Using OPIE on FreeBSD 6.3

The best documentation out there on OPIE focuses on using OPIE with FreeBSD. FreeBSD comes with OPIE as part of the core, and it works beautifully.

The FreeBSD Handbook contains a section on One-time Passwords (14.5) which discusses using OPIE, and how to use utilities associated with it.

The esteemed Dru Lavigne wrote excellent articles as well (way back in February of 2003!) about making OTP work in FreeBSD. The first was One-Time Passwords, and followed by PAM (which used OPIE access as an example).

There is no installation required, as all the appropriate bits already exist in the base install. To get started, follow this example with your own password:

$ opiepasswd -c
Only use this method from the console: NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:
 
ID dgd OTP key is 499 xf4915
OTTO BRIM CAT PEN FAD PREEN
$

Now everything is set. However, the first password requested will be number 498: so let’s generate the key so we can record it:

$ opiekey 499 xf4915
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
498: SLIP MAX ROT BLIP PIP FLIT
$

Note that this second step does not have to be done on the same machine. You do need to have your count (499 in the example) and the seed (xf4915 in the example). Combined with your secret password, you can generate your next password or passwords using any valid OTP password calculator.

Dru’s article on PAM discusses the conversion from Linux PAM to OpenPAM, and other things relevant to the introduction of FreeBSD 5.0. However, now with FreeBSD 6.3 out and FreeBSD 7 coming, most of what she discussed then is now well-tested and preconfigured. OPIE is built into PAM as she suggests (within the file /etc/pam.d/system file).

Now if you want to be forced to log in with OTP, touch the file .opiealways (note the leading dot) file in your home directory and it will be so.

There was also an interview done in June of 2007 in BSDTalk #117 (audio) which discussed OTP in depth. One interesting thing to note: FreeBSD uses OPIE, whereas NetBSD and OpenBSD both use S/Key for their implementations.

Using OPIE on OpenSUSE

With OpenSUSE, things are very easy. Select your favorite package manager (I tend to use which ever one comes up first!) and install the RPM for opie – under the group Productivity/Security.

Install the RPM, and all of the opie tools are available. Using opie to control your one-time passwords (OTP) has been discussed before, and nothing changes under OpenSUSE. However, installing OTP into PAM requires changing a different file (/etc/pam.d/common-auth). Add to the end of this file the following:

auth sufficient pam_opie.so use_first_pass

This should be enough to allow the use of OTP in most normal situations. The other directions are as they were presented in a previous blog post. Namely: use opiepasswd to create the initial key and password, and use opiekey to generate a list of upcoming OTP keys if desired.

Using OPIE on Fedora 7

Well, it turned out that installing OPIE went smoother once I figured out what was causing the RPM rebuild to fail.

I took the source RPM from OpenSUSE, and installed it onto the Fedora system:

rpm -ivh opie-2.4-630.src.rpm

This installs the files in their appropriate locations in the RPM build tree. In Red Hat distributions, this means /usr/src/redhat: the spec file goes into /usr/src/redhat/SPECS, and the sources and patches go into /usr/src/redhat/SOURCES.

Then I had to remove a line from the spec file (opie.spec) that read:

%debug_package

Otherwise, the Fedora RPM suite complained thusly when built using rpmbuild:

error: Package already exists: %package debuginfo

Building the binary RPM consists of:

rpmbuild /usr/src/redhat/SPECS/opie.spec

The RPMs will be created in RPMS/i386.

Installing the RPMs is then very straightforward:

rpm -Uvh opie-2.4-630.i386.rpm

These steps bring us to the point where we now have opie available (and installed as an RPM). The rest is configuring opie. In the file /etc/pam.d/system-auth, add a line under the line that mentions pam_unix.so:

auth sufficient pam_opie.so use_first_pass

This line adds support for one-time passwords during logins – including most all forms of logins. However, some login programs do not handle the extra output and requirements well. KDM (related to XDM) perhaps does not handle it the best: a message is put up, and then it goes away without any indication that the password request has changed.

