Captcha for your ssh login

[chilicuil]

 
This pam module is product of Jordan Sissel [0] and it's so cool than I package it for Debian|Ubuntu, so.., on this tutorial I'll show you how to add captcha protection to your vps instances =)
 
Installation

$ sudo add-apt-repository ppa:chilicuil/sucklesstools
$ sudo apt-get update && sudo apt-get install libpam-captcha

Configuration
 
To enable this module, you'll need to edit /etc/pam.d/sshd and add to the first line the following:

auth requisite pam_captcha.so math randomstring

And then ensure than your /etc/ssh/sshd_config have the following options enabled:

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

You can still use Password auth but it doesn't make a lot of sense, since automated scripts can request this method and avoid captcha, so it's better to disable it, in the other hand if you use ssh key based auth the captcha will be skipped
 
After ensuring your settings are correct, you'll need to reboot the ssh service:
 
$ sudo service ssh restart
 
And that's all, most automated attacks will be reject it.
 
Feel free to grab the modified source at:
 
https://github.com/chilicuil/pam_captcha
 
Or the original at [0], if you liked the post rate it =)
 
[0] http://www.semicomplete.com/projects/pam_captcha

 

[Nett]

Nice idea. But what if the default font/font size is changed?

 

[sv01]

LOL, I still prefer using Google Authenticator

 

[chilicuil]

The text is generated by figlet, the size and font can be changed in line 157 of pam_captcha.c, the screenshot here just show the default fliglet generated text. It works for me, so it's unlike it than I recreate the packages for such change.

https://github.com/chilicuil/pam_captcha/blob/master/pam_captcha.c#L157

 

[peterw]

I don't like to install scripts from third party repositories and it is not a good idea if you use fonts and figlet on different terminals. You should stop coding and keep your ceo work.


srand(time(NULL));

Meh code.

 

[HalfEatenPie]

While I probably wouldn't use this for a production server, I think this is a pretty fun and interesting thing here!

 

[24/7/365]

I don't like to install scripts from third party repositories and it is not a good idea if you use fonts and figlet on different terminals. You should stop coding and keep your ceo work.


srand(time(NULL));

Meh code.

Is this bad C++ practice or just bad cryptographic practice?

 

[peterw]

Is this bad C++ practice or just bad cryptographic practice?

Both. If you are trying to run the program quickly in succession and get different random numbers each time, initializing with the current time is the wrong approach. Never run srand in loop or in subsequent calls. What he needs is a random source not a timestamp.


*captcha_list = malloc(len * sizeof(captcha_func_t));
memset(*captcha_list, 0, len * sizeof(captcha_func_t));

memset and pointers are bad. Easy example

   // Stack corruption! 4 bytes will be initialized not 2
   char chars[2]
   char *chars2 = chars ;
   memset(chars2, 0, sizeof(chars2)) ;

 

[tchen]

That memset point is a stylistic choice. The original uses sizeof struct, not sizeof on a pointer - perfectly valid and standard, especially with appropriate type naming.

 

[blergh]

But.. why?

 

[KuJoe]

The only benefit this can add to a server is to prevent brute force attacks. An easier, less hassle method is to change your SSH port to something other than 22 which will reduce bruteforce attacks by 99.9999% as long as you don't post your SSH port publicly somewhere. For the other 0.0001% of attacks, Fail2Ban/Denyhosts will take care of them.

Of course, disabling passwords will prevent 100% of bruteforce attacks also.

 

[dano]

That is pretty neat -- been using two factor ssh logins with Authy on a few test machines, just wish SCP would act properly with it.

 

[Lorne]

That's great thanks!

 

[thedediguy]

I love it, thanks for sharing it is awesome!

 

[TruvisT]

But.. why?

My sentiments exactly.

 

[wlanboy]

But.. why?

The font can be parsed so he could use normal text too.

My sentiments exactly.

And he should add the config to ensure that his ... way to secure through obscurity ... should at least exclude scp.

 

[Ever Smile Hosting]

Thanks for sharing nice idea

 

[toshost]

wow. That's great .

 

[willie]

It's a cute idea though if it catches on, crackers will deploy code to recognize the characters.  I just use passwd -l to lock out password login completely, and rely on public key login. 

 

[chilicuil]

It's a cute idea though if it catches on, crackers will deploy code to recognize the characters.  I just use passwd -l to lock out password login completely, and rely on public key login. 

Yep, but since the code is quite simple, there could exist zillions of variations which could be fun for both, crackers and system administrators =), so far I've not found any automated robot who could pass the captcha successfully. The idea here is not to only rely on this technique to secure your servers but to use it when you don't available ssh key login. Or it's the case that everybody goes with their main laptop to everywhere?, I don't. And when I go with nothing but myself I still would like to login to my servers and captcha is only one more layer there to make it a little bit more secure.

Other methods such as Fail2Ban/Denyhosts or changing the default port are equally acceptable to further improve the security of your site.