
Server Authentication

Spencer McIntyre edited this page Apr 25, 2019 · 17 revisions

This resource describes how King Phisher users authenticate to the server in order to use the provided RPC interface.

User Authentication

The King Phisher server uses PAM to authenticate its users. Users who wish to log into the server must have a valid system account with a non-empty password. The client uses the credentials provided to it to open an SSH connection to the server and forwards its RPC requests over that connection. Each RPC request is also authenticated with the same credential pair. The server can restrict the users permitted to log in to members of a specific group via the authentication.group configuration setting. By default, any valid system user is permitted to authenticate, provided they can connect via SSH and forward a TCP port to localhost.

The King Phisher client will automatically select and use an SSH key that is available from the user's environment via ssh-agent. For this to work, ssh-agent must be running and configured with at least one key. NOTE: Kali Linux does not run ssh-agent by default; it must be started either explicitly by the user or through a key management program such as Seahorse before King Phisher is started.

If the user has multiple SSH keys, one can be specified in the ~/.config/king_phisher/config.json file under the ssh_preferred_key setting. Only DSA and RSA OpenSSH-style keys are supported, such as those created with the ssh-keygen utility. Using an SSH key does not remove the requirement for a password: in order to authenticate to the server process, a password must be specified regardless of whether a key is used for the SSH connection.

The ssh_preferred_key option accepts the following formats:

Format            Type      Example Value
< OpenSSH 6.8     MD5       00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
>= OpenSSH 6.8    SHA256    sha256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Specific File*              file:$HOME/.ssh/id_rsa
Raw Key*                    key:-----BEGIN RSA PRIVATE KEY-----\nblahblahblah\n-----END RSA PRIVATE KEY-----\n

* Password-protected keys are not supported for these formats.

The command ssh-add -l lists the keys available to the current user. Configuring a preferred key is only necessary if the user has multiple SSH keys. If fewer than 2 SSH keys are in use, the ssh_preferred_key setting should be left at its default null value.

Password-protected keys must be added to the local ssh-agent instance and specified by their fingerprint. They cannot be specified using either the "file" or "raw" syntaxes (those marked with an asterisk in the table above).
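As an added example (not part of this wiki or of King Phisher's own code), the checker below classifies a JSON-decoded ssh_preferred_key value into the formats listed in the table and rejects file: and key: values that carry a password-protected key. The passphrase detection (the Proc-Type header of traditional PEM and the cipher name in the OPENSSH container header) and the two sample container headers are my own assumptions about key file layout, not behaviour documented for King Phisher.

```python
import base64
import os
import re

# Fingerprint forms from the ssh_preferred_key table: MD5 (before OpenSSH 6.8)
# and SHA256 (OpenSSH 6.8 and later: 43 base64 characters, no padding).
_MD5_RE = re.compile(r'^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$', re.IGNORECASE)
_SHA256_RE = re.compile(r'^sha256:[A-Za-z0-9+/]{43}$', re.IGNORECASE)
_MAGIC = b'openssh-key-v1\x00'  # 15-byte header of the OPENSSH container
# Constructed OPENSSH containers (magic + cipher name only, not usable keys).
SAMPLE_PLAIN = ('-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmU=\n'
                '-----END OPENSSH PRIVATE KEY-----\n')
SAMPLE_AES = ('-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHI=\n'
              '-----END OPENSSH PRIVATE KEY-----\n')

def pem_key_is_encrypted(pem):
    """Traditional PEM marks a passphrase with 'Proc-Type: 4,ENCRYPTED'; the
    OPENSSH container stores a cipher name after its magic ('none' = plain)."""
    if 'Proc-Type: 4,ENCRYPTED' in pem:
        return True
    if 'BEGIN OPENSSH PRIVATE KEY' in pem:
        body = ''.join(l for l in pem.splitlines() if not l.startswith('-----'))
        blob = base64.b64decode(body)
        if not blob.startswith(_MAGIC):
            raise ValueError('bad openssh-key-v1 magic')
        clen = int.from_bytes(blob[15:19], 'big')  # uint32 length of cipher name
        return blob[19:19 + clen] != b'none'
    return False

def classify_preferred_key(value):
    """Map a JSON-decoded ssh_preferred_key value to its documented format and
    reject file:/key: values whose key is password protected (unsupported)."""
    if value is None:  # the default; correct when fewer than 2 keys are in use
        return {'format': 'default', 'error': None}
    if _MD5_RE.match(value):
        return {'format': 'md5', 'error': None}
    if _SHA256_RE.match(value):
        return {'format': 'sha256', 'error': None}
    if value.startswith('file:'):
        path = os.path.expanduser(os.path.expandvars(value[len('file:'):]))
        if not os.path.isfile(path):
            return {'format': 'file', 'error': 'no such file: ' + path}
        with open(path) as fh:
            pem, fmt = fh.read(), 'file'
    elif value.startswith('key:'):
        pem, fmt = value[len('key:'):], 'key'
    else:
        return {'format': 'unknown', 'error': 'unrecognized ssh_preferred_key value'}
    err = 'password protected keys are not supported for ' + fmt
    return {'format': fmt, 'error': err if pem_key_is_encrypted(pem) else None}
```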

TOTP Support

Starting in version 1.0.0, King Phisher supports authenticating users with Time-based One-Time Passwords (TOTP) compatible with popular applications such as Google Authenticator. To use this feature, users must be enrolled on the server, which involves generating and setting a new TOTP secret. This secret must then be entered into the TOTP application the user wishes to use.

Once a TOTP secret is set on the account, the King Phisher client will require it when logging in. An OTP field is made available after the user provides a valid username and password combination. Before enabling TOTP-based authentication, it is important to set the timezone and system clock on the server correctly. If the system clock is inaccurate, TOTP will not work.

TOTP Enrollment

To enroll themselves, users must either use the TOTP Self-Enrollment Plugin or contact the King Phisher server administrator to enroll them in TOTP authentication. If a user has lost their TOTP secret, they will need to ask a server administrator to remove it using the tools/otp_enroll.py script.

Server Side TOTP Enrollment

The following command can be used by a King Phisher server administrator to enroll a user in TOTP by generating a random OTP secret and assigning it to their account.

tools/otp_enroll.py -c SERVER_CONFIG_FILE USERNAME set

The OTP enrollment script also prints a provisioning URI, which can optionally be converted to a QR code suitable for scanning into most applications. Converting the URI to a QR code is not supported by King Phisher itself but can be done with readily available tools.

If a user has lost their TOTP secret, the same script can be used to remove their secret.

Database Authentication

The King Phisher server requires credentials to connect to the database when PostgreSQL is in use. When the installation script is used, a user and password are automatically created for this role and the password is patched into the server configuration file. Once set, users generally do not need to deal with the database credentials.