Using OPIE on Fedora 7

Well, it turned out that installing OPIE went smoother once I figured out what was causing the RPM rebuild to fail.

I took the source RPM from OpenSUSE, and installed it onto the Fedora system:

rpm -ivh opie-2.4-630.src.rpm

This installs the files in their appropriate locations in the RPM build tree. In Red Hat distributions, this means /usr/src/redhat: the spec file goes into /usr/src/redhat/SPECS, and the sources and patches go into /usr/src/redhat/SOURCES.

Then I had to remove a line from the spec file (opie.spec) that read:

%debug_package

Otherwise, the Fedora RPM suite complained thusly when built using rpmbuild:

error: Package already exists: %package debuginfo

Building the binary RPM consists of:

rpmbuild -ba /usr/src/redhat/SPECS/opie.spec

The RPMs will be created in /usr/src/redhat/RPMS/i386.

Installing the RPMs is then very straightforward:

rpm -Uvh opie-2.4-630.i386.rpm

These steps bring us to the point where we now have opie available (and installed as an RPM). The rest is configuring opie. In the file /etc/pam.d/system-auth, add a line under the line that mentions pam_unix.so:

auth sufficient pam_opie.so use_first_pass

This line adds support for one-time passwords during logins, including nearly all forms of login. However, some login programs do not handle the extra output and requirements well. KDM (related to XDM) is perhaps one that does not handle it well: a message is put up, and then it goes away without any indication that the password request has changed.

In any case, supporting a user with OTP requires initializing their OTP key. This is done with:

opiepasswd -c user

This initializes the password and OTP for the specified user. This command should only be used in a secure environment (such as over SSH or on the system console). It will ask for a new password to create (only needed for a few things, but important) and then generates your secret password (along with the sequence number and the seed). All three of these things will be needed when using OTP calculators. Remember that your secret password is just like any other normal password: that is, it must be kept secret. The sequence number and seed are not enough to get in, and the generated OTPs are not enough either (though they should also be kept secret).

It is possible to generate a list of the next series of OTP passwords to use; for example:

$ opiekey -n 5 -5 499 my9999
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
495: KAY TRY GLOM NOVA CALF KIM
496: OVAL JADE RUNT LATE MIT JAKE
497: MYRA COED LIND TO GREY FIG
498: NESS WAKE BLOC COAT GAIT ROWE
499: CLAW GAGE HOST MARK FAIN PAP

However, do not do this over an insecure line – such as from telnet, xterm, rsh, and so forth – as your secret pass phrase will be sent in the clear. Whenever using an OTP password calculator, make sure that your password is not seen by others, whether on the wire or in person: again, it is just like a regular password and should be treated as such. The generated passwords should also be kept secret; however, during use secrecy is not required, because as soon as one is typed in, it is no longer valid.
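The reason a used OTP is worthless afterwards, and why the seed and sequence number alone do not get anyone in, follows from the hash chain that OPIE implements (the RFC 2289 one-time password system with MD5). The following is an added example, not code from the original post or from OPIE; it works on raw 64-bit values rather than the six-word encoding, and the OpieRecord class, the function names and the pass phrase are assumptions made for illustration.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """MD5 the input, then XOR the two 8-byte halves down to 64 bits (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, sequence: int) -> bytes:
    """64-bit OTP for `sequence`: hash seed+pass phrase, then `sequence` more passes."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(sequence):
        value = fold_md5(value)
    return value

class OpieRecord:
    """Hypothetical server-side state for one user. It never holds the pass phrase."""
    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        self.seed, self.sequence, self.last_otp = seed, sequence, last_otp

    def challenge(self) -> str:
        # The prompt asks for the OTP one step below the stored one.
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # One more hash pass over a correct response reproduces the stored OTP.
        if self.sequence < 1:
            return False  # chain exhausted; the key must be re-initialized
        if not hmac.compare_digest(fold_md5(response), self.last_otp):
            return False
        # Accept and step down, so this response is never valid again.
        self.sequence -= 1
        self.last_otp = response
        return True

def demo():
    secret, seed = "constructed pass phrase", "my9999"  # pass phrase is made up
    record = OpieRecord(seed, 499, otp(secret, seed, 499))  # state after initialization
    response = otp(secret, seed, 498)   # calculator output for challenge 498
    first = record.verify(response)     # accepted
    replay = record.verify(response)    # rejected: already used
    guess = record.verify(otp("wrong guess", seed, 497))  # rejected: no secret
    return first, replay, guess, record.challenge()

if __name__ == "__main__":
    print(demo())
```

An observer who captures a response can only hash it forward, toward values the server has already consumed; going backward to the next expected OTP would require inverting the hash or knowing the pass phrase.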

7 thoughts on “Using OPIE on Fedora 7”

  1. To build the rpm-package you need the parameter -bb (= build binary); the whole command is:
    rpmbuild -bb /usr/src/redhat/SPECS/opie.spec

  2. The -bb option is only one part of it; I normally use -ba (build all). In any case, if the .spec file is incorrect, no build option will work.

    As I noted above, I did get it to work. I may have used -ba specifically – it’s been a while.

  3. I have found:
    ~# grep type=AVC /var/log/audit/audit.log|grep sshd|awk 'NR == 1 {print;}'| audit2allow -M opiek
    ~# semodule -i opiek.pp

  4. Thanks for the pointer to the OpenSuSE package, as I always like to use RPMs whenever possible. On my CentOS 5 system the SRPM built without my having to edit the specfile.

    I added the pam_opie.so line just before pam_unix.so, not after. This way I can, if I choose, use my shadow password at the OPIE prompt. If pam_unix.so has try_first_pass, pam_opie.so will automatically pass on rejected passwords to it.

    I bought Guy’s OTP iPhone application although I’d of course have preferred to have a free (both beer and speech) alternative, as he offers his own directions on how to install OPIE, including the important sshd_config option.
