Brown University



Remote Access Guide to CFM/DAM Systems

For security reasons, remote access to systems on the CFM/DAM network is limited to fritz.cfm.brown.edu (CFM) or nemo.dam.brown.edu (DAM). After September 2002, only fritz.cfm.brown.edu and fritz.dam.brown.edu will work, since the CFM and DAM addresses have been merged; the CFM name will keep working as before for backward compatibility. These systems support Secure Shell (ssh) for terminal access and S/Key (OPIE) authentication for terminal and ftp access. This document describes each system's strengths and weaknesses and how to use it to access our network. Our main goal in employing these security measures is to prevent the cleartext transmission of passwords over a remote network, chiefly by telnet and ftp clients.

Ssh

S/Key (OPIE)

Which one to use?

Secure Shell (ssh)

Secure Shell (ssh) is a suite of programs that provides security through host authentication and encryption of all communications. The ssh suite provides mechanisms for securing remote login, file transfers and X11 connections, among other things. A complete description of ssh's capabilities is beyond the scope of this document; we cover only the use of ssh for remote terminal access. For more information see http://www.ssh.com/products/ssh/.

Ssh requires a server running at the remote site as well as client software locally. It is available for free for most Unix platforms and for Win32 (Windows 95/98/NT). Unfortunately, there is currently no free version for MacOS. A commercial version for Win32 and MacOS is available from Data Fellows. The official SSH site is http://www.ssh.com.

Unix Installation

Many Unix sites have ssh installed already; check whether yours does, the most likely location being /usr/local/bin/ssh. If it is not already installed, it may be possible to get the sysadmin to install it with little hassle. We provide some versions of the ssh binary. Download the appropriate ssh.platform for your version of Unix, name it "ssh", copy it to a place in your PATH, and make sure that it is executable with chmod +x ssh.

If you have a version of Unix for which a binary is not readily available, you can build the software yourself from source. We recommend that you build the latest version 1 release, of which we maintain a copy on our anonymous ftp site. It is a trouble-free build on most Unixes; in the directory where you have downloaded the source, type:


gunzip -c ssh-version.tar.gz | tar xf -
cd ssh-version
./configure
make

If you have superuser privileges, then type:

make install

to install in /usr/local/bin; if not, make sure ssh is in your PATH.

Unix Use

To open a connection to a remote host running the ssh server type:

ssh -l username hostname

The "-l username" is unnecessary if your username is the same on both systems. If this is the first time you are connecting to this host, you will be asked whether it is OK to continue; say "yes". You will then be prompted for your password.

Win32

For University and other non-commercial use, the official version of SSH is available at http://www.ssh.com. To download the Windows client you must enter an email address and agree to the Non-commercial use license agreement.

You may also try a free Win32 ssh client, such as Ttssh, an extension of the TeraTerm terminal emulation program.

Installation of TTSSH

To install, create a directory for the files to go in, for example C:\ttssh. Then download the provided archive and extract it with a compression program such as winzip.

Use

Double click on the ttssh application icon. Make sure that TCP/IP and SSH are selected and that the port number is 22. Enter the hostname you would like to connect to in the Host field, then click Ok. A new dialog box appears, titled "SSH Authentication". Make sure that "Use plain password ..." is checked and enter your username and password in the correct fields. If it is your first time connecting to a host, you may receive a warning to that effect; check the "Add host ..." box and click Continue.

S/Key (OPIE) authentication

S/Key (OPIE) authentication gets around the problem of transmitting passwords over an insecure network by changing the password that will log you into a system. A password is only good once, so if a password is snooped it is of no use to the snooper. The basic idea is to generate a list of passwords while you are on a secure network so that you can use them one at a time when you are at a remote site.

The system currently used is OPIE (One Time Password in Everything).

The first step for using OPIE is to run the opiepasswd program. Only run the opiepasswd program when logged directly into a machine on the CFM/DAM network or logged in through SSH. Opiepasswd asks you for a password that it uses to initialize the list of passwords that you will use. This password should not be the same as your unix password and it can be a phrase.

# opiepasswd  -c
Updating :
Only use this method from the console; NEVER from remote. If you are
using telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter old secret pass phrase:

ID  OTP key is 499 fr334
TUB LOW EST RUM FLOW TOLL

Please note that the number "499" is the sequence number and "fr334" is called the sequence seed. You will need this information to generate a sequence of multiple one-time passwords.

To obtain the password list you must run a key generator program. On the CFM/DAM systems this program's name is opiekey. Run opiekey, give it your secret password and the previous output from opiepasswd, and it will generate a list of passwords for you. Only run opiekey on a machine you are directly logged into or when using SSH.

Here is an example of using opiekey:

# opiekey -n 100  499 fr334
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.

495: AUK BUST BANG SODA HULL ASH
496: RUDE DICE OLGA BAM MULE DOSE
497: MAIL FOND OVEN FULL BOLD SAFE
498: PET SLOG PUG IDEA MUM DONE
499: BASH WU FLAT IF TWO SWAT
............................


Once you have this list of one-time passwords, to log in remotely:
[user@remotehost]$ telnet fritz.cfm.brown.edu
Trying 128.148.160.2...
Connected to fritz.cfm.brown.edu.
Escape character is '^]'.
Welcome to fritz.
login: 
otp-md5 498 fr334 ext
Response: PET SLOG PUG IDEA MUM DONE (this won't show, for security protection)
Last login: Wed Feb 13 19:39:34 from remotehost
You have mail.

The next time this user logs in the prompt will be for number 497.
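The mechanism behind the opiepasswd/opiekey/login exchange above, as an added example (not code from this page or from OPIE itself): the RFC 2289 otp-md5 computation in Python, with a minimal server-side check showing why a one-time password that has already been seen on the wire cannot be replayed. OpieAccount, hex_form and the pass phrases used in it are constructed for illustration; the seed/sequence values follow the page.

```python
import hashlib
import hmac

# Added example, not from the CFM/DAM page: the RFC 2289 otp-md5 scheme that
# OPIE (opiepasswd/opiekey) uses, in hex form. The six-word form needs the
# 2048-word RFC 2289 dictionary and is not reproduced here.

def otp_md5_fold(data: bytes) -> bytes:
    """One otp-md5 step: MD5, then fold 16 bytes to 8 by XORing the halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(secret: str, seed: str, seq: int) -> bytes:
    """Response number `seq`: hash of lowercased seed + secret pass phrase,
    then `seq` further fold-hash iterations (the seed is case-insensitive)."""
    h = otp_md5_fold(seed.lower().encode() + secret.encode())
    for _ in range(seq):
        h = otp_md5_fold(h)
    return h

def hex_form(response: bytes) -> str:
    """RFC 2289 hexadecimal display form, four groups of four hex digits."""
    x = response.hex().upper()
    return " ".join(x[i:i + 4] for i in range(0, 16, 4))

class OpieAccount:
    """Server side (constructed for this example). Only the seed, the sequence
    number and the last accepted response are stored, which is what
    `opiepasswd` prints as 'ID OTP key is 499 fr334'; the secret never is."""
    def __init__(self, secret: str, seed: str, seq: int = 499):
        self.seed, self.seq = seed, seq
        self.stored = otp_md5(secret, seed, seq)
    def challenge(self) -> str:
        # The telnet login prompt shown on the page: 'otp-md5 498 fr334'
        return f"otp-md5 {self.seq - 1} {self.seed}"
    def verify(self, response: bytes) -> bool:
        # Response N-1 is accepted only if hashing it once yields the stored
        # response N. A snooped response is therefore useless: it has been
        # consumed, and no lower-numbered response can be derived from it.
        if self.seq <= 0:          # list exhausted: re-run opiepasswd -s
            return False
        if not hmac.compare_digest(otp_md5_fold(response), self.stored):
            return False
        self.seq -= 1
        self.stored = response
        return True
```

The six-word form printed by opiepasswd and opiekey is the same 64-bit value encoded with the RFC 2289 word list; the hex form is the alternative display RFC 2289 defines.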

You can create a list of S/Key (OPIE) passwords with any version of the key program, your secret password, and the S/Key prompt put forth by the telnet program (e.g. 497 fr334). S/Key generators are available for free; we have executables for several platforms available.

What many people like to do is print up a list of 100 S/Key (OPIE) passwords and take it with them when they are offsite. This way you don't have to worry about remembering yet another password in order to generate keys when you need them. Note that if you forget the password that you used when you ran opiepasswd all you have to do is run opiepasswd again and use any password you want (again, only run opiepasswd while logged into a machine on the CFM/DAM network).

You can also use this One Time Password generator (jotp), written in Java, to generate a one-time S/Key password.

If your passwords run out (you have used up all 500 passphrases of a specific seed sequence), you will need to generate a new sequence with a new seed (where a seed is 5-12 characters).

For example:
 
fritz% opiepasswd -s "anyseed" -c
Updating :
Only use this method from the console; NEVER from remote. If you are
using telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter old secret pass phrase:
Enter new secret pass phrase:
Again new secret pass phrase:

ID  OTP key is 499 anyseed
RACK HAST JUTE JOCK EST ICY
fritz%

Which one to use, when and why?

The recommended remote access method to CFM/DAM is SSH. Please use SSH if you can. SSH provides both file transfer and remote session capabilities. All data transferred through an SSH session is encrypted. Use SSH2 whenever possible (as opposed to SSH1).
Use OPIE only if you have no access to a Secure Shell client, that is, if your only options are telnet and/or ftp. A big weakness of the OPIE system is that it only protects your password when you log in from the outside. If you type your UNIX password after logging in with an OPIE key, the UNIX password can be snooped. Secure Shell prevents this from happening because it encrypts all traffic.

The moral of the story is: use ssh whenever possible for remote terminal access. When using S/Keys, be aware that anything you type afterwards can be spied upon.