Debian Administration

Using one time passwords to temporarily open firewall ports

I use Xen to create multiple locked down virtual machines that to run services which I want to present to the internet I do not allow direct connections from the internet to my firewall but sometimes there's a need to do remote administration (via ssh) so I can temporarily open up one or more ports. This I do with a webpage where an OPIE (one time password) challenge should be entered.

The idea of using OPIE challenges to open up firewall ports is not new. I saw this option with Checkpoint FW1 firewalls. I implemented this myself with a couple of perl scripts. The system is presented in the following image:


I connect to a CGI page which presents me with an OPIE challenge and a box to fill in an IP address. The latter will default to the connecting IP address, but the option is provided for when your ISP uses a transparent proxy or your browser is configured to use a web proxy. If the verification succeeds, the IP address is sent to a dedicated tcp port on the firewall. Behind that port another script waits, parses the IP address and adds one or more rules for the INPUT table to the iptables rulebase. The ports that are added to the rulebase are hardcoded in the listening script on the firewall. The script will then sleep for a limited time (I use 5 minutes) and then remove all added rules from the firewall rulebase. Sessions that have been established during that time can be kept alive by using state checking in your iptables rulebase.

Implementation

The webserver needs support for OPIE verification. That is provided with the opie-server tools which is standard in debian etch. Since this verification has to be done via a CGI script, I created a dedicated non-privileged user, changed the ownership of /etc/opiekeys to that user and run the script as that user via the suexec mechanism of Apache. The script uses the HTML::Template and Authen::OPIE perl modules. The latter is not available as a package in debian etch, so you should create it yourself with dh_perl (part of the debhelper package). To create the package, you need to have the libopie-dev package installed. Alternately, you can fetch the package from my site. This is the CGI script:

#!/usr/bin/perl -w
# vim:ai:filetype=perl:sta:sw=4:et:
#
# This CGI script will use the S/Key One-Time 
# Password mechanism for verification and if
# sucessfull, will pass an IP address (default:
# $ENV{REMOTE_ADDR}) to a tcp socket for inclusion
# in a firewall rulebase
#
use strict;
use CGI qw /:standard/;
use CGI::Carp 'fatalsToBrowser';
use HTML::Template;
use IO::Socket;
use Authen::OPIE qw(opie_challenge opie_verify);

# var declarations
our ($cgi, $template);
our $opie_user="opie";
our $fwhost="192.168.1.1";
our $fwport="54321";

$cgi=CGI->new();
print $cgi->header();

if (not defined $cgi->param(-name=>"login") or 
    $cgi->param(-name=>"login") ne "Open Sesame") {
    #
    # print challenge screen
    #
    my $opiechalstr=&opie_challenge($opie_user);
    &Barf2Browser("Unknown OPIE user: $opie_user")
        if (not defined $opiechalstr);
    my @opiechalarr=split(/ /, $opiechalstr);
    if ($opiechalarr[0] ne "otp-md5") {
        &Barf2Browser("Crazy challenge: $opiechalstr");
    }
    my $response=$cgi->textfield(-name=>"response",
        -value=>"",
        -size=>40);
    my $ipaddr=$cgi->textfield(-name=>"ipaddr",
        -value=>"",
        -size=>16);
    my $submitbutton=$cgi->submit(-name=>"login",
        -value=>"Open Sesame");
    $template=HTML::Template->new(filename =>"sesame.tmpl",
        path => "/home/$opie_user/templates");
    $template->param(chalbool => 1);
    $template->param(formstart => $cgi->start_form);
    $template->param(sequence => $opiechalarr[1]);
    $template->param(seed => $opiechalarr[2]);
    $template->param(response => $response);
    $template->param(ipaddr => $ipaddr);
    $template->param(curraddr => $ENV{REMOTE_ADDR});
    $template->param(submit => $submitbutton);
    print $template->output;
}
else {
    #
    # Verify the challenge
    #
    my $response=$cgi->param(-name=>"response");
    my $ipaddr=$cgi->param(-name=>"ipaddr");
    &Barf2Browser("Empty response")
        if (not defined $response or $response eq "");
    my $verifyval=&opie_verify($opie_user,$response);
    if (not defined $verifyval or $verifyval != 0) {
        &Barf2Browser("<span class=red>Athentication attempt FAILED</span>");
    }
    else {
        #
        # OTP challenge succeeded, send IP address to firewall
        #
        $ipaddr=$ENV{REMOTE_ADDR} if (not defined $ipaddr or $ipaddr eq "");
        my $socket= new IO::Socket::INET (PeerAddr => $fwhost,
                                          PeerPort => $fwport,
                                          Proto    => "tcp",
                                          Type     => SOCK_STREAM)
            or &Barf2Browser("Authentication succeeded but "
            ."<span class=red>network connection failed</span>");
        print $socket "$ipaddr";
        close $socket;
        my $submitbutton=$cgi->submit(-name=>"ok",
            -value=>"OK");
        $template=HTML::Template->new(filename =>"sesame.tmpl",
            path => "/home/$opie_user/templates");
        $template->param(msgbool => 1);
        $template->param(formstart => $cgi->start_form);
        $template->param(msghdr => "<span class=blue>Authentication succeeded!</span>");
        $template->param(message => "Sent $ipaddr to the firewall");
        $template->param(submit => $submitbutton);
        print $template->output;
    }
}
exit 0;