In any case, to support a user with OTP requires initializing their OTP key. This is done with:

opiepasswd -c user

This initializes the password and OTP for the specified user. This command should only be used in a secure environment (such as over SSH or on the system console). It will ask for a new password to create (only needed for a few things, but important) and then generates your secret password (along with the sequence number and the seed). All three of these things will be needed when using OTP calculators. Remember that your secret password is just like any other normal password: that is, it must be kept secret. The sequence number and seed are not enough to get in, and the generated OTP are not enough either (though they should also be kept secret).

It is possible to generate a list of the next series of OTP passwords to use; for example:

$ opiekey -n 5 -5 499 my9999
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
495: KAY TRY GLOM NOVA CALF KIM
496: OVAL JADE RUNT LATE MIT JAKE
497: MYRA COED LIND TO GREY FIG
498: NESS WAKE BLOC COAT GAIT ROWE
499: CLAW GAGE HOST MARK FAIN PAP

However, do not do this over an insecure line – such as from telnet, xterm, rsh, and so forth – as your secret pass phrase will be sent in the clear. Whenever using an OTP password calculator, make sure that your password is not seen by others, whether on the wire or in person: again, it is just like a regular password and should be treated as such. The generated passwords should also be kept secret; however, during use secrecy is not required. That’s because as soon as it is typed in, it is no longer valid.

Using OPIE

Setting up OPIE (One-time Passwords In Everything) in OpenSUSE was easy: there is a opie RPM in the standard repository, and it installs cleanly and easily.  Then it is just a matter of initializing the database and modifying the PAM configuration to match.  Then each user is added to the database (/etc/opiekeys) one at a time.  I’ll describe the exact process on OpenSUSE at a later time.

Insufferingly, it appears that Fedora (and Red Hat) do not offer any form of one-time passwords anywhere – and certainly not OPIE.  RPMs for opie are exclusively for OpenSUSE and for the Polish PLD distribution (both of which seem to have everything).  How extremely frustrating!  This sounds like a good time to switch my home system from Fedora 5 to OpenSUSE 10.3.

OpenSUSE has supported LVM, XFS, KDE, and many other technologies when Red Hat staunchly refused to.  Even now, OpenSUSE support for all of these is much more integrated and time-tested than Red Hat’s.

Lest I sound like I hate Red Hat – I don’t – and that’s what makes it so frustrating.  Grrr….

The search for one-time passwords for HP-UX and for OpenVMS was even more fruitless.  HP-UX apparently has a third party skey package available; OpenVMS has nothing – though it could be added through programming the ACME interface (which provides similar capabilities to PAM – though perhaps not as flexible).

It looks like the BSDs aren’t a lot better: FreeBSD has OPIE built into the core (with a full section on OPIE in the FreeBSD Handbook on it); NetBSD and OpenBSD do not appear to have it (!).

Looks like my settling in to FreeBSD and OpenSUSE has paid off.  I don’t even need to suggest Debian – Debian has everything – and OPIE is no exception.  And of course, Ubuntu follows suit as well.

One-Time Passwords (OTP)

I’ve been trying out one-time passwords (OTP) – and they work well. Not as hard as I thought it would be. I found several resources as well. The incomparable Dru Lavigne described one-time passwords (under FreeBSD) quite well, then went on to describe setting up PAM for OTP. The directions are transferable to Linux and others. Michele Baldessari had a stupendous description on setting up OTP under Ubuntu – and taking advantage of a OTP password calculator built into Gnome Terminal (who knew?).

There are also OTP calculators for X, for Palm Pilots, for MacOS X, and cross-platform using Java (and even on mobile phones using Java). However, generating passwords is intensive, so slower platforms will not be helpful (such as older Pilots and most mobile phones). Generating multiple strings of passwords and storing them in a safe place is still a valid way to store passwords.

I’ll go into more detail later about how I set up OpenSUSE to use OTP (simple really).