Server Authentication

Spencer McIntyre edited this page Jan 8, 2016 · 17 revisions

This resource describes how King Phisher users authenticate to the server in order to use the provided RPC interface.

User Authentication

The King Phisher server uses PAM to authenticate its users. Users who wish to log into the server must have a valid system account with a non-empty password. The client uses the credentials provided to it to open an SSH connection to the server and forwards its RPC requests through that tunnel. Each RPC request is also authenticated using the same credential pair. The server can restrict login to members of a specific group using the authentication.group configuration setting. By default any valid system user is permitted to authenticate, provided they can connect via SSH.

The King Phisher client will automatically select and use an SSH key that is available from the user's environment via ssh-agent. If the user has multiple SSH keys, one can be specified in the ~/.config/king_phisher/config.json file under the ssh_preferred_key setting. Only DSA and RSA OpenSSH-style keys are supported, such as those created with the ssh-keygen utility.

The ssh_preferred_key option accepts the following formats:

Format           Type     Example Value
< OpenSSH 6.8    MD5      00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
>= OpenSSH 6.8   SHA256   SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Specific File*   -        file:$HOME/.ssh/id_rsa
Raw Key*         -        key:-----BEGIN RSA PRIVATE KEY-----\nblahblahblah\n-----END RSA PRIVATE KEY-----\n

* Encrypted keys are not supported for these formats.

The command ssh-add -l lists the keys available to the current user. Configuring a preferred key is only necessary if the user has multiple SSH keys. If fewer than 2 SSH keys are in use, the ssh_preferred_key setting should be left at its default null value.

TOTP Support

Starting in version 1.0.0, King Phisher supports authenticating users with Time-based One Time Passwords (TOTP) that are compatible with popular applications such as Google Authenticator. To use this feature, users must use the tools/otp_enroll.py script on the server to set a new TOTP secret. This secret must then be entered into the TOTP application the user would like to use. Once a TOTP secret is set on the account, the King Phisher client will require it when logging in: an OTP field is made available after the user provides a valid username and password combination. Before enabling TOTP-based authentication, it is important to set the timezone and system clock on the server correctly. If the system clock is inaccurate, TOTP will not work, because the code is derived from the current time on both sides.

TOTP Enrollment

At this time users must contact the King Phisher server administrator to enroll in TOTP authentication; they cannot yet self-enroll using the client application. The following command enrolls a user in TOTP by generating a random OTP secret and assigning it to their account.

tools/otp_enroll.py -c SERVER_CONFIG_FILE USERNAME set

The OTP enrollment script will also print a provisioning URI, which can optionally be converted to a QR code suitable for scanning into most applications. Converting the URI to a QR code is not supported by King Phisher but can be accomplished using available tools.