This tutorial by FreeBSD user Hathy A (DigitalOcean) shows how to set up “one-time” passwords on FreeBSD 10.1, a method for keeping your server secure from unwanted access.
SSH is the most popular way to log in to a server remotely. It is a cryptographic protocol that protects your password against man-in-the-middle and replay attacks.
You must keep in mind, though, that SSH protects your data only while it is in transit. Attackers can discover your SSH password by other means, such as by using keyloggers or strategically placed cameras.
As long as you use a trusted computer (say, one that belongs to you or your company), and do so from a safe location, you don’t have to worry about such attacks. However, sometimes you might need to use a public computer. To protect your passwords in such scenarios, FreeBSD comes with a security feature called One-time Passwords In Everything, or OPIE.
In this tutorial, you will learn how to generate and use one-time passwords to log in to your remote FreeBSD server. You can pregenerate one or more one-time passwords when you’re in a safe location, and save them for later when you access your server from a less secure location. That way, even if your one-time password gets logged, it won’t ever be useful to an attacker.
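Why a logged one-time password is useless afterwards, shown as an added example that is not part of the original tutorial: a simplified model of the S/Key-style hash chain that OPIE is built on. The passphrase, seed, sequence numbers and the `Server` class are constructed for illustration, and the word encoding that the real tools print is left out.

```python
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One hash step: MD5, then fold the 16-byte digest to 8 bytes by XOR."""
    d = hashlib.md5(value).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Password number `count`: the initial step plus `count` further steps."""
    value = step((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = step(value)
    return value


class Server:
    """Hypothetical verifier: holds the last accepted password, never the passphrase."""

    def __init__(self, stored: bytes, next_count: int):
        self.stored = stored
        self.next_count = next_count  # sequence number asked for at next login

    def login(self, candidate: bytes) -> bool:
        if self.next_count < 0:
            return False  # chain used up; the user must re-initialise
        if not hmac.compare_digest(step(candidate), self.stored):
            return False
        self.stored = candidate  # the accepted value becomes the new reference
        self.next_count -= 1
        return True


def demo():
    passphrase, seed = "constructed sample passphrase", "ab1234"  # constructed values
    server = Server(otp(passphrase, seed, 499), next_count=498)
    # Pregenerated in a safe location and carried along for later.
    first, second = otp(passphrase, seed, 498), otp(passphrase, seed, 497)
    ok = server.login(first)      # typed on the public computer
    replay = server.login(first)  # a keylogger's copy, replayed afterwards
    nxt = server.login(second)    # the legitimate next login still works
    return ok, replay, nxt


if __name__ == "__main__":
    print(demo())
```

Each login reveals the value one step earlier in the chain, so a captured password only hashes forward to values the server has already retired.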
In order to follow this tutorial, you will need:
- A FreeBSD 10.1 server which is accessible over SSH
- A user who is allowed to switch to root; the default freebsd user on DigitalOcean is fine