
27 Dec 2010

Safely log in to your computer at home from an Internet cafe with one-time passwords (OTP) and sshd

If you log in to your home computer from an Internet cafe, there's every chance someone could have logged what you typed. You can use the on-screen keyboard to get around that problem, but your on-screen movements can be tracked too.

What can you do?

One-time passwords are the answer. You use each one once, and then move on to the next one in the list.
However, as I found, they are not simple to get working in the first place. So, here's a quick guide.

Don't mess with this too much remotely, or be prepared for it to go wrong: you're changing how ssh login works here, and if you get it wrong (don't blame me) you'll be locked out.

/etc/ssh/sshd_config
will need "UsePAM yes" in it

then
/etc/pam.d/sshd
will need to look something like:

auth required pam_nologin.so
auth optional pam_afpmount.so
auth sufficient pam_ppp.so
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
#auth required pam_deny.so

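Basically, that will ask for the one-time password first (the pam_ppp.so line) and, if that fails, it will then ask you for your normal password. Each of those modules is marked "sufficient", so the first one that succeeds logs you in and a failure just moves on to the next line.
You can generate a list of passwords using the gmail-otp package, amongst others.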
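
A pre-flight check for the two files above, to run over their contents before restarting sshd on a machine you can only reach over ssh. This is an added example, not code from the original post: the function names are made up here, the sample stack is copied from the post, and the check does not follow "include" lines or sshd Match blocks.

```python
import re

# Constructed sample: the auth stack shown in the post.
PAGE_STACK = """\
auth required pam_nologin.so
auth optional pam_afpmount.so
auth sufficient pam_ppp.so
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
#auth required pam_deny.so
"""

def effective_use_pam(sshd_text):
    """Global UsePAM value sshd would use (first occurrence wins), or None."""
    for raw in sshd_text.splitlines():
        words = raw.split("#", 1)[0].lower().split()
        if words[:1] == ["match"]:  # conditional blocks follow; stop here
            break
        if words[:1] == ["usepam"] and len(words) > 1:
            return words[1]
    return None

def auth_stack(pam_text):
    """Active auth lines as [(control, module)], in file order."""
    pat = re.compile(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
    stack = []
    for raw in pam_text.splitlines():
        m = pat.match(raw.split("#", 1)[0].strip())
        if m:
            stack.append((m.group(1), m.group(2).rsplit("/", 1)[-1]))
    return stack

def check(sshd_text, pam_text, otp="pam_ppp.so", fallback="pam_unix.so"):
    """Return a list of problems; an empty list means the layout matches the post."""
    problems = []
    if effective_use_pam(sshd_text) != "yes":
        problems.append("sshd_config: UsePAM is not set to yes")
    stack = auth_stack(pam_text)
    mods = [mod for _, mod in stack]
    if otp not in mods:
        problems.append(f"pam: no active auth line for {otp}")
        return problems
    i = mods.index(otp)
    if stack[i][0] != "sufficient":
        problems.append(f"pam: {otp} is '{stack[i][0]}', not 'sufficient'")
    if fallback not in mods[i + 1:]:
        problems.append(f"pam: no {fallback} after {otp}; a broken OTP setup locks you out")
    return problems
```

Feed it the text of /etc/ssh/sshd_config and /etc/pam.d/sshd and keep an existing ssh session open until it returns an empty list and a fresh login has worked.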

The next thing you might need is a putty.exe-like Java applet, in case you can't plug a USB stick in at the cafe.


Hope this helps

2 comments:

Anonymous said...

It's

auth sufficient pam_ppp.so
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login

on Sabayon

Anonymous said...

Also, you can add

auth sufficient pam_ppp.so

to the top of /etc/pam.d/sudo

otherwise as soon as you need to do anything as root you'll expose your password