sub Barf2Browser() {
    # output error
    my ($string)=@_;
    my $submitbutton=$cgi->submit(-name=>"ok",
        -value=>"OK");
    $string="undefined" if (not defined $string);
    $template=HTML::Template->new(filename =>"sesame.tmpl",
        path => "/home/$opie_user/templates");
    $template->param(msgbool => 1);
    $template->param(formstart => $cgi->start_form);
    $template->param(msghdr => "Sesame error:");
    $template->param(message => $string);
    $template->param(submit => $submitbutton);
    print $template->output;
    exit 0;
}

The template file is very straight-forward:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<style type="text/css">

BODY {background-color: #b0c4ef; color: black}
A:link {color: #000040}
A:external {color: #000040}
A:active {color: #000040}
A:visited {color: #000040}
SPAN.blue {color: #0000c0}
SPAN.red {color: #c00000}
</style>
</head>

<body>
<tmpl_var name="formstart">
<h1>Sesame Verifyer</h1>
<tmpl_if name="chalbool">
    <h3>Challenge:<br/>
    <tmpl_var name="sequence"> <tmpl_var name="seed"></h3>
    <br/>
    <strong>Response:</strong><br/>
    <tmpl_var name="response"><br/><br/>
    <table><tr><td>
    Current IP address:
    </td><td>
    <tt><strong><tmpl_var name="curraddr"></strong></tt>
    </td></tr><tr><td>
    Optionally override with:
    </td><td>
    <tmpl_var name="ipaddr">
    </td></tr></table>
<tmpl_else>
    <tmpl_if name="msgbool">
        <h3><tmpl_var name=msghdr></h3>
        <strong><tmpl_var name="message"></strong>
    </tmpl_if>
</tmpl_if>
<br/><br/><tmpl_var name="submit">
</form>
</body>
</html>

On the firewall end we have inetd listen to the specified port (here: port 54321) and send any incoming string to the script to add firewall rules. Because of the latter task this script needs to run as root. You can specify multiple tcp and/or udp ports in this script and for each of these, a firewall rule will be added to allow packets for that rule from the specified IP address, then the script will sleep for some time (default 5 minutes) and then all added rules are deleted again. Existing sessions stay active because of the stateful checks of iptables. The script:

#!/usr/bin/perl
# vim:ai:filetype=perl:sta:sw=4:et:
#
# This script will read a line from STDIN, expecting
# expecting an IP address and will use that address
# as a source for a firewall rule that temporarily
# opens one or more ports in the INPUT chain
#
# ports must be specified as /^[tu]\d+$/ (the first
# character specifies the tcp or udp protocol

use strict;
use Sys::Syslog qw(:standard :macros);

our @ports = ("t22","u5000");
our $timeslot = 300; #5 minutes

my $addr=<STDIN>;
chomp $addr;
# check if we received a correct IP address
if ($addr !~ /^(\d{1,3}\.){3}\d{1,3}$/) {
    &LogText(LOG_WARNING, "WARNING: someone tried something nasty!");
    exit 0;
}
foreach my $port (@ports) {
    &IPTrule("-I",$port,$addr);
}
sleep $timeslot;
foreach my $port (@ports) {
    &IPTrule("-D",$port,$addr);
}
exit 0;

sub LogText() {
    my ($level, $text)=@_;
    openlog("sesamed","ndelay,pid",LOG_DAEMON);
    syslog($level,$text);
    closelog;
}

sub IPTrule() {
    my ($act,$protoport,$addr)=@_;
    my ($proto,$port)=();
    if ($protoport =~ /^([tu])(\d+)$/) {
        $port=$2;
        $proto = ($1 eq "t") ? "tcp" : "udp";
    }
    if (not defined $proto) {
        &LogText(LOG_NOTICE, "BUG: wrong protoport specified");
        return;
    }
    my @cmdline=("/sbin/iptables",$act,"INPUT","-p",$proto,"--dport");
    push @cmdline, ($port,"-s",$addr,"-j","ACCEPT");
    &LogText(LOG_INFO, join(" ", @cmdline));
    system(@cmdline);
}

Calculating the OPIE challenge

Note: Calculating the response to an OPIE challenge should not be done over an insecure line. That would defeat the whole purpose of using one-time passwords.
The OPIE system presents you with a sequence number and a seed. You enter these in your OPIE calculator, enter the password and the one-time password (consisting of 6 english words) is generated. There are various calculators available.

• for debian: the opiekey command
• for MacOS: SkeyCalc
• for Windows: WinKey
• for PocketPC: AWE OTP
• for PalmOS: PalmKey

If you don't have a device with you that can run an OTP calculator, you can pre-calculate a number of responses with the opiekey command (using the -n option) and print them out to keep in your wallet.