[Server-devel] xs-otp: one time passwords for the XS
douglas at paradise.net.nz
Fri Oct 24 02:02:23 EDT 2008
This is an implementation of the ideas described at
There's an RPM at
and a repository at
It uses the patched version of the pam_sotp rpm I wrote about earlier
This version shouldn't be considered to be very well tested or proven,
considering it meddles with your root login. The README is below.
This package provides short term passwords for the OLPC XS root user.
Upon installation, nothing happens. Thereafter nothing will happen
unless the file /etc/xs-otp/allow-otp-password-via-usb exists. If it
does, and you attach a USB drive containing special files, the root
password is removed and replaced by a series of week-long passwords.
The passwords are encrypted using all public keys known to the
xs-tools package, and copied to the USB drive and also into the web
tree at http://schoolserver/passwords.pgp.
If the USB stick has additional keys on it which are signed by a known
key, the passwords are encrypted for those too.
How to enable xs-otp passwords
0. Make sure you have a root login on the machine, and keep it open
while you do the other steps. Then if something goes wrong you can
always back out, and ensure that you can log in again by resetting
the password (with passwd). This step will disappear in later
releases, but in XS-0.5, xs-otp is quite experimental.
1. Set the magic flag with `touch /etc/xs-otp/allow-otp-password-via-usb`
2. If you want to disable root login via the system password, touch
/etc/xs-otp/disable-root-password. This file will eventually exist
by default, but for now this option should be used with care. It
*could* leave you with no way of logging into the server.
3. Insert a USB drive with a file called "enable-xs-otp-passwords" in
its root directory.
The USB drive can optionally have any of these other special files:
./entropy/ -- a directory containing randomly generated files. If
this exists, one of the files will be added to the system's
entropy pool and deleted.
./extra-xs-otp-keys/ -- a directory containing public gpg keys (in
PEM format) which have been signed by keys that the XS
already knows. The signatures should be detached, with a
4. Done, almost. Before logging out, please check that you can log in
with the one time passwords. To do this you'll need to decrypt the
list of passwords using a private key that corresponds with a
public key known by the XS. Open a new console (using something
like control-alt-F3) and login with root and the first password on
the list. If you disabled the normal password in step 2, try that
too and make sure it fails.
By default xs-otp generates 520 8-character passwords containing a
mixture of letters, numbers and some punctuation. The passwords are
saved in an ordered list, like this:
And this file is encrypted.
Each password lasts for a week from its first use. That means a
technician in the field can get practically any job done with a single
password. The login prompt will ask for a numbered password, like
schoolserver login: root
One time password :
This means it wants password 4 from the list. But if it is less than a
week since you first logged in with password 3, then password 3 will
still work (as would password 1 and 2, if they were similarly recent).
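To make that acceptance rule concrete, here is a small Python model added to this post (it is not code from xs-otp or pam_sotp): it generates the numbered list and decides whether a typed password is accepted, with the prompt number advancing past the highest password used and any password first used less than a week ago still accepted. The punctuation alphabet, the OtpState class and its method names are assumptions.

```python
import hmac
import secrets
import string
from datetime import datetime, timedelta

# Constructed alphabet: letters, digits and a few punctuation characters,
# following the README's "mixture of letters, numbers and some punctuation".
ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@"
PASSWORD_COUNT, PASSWORD_LENGTH = 520, 8
VALIDITY = timedelta(days=7)          # each password lasts a week from first use


def generate_passwords(count=PASSWORD_COUNT, length=PASSWORD_LENGTH):
    """Return the ordered list that would be encrypted and copied to the USB drive."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def format_list(passwords):
    """Render the list with 1-based numbers, the way the login prompt refers to them."""
    return "\n".join(f"{i:3d}: {p}" for i, p in enumerate(passwords, 1))


class OtpState:
    """Hypothetical server-side acceptance model of the rule described above."""

    def __init__(self, passwords):
        self.passwords = passwords
        self.first_use = {}       # 1-based index -> time of first successful login

    def requested(self):
        """Number shown in the prompt: one past the highest password used so far."""
        return max(self.first_use, default=0) + 1

    def login(self, candidate, now):
        """True if candidate is the requested password or one still inside its week."""
        live = {self.requested()} | {n for n, t in self.first_use.items() if now - t < VALIDITY}
        for n in sorted(live):
            # constant-time comparison; an index past the end means the list is exhausted
            if n <= len(self.passwords) and hmac.compare_digest(candidate, self.passwords[n - 1]):
                self.first_use.setdefault(n, now)   # only the first use starts the week
                return True
        return False


if __name__ == "__main__":
    pw = generate_passwords()
    state = OtpState(pw)
    start = datetime(2008, 10, 24)            # constructed clock
    print(format_list(pw[:4]))
    print("prompt asks for", state.requested(), "accepted:", state.login(pw[0], start))
    print("prompt now asks for", state.requested())
```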