default", set the terminal shell to my script, then disable port forwarding s2c and c2s, followed by disabling SCP and SFTP. Hit OK, hit OK on the window behind it too, and you are done.

Step 3: OpenSSH for Windows ... or Linux Too :D

OpenSSH
http://sshwindows.sourceforge.net/

The configuration is made in 6 keyboard edits in two files (no more clicks and stuff; this comes directly from the Linux world).

Use Notepad or, like me, Notepad++ to edit sshd_config and passwd.

In passwd, for the user you want to add OTP to (yes, some users can have OTP and some not, is that not sweet?), replace the ending
part /bin/switch with the path to the OTP script, in this case /OATH/

In sshd_config, comment out (add # at the beginning of the line) AllowTcpForwarding yes (the default is not allowing it; or just set no instead of yes),
comment out Banner /etc/banner.txt (this is going to mess up your OTP system if not disabled) and now for SFTP, comment out Subsystem sftp /usr/sbin/sftp-server.

Save both files, restart service.

And you are done.

Step 4: OBSERVATIONS

The servers are presented in order of setup difficulty, from easy to hard (for the normal user).

1. FreeSSHd
2. Bitvise SSH Server (WinSSHd)
3. OpenSSH for Windows (or Linux)


For a beginner I recommend FreeSSHd, and for the normal user (that has never used Linux before) Bitvise SSH Server is the best choice.

Step 5: The Files

First you will need oathtool-1.10.0-cygwin.rar (this is the name and file type of the one attached below, in case the filename gets messed up).
The archive contains oathtool.exe, cygoath-0.dll and cygwin1.dll. It is the Linux version compiled for Cygwin.

You can compile it yourself from within Cygwin or you can grab it from here http://rubli.info/t-blog/2011/09/03/generating-oath-otps-on-windows-with-oathtool/

I put all 3 files in a folder called OATH.

Next you will need 2 script files:
Oath.cmd, the main script, and TOKEN2.cmd, the software token for Windows (testing purposes only); after that you can use software tokens for Android or iOS (I use Android and AndroidToken or TokenOne).

My setup is TOTP (RFC 6238), a time-based one time password with a validity window of 30 seconds. This means the clocks of your mobile devices or PC/laptop and of the server need to be in sync. Sync server and clients with an atomic clock (NTP protocol, port 123, anyone?).

Oath.cmd
---------start copy below this line---------
@echo off & setlocal EnableDelayedExpansion
set "oath="
set "result="
echo.
echo One Time Password required.
echo Enter your password now:
echo.
set /p "oath="
rem Accept only exactly six digits before the input reaches a command line.
rem User input expanded unquoted into the oathtool call would otherwise let
rem shell metacharacters run additional commands without a valid OTP.
if not "!oath:~6,1!"=="" goto ERROR
for /l %%I in (0,1,5) do (
    set "c=!oath:~%%I,1!"
    if "!c!"=="" goto ERROR
    if "!c!" lss "0" goto ERROR
    if "!c!" gtr "9" goto ERROR
)
rem When the OTP is valid oathtool prints the step offset (0 for the current step);
rem when it is not, stdout stays empty, so compare the quoted value.
"C:\Bitvise SSH Server\OATH\oathtool.exe" --totp 06cce8cf80aa529381361d06e57d8402d4daae50 --time-step-size=30 %oath% > result
set /p result= < result
del result
if "%result%"=="0" goto COMMAND
set "oath="
set "result="
goto ERROR
:COMMAND
cls
echo.
echo Authentication - SUCCESSFUL ...
echo.
echo [OTP SESSION: valid]
echo.
cmd.exe
rem End the session when the shell exits instead of falling through to the FAILED message.
exit
:ERROR
cls
echo.
echo Authentication - FAILED ...
echo.
echo [OTP SESSION: invalid]
echo.
exit
--------- stop copy above this line--------

The "strange number" 06cce8cf80aa529381361d06e57d8402d4daae50 is the secret token key; no one should know this one except you and the token programs. Once the key is entered, the programs 'spit' out a 6-digit OTP every 30 seconds without ever showing the secret key again.

PS - this is not my key, it is just freshly generated from a random string that got digested with SHA1.

TOKEN2.cmd
---------start copy below this line---------
@echo off & setlocal EnableDelayedExpansion
set "key=06cce8cf80aa529381361d06e57d8402d4daae50"
:top
set "oath="
set "result="
call :progress 0
cls
rem Show the current code on screen and keep a copy of it for re-checking.
oathtool.exe --totp %key% --time-step-size=30
oathtool.exe --totp %key% --time-step-size=30 > result
set /p oath= < result
del result
set "result=1"
oathtool.exe --totp %key% --time-step-size=30 %oath% > result
set /p result= < result
del result
if not "%result%"=="0" goto top
rem Once a second re-validate the saved code. While oathtool still answers 0
rem the code is current and the title-bar meter advances from 13 to 97 percent.
rem As soon as the 30-second step changes the check fails and a new code is shown.
for /l %%S in (1,1,30) do (
    set /a pct=3*%%S+7
    if %%S geq 2 call :progress !pct!
    ping 192.0.2.2 -n 1 -w 1000 > nul
    set "result=1"
    oathtool.exe --totp %key% --time-step-size=30 !oath! > result
    set /p result= < result
    del result
    if not "!result!"=="0" goto top
)
call :progress 100
goto top

:progress
set "ProgressPercent=%1"
set /a NumBars=%ProgressPercent%/2
set /a NumSpaces=50-%NumBars%
set "Meter="
for /l %%A in (%NumBars%,-1,1) do set "Meter=!Meter!I"
for /l %%A in (%NumSpaces%,-1,1) do set "Meter=!Meter! "
title Progress:  [%Meter%] %ProgressPercent%%%
exit /b
--------- stop copy above this line--------

The token is not optimised or made like a pro; it is a quick and dirty script written in around 30 seconds. :P

Now for more info, here is the man page for oathtool.exe: http://www.nongnu.org/oath-toolkit/oathtool.1.html

As you may already know, oathtool can be used in event-based HOTP (RFC 4226) mode and in time-based TOTP (RFC 6238) mode.
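To make concrete what oathtool computes in both modes, and why the clocks in Step 5 must agree, here is an added example in Python (not part of the original scripts or of the oath-toolkit project): HOTP per RFC 4226, TOTP per RFC 6238 built on it with the 30-second step Oath.cmd uses, and a verifier whose window argument shows the effect of clock drift. The constants are the page's example key and the RFC 6238 test key; the function names are my own.

```python
import hashlib
import hmac
import struct
import time

PAGE_KEY = "06cce8cf80aa529381361d06e57d8402d4daae50"  # the page's example key, hex as oathtool takes it
RFC_KEY = "3132333435363738393031323334353637383930"   # RFC 6238 test key "12345678901234567890"


def hotp(key_hex, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(bytes.fromhex(key_hex), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key_hex, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter replaced by the current time step (30 s here)."""
    return hotp(key_hex, unix_time // step, digits)


def verify_totp(key_hex, otp, unix_time, step=30, window=0, digits=6):
    """Return the step offset at which otp matches, or None when it does not.

    window=0 mirrors Oath.cmd, which only accepts an answer of 0 from oathtool.
    window=1 also accepts the previous and next step (oathtool's --window option),
    tolerating up to one step of drift between the token's clock and the server's.
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        # constant-time compare so a wrong guess leaks nothing about the right code
        if hmac.compare_digest(hotp(key_hex, counter + delta, digits), otp):
            return delta
    return None


def drift_demo(key_hex=PAGE_KEY, now=None):
    """A code from 30 s ago: rejected with window=0, accepted at offset -1 with window=1."""
    now = int(time.time()) if now is None else now
    stale = totp(key_hex, now - 30)
    return verify_totp(key_hex, stale, now), verify_totp(key_hex, stale, now, window=1)


if __name__ == "__main__":
    print("current TOTP for the page's key:", totp(PAGE_KEY, int(time.time())))
    print("stale code with window 0 / window 1:", drift_demo())
```

Run against the live clock, the first line should match what oathtool.exe prints for the same key; the second line shows the (None, -1) pattern that a client clock 30 seconds behind the server would produce.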

For the Linux people, you can just use a bash script that invokes oathtool in the same manner as the cmd script above.
For beginners, a starting point for the conversion: http://tldp.org/LDP/abs/html/dosbatch.html and http://www.backwoodrealm.com/home/index.php?option=com_content&view=article&id=72:windows-qdos-shellq-command-to-nix-bash-conversion-chart&catid=76:linuxunix&Itemid=58

FINAL NOTE:

• for paranoids you can make a three-step auth:
1. username and password
2. 2048-bit (or more) public/private keypair that is password protected (like a certificate)
3. TOTP (or HOTP) one time password

PS - for the uberparanoids: all of the above and ... accessing the server through a VPN (OpenVPN really rocks and there is a Windows version too) and putting it all behind a router with a firewall, IDS, ...

SCRIPTS ARE ADDED IN THE scripts.zip below