-
Notifications
You must be signed in to change notification settings - Fork 531
Server Authentication
This resource describes how King Phisher users authenticate to the server in order to use the provided RPC interface.
The King Phisher server utilizes PAM to authenticate its users. Users that wish
to log into the server must have a valid system account with a non-empty
password. The client uses the credentials that are provided to it to open an SSH
connection to the server for port-forwarding RPC requests. Each RPC request is
also authenticated using the same credential pair. The server can restrict users
which are permitted to login to members of a specific group using the
authentication.group configuration setting. By default any valid system user
is permitted to authenticate, granted they can connect via SSH and forward a
TCP port to the localhost.
The King Phisher client will automatically select and use an SSH key that is available from the users environment via ssh-agent. In order to do this, the ssh-agent must be running and be configured with at least one key. NOTE: Kali Linux does not have the ssh-agent running by default and it will need to be started either explicitly by the user or through a key management program such as Seahorse prior to starting King Phisher.
If the user has multiple SSH keys then one can be specified in the
~/.config/king_phisher/config.json file under the ssh_preferred_key setting.
Only DSA and RSA OpenSSH-style keys are supported, such as those created
with the ssh-keygen utility. Using an SSH key does not remove the requirement
for a password. In order to authenticate to the server process, a password must
be specified regardless of whether or not a key is used to connect via SSH.
The ssh_preferred_key option accepts the following formats:
| Format Type | Example Value |
|---|---|
| < OpenSSH 6.8 MD5 | 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff |
| >= OpenSSH 6.8 SHA256 | sha256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| Specific File* | file:$HOME/.ssh/id_rsa |
| Raw Key* | key:-----BEGIN RSA PRIVATE KEY-----\nblahblahblah\n-----END RSA PRIVATE KEY-----\n |
* Password protected keys are not supported for these formats
The command ssh-add -l can be used to list the available keys for the
current user. Configuring a preferred key is only necessary if the user has
multiple SSH keys. If fewer than 2 SSH keys are in use then the
ssh_preferred_key setting should be left with its default null value.
Password protected keys must be added to the local ssh-agent instance and specified by it's fingerprint. They can not be specified using either the "file" or "raw" syntaxes (those noted with the asterisk in the above table).
Starting in version 1.0.0, King Phisher supports authenticating users with Time-base One Time Passwords that are compatible with popular applications such as Google Authenticator. In order to use this feature, users must be enrolled on the server which involves generating and setting a new TOTP secret. This secret must then be entered into the TOTP application the user would like to use.
Once a TOTP secret is set on the account, the King Phisher client will require it to be specified when logging in. A OTP field will be made available after the user provides a valid username and password combination. Before enabling TOTP based authentication, it is important to properly set the timezone and system clock on the server. If the system clock is in accurate TOTP will not work.
To enroll themselves users must either use the TOTP
Self-Enrollment Plugin or contact the King Phisher server
administrator to enroll them in TOTP authentication. If a user has lost their
TOTP secret they will need to request a server administrator to remove it using
the tools/otp_enroll.py script.
The following command can be used by a King Phisher server administrator to enroll a user in TOTP by generating a random OTP secret and assigning it to their account.
tools/otp_enroll.py -c SERVER_CONFIG_FILE USERNAME set
The OTP enrollment script will also provide a provisioning URI which can optionally be converted to a QR code suitable to be scanned into most applications. Converting the URI to a QR code is not supported by King Phisher but can be accomplished using available tools.
If a user has lost their TOTP secret, the same script can be used to remove their secret.
The King Phisher server requires credentials to connect to the database when PostgreSQL is in use. When using the installation script, a user and password are automatically created for this role. The password is then patched into the server configuration file. Once set, it is generally not necessary for users to deal with the database credentials.