-
Notifications
You must be signed in to change notification settings - Fork 547
Server Authentication
This resource describes how King Phisher users authenticate to the server in order to use the provided RPC interface.
The King Phisher server utilizes PAM to authenticate it's users. Users that wish
to log into the server must have a valid system account with a non-empty
password. The client uses the credentials that are provided to it to open an SSH
connection to the server for port-forwarding RPC requests. Each RPC request is
also authenticated using the same credential pair. The server can restrict users
which are permitted to login to members of a specific group using the
authentication.group configuration setting. By default any valid system user
is permitted to authenticate, granted they can connect via SSH and forward a
TCP port to the localhost.
In order to use an automatically selected SSH Key, the SSH agent or key management program such as Seahorse needs to be running. In addition if there is multiple SSH keys being used on the system, the key must be explicitly defined in the configuration file. NOTE Kali Linux does not have ssh-agent or a key management program running by default and will need to be started and key added prior to starting King Phisher.
The King Phisher client will automatically select and use an SSH key that is
available from the users environment via ssh-agent. If the user has multiple SSH
keys then one can be specified in the ~/.config/king_phisher/config.json file
under the ssh_preferred_key setting. Only DSA and RSA OpenSSH-style keys are
supported, such as those created with the ssh-keygen utility. Using an SSH
key does not remove the requirement for a password. In order to authenticate to
the server process, a password must be specified regardless of whether or not a
key is used to connect via SSH.
The ssh_preferred_key option accepts the following formats:
| Format Type | Example Value |
|---|---|
| < OpenSSH 6.8 MD5 | 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff |
| >= OpenSSH 6.8 SHA256 | sha256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| Specific File* | file:$HOME/.ssh/id_rsa |
| Raw Key* | key:-----BEGIN RSA PRIVATE KEY-----\nblahblahblah\n-----END RSA PRIVATE KEY-----\n |
* Password protected keys are not supported for these formats
The command ssh-add -l can be used to list the available keys for the
current user. Configuring a preferred key is only necessary if the user has
multiple SSH keys. If fewer than 2 SSH keys are in use then the
ssh_preferred_key setting should be left with its default null value.
Password protected keys must be added to the local ssh-agent instance and specified by it's fingerprint. They can not be specified using either the "file" or "raw" syntaxes (those noted with the asterisk in the above table).
Starting in version 1.0.0, King Phisher supports authenticating users with Time-base One Time Passwords that are compatible with popular applications such as Google Authenticator. In order to use this feature, users must be enrolled on the server which involves generating and setting a new TOTP secret. This secret must then be entered into the TOTP application the user would like to use.
Once a TOTP secret is set on the account, the King Phisher client will require it to be specified when logging in. A OTP field will be made available after the user provides a valid username and password combination. Before enabling TOTP based authentication, it is important to properly set the timezone and system clock on the server. If the system clock is in accurate TOTP will not work.
To enroll themselves users must either use the TOTP
Self-Enrollment Plugin or contact the King Phisher server
administrator to enroll them in TOTP authentication. If a user has lost their
TOTP secret they will need to request a server administrator to remove it using
the tools/otp_enroll.py script.
The following command can be used by a King Phisher server administrator to enroll a user in TOTP by generating a random OTP secret and assigning it to their account.
tools/otp_enroll.py -c SERVER_CONFIG_FILE USERNAME set
The OTP enrollment script will also provide a provisioning URI which can optionally be converted to a QR code suitable to be scanned into most applications. Converting the URI to a QR code is not supported by King Phisher but can be accomplished using available tools.
If a user has lost their TOTP secret, the same script can be used to remove their secret.
The King Phisher server requires credentials to connect to the database when PostgreSQL is in use. When using the installation script, a user and password are automatically created for this role. The password is then patched into the server configuration file. Once set, it is generally not necessary for users to deal with the database credentials.