Hi,
I have a customer that has asked me to build a SMS-authentication
solution for OpenBSD. The idea being (not saying this is a good idea,
but anyway) that when the user connects using ssh, he will get a
sms-message to his phone with a one-time passkey.
I have made it easy for myself and modified the existing login_skey. I
created a new one called login_sms and added the following three lines
to the "case MODE_CHALLENGE"-section:
-----SNIPP------
case MODE_CHALLENGE:
haskey = (skeychallenge2(fd, &skey, user, challenge) == 0);
> char cmd[200];
> sprintf(cmd, "/bin/sh /etc/smsscript.sh \"%s\" \"%s\"",
auth_mkvalue(challenge), user);
> system(cmd);
strlcat(challenge, "\nS/Key Password: ", sizeof(challenge));
-----SNIPP------
This means that before sending the challenge to the user the system
executes a script with the challenge and the user name as parameters.
The script looks like this:
----------------------------
#!/bin/sh
declare -a pno
# Declare username/phonenumber-combinations here
pno[rd]="46712344554"
pno[skeytest]="46756223452"
# Get passkey
parm1=`/bin/echo "$1" | /usr/bin/cut -f 1 -d " "`
parm2=`/bin/echo "$1" | /usr/bin/cut -f 2,3 -d " "`
key=`/usr/bin/${parm1} -p 1234567890 ${parm2}`
# Send passkey to user
/usr/bin/logger -p "auth.info" "Sending key ${key} for challenge
${parm2} to ${pno[$2]}"
----------------------------
Right now the last line just logs the key to syslog instead of sending
it to a phone. Also not that the otp-key password is hardcoded in the
script. Not really a good idea, but I have no choice. (The file is not
world readable)
Yes, I know this is a hack and that I should probably find something
better to do instead of wasting your time with my crappy code. BUT this
exist, and even thought you don't see the use for it, can you please
just give me a hand in pointing out if this most obvious security concerns.
Thanks, Rickard.
