-
Notifications
You must be signed in to change notification settings - Fork 547
Server Authentication
This resource describes how King Phisher users authenticate to the server in order to use the provided RPC interface.
The King Phisher server utilizes PAM to authenticate it's users. Users that wish
to log into the server must have a valid system account with a non-empty
password. The client uses the credentials that are provided to it to open an SSH
connection to the server for port-forwarding RPC requests. Each RPC request is
also authenticated using the same credential pair. The server can restrict users
which are permitted to login to members of a specific group using the
authentication.group configuration setting. By default any valid system user
is permitted to authenticate, granted they can connect via SSH and forward a
TCP port to the localhost.
The King Phisher client will automatically select and use an SSH key that is
available from the users environment via ssh-agent. If the user has multiple SSH
keys then one can be specified in the ~/.config/king_phisher/config.json file
under the ssh_preferred_key setting. Only DSA and RSA OpenSSH-style keys are
supported, such as those created with the ssh-keygen utility. Using an SSH
key does not remove the requirement for a password. In order to authenticate to
the server process, a password must be specified regardless of whether or not a
key is used to connect via SSH.
The ssh_preferred_key option accepts the following formats:
| Format Type | Example Value |
|---|---|
| < OpenSSH 6.8 MD5 | 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff |
| >= OpenSSH 6.8 SHA256 | sha256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| Specific File* | file:$HOME/.ssh/id_rsa |
| Raw Key* | key:-----BEGIN RSA PRIVATE KEY-----\nblahblahblah\n-----END RSA PRIVATE KEY-----\n |
* Password protected keys are not supported for these formats
The command ssh-add -l can be used to list the available keys for the
current user. Configuring a preferred key is only necessary if the user has
multiple SSH keys. If fewer than 2 SSH keys are in use then the
ssh_preferred_key setting should be left with its default null value.
Password protected keys must be added to the local ssh-agent instance and specified by it's fingerprint. They can not be specified using either the "file" or "raw" syntaxes (those noted with the asterisk in the above table).
Starting in version 1.0.0 King Phisher supports authenticating users with
Time-base One Time Passwords that are compatible with popular applications such
as Google Authenticator. In order to use this feature, users must use the
tools/otp_enroll.py script on the server to set a new TOTP secret. This secret
must then be entered into the TOTP application the user would like to use. Once
a TOTP secret is set on the account, the King Phisher client will require it to
be specified when logging in. A OTP field will be made available after the user
provides a valid username and password combination. Before enabling TOTP based
authentication, it is important to properly set the timezone and system
clock on the server. If the system clock is in accurate TOTP will not work.
At this time users must contact the King Phisher server administrator to enroll in TOTP authentication. They can not yet self enroll using the client application. The following command can be used to enroll a user in TOTP by generating a random OTP secret and assigning it to their account.
tools/otp_enroll.py -c SERVER_CONFIG_FILE USERNAME set
The OTP enrollment script will also provide a provisioning URI which can optionally be converted to a QR code suitable to be scanned into most applications. Converting the URI to a QR code is not supported by King Phisher but can be accomplished using available tools